Tuesday, May 09, 2006

Testing Behavior with Spycar

Spycar.org, the brainchild of Ed Skoudis, was created as a test of behavioral anti-spyware (AS) engines. The name is a play on EICAR.COM, the industry-accepted anti-virus (AV) engine test file. Unlike EICAR.COM, Spycar.org has a long way to go before gaining industry acceptance.

Spycar.org offers programs that perform functions that are common to most spyware/adware programs. Unfortunately, these behaviors are also necessary for many applications and drivers, and are not currently a reliable indication of spyware. To expect a behavioral Anti-Spyware product to outright block Spycar tests is unrealistic.

Spycar consists of static files, and thus signature-based detection is quite effective. Unfortunately, this defeats the purpose of the tests.

The proliferation of mutating spyware and rootkits is antiquating signature-based detection. Anti-Spyware products that don't beef up their behavioral detections will fall by the wayside. Tenebril applauds Ed's effort in trying to push the Anti-Spyware industry into more behavioral detection methods. When spycar.org can truly emulate some bad behavior, it's sure to gain some industry acceptance.
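To make the signature-versus-behavior argument concrete, here is a small model written for this post (not Spycar's code, and not any product's engine). The test file bytes, the behavior names, the weights and the thresholds are all constructed assumptions; the point is that a hash signature only matches the exact static file, while a behavioral engine has to weigh actions that legitimate installers perform too, so a single action cannot sensibly be blocked outright.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a static test file and its hash "signature".
KNOWN_TEST_FILE = b"SPYCAR-STYLE STATIC TEST FILE (constructed sample)\n"
SIGNATURES = {hashlib.sha256(KNOWN_TEST_FILE).hexdigest(): "spycar-like-test"}


def signature_match(data: bytes):
    """Signature detection: returns a label only for byte-identical files."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


# Assumed behaviors common to spyware but also to legitimate software,
# with assumed suspicion weights (not Spycar's list, not product values).
WEIGHTS = {
    "write_run_key": 2,     # persistence; ordinary installers do this too
    "change_home_page": 3,  # browser settings; some browser setups do this
    "modify_hosts": 3,      # name resolution; VPN and dev tools do this
    "hide_process": 4,      # masking; security apps themselves do this
}


@dataclass
class ProcessActivity:
    name: str
    signed: bool            # code-signed binary
    user_initiated: bool    # launched by the user, e.g. an installer they ran
    actions: list = field(default_factory=list)


def behavior_score(p: ProcessActivity) -> int:
    """Sum action weights, discounted by context a behavioral engine can see."""
    score = sum(WEIGHTS.get(a, 0) for a in p.actions)
    if p.signed:
        score -= 3
    if p.user_initiated:
        score -= 3
    return max(score, 0)


def verdict(p: ProcessActivity, block_at: int = 8, warn_at: int = 4) -> str:
    """Block only on a strong combination; warn on a single risky action."""
    s = behavior_score(p)
    if s >= block_at:
        return "block"
    if s >= warn_at:
        return "warn"
    return "allow"
```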

Thursday, December 15, 2005

Who's on First?

[This was written back in December and not posted until now]
Interesting article in eWeek from Paul Roberts before the holiday, Antispyware Battles Rootkits with Rootkit Tactics.

This whole issue points out the need for user education, especially with an emotionally charged, red-hot topic like rootkits.

Security hardening is a vital job for any security app. Good security apps - not just antispyware apps as Paul says in his article - use a variety of techniques for hardening and fortification. These techniques include masking certain processes in memory, for example, so attackers can't disable a security app that a user has chosen for their protection.

What's new is that *the malware creators* are now fortifying *their* apps using some of these security techniques as well as using rootkits.

These malware creators are crafting evasive threats, malware designed to circumvent legacy security applications. They're using every tool, technique and trick they can find to do so. We'll see more of these techniques in 2006.