The missing glue in the fight against malware

While at Interop in Las Vegas, I was treated to dinner by representatives of Tenebril, developers of the anti-spyware product SpyCatcher.  At the table to convince me that the practically unknown security solution provider is a player to be reckoned with in the anti-spyware market were its newly installed vice presidents of marketing and communications Fred Felman and Te Smith (respectively).  Also present was Sierra Ventures venture partner Mark Fernandes, who recently poured $6.5 million into the company's coffers, a portion of which will be dedicated to turning SpyCatcher into an enterprise-class product that, they claim, will run circles around other enterprise offerings such as the corporate edition of Webroot's SpySweeper.  

Absent any independently provided research or personal experience with the products, I can't possibly verify such claims.  But the record should also show that Tenebril practically cleaned Checkpoint's clock of the executives that came with its acquisition of Zone Labs.  Not only were Felman and Smith executives at Zone/Checkpoint before leaving to join Tenebril, so too were Irfan Salim and Chris Weltzien.  Salim, now CEO at Tenebril, was Zone's president and COO; and Weltzien, now senior vice president of Tenebril's consumer group, ran e-commerce for Zone.  Say what you will about Zone (in response to what I've written about the company's solutions, I have received both complaints and praise regarding its personal firewall solutions), this is a goodly part of the team that made Zone Labs' Zone Alarm (its personal firewall product) the most popular product in its category.  That all of them saw in the unknown Tenebril an opportunity to repeat that success is a tenuous vote of confidence.  Executives often move in teams and everyone has a price.  But it's a vote nonetheless.

Whether they'll succeed remains to be seen.  At Zone Labs, they practically invented the category of personal firewalls and never had to worry about playing catch-up.  At Tenebril, they must rise from obscurity in an already crowded field.  That there even is a crowded field is the sign of a problem -- one that's common to the battles against all the other forms of malware: viruses, worms, spam, phishing, etc.  It means that the industry lacks the standards necessary to secure certain protocols.  When the existing players in an industry cannot come to such agreements (and the purveyors of existing software can't seem to secure it), it gives rise to a plethora of proprietary offerings.  The world's best example of this deficiency is on the spam front, where the various e-mail service and solution providers have known for over three years that what's really needed in lieu of hundreds of proprietary solutions are some more fortified e-mail standards.  But here we are in 2005 and, for a variety of reasons (along with plenty of finger-pointing), the e-mail industry has failed to reach any significant technological agreements.  It's a travesty.  Back in January 2003, I tried and failed to put an end to that travesty with an initiative I called JamSpam.

Now, in 2005, I'm in agreement with headlines like the one from News.com's Charlie Cooper that reads "The end of spyware? Fat chance."

The recent Antispyware Workshop, hosted by our own CNET Download.com, gathered many of the vendors on both sides of the fence for a day of discussion about the spyware and adware problem. Dan Farber reported from the event:

"Esther Dyson hosted a panel of adware vendors, who were giving assurances that they want to be on the good side of consumers, while spyware expert Ben Edelman and Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), demonstrated the devious methods and the extended ecosystem the adware vendors use to fuel billions of dollars in revenue."

One of Tenebril's arguments is that it has some secret sauce in its technology that the other umpteen anti-spyware solutions do not -- a kernel of technology on which consumer and enterprise offerings will easily outperform their competitors.   This sounds strikingly similar to what all the anti-spam vendors have been telling me for three years.  Yet spam still exists and it's worse than ever.  If all of these solutions were so effective back then, one would think that by now, spamming would be a dead-end opportunity.  It's not.  It's a lucrative one -- if you know how to do it right and skirt the law.  So, I'm going to make a prediction.  Three years from now, the spyware problem will be worse than it is today and I'll be writing about one of the reasons that there has been no improvement: the failure of the industry to recognize where technological consensus is needed, and then to build solutions on top of that consensus technology. 

So, in the case of spyware, what would that technology be?  I'm directing that question rhetorically at the new executive team at Tenebril because it's simply an extension of the same conversation that I was having with them about personal firewalls while they were at Zone Labs.  Personal firewalls and anti-spyware have quite a bit in common.  In some ways, personal firewalls help to solve the spyware problem because they can block spyware from "phoning home" -- what happens when malware reports back to its creators or distributors with its findings (e.g., logged keystrokes).

But, one reason personal firewalls aren't always successful in this endeavor is that they often require user input.  When a personal firewall detects a first-time attempt by some process to reach the outside world, it notifies the user that something new is trying to get out and it asks the user if the attempted communication should be permitted.  But, as I've written before, this allow/disallow inquiry is all too often noticeably deficient in the kind of information a user needs to make an informed decision.  This is particularly troubling since, regardless of whether it's trapping malware or legitimate software, the wrong answer might render your software inoperable.  "LSASS.EXE is trying to reach 177.24.202.16.  Allow Always?  Allow this once?  Deny?" it asks me.  What the heck is LSASS.EXE?  What or where is 177.24.202.16?  And finally, why isn't the software answering these questions for me?

The answer to that last question is easy.  The software doesn't know.  Nor, considering the number of software components out there (legitimate and not), can it know.  For a while, with many personal firewalls, this meant that answering the allow/deny question was guesswork (or, a lot of Googlework).  Fortunately, guessing couldn't get you into too much trouble.  Sooner or later, every networked computer loses its connection to its network anyway.  When, through a personal firewall, a user denies network access to a particular software component, the net result for that software component is pretty much the same as what happens when the system suddenly loses its network connection for some other reason (the cable gets pulled out, the Wi-Fi signal disappears, etc.).  If a user mistakenly denies network access to a legitimate software component that needs it, and the system or the software hangs, fixing the problem requires little more than a reboot and a correction to the firewall's ruleset.

But that's not how software should work. And when I started dinging Zone Labs and other firewall makers for having this problem, I also recognized that no single firewall developer -- not even Symantec -- was big enough to develop and maintain the database they'd need in order to provide  users with the information required to make an informed decision.  How do I know this? Some of them tried.  But the information was invariably incomplete.  To really do that database right would require the participation of all the software vendors,  and for them to participate, it would have to be easy and it would have to be centralized. 

To date, a centralized database that lists legitimate software components along with a description of what they do and the types of servers (or even their IP addresses) that they may attempt to communicate with doesn't exist.  It needs to and the only way such a database could come to be is if all of the vendors that need access to it contribute to its development.  Though it wouldn't be a standard per se, agreement on specifics (schemas, logistics, etc.) would be required.  Should such a central database exist, and should it list both legitimate software as well as malware, then personal firewalls would have a resource they could mine to help users respond to the allow/deny question. 
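What a firewall could do with such a database, as an added illustration (not Tenebril's, Zone Labs' or any vendor's code): the catalogue below is a constructed in-memory table standing in for the centralized, vendor-contributed database the post proposes; the publisher disclosures, hashes and address ranges are made-up sample values, and the hash check stands in for the "has this code changed since the developer issued it" test that code-signing provides.

```python
"""Decision support for a personal-firewall allow/deny prompt against a
(constructed) central catalogue of software components."""
import hashlib
import ipaddress
from dataclasses import dataclass


def fingerprint(image_bytes: bytes) -> str:
    """SHA-256 of an executable image; a hash is used here in place of a
    developer-applied signature to detect a modified or infected copy."""
    return hashlib.sha256(image_bytes).hexdigest()


@dataclass(frozen=True)
class ComponentRecord:
    name: str                   # image name as the firewall reports it
    publisher: str              # who submitted the disclosure
    description: str            # plain-language answer to "what is this?"
    classification: str         # "legitimate" or "malware"
    known_hashes: frozenset     # fingerprints of the builds disclosed
    expected_destinations: tuple  # CIDR ranges the component may contact


# Constructed stand-ins for executable bytes (a real catalogue would hold
# only the publishers' fingerprints, never the images themselves).
SAMPLE_IMAGES = {
    "lsass.exe": b"constructed stand-in for the lsass.exe image",
    "updater.exe": b"constructed stand-in for a vendor's update agent",
    "keylog.exe": b"constructed stand-in for a keystroke logger",
}

# Constructed catalogue entries. 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for the publishers' disclosed servers.
CATALOGUE = {
    "lsass.exe": ComponentRecord(
        "lsass.exe", "Microsoft",
        "Windows Local Security Authority Subsystem Service; handles logon "
        "and local security policy.",
        "legitimate",
        frozenset({fingerprint(SAMPLE_IMAGES["lsass.exe"])}),
        (ipaddress.ip_network("192.0.2.0/24"),),
    ),
    "updater.exe": ComponentRecord(
        "updater.exe", "Example Software Co. (hypothetical)",
        "Checks the publisher's update server for new versions.",
        "legitimate",
        frozenset({fingerprint(SAMPLE_IMAGES["updater.exe"])}),
        (ipaddress.ip_network("198.51.100.0/24"),),
    ),
    "keylog.exe": ComponentRecord(
        "keylog.exe", "(submitted by anti-malware vendors)",
        "Records keystrokes and uploads them; no legitimate destinations.",
        "malware",
        frozenset({fingerprint(SAMPLE_IMAGES["keylog.exe"])}),
        (),
    ),
}


def advise(process_name: str, image_bytes: bytes, destination: str) -> dict:
    """Answer "<process> is trying to reach <destination>" with a verdict
    (allow / deny / review / unknown) and the supporting text the post says
    today's prompts lack."""
    record = CATALOGUE.get(process_name.lower())
    if record is None:
        return {"verdict": "unknown",
                "reason": f"{process_name} is not in the catalogue; nobody has "
                          "disclosed what it is or where it should connect."}
    if fingerprint(image_bytes) not in record.known_hashes:
        return {"verdict": "deny",
                "reason": f"{record.name} is catalogued by {record.publisher}, "
                          "but this copy matches no disclosed build; it may "
                          "have been modified or infected."}
    if record.classification == "malware":
        return {"verdict": "deny",
                "reason": f"{record.name}: {record.description}"}
    dest = ipaddress.ip_address(destination)
    if any(dest in net for net in record.expected_destinations):
        return {"verdict": "allow",
                "reason": f"{record.name} ({record.publisher}): "
                          f"{record.description} {destination} is among its "
                          "disclosed destinations."}
    return {"verdict": "review",
            "reason": f"{record.name} is legitimate, but {record.publisher} "
                      f"did not disclose {destination} as a destination; "
                      "confirm before allowing."}


if __name__ == "__main__":
    # The prompt quoted in the post, answered with catalogue data.
    for dest in ("192.0.2.10", "177.24.202.16"):
        print(advise("LSASS.EXE", SAMPLE_IMAGES["lsass.exe"], dest))
```

With the constructed entries, the post's own prompt about LSASS.EXE reaching 177.24.202.16 comes back as "review" with an explanation rather than a bare allow/deny question.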

So, why all the talk about personal firewalls when this is a story about anti-spyware?  Well, for starters, history is repeating itself.  The industry has so far failed to work together on spam.  Since I explained this sort of personal firewall consortium idea to firewall vendors, nothing has happened.  And now, here we are trying to face down spyware, which is like trying to boil the ocean.  Sound familiar?  If you characterized today's anti-malware as proprietary attempts at boiling the ocean, you wouldn't get any argument from me (although you might from the anti-malware vendors).

Presumably, the interest in Tenebril on behalf of Sierra Ventures and the ex-Zone Labs executives had to do with their belief that the company's secret sauce -- developed by founder and CTO Christian Carrillo -- is much better at boiling the ocean than anything else they looked at.  But, as good as it may be at boiling the ocean, Tenebril's SpyCatcher is still human.  I haven't seen it, but it has to be.  It may indeed turn out to be better than its competitors at identifying suspicious activity and artifacts of spyware.  But like all anti-malware products, anti-spyware, lest it mistakenly be acting on something that legitimately belongs on a system, needs confirmation from a human before it takes final action (e.g., eradication).

My case in point is Webroot's SpySweeper.  Webroot was at Interop as well.  At the show, Webroot announced that it will be releasing, on a quarterly basis, a comprehensive research report on the state of spyware.  The first version of it (2005 Q1) is 90 pages long and rivals in comprehensiveness the sort of category-specific research that you might pay to get from an outfit like Gartner.  That's not surprising, since the company hired a security analyst -- Richard Stiennon -- away from Gartner to produce the reports.  While businesses -- particularly ones that want to stay on top of spyware trends -- will find the report to be a valuable resource, the catch is that you have to supply some personal information to Webroot before it can be downloaded from the company's Web site.

At Interop, Webroot was providing the report on a CD that also had a copy of SpySweeper on it.  So, while on the flight home, I decided to see if SpySweeper thought any spyware was on my system.  If you believe what Tenebril has to say, the fact that SpySweeper didn't find any actual spyware on my system (which it didn't) is no guarantee that spyware isn't there.  At the same time, I feel better having installed a "sweeper" where none was before.  While SpySweeper didn't find any spyware, the aforementioned opportunity for human intervention arose when it spotted 24 suspicious cookies.  SpySweeper wanted confirmation before eradicating them.  But, just like the way personal firewalls don't provide enough information on which to base an allow/deny decision, SpySweeper was unable to give me enough decision-support data for each of the suspicious cookies.  In fact, in many cases, it just provides you with a boilerplate explanation.  This, in addition to the fact that it flagged two cookies from my own company's Web site, undermined my confidence in the accuracy of SpySweeper's suspicions.  For example, I know my company's site issues cookies to maintain my login state (which, for ease-of-use reasons, I want maintained).  I worried that by deleting those cookies, my login state would get wiped out.  Not enough information was provided to help me through this decision.  Given the absence of accurate decision-support information when it comes to cookies from my own company, what should I make of the other 22 suspicious cookies?

It would be ridiculous for me to expect Webroot or Tenebril or any other anti-spyware vendor to independently catalog, perfectly identify, and recommend precise action on every cookie out there.  But, the industry could get together with vendors in other security verticals (e.g., anti-virus, personal firewalls) to build that centralized database.  To the database, my company could submit disclosures about the cookies it issues and links to its privacy policies.  To the database, software developers could submit disclosures about their software and its expected behavior.  Would this database be perfect?  No.  Could some spyware developer lie on their disclosure?  Yes.  But they'd get outed pretty quickly.

Of course, anti-malware vendors would probably rather not see such a database get developed.  To the extent that any individual anti-malware vendor is taking on this responsibility on its own (insanity) or feels as though it has come up with something that obviates the need for additional decision-support information (perhaps through its secret sauce), that vendor may see a centralized database as something that undermines its competitive advantage.  In fact, they should be seeing it the other way around.  Such a centralized database is the sort of standard platform on which they can build better products for their customers, and on whose data they can layer more comforting advice -- perhaps more comforting than what their competitors have come up with.  The bottom line is that if it makes sense to fingerprint malicious software, then it makes even more sense to fingerprint legitimate software (and cookies) too (something that anti-malware already does, but on a per-system basis instead of centrally).

On behalf of consumers and businesses that are threatened every day by malware, I'm reaching out to the anti-malware vendors -- the Tenebrils, the Webroots, the Zone Labs, the Symantecs -- to pull such a consortium together, to get the database up and running, and to support it in their products.  Such vendor-run and vendor-sponsored consortia are not unprecedented, and you know it would be a relief for legitimate software vendors and Web sites to have a way to reach users at decision time to help those users understand exactly what the ramifications of their allow/deny and eradicate/keep decisions are.  Users will appreciate it because the resulting software will be significantly less frustrating than it is today.

Finally, should the anti-malware industry get serious about pulling something like this together, then there are at least two companies that I think should be involved.  One of them is Verisign and the other is Uniblue.  Anybody who has ever downloaded an ActiveX control knows that Verisign has long been in the business of code-signing.  Code-signing is a technique that assures users that the code has not changed since it was issued by the developer.  In other words, it wasn't corrupted, or worse, infected between the time the developer issued it and the time you installed it onto your system.

Today, most anti-malware products use the same sort of technique to watch for changes to executable code.  To the extent that a centralized database of legitimate software, cookies, and Web sites might be developed, perhaps it could also include a list of legitimate developer-applied signatures to look for on all the software components being tracked.  Verisign has some experience in this business and, while I'm not suggesting that this portion of the proposed consortium be turned over to one company, my sense is that Verisign's experience in the area of distributing signed code might come in handy to a new consortium.

Why Uniblue too?  If there's one company that has developed some really good intelligence on existing software components, that company is Uniblue.  The company, formerly known as LI Utilities, has the most complete database on Windows software that I've seen.  I've come to rely on its product -- WinTasks -- not only to keep my system in tip-top shape, but also for decision support when my anti-malware asks me what to do.  How many times have you tried to figure out what all those programs listed in Windows' Task Manager are doing?  While WinTasks doesn't know about all of them, it knows about more than any other product I've seen.  Since I last tested WinTasks, the newest version of the software has gained some anti-malware-like features such as software block and allow lists.  (Users can ensure that certain executables never run on their systems while explicitly allowing others.)  In fact, on the basis of its database and WinTasks features, I wouldn't be surprised if LI Utilities gets swept up into some other vendor's anti-malware portfolio in the very near future.

Talkback

17 comments
  • Some great points and two arguments

    OK, great analysis of the state of malware defense. But a few counter arguments:

    On the matter of cookies for instance. There is a P3P standard that cookie publishers use to self validate that they meet several levels of privacy protection. IE is then configured to accept various levels of privacy protection in cookies. The trouble is, every single publisher of cookies complies with the default standard. No one "calls them out" if they violate these standards.
    If there were a central database of all software it would make things easy for the end user but it would be wide open for abuse. A nice distributed system like DNS could be used as a model. Imagine what would happen if that database got corrupted or DDOS'd! Your firewall would block everything (or allow everything, just as bad).

    So nice thoughts, but as long as there is movement and change in the computing world there will not be a central database of good stuff that works.

    On the competitive issues you raise: Tell me this. Say Vendor A, a start-up, has the ability to find and eradicate a particular menace. All of the magazines and reviewers give it the best ratings and it starts to succeed. Meanwhile, Vendor M, S, and M (you know who I mean) clamor for "standards" that really means: "give us your IP so we can do what you do". Is that the best thing? Should the innovator turn its IP over to the established players just so the "user" can see a problem solved without researching and *purchasing* new products?

    Market forces are at work here. OS vendors and Security companies are going to have to continue to invest in R&D to counter new threats.

    -Richard Stiennon
    Webroot
    The security blog at www.threatchaos.com
    stiennon
  • Signed Software

    As the author of a few freeware applications (i.e. http://serenesound.com ), I don't like the idea of requiring signed software. I could not afford to purchase the certificates and the third party testing that would probably go with them.

    Further, there are a number of malware detecting programs out there already. Microsoft gives one away for free. Just like I wouldn't run a computer without virus protection ten years ago and wouldn't run a computer without a firewall five years ago, today I wouldn't run my computer without several active malware detecting programs.

    I sometimes think that this process can be considered biological. Our bodies use a lot of energy and resources to keep opportunistic parasites/germs/viruses/etc. from managing to take over. Sometimes those defences need a little help. Other times our defences cause misguided damage when they attack the wrong thing. We'd all be dead much quicker without them.

    http://charlie.balch.org
    virtualcharlie
  • Hmm...

    Verisign? They will sign anyone's code.
    See:
    http://www.benedelman.org/news/020305-1.html

    Alex Eckelberry
    alexeck_z
  • About that database

    It seems to me that a huge database that is both publicly available, easy to use, AND comprehensive is one based on the basic rules used on the slashdot news site. This would work for validating and identifying spam by email clients as well.

    Any software vendor can enter their software in the database as needing access through personal firewalls, and your personal firewall client may be configured to not allow this software to access the Internet until it has been validated by at least two malware software vendors as being okay on the slash spyware site, or maybe not until more than 65% of reports say it should be allowed and there are more than 100 reports.

    Same for spam, when 10 or more 'trusted' users report a message, domain, address, IP address, content, header, or subject etc. as being spam, then your email client automatically slips it onto the blacklist. Blacklist additions can be made by anyone, but you can set your client to only add those blacklist entries that meet qualifying criteria, such as more than 95% of reports show it as spam, and there are more than 100 reports, or when more than one major antivirus vendor lists it as spam/worm/trojan etc.

    This type of database is accessible to everyone, and using weighted ratings, it's possible to stop most types of abuse. Despite the fact that there could be abuses, the fact that this data would be available to all Internet users free of charge makes it simple to keep up to date firewall and spam lists. This would go a very long way toward making cyberspace more enjoyable.

    Yes, I said free of charge. If all ISPs were to keep a mirror of the data, it would make global traffic more or less unaffected by all the downloads, and help to prevent things like DDoS attacks on the servers. At the point where this exists, what ISP could afford to not provide a mirror of it to their customers for free?
    zappepcs
  • Until you mentioned Verisign..

    I was with you until you suggested these egomaniacal monopolists as part of the solution.

    Were you asleep at the keyboard while they turned Network Solutions into the most-hated domain registrar around?

    Remember how they tried to usurp the web by redirecting misspelled or unknown domain names to their own ads by unilaterally changing how DNS works?

    Or perhaps you still like paying $350/year for an SSL certificate when you can buy the same thing from Thawte (which Verisign owns!) for $150 or from others like Comodo for only $50/year.
    spiv
  • Database open to corruption

    Despite triple-layer protection, within a month's time I got three of the worst malware around which effectively crippled my business computer (I think due to Comcast (still) flickering on and off, causing my firewall, Black Ice, to hibernate and not come on in time, I think - maybe not...). Bought three programs that promised to rout out about:blank - they didn't. Another with a free trial blocked it but didn't erase it. I paid for that one anyway on the "don't muzzle the oxen" theory.

    Advice from tech support was all the same - over and over again - wipe the disk and start over. I don't have time, so I limped along, researching, tinkering and tweaking. To make a long story shorter, on numerous geek sites, blogs, tech advice, etc. I found "solutions" which recommended correcting items in the registry which are supposed to be there, and without which, the computer won't work right. Finally fixed mine two months after it started, wasn't easy.

    Most amusing were the "free scans" which all found different numerous malicious spyware/adware/malware which included Klondike, ZDNet, CNet, CNN, etc. etc.

    I can imagine a database, improperly supervised, in which legitimate lines of code are reported as malware, and users' computers crash by the millions. Auto-reporting alone won't get it.

    I'm trying Microsoft's beta spyware and I think they are on the right track. I (gulp) checked the box for permission to transmit feedback on access or download attempts. Let's see where they run with it. I agree that something must be done or the proliferation of computer users and purchasers will slow down out of sheer frustration.

    Bess W. Metcalf
    http://sneakykitchen.com
    Bess
  • The desktop is not the place...

    The desktop is not the place to solve the problem of spyware, malware, and spam.

    The Internet connection is the central funnel through which these deviants arrive and is the best place to control it. (The desktop should be a 'last resort' extra barrier).

    The average computer user, whether at home or at a small-medium business that doesn't have fancy IT staffs and the budget to stay on top of technology, is not the place to wage the battle.

    Talk with real users, not computer geeks, yuppie excel jocks, or IT people and one discovers a few things:

    Many don't know how to install software applications at all. They use what came bundled on their computer and that's about it.

    Downloading an application from the Internet is something they have never done and do not know how to do.

    Updating software (whether it is the operating system, virus signatures, spyware databases) is something they don't understand they need to do, let alone do.

    How many times have you asked "Did you update your virus software?" and been told "What do you mean. My PC came with it."

    AOL is/was the only one that "gets this". AOL has always had the forced software upgrade when the user disconnects and for the most part, it works in getting the average consumer to keep their AOL software up to date.

    The server/carrier-grade technology actually works very well. As a web hosting company, we recently switched from a hodge-podge of commercial software applications to working with the Postini service.

    On my own email account, I removed my "catchall" alias so I would be receiving all kinds of junkmail and I proceeded to get 28,000 messages a day while Postini really did catch all the viruses and only lets less than 5 junkmails a day get through.

    If all the major ISP's and providers implemented server-side blocking, the problem would be greatly reduced if not completely obliterated in a relatively short amount of time.
    spiv
  • Block the money with a database of URL's

    What everyone seems to ignore is that most spam and spyware is trying to get the reader to buy something.

    The "call to action" may be an encrypted URL, but nonetheless the goal of most malware is to get the user (by trickery if need be) to visit a specific URL.

    If ISP's maintained a central database of these IP addresses (perhaps administered by a trusted non-profit 3rd party) and then if they programmed their routers to block access to these sites, the problem would be solved.

    It's fruitless trying to educate the consumer not to click on the links or be tricked to do so; if the target sites are simply made unavailable on a worldwide basis in near real-time, the financial rewards would diminish dramatically and to the point where the effort would no longer be worthwhile.
    spiv
    • Block the obfuscated URLs

      I like the idea of making URLs clearer. In particular, I don't see why my HTML and SMTP clients can't automatically detect a URL that is a wolf in sheep's clothing. A warning message should pop up when I try to click on something that is not what it pretends to be.

      For example, I'd get a warning if the description says Ebay and the link is not to Ebay.

      Charlie
      virtualcharlie
  • Truth, technology can not stop spam or spyware.

    Look, it's a constant one-upmanship and always has been. I build a better wall, the hackers get bigger tools to knock it down.

    At some point, somewhere, some time people are going to wake up to this and get serious about punishing those doing it. And no, I don't mean community service wrist slaps.

    Like a bad intersection, no one will fix it until someone dies from it....
    No_Ax_to_Grind
    • It's not the wall

      The problem is that you can make a bigger wall but you put more windows and doors in because the huge wall is ugly.

      Also community service isn't bad. Not sure what you have against it. I mean why not get something out of criminals instead of having them take millions then we fork out money keeping them locked up while they earn interest on their bank accounts in the Caymans. While they are in prison they get their free education.

      Personally I'd rather see white collar criminals cleaning gutters of my street for 10 years or picking up the needles and condoms from our parks.
      voska
    • You mean Microsoft technology or software can't stop it.

      It IS their fault.. design flaws ruin it for the rest of us.
      Xunil_Sierutuf
    • well I get practically no spam on three email accounts, and no spyware

      I don't get viruses and spyware since I run macs (I made the move in part for this very reason).

      I haven't got Tiger, so I haven't experienced this recent problem with the dashboard. I think that will be fixed in a few days in any case.

      I put spamassassin on the email server at work, but this has only marginal effect. Far more effective is incorporating the blacklists from spamhaus.org. After that... practically no spam!

      Hotmail seems to be ok at killing spam, sometimes puts good stuff into the spam box, but overall, it's a major improvement over the situation a few years ago.

      So I think you're wrong. Technology HAS stopped spam and spyware for me.
      hipparchus2000
  • I HATE These blogs!!!!

    The print is small and cramped. The posting is difficult to read. Why bother...
    voska
    • ..... lol...

      view ---> text size ---> largest

      *shakes head*
      Valis Keogh
  • Spybot Search & Destroy, and other freeware

    Spybot Search & Destroy works well and it's free. (Or consider Microsoft's new anti-spyware program.)

    Also get Javacool Software Spyware Blaster free from www.javacoolsoftware.com .

    Use a good free antivirus program such as Avast or AVG and a free firewall such as Zone Alarm.

    Free popup blocking is available with Firefox, the SP2 version of MSIE, or the Google Toolbar for older versions of MSIE.

    The spyware and malware writers don't have to win. The tools that protect you are there for the downloading. The only thing that keeps the bad guys going is that everyone isn't using the good and free protections that are available.
    Neil Parks
  • as if Windows and IE are not slow enough already you want to put a database

    lookup on every web browser click.

    that is not acceptable.

    we need the ISP's to take some responsibility here and stop that junk before it gets to the user.

    i know that's the big 'R' word that nobody likes to admit to. but it's true. the ISP has to bear some measure of responsibility for allowing this stuff just as a reporter has to bear some for shouting something from the rooftops that ends up getting people killed.

    if it takes a neighborhood to raise a child then it's gonna take everybody pulling together to stop unscrupulous marketers.

    yo.
    wessonjoe