How to fix spyware

Malware won't go away until we get smarter. Expecting more from the anti-malware vendors would be a good first step.
Written by Rupert Goodwins, Contributor
Christmas comes and Christmas goes, a time of family, friends and tradition. There is one new tradition I would happily convert to Buddhism to avoid, however: the festive deinfestation of the computers. Seeing as you're here, Rupert, my Dell's running a little slow. Here's a mince pie, try not to get the crumbs in the keyboard. And what's with the rude pop-ups?

The latest spyware is smart, subtle and hideously tenacious. It hooks into multiple parts of the Windows start-up sequence, and intercepts attempts to edit files such as the registry. Its filenames are invented anew each time it installs itself: it monitors its own components and replaces them if they're deleted. It is impossible to remove this stuff unless you boot up with an uninfected copy of the operating system: even then, a high order of surgical skill is necessary to unhook each of its tendrils from around your computer's heart.

It used to be simple to boot up a computer with a clean copy of the operating system: you kept a prepared, write-protected floppy disk to hand. Put it in, restart the computer and the universe begins anew. These days, XP is far too grand for mere floppies – assuming you could read such fossils in the first place – and it can't run directly from CD, so you have to do a system restore and hope that catches the nasties. Or you can back up your data, reformat and reinstall your applications, a painful and error-prone process.

So why have no anti-malware vendors produced a fully featured, bootable scanner and spyware-removal tool? Trying to base one around Windows would be a bad idea. I don't know how much money Redmond wants to license a run-time version of the OS to distribute with your software, but it won't be peanuts. It won't be easy to cut it down to fit portable media, either.

You don't need Windows to read and write a Windows-format hard disk, though. There's no reason a perfectly good scanner and disinfector can't be written to run under one of the open-source operating systems – with the bonus that you can easily create your own version of the OS with just the bits you need. Boot your PC from that, and the OS will see the infected drive as just another device full of data. The malware hasn't got a chance. If I could carry that around on my USB keychain -- and a credit-card-sized CD in my wallet for those PCs which can't boot from USB -- my holidays would be a lot less stressful.
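As an added illustration of the offline-scanning idea above (example code, not from the column or any vendor's product): once the infected drive is mounted under another OS, a scanner just walks its autostart folders and hashes what it finds, and nothing on that drive can intercept the reads or replace itself. The threat database here is a constructed one-entry blocklist, and the "volume" is a throwaway directory laid out like an XP system drive.

```python
import glob
import hashlib
import os
import tempfile

# Constructed blocklist: SHA-256 of files a (hypothetical) threat database knows.
# A real tool would load a signed, regularly updated database instead.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ constructed-spyware-sample").hexdigest(): "Constructed.Spyware.A",
}

# Per-user Startup folders, relative to the mounted volume root (XP and Vista+ layouts).
STARTUP_GLOBS = [
    "Documents and Settings/*/Start Menu/Programs/Startup/*",
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_volume(mount_point):
    """Hash every file in the autostart folders of an offline-mounted Windows volume.

    The volume is not the running OS, so it is plain data: nothing on it can hide
    files, hook the reads or re-create itself while we look.
    Returns (path relative to the mount, sha256, verdict) tuples.
    """
    findings = []
    for pattern in STARTUP_GLOBS:
        for path in sorted(glob.glob(os.path.join(mount_point, pattern))):
            if os.path.isfile(path):
                digest = sha256_file(path)
                verdict = KNOWN_BAD_SHA256.get(digest, "unknown")
                findings.append((os.path.relpath(path, mount_point), digest, verdict))
    return findings


def build_constructed_volume():
    """Build a throwaway directory shaped like an XP drive: one benign file, one 'spyware'."""
    root = tempfile.mkdtemp(prefix="offline-volume-")
    startup = os.path.join(root, "Documents and Settings", "rupert",
                           "Start Menu", "Programs", "Startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\n")
    with open(os.path.join(startup, "xk7fq2.exe"), "wb") as f:  # randomised name, as described
        f.write(b"MZ constructed-spyware-sample")
    return root


if __name__ == "__main__":
    for rel, digest, verdict in scan_volume(build_constructed_volume()):
        print(f"{verdict:22} {digest[:16]}  {rel}")
```

On a real rescue boot you would point `scan_volume` at the read-only mount of the Windows partition rather than at the constructed directory.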

This would be an excellent open source project with plenty of opportunities for revenue, were it not for the need to have a permanent team of highly skilled threat analysis monkeys on tap. Malware evolves at a terrifying rate, and any respectable product has to keep up. Writing the software is one thing, keeping the database current is quite another.

In an ideal world, the researchers from the various anti-malware companies would publish and share their databases. There is no chance of this happening. Not only do they see this information as their crown jewels, they actively prosper from the fact that no one company has a perfect record. Read any anti-malware review, and you'll see the recommendation that you run at least two products, just to be sure – thus doubling the size of the market. Too tasty to give up just for the sake of the users.

There are several possible ways to bypass this sorry state of affairs. Microsoft should have no interest in profiting from problems it has at least some responsibility for. It's already bought Giant Software and started giving away the product in mute acknowledgment of problems it has a duty to fix. By publishing its threat database it would encourage a healthier environment. Alternatively, threat analysis by skilled volunteers could be coordinated online just as any other project: for something that has such advantages for everyone in the IT community, employer support should be forthcoming.

Whatever it takes, there has to be a step change in the protection the community wants to give itself. There are plenty of good anti-malware products, but none is good enough. The products are reactive, not innovative: the market has painted itself into a lucrative corner. And I -- and countless other IT problem-solvers around the world -- would like our Christmases back, please.
