Symantec's Antispyware Approach

Introduction

The word spyware elicits an immediate reaction from anyone who has surfed the Internet in the past couple of years. Pop-up advertisements, suddenly sluggish Internet connections, and strange icons that mysteriously appear on your desktop and refuse to be removed are all associated with a type of program called spyware. Although less common, these simple annoyances can cross the line into clearly malicious behavior. For example, the program may search for and steal confidential information such as user names and passwords for fraudulent purposes.

Given the relative newness of spyware and the wide variety of programs that have been grouped in this category, there has been a great deal of confusion regarding the programs and the security risk they pose to consumers and organizations. With over 20 years of experience protecting individuals and businesses from malware threats, Symantec can better help you understand and tackle the spyware problem. Symantec's unique antispyware approach is driven by the needs of our customers and partners, and our years of leadership in the security community. Through our antispyware approach, we empower users and organizations to regain control of their environment and systems, allowing them to keep the software they value while removing unwanted programs.

Security Threats and Risks

While threats such as Blaster, Welchia, and other headline-grabbing malware plagued the Internet in 2003, a silent problem caught hold as spyware programs proliferated across users' systems. In response to this new area of risk (which Symantec termed expanded threats), we began helping customers by enabling them to detect spyware and other undesirable programs on their computers using Norton™ and Symantec™ AntiVirus products. This protection provided much-needed help with a little-understood problem that was then eclipsed by noisier and truly destructive malware threats.

Times have changed considerably and Symantec's approach to what were once referred to as expanded threats has evolved to meet the challenges posed by programs that are now broadly referred to as spyware. Our antispyware approach is centered on clear definitions, hands-on risk analysis of spyware and adware programs, and helping customers easily understand and control what is on their systems through unambiguous guidance and robust removal of unwanted software.

This approach is based on years of experience handling similar security issues. For example, for years, Symantec products have enabled users to control whether or not content that may be acceptable to some but objectionable to others - such as adult content - is allowed on their systems. Our experience in addressing challenges such as this, which depend on user preferences and the location of their computers (i.e., at home or at the office), has shown us that education and flexibility are essential. With that in mind, Symantec's goal is to guide customers to making the best choice for themselves, their family, or their organization.

We also understand the importance of not "over-hyping" security problems, which creates unnecessary levels of fear and doubt while desensitizing people to the most critical threats. To this effect, Symantec makes a clear distinction between malware threats such as viruses, and possibly undesirable applications such as spyware and adware, which we categorize as security risks. Beyond spyware and adware, security risks also include dialer programs, remote access utilities, hacking tools, and other types of applications that may or may not be wanted on a system.

Defining Spyware and Adware

While there are many similarities across the definitions used by industry groups, academics, antispyware companies, and others, the industry has yet to arrive at a common description for this quickly evolving and often confusing area. Symantec defines spyware and adware as follows:

Spyware: Programs that have the ability to scan systems or monitor activity and relay information to other computers or locations in cyberspace. Among the information that may be actively or passively gathered and disseminated by spyware are passwords, log-in details, account numbers, personal information, individual files, or other personal documents. Spyware may also gather and distribute information related to the user's computer, applications running on the computer, Internet browser usage, or other computing habits.

Spyware frequently attempts to remain unnoticed, either by actively hiding or by simply not making its presence on a system known to the user. These types of programs can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger spyware by accepting a EULA from a software program linked to the spyware or by visiting a Web site that downloads the spyware with or without a EULA.

Adware: Programs that facilitate delivery of advertising content to the user through their own or another program's interface. In some cases, these programs may gather information from the user's computer, including information related to Internet browser usage or other computing habits, and relay this information back to a remote computer or other locations in cyberspace.

Adware can be downloaded from Web sites (often in shareware or freeware), email messages, and instant messenger programs. Additionally, a user may unknowingly receive and/or trigger adware by accepting an End User License Agreement (EULA) from a software program linked to the adware or by visiting a Web site that downloads the adware with or without a EULA.

Symantec's definitions do not imply a value judgment on the appropriateness of spyware and adware programs or the businesses that support their development and distribution. Symantec's definitions describe the functionality of these programs so that they can then be classified according to their risk profile.

Security Risk Assessment and Classification

While security risks such as spyware and adware can be seen as an extension of the malware problem, the existing classification system for threats such as worms and viruses (which are always undesirable and should be automatically removed from a computer) does not fit this new category of potentially unwanted applications. Given the important differences between malware threats and security risk programs, Symantec designed a risk classification system for rating adware and related applications that guides users to make informed decisions about what to keep and what to remove from their computers (see Figure 1). Using a risk calculator, this system scores the overall impact of applications in four different categories, providing a final designation of the application as a "high," "medium," or "low" risk alongside a recommendation as to how to proceed. The four categories used within the risk classification system (performance impact, privacy impact, ease of removal, and stealth), along with an overview of the risk rating system, are discussed in detail below.

Performance impact

One of the most troubling areas for users and administrators is the unexpected impact spyware and adware programs can have on a system or a network's performance. System crashes, bogged-down Internet connections, and unusual Web browser behavior all fall into the category of "performance impact," which measures the effect of a security risk program on a system's stability, speed, and performance. Programs that score higher in this category can produce wasted hours of troubleshooting, increased calls to the IT help desk, and/or irritating disruptions. A limited sample of application behavior considered for performance impact includes the following:

  • Does the program slow down the system or network connection?
  • Does the program impact system stability?
  • Does the program launch pop-up advertisements? If yes, how frequently?
  • Does the program serve as a means of downloading and installing other security risks (e.g., additional spyware and/or adware)?
  • Does the program replace the browser home page or alter search options/behavior?

  Rating | Basic Description
  High   | Significant impact on system stability and/or performance
  Medium | Frequent pop-up windows, home page replacement, redirection of Web pages and search results
  Low    | Minimal impact on system performance

Table 1. Performance impact classification guidelines used in Symantec's risk classification system

Privacy impact

While commonly invisible to the user, the violation of a user's and an organization's privacy by spyware - and less frequently, by adware - is a critical concern. The privacy impact of a security risk application indicates the extent to which it captures information about users from their behavior for use by a third party (i.e., the spyware or adware company). The information captured by the program ranges from basic Web browsing behavior to sensitive data such as user names and passwords which might be used in conjunction with identity theft or unauthorized transfers from a victim's bank account. Once captured, the user's information is typically transmitted back to the third party via the Internet but may also be sent via other means or stored locally. A limited sample of application behavior considered for privacy impact includes the following:

  • Release of confidential, sensitive information such as financial institution account numbers and passwords, other account numbers and passwords, credit card and social security identifiers, or other international equivalents
  • Release of less sensitive data such as tracking of Web surfing habits
  • Presence and consistency of a privacy policy

  Rating | Basic Description
  High   | Release of confidential, sensitive information such as financial institution account numbers and passwords, other account numbers and passwords, credit card and social security identifiers, or other international equivalents
  Medium | Tracking Web browsing and other similar user behavior, absence of a privacy policy (e.g., in a EULA), privacy policy inconsistent with observed behaviors
  Low    | No or minimal privacy impact

Table 2. Privacy impact classification guidelines used in Symantec's risk classification system

NOTE: While presenting a EULA that informs users of the type of information being captured and what is being done with it may imply lower risk compared with an application that does not do so, programs that present this type of disclosure can still be considered spyware by Symantec. An important aspect of spyware is the consideration of the user's expectation of what the software does, which is typically not readily understood through a EULA: an often very long document, presented in a small window and written in legal language that is difficult for most people to understand.

Ease of removal

Spyware and adware programs often resist removal in an attempt to prolong their stay on a system. Symantec's removal measurement is based on the relative difficulty of removing an unwanted application from a system. Behavior for this category ranges from applications that can be easily removed using a vendor-provided uninstall program to spyware and adware applications that embed themselves deep within the machine and all but refuse to be removed. A limited sample of application behavior considered for ease of removal includes the following:

  • Does the program avoid uninstall by a user, including unsolicited re-install and techniques to restart user-terminated processes?
  • Does the program offer a non-functional or incomplete uninstall program so that a security risk application continues to operate in spite of the user's wishes?
  • Does the program lack an uninstall feature or fail to register in the Microsoft Windows® Add/Remove Programs area?

  Rating | Basic Description
  High   | Avoidance of uninstall, non-functional or incomplete uninstall
  Medium | Lack of uninstall or self-guided uninstall instructions
  Low    | The security risk program can be effectively removed using a standard uninstall feature so that it no longer runs on the computer and minimal or no traces remain

Table 3. Ease of removal classification guidelines used in Symantec's risk classification system

Stealth

A common characteristic associated with spyware and some adware is that of stealth: the programs may attempt to install themselves without the user noticing, and then remain hidden in order to prevent detection and removal. The unexpected, seemingly invisible nature of this software allows it to remain on the machine and conduct its activities (e.g., behavior tracking, popping up advertisements, and so on) unbeknownst to the user. Stealth behavior ranges from a completely "silent" or unnoticeable installation and concealed operations to programs that inform a user of installation and are easily visible on the machine (i.e., users can see the program's icons/processes/etc. and understand how it arrived on their machine).

Application behavior considered for stealth includes, but is not limited to, the following:

  • Does the program install itself silently, with little or no indication to the user?
  • Does the program lack a user interface?
  • Does the program conceal its processes (e.g., hiding processes from the Windows Task Manager)?
  • Do the program's processes hide themselves from the user using an obscure name (e.g., ~tmp001)?
  • Do the program's processes hide themselves from the user using a common name that would normally be overlooked (e.g., explorer.exe, svchost.exe)?
  • Is the user notified of the presence of the program only through a EULA? Does the EULA appear to relate to a different program?

  Rating | Basic Description
  High   | Exhibits most or all stealth behaviors such as silent install, no user interface, and concealment of application processes
  Medium | Exhibits some but not all stealth behaviors such as silent install, no user interface, or concealment of application processes
  Low    | Normal installation and application behaviors

Table 4. Stealth classification guidelines used in Symantec's risk classification system

Symantec's Security Risk Assessment at Work

The following example illustrates how Symantec's security risk assessment is used to determine the likely impact of an adware program on a user's machine.

  Category    | Behavior | Score
  Performance | Frequent pop-up ads and consumption of a considerable amount of system resources | High
  Privacy     | Web surfing behavior is tracked, and information on the Web sites that the user is visiting is sent back to the adware vendor for analysis and delivery of targeted advertisements (e.g., pop-up advertisements) | Medium
  Removal     | The program does not include an uninstall capability and resists manual deletion by a user | High
  Stealth     | The program installs silently in the user's Web browser without notification or presentation of a EULA; its processes are visible in the Windows Task Manager | High

Table 5. Example of risk assessment for a high-risk adware program

Overall Rating: High Risk
Recommended Action: Automatic Removal

The overall risk score and rating are used by Symantec's LiveUpdate to ensure customers have up-to-date protection against spyware and other security risk programs.
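As an added illustration (not Symantec's risk calculator, whose exact scoring rules this paper does not publish), the following Python encodes the guidelines of Tables 1 to 4 as rules and applies them to the program described in Table 5. The field names, the pop-up and stealth thresholds, the "worst category wins" roll-up, and the action recommended for Medium and Low ratings are assumptions made for this example; the page gives only the High/Automatic Removal pairing.

```python
"""Rule-based encoding of the four-category security risk rating.

Added example; not Symantec's own risk calculator. Thresholds and the
roll-up rule are assumptions and are marked as such inline.
"""
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Observed:
    """Behaviours noted while analysing a sample (constructed field names)."""
    # Performance impact (Table 1)
    slows_system_or_network: bool = False
    destabilises_system: bool = False
    popups_per_hour: int = 0
    replaces_home_page_or_search: bool = False
    downloads_other_risks: bool = False
    # Privacy impact (Table 2)
    releases_confidential_data: bool = False
    tracks_browsing: bool = False
    has_privacy_policy: bool = True
    policy_matches_behaviour: bool = True
    # Ease of removal (Table 3)
    resists_uninstall: bool = False       # re-installs itself, restarts killed processes
    uninstaller_incomplete: bool = False  # uninstaller present but program keeps running
    has_uninstaller: bool = True
    in_add_remove_programs: bool = True
    # Stealth (Table 4)
    silent_install: bool = False
    no_notification_at_all: bool = False  # not even a EULA was shown
    no_user_interface: bool = False
    hides_processes: bool = False
    disguised_process_name: bool = False  # e.g. an obscure or look-alike name
    eula_names_other_program: bool = False


FREQUENT_POPUPS_PER_HOUR = 4   # assumed threshold for "frequent" pop-ups
MOST_STEALTH_BEHAVIOURS = 3    # assumed: 3 or more of 6 counts as "most"


def rate_performance(o: Observed) -> Rating:
    if o.destabilises_system or o.slows_system_or_network:
        return Rating.HIGH
    if (o.popups_per_hour >= FREQUENT_POPUPS_PER_HOUR
            or o.replaces_home_page_or_search or o.downloads_other_risks):
        return Rating.MEDIUM
    return Rating.LOW


def rate_privacy(o: Observed) -> Rating:
    if o.releases_confidential_data:
        return Rating.HIGH
    if o.tracks_browsing or not o.has_privacy_policy or not o.policy_matches_behaviour:
        return Rating.MEDIUM
    return Rating.LOW


def rate_removal(o: Observed) -> Rating:
    if o.resists_uninstall or o.uninstaller_incomplete:
        return Rating.HIGH
    if not o.has_uninstaller or not o.in_add_remove_programs:
        return Rating.MEDIUM
    return Rating.LOW


def rate_stealth(o: Observed) -> Rating:
    count = sum([o.silent_install, o.no_notification_at_all, o.no_user_interface,
                 o.hides_processes, o.disguised_process_name,
                 o.eula_names_other_program])
    if count >= MOST_STEALTH_BEHAVIOURS:
        return Rating.HIGH
    if count >= 1:
        return Rating.MEDIUM
    return Rating.LOW


def assess(o: Observed) -> dict:
    """Score the four categories and roll them up to an overall rating."""
    scores = {
        "performance": rate_performance(o),
        "privacy": rate_privacy(o),
        "removal": rate_removal(o),
        "stealth": rate_stealth(o),
    }
    overall = max(scores.values())  # assumed roll-up: the worst category wins
    # Only the High -> Automatic Removal pairing comes from the paper; the
    # action for Medium and Low is assumed to be leaving the choice to the user.
    action = "Automatic Removal" if overall == Rating.HIGH else "Prompt user to decide"
    return {"scores": scores, "overall": overall, "action": action}


# Constructed from the behaviours listed in Table 5 of the paper.
TABLE5_ADWARE = Observed(
    slows_system_or_network=True, popups_per_hour=12,
    tracks_browsing=True,
    has_uninstaller=False, in_add_remove_programs=False, resists_uninstall=True,
    silent_install=True, no_notification_at_all=True, no_user_interface=True,
)

# Constructed counter-example: disclosed, uninstallable adware that only tracks browsing.
DISCLOSED_ADWARE = Observed(popups_per_hour=6, tracks_browsing=True)


if __name__ == "__main__":
    for name, sample in (("Table 5 adware", TABLE5_ADWARE), ("disclosed adware", DISCLOSED_ADWARE)):
        result = assess(sample)
        print(name, {k: v.name for k, v in result["scores"].items()},
              "->", result["overall"].name, "/", result["action"])
```

Running the block prints the per-category scores for both constructed samples: the Table 5 program comes out High/Medium/High/High with an overall rating of High and Automatic Removal, while the disclosed adware scores Medium on performance and privacy only and is left to the user's decision.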

Security risk reclassification measures and false positives

There are times when a software vendor may feel that its product has been unfairly or inaccurately categorized by Symantec as a security risk program. When this occurs, Symantec offers an online form whereby the vendor can submit an inquiry to Symantec for further examination and resolution. In addition, Symantec offers a Web-based form for reporting false positive detections of spyware and adware.

Symantec's Global Intelligence Network and Security Response

Due to its long-time security leadership role, Symantec is uniquely positioned to tackle the challenges of spyware and adware. At the heart of Symantec's antispyware capabilities is the world's leading scalable security infrastructure, the Symantec Global Intelligence Network, with over 120 million desktop, server, and gateway antivirus installations that allow spyware and adware to be captured and transmitted back to Symantec Security Response centers for analysis. The global reach and size of this network gives Symantec unmatched insight into the spyware and adware problem, allowing us to greatly improve the ability of organizations and end users across the world to protect themselves.

Symantec Security Response centers - located in North America, Asia, Australia, and Europe - are manned by researchers who represent a cross section of the most highly-regarded security experts in the industry, offering customers 24x7 coverage for important security events no matter when they happen. The diversity of threats and security risks handled by the Symantec Security Response organization places it at the forefront of spyware research. For example, Symantec's antispyware researchers benefit from the understanding and expertise of not only their group, but also that of Symantec antispam specialists who monitor and analyze unsolicited email messages being used to deliver spyware program installers. Similarly, Symantec's intrusion experts provide analysis of the ways in which Web browser vulnerability exploitation can be used in conjunction with spyware to surreptitiously install the applications in a "silent" or "drive-by" fashion.

Spyware and adware are growing increasingly sophisticated, with some programs exhibiting traditional virus behaviors to avoid detection, such as changing shape and behavior or burrowing deep into a system's internals. Symantec's renowned expertise in eliminating malware, combined with a team of senior antivirus researchers, serves as a strong advantage in staying ahead of these security risks.

Conclusion

Symantec's antispyware approach, Global Intelligence Network, and time-tested expertise for combating security issues similar to spyware provide our customers with a full range of solutions that empower them to regain control of their systems and networks. Ultimately, these solutions and measures enable individuals and organizations to make informed decisions about whether to keep or remove unwanted software for improved productivity and better protection of their privacy.

The best defense against emerging security risks such as spyware and adware is collaboration amongst companies and organizations. Symantec is committed to working with industry groups, legislative bodies, law enforcement, and others to meet the considerable challenges and risks that spyware poses to users and organizations around the world.

For more information on spyware and adware, register at ses.symantec.com/antispyware to receive a free copy of Symantec's "Exploring Spyware and Adware Risk Assessment" white paper.