January 8, 2018
What's the difference between malware and legitimate software?
Just as malware is often purported to be legitimate software, legitimate software sometimes uses unethical marketing and operating practices. Some folks term this “Shadyware.” It is marketed as useful software, which it may be in part, but it also contains annoying or harmful functionality that negatively impacts the user’s security.
The line between malware and legitimate software can sometimes be a very fuzzy and grey one. Due to (mostly) lawyers and their ilk, programs that straddle the line between useful and malicious are referred to as PUPs - potentially unwanted programs.
Part of the problem we are dealing with lies with the very usefulness of computers, and the versatility with which they may be programmed. Behavior that is helpful in one context (e.g. detecting password fields and storing their contents, which is necessary for the operation of password managers) can be harmful in other contexts (e.g. keyloggers, which use the same functionality, but send this information to someone else for typically malicious purposes).
Further, techniques that are developed in one area can also be repurposed for malicious activities in another. For example, shims, which are small programs that fit on the interface between other programs and encrypt everything written to disk, and are a necessary part of many data-at-rest protection solutions, can be repurposed for malicious activities (same thing, but sending the key offsite so criminals can hold your data for ransom).
There are numerous examples of techniques that have been adapted from the legitimate market to the malicious one. Given this, it is perhaps not all that surprising that some members of the 'legitimate' market have similarly been tempted into using the malicious market's techniques.
Sadly, many examples of this kind of turnabout-is-fair-play operation are out there, and some of these have become very prominent in recent months.
For instance, late last year, the "eFast Browser" specifically tried to hijack the preferred browsers of users, removing associations to the legitimate Chrome/Chromium browser and replacing them with the eFast version - a variant on Chrome that was specifically built to pop up ads, some of which directed users to even more malware. You may recall that such display ads can themselves also frequently lead to problems .
Recently, very similar behavior has been seen on the part of 'legitimate' security vendors. An example of this is Comodo. When users install the company’s product, it installs a replacement 'Chromodo' browser to replace Chrome. This is similar to the eFast switch, in that it installs the duplicate browser in order to bypass certain protections that Chrome has in place to prevent malware from executing - but which can also prevent certain 'traditional' antivirus hooks from being used to monitor web usage.
Comodo has also been implicated in providing another attack surface by installing a VNC server - a kind of remote desktop provider - onto machines that it's installed on. This is a tactic used in those "Indian Tech Support" scams, where purported 'support personnel' try to convince you to pay them to fix problems with your computer that either don't exist or which they caused in the first place.
The motivation for rolling out a whole-browser replacement is very similar in both the cases of eFast and Comodo. The security built into today's browsers prevents older tactics from working, so they're forced to fool users into using replacement browsers instead in order to be able to keep performing the same actions.
This isn't entirely new behavior, but there have been several recent examples of antivirus software overstepping bounds and re-opening vulnerabilities that application developers had carefully closed to protect users.
Who Watches the Watchmen?
Incidents like this blur the line between malware and 'legitimate' software, especially when the motivation behind the software’s behavior is the same for both illegal and legal actors. Both the antivirus industry and the scammers are after your money, both of them recognize that certain tactics are effective for maintaining the persistence of their software on your computer, and both of them realize that advances in computer security by the industry at large are threatening their preferred business models.
The reputable part of the antivirus industry still offers some benefits to users, in that it manages to prevent known infections from taking hold - but this benefit is being eclipsed somewhat by both advances in operating system and browser technologies that also work to prevent infections from taking hold, and the actions of less reputable members of the industry.
Unfortunately, the public perception of the reputable part of the antivirus industry ends up becoming tainted by the actions of the unethical part. In a case of "one bad apple spoils the whole barrel", this causes people to be more and more reluctant to install and maintain antivirus software on their systems.
This, in turn, reduces profits for AV vendors and causes them to seek revenue more aggressively using other means, which may ultimately result in once-reputable companies following the examples above, and adopting the malicious practices of the very actors that their products are trying to defeat.
It's a vicious cycle, and one which is likely to continue for some time.
Is An Antivirus Still Worth It?
That's become a difficult question. Ten years ago - even five years - I myself was fully recommending it for everyone, business and personal users alike.
However, as of late, I've become much more cautious. Leaving aside questions of compliance, the fact of the matter is that antivirus has become less and less useful overall, both due to the ways in which the threats have evolved, and the ways in which operating system and application vendors have chosen to mitigate them.
Regularly pushed updates are commonplace now. Reputable vendors typically push updates on a monthly basis, and sometimes (in the case of web browsers especially) even more often. Given that the overwhelming majority of successful infections of people's computers are via vulnerabilities that have been patched but not applied, the single most effective measure that a user or administrator can take is to make sure that their operating system and all applications are properly patched on a regular basis.
After all, if malware attempts to exploit a vulnerability that isn't there, it won't be able to succeed regardless of whether antivirus software is present or absent.
This approach should be combined with certain "best practice" hygiene measures: taking and verifying regular backups; implementing "least privilege" controls, like group policies to prevent users from changing configurations; segmenting networks (if appropriate - it is for businesses, but not necessarily for home); installing and using password managers; installing and maintaining an adblock plugin for browsers or sinkholing ads on the network.
The more you implement such practices, the more dramatically the likelihood of being exposed to a live threat drops, and those threats that do manage to get through will be contained more easily.
In such environments, antivirus software becomes either largely redundant, or if it's one of the examples given earlier, a product that actually undermines security, because it nullifies some of the best-practice hygienic measures listed above.
However, many home users and far too many businesses do not follow these best practices. They put off updates for months (or even years!). They let everyone have an administrator account with unfettered access. They leave their networks flat and wide-open. They don't make regular backups. They allow ads to display. In these situations, where basic hygiene is being ignored, an antivirus program would still have relevance, as there's nothing else in the environment that is providing any security whatsoever.
So while an antivirus is probably not needed in a network that is well-maintained and administered, there are still many networks out there that are not maintained or administered properly. Thus, in limited cases, it may well be appropriate to rig a browser with telltales and have it call home, because those environments are hazardous enough that the increased attack surface of an antivirus program is far eclipsed by the bad practices of the users.
Shadyware is fuzzy, grey and not at all lovable. Shadyware, unlike standard PUPs, is more than just inconvenient. It misleads the user, and increases their risk by disabling security features while telling the user they're helping. While not excusing the bad conduct of the vendors listed above, we do see some perspective as to why they do it and why they are able to get away with it. Infosec professionals have the responsibility to call out bad behavior by vendors as well as educating less-knowledgeable users about issues such as Shadyware.
Cross post by Eric Rand