Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Bits and Pieces

Commentary: The Antivirus Industry Reacts to Spyware, and Some Other Stuff, Too

In October 2002, a company known as FriendGreetings hatched an aggressive marketing scheme that caused a mild uproar in the security field and forced antivirus vendors to decide how they would handle the detection of spyware and other gray-area programs. FriendGreetings concocted a “greeting card” program that would mass-mail itself to everyone in the infected user's address book. There was a EULA, but the truth was that no one would ever even look through it. The question at the time was: should it be detected at all? And, if it should be, as a worm or as an “unwanted application,” to avoid litigation issues?

The level of bravery in detection varied vendor by vendor. SOFTWIN was the most straightforward, detecting it as a plain mass-mailer. Computer Associates, H+BEDV, MKS, Panda, Symantec, and Trend Micro designated it a worm out of the box. ESET and Network Associates both originally called it an unwanted application, but later detected it as HideMinimized, saying that this particular part of the program was a Trojan Horse. Frisk Software, GeCAD, and Sophos detected it as an unwanted application and still do. Kaspersky Labs detects it as a “flooder” for some reason. To this day, it appears that Dialogue Science, Grisoft, IKARUS, and VirusBuster do not detect it at all. I found the reaction to this interesting.

Many years ago, in the early '90s, there was a large but fairly uninteresting family of kit-based viruses known as NuKE. One strain of NuKE even contained text stating that, as the virus was “copyrighted,” antivirus vendors could not legally add it to their detection lists. Every single antivirus vendor detected it anyway. NuKE's kit was mainly used by people we would now call “script kiddies.” There was no legal basis for these threats. And there was also little legal basis for any threats from FriendGreetings, a company so solid in its business practices that it used a Panamanian address, probably a fake one.

I am happy to say that antivirus companies now commonly detect all sorts of spyware. There was a good deal of discussion about this around the time FriendGreetings came out, and the consensus then was that such detection should be disabled by default or not present at all. Nowadays, the worst spyware offenders are detected by mainstream antivirus products. It is good to see that the developers of antivirus programs have realized that putting a corporate logo on a malicious program doesn't make it any less malicious.

On a similar note, it has been interesting to watch the development of the anti-spyware industry. Small developers like PepiMK (Spybot Search & Destroy) and Lavasoft (Ad-Aware) remain the top names in the game, despite giving their software away for free (PepiMK doesn't even offer an enhanced paid version of Spybot; all the money it receives comes from donations). Other small developers such as Webroot (Spy Sweeper), Bazooka (Adware and Spyware Scanner), and the Enigma Software Group (SpyHunter) also frequently appear in the Download.com Top 50. Many major players have tried to enter the anti-spyware field with paid products, with mixed results. Frequently, the “big guys” have received poor reviews for their products. Their delay in entering the field puts them at a major disadvantage, as they now face free programs that are better than their paid offerings. It will be interesting to see how this field develops over the next few years.

Posted: May 16 2004, 01:18 PM by trafton | with 1 comment(s)