This article is from Windows Secrets Newsletter edited by Brian Livingston.

According to this article most malware removal tools are not very
effective and Spybot Search & Destroy and Adaware are no longer the most
effective tools--even together:

Kor

*Anti-adware misses most malware*

By Brian Livingston

*Now that 80% of home PCs in the U.S. are infected with adware and
spyware, according to one study
<http://WindowsSecrets.com/links/36983d/361c84h/?u=www.staysafeonline.info%2Fnews%2FNCSA-AOLIn-HomeStudyRelease.pdf>,
it turns out that nearly every anti-adware application on the market
catches less than half of the bad stuff.*

That's the conclusion of a remarkably comprehensive series of
anti-adware tests conducted recently by Eric Howes, an instructor at the
University of Illinois.

Howes, a well-known researcher among PC security professionals,
collected 20 different anti-adware applications. He then infected a
fresh install of Windows 2000 SP4 and Office 2000 SP3 with several dozen
adware programs in separate stages. Finally, he counted how many active
adware components were removed by each anti-adware product.

(Note: I use the single term "adware" in this article to refer to both
"adware" and "spyware." Since it's not necessary for a spyware program
to "call home" to be disruptive, the distinction between adware and
spyware is meaningless. All such programs display ads or generate
revenue for the adware maker in some other way.)

Howes's tests were conducted over a period of weeks in October 2004. His
results were mentioned at the time in several places, including Slashdot
<http://it.slashdot.org/article.pl?sid=04/11/23/0331228&tid=172&tid=158&tid=201&tid=218>
and eWeek
<http://WindowsSecrets.com/links/36983d/2a320eh/?u=www.eweek.com%2Farticle2%2F0%2C1759%2C1731474%2C00.asp>.


Unbelievably, however, none of these commentators bothered to print a
simple chart showing which anti-adware application did the best job at
removing the unwanted components. Even Howes himself hasn't posted such
a summary. In a telephone interview, Howes exhibited both modesty and
perfectionism, implying that his work wasn't yet done to his
satisfaction, despite the fact that his tests are some of the most
extensive I've ever seen.

Howes's test results sprawl over six long Web pages, with no overall
totals or summary of the figures. It's a daunting body of data, but its
bottom line is explosive. Adware seems to be evolving much faster than
anti-adware, and the battle is so far being won by the adware side.

For this issue of the Windows Secrets Newsletter, therefore, I've
compiled Howes's figures into a straightforward chart, shown below. I
removed five products that didn't complete all of Howes's tests for a
variety of reasons. What's left is a revealing rating, from the top to
the bottom of the anti-adware heap.

Each anti-adware application, according to Howes, removed a certain
percentage of "critical" adware components. These are executable .exe
and .com files, dynamic link library (.dll) files, and Windows Registry
entries (autorun commands and the like).

Almost all the anti-adware programs that were tested removed fewer than
half of the hundreds of adware components Howes cataloged. The best at
removing adware was Giant AntiSpyware, but even that program removed
less than two-thirds of a PC's unwanted guests.

*Giant AntiSpyware catches 63%, tests say*

Howes's tests were conducted before Microsoft Corp. announced
<http://WindowsSecrets.com/links/36983d/b30337h/?u=www.microsoft.com%2Fpresspass%2Fpress%2F2004%2Fdec04%2F12-16GIANTPR.asp>
in December that it was purchasing Giant Company Software outright. For
that reason, the tests use the version of Giant AntiSpyware that was
available in October and not the newer Microsoft beta version that's
currently available.

Even so, with Giant's application removing 63% of a PC's adware
components, and its nearest competitor, Webroot Spy Sweeper, removing
less than 50%, it's clear that Microsoft has a potential winner on its
hands.

In the following table, which was reviewed by Howes himself before its
publication here, the *Adware Fixed* column represents the percentage of
critical components successfully removed, not just detected, by each
product (higher percentages are better). The *False Positives* column
shows the number of benign Windows files that were incorrectly reported
by a product as adware (lower numbers are better):

        *Product*                     *Adware Fixed*   *False Pos.*
        Giant AntiSpyware             63%              0
        Webroot Spy Sweeper           48%              0
        Ad-Aware SE Personal          47%              0
        Pest Patrol                   41%              10
        SpywareStormer                35%              0
        Intermute SpySubtract Pro     34%              0
        PC Tools Spyware Doctor       33%              0
        Spybot Search & Destroy       33%              0
        McAfee AntiSpyware            33%              9
        Xblock X-Cleaner Deluxe       31%              1
        XoftSpy                       27%              3
        NoAdware                      24%              0
        Aluria Spyware Eliminator     23%              3
        OmniQuad AntiSpy              16%              1
        Spyware COP                   15%              0
        SpyHunter                     15%              1
        SpyKiller 2005                15%              2


Howes didn't test the anti-adware programs in the above list against a
program called CoolWebSearch (CWS). This little bugger mutates every few
days, it seems. CWS actually requires a completely separate anti-adware
program, CWShredder, which is constantly evolving along with the
nuisance. This is explained in more detail later in this article.

The fact that anti-adware products fail to remove all or even most
adware components has been an open secret among security professionals
for some time. For this reason, tech writers often say, "You should
install two different programs and run both of them for maximum protection."

To test this assertion, I compiled Howes's raw data into a new table
showing the removal rate of the best app, Giant AntiSpyware, with every
other tested product. According to this analysis, combining Webroot Spy
Sweeper with Giant AntiSpyware did the most to remove unwanted
components. But the combination of the two apps increased Giant's 63%
success rate only 7 percentage points, to 70%:

        *Giant AntiSpyware plus...*   *Total Adware Fixed*
        Webroot Spy Sweeper           70%
        Ad-Aware SE Personal          69%
        PC Tools Spyware Doctor       68%
        Pest Patrol                   67%
        Spybot Search & Destroy       67%
        SpywareStormer                67%
        Spyware COP                   66%
        Aluria Spyware Eliminator     65%
        Intermute SpySubtract Pro     65%
        NoAdware                      65%
        XoftSpy                       65%
        McAfee AntiSpyware            64%
        OmniQuad AntiSpy              64%
        SpyHunter                     64%
        SpyKiller 2005                64%
        Xblock X-Cleaner Deluxe       64%


Finally, the computer press often recommends that the two anti-adware
products that should be used together are Ad-Aware SE Personal and
Spybot Search & Destroy. That preference may have become the
conventional wisdom because both of these products have low-end,
freeware versions. PC World
<http://WindowsSecrets.com/links/36983d/211307h/?u=www.pcworld.com%2Freviews%2Farticle%2F0%2Caid%2C115939%2Cpg%2C6%2C00.asp>,
PC Magazine
<http://WindowsSecrets.com/links/36983d/6095b4h/?u=www.pcmag.com%2Farticle2%2F0%2C1759%2C1618804%2C00.asp>,
and other publications have recommended this combination as recently as
June and August, respectively.

Ad-aware and Spybot may have been a great combo back then. But adware
apparently moves much faster than these two companies do. According to
Howes's data, the two programs together barely removed half the adware
components on an infected PC:

        *Ad-Aware SE Personal plus...*   *Total Adware Fixed*
        Spybot Search & Destroy          54%


I found no combination of any two anti-adware programs that removed more
adware components than Giant AntiSpyware and Webroot Spy Sweeper, based
on Howes's data. Removing only 70% of adware, unfortunately, isn't good
enough. A much better strategy is to prevent adware from getting into
your systems in the first place. I'll cover that next.
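To make concrete why pairing two scanners adds so little, here is an added example (my own illustration, not code from the article and not Howes's data) that models each tool's result as the set of component ids it removed, computes a combined rate as a set union rather than a sum of percentages, and searches every pair the way the article did; the four tool names and their removal sets are constructed.

```python
"""Union coverage of two removal tools (added example, constructed data)."""
from itertools import combinations

# Constructed sample: 20 critical components, numbered 0..19.
TOTAL_COMPONENTS = 20

# Constructed per-tool removal sets: which component ids each tool fixed.
# Tools that mostly remove the same "easy" components add little when paired.
REMOVED = {
    "Alpha": set(range(0, 13)),                 # 13/20 = 65%
    "Beta":  set(range(0, 8)) | {13, 14},       # 10/20 = 50%, overlaps Alpha heavily
    "Gamma": set(range(4, 10)) | {15, 16, 17},  #  9/20 = 45%, but 3 are Alpha misses
    "Delta": {0, 1, 2, 18},                     #  4/20 = 20%, only one Alpha miss
}


def rate(tools, removed=REMOVED, total=TOTAL_COMPONENTS):
    """Fraction of components fixed by running every tool in `tools`.

    A component counts as fixed if at least one tool removed it, so the
    combined figure is a set union, never the sum of the percentages.
    """
    fixed = set().union(*(removed[t] for t in tools))
    return len(fixed) / total


def marginal_gain(base, extra, removed=REMOVED, total=TOTAL_COMPONENTS):
    """Whole percentage points gained by adding `extra` to `base`."""
    alone = len(removed[base])
    together = len(removed[base] | removed[extra])
    return round(100 * (together - alone) / total)


def best_pair(removed=REMOVED, total=TOTAL_COMPONENTS):
    """Check every pair exhaustively; return (rate, (tool_a, tool_b)) for the best."""
    return max(
        ((rate(pair, removed, total), pair) for pair in combinations(sorted(removed), 2)),
        key=lambda item: item[0],
    )


if __name__ == "__main__":
    for name in REMOVED:
        print(f"{name:6s} alone: {rate((name,)):.0%}")
    for other in (n for n in REMOVED if n != "Alpha"):
        print(f"Alpha + {other:6s}: {rate(('Alpha', other)):.0%} "
              f"(+{marginal_gain('Alpha', other)} pts)")
    print("best pair:", best_pair())
```

Note that the weaker partner is not automatically the worse choice: Gamma scores lower than Beta alone but adds more to Alpha, because what matters is how many of the leader's misses the second tool covers.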

*How to defend yourself against adware*

First, let me make my opinion clear: The installation of adware should
be illegal and harshly punished. Adware has exploded because it offers
big economic incentives for its sponsors. They'll never adequately
inform PC users about their software before it's installed. This
troubling aspect of adware will never be wished away.

Only software that a PC user specifically consents to should legally be
able to install, and "end-user license agreements" that stretch off the
screen should never be counted as consent. (This isn't a knock on
"ad-supported software," such as the Opera browser. Such legitimate
software is clearly integrated with its advertising and makes it easy to
shut off the ads by registering.)

In reality, today's tech-illiterate legislatures will never ban adware --
if they could even think of an effective legal approach to do so. We
need to engage the battle on a technical level instead.

To understand adware, you first need to know how PCs get it. The ways
that Howes obtained the adware he used in his tests provide us with some
perfect examples:

    * *Software downloads.* For one group of tests, Howes downloaded and
      installed Grokster, a popular peer-to-peer file-sharing program,
      from CNET Download.com. Installing Grokster and clicking OK in its
      subsequent dialog boxes loaded 15 separate adware programs,
      containing 134 "critical" executable components, by Howes's count.
      This source of infection would compromise even Windows XP with its
      new Service Pack 2 (SP2).
    * *Drive-by downloads.* To set up another group of tests, Howes used
      Internet Explorer to visit the following Web locations: 007 Arcade
      Games (a games site), LyricsDomain (a song lyrics site), and
      Innovators of Wrestling (yup, a wrestling site). This resulted in
      23 different adware programs being installed, carrying 138
      components, Howes says. Drive-by downloads such as these are now
      less of a problem for users who've installed XP SP2.
    * *You can't step into the same river twice.* For yet another test,
      Howes visited the wrestling site again, but on a different date.
      The makers of adware must have signed a lot of distribution
      contracts with the site in the interim. Howes says his PC picked
      up 25 adware programs and 153 components on that one visit alone.
      (You'll notice that I didn't link to the examples I cited above,
      and I strongly recommend that you avoid trying any of them.)

It's not enough to say "PC users should be more careful." Computer
professionals, instead, have a duty and an obligation to prevent adware
from infecting their PCs or anyone else's. Here are some steps to take:

    * *Use Giant AntiSpyware (or install the MS beta), Webroot Spy
      Sweeper, and CWShredder.*
      At the moment, this is the short list of programs that appear to
      remove the largest number of adware components. I recommend that
      you buy the registered versions of these applications and keep
      them constantly updated. The few dollars involved are well worth
      it, compared to the damage that can be done by a rogue program
      controlling your PC.

      Microsoft hasn't yet announced whether its version of the Giant
      application will cost money or be free after the beta period is
over -- stay tuned. (Note: The MS beta is incompatible
      <http://WindowsSecrets.com/links/36983d/2ba995h/?u=support.microsoft.com%2F%3Fscid%3Dkb%3Ben-us%3B892374>
      with the MS Media Center Extender and has other 0.9-type issues.)

      See Giant AntiSpyware download
      <http://WindowsSecrets.com/links/36983d/421893h/?u=www.download-ware.com%2FUtilities%2FSecurity%2FGIANT_AntiSpyware_31269.html>,
      Microsoft AntiSpyware beta
      <http://WindowsSecrets.com/links/36983d/5f5deah/?u=www.microsoft.com%2Fathome%2Fsecurity%2Fspyware%2Fsoftware%2Fcurrentcustomers.mspx>,
      Webroot Spy Sweeper
      <http://WindowsSecrets.com/links/36983d/2ab345h/?u=www.webroot.com%2F>,
      CWShredder
      <http://WindowsSecrets.com/links/36983d/e3bd4bh/?u=www.intermute.com%2Fspysubtract%2Fcwshredder_download.html>.


    * *For prevention, install IE-SPYAD and Spyware Blaster.* IE-SPYAD
      is a list maintained by Eric Howes of approximately 8,900 Web
      sites that are known to do things like install adware, hijack your
      browser home page, etc. Merging the list into your Windows
      Registry puts these sites into IE's Restricted Sites zone. They
      can't do much of anything to you then. The list, as of this
      writing, requires manual updating, but Howes hopes to automate the
      process soon.

      Spyware Blaster is freeware by Javacool Software that Howes
      recommends to guard against adware installs. A registration fee
      of $9.95 USD enables the auto-update feature of the software,
      which Howes encourages. Javacool also makes a related program,
      SpywareGuard.

      As commercial anti-adware programs develop their own always-on
      defenses, they may conflict with alternatives such as Spyware
      Blaster. Check the maker's documentation for possible
      incompatibilities before installing multiple products.

      See IE-SPYAD
      <http://WindowsSecrets.com/links/36983d/527e23h/?u=netfiles.uiuc.edu%2Fehowes%2Fwww%2Fresource.htm>,
      Spyware Blaster
      <http://WindowsSecrets.com/links/36983d/78b990h/?u=www.javacoolsoftware.com%2Fspywareblaster.html>.
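As an added illustration of the mechanism IE-SPYAD relies on (example code written for this page, not IE-SPYAD itself or any part of its list), the following builds a .reg file that assigns hostnames to Internet Explorer's Restricted Sites zone through the ZoneMap\Domains registry layout; the three hostnames are constructed placeholders, not real adware sites.

```python
"""Generate a .reg file placing hostnames in IE's Restricted Sites zone.

Added example. The registry path and zone number are Internet Explorer's
real ZoneMap layout; the BLOCKLIST entries are constructed placeholders.
"""
import re

ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
# Zone ids: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
RESTRICTED_ZONE = 4

# Constructed placeholders, not real adware hosts.
BLOCKLIST = ["bad-adware.example", "www.drive-by.example", "toolbar.example"]

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def domain_key(domain):
    """Map a hostname to its ZoneMap key.

    IE stores 'www.drive-by.example' as Domains\\drive-by.example\\www: the
    registrable domain is one key and any leading labels become a subkey.
    A bare 'drive-by.example' key covers the domain and all its subdomains.
    Rejects anything that is not a multi-label hostname so a stray entry
    cannot create an unexpected key.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"invalid hostname: {domain!r}")
    base = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return f"{ZONEMAP}\\{base}" + (f"\\{sub}" if sub else "")


def build_reg(domains, zone=RESTRICTED_ZONE):
    """Return the text of a .reg file assigning every domain to `zone`.

    The value name "*" applies the zone to every protocol (http, https,
    ftp); naming the value "http" instead would restrict it to one scheme.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in sorted(set(domains)):
        lines += [f"[{domain_key(d)}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg(BLOCKLIST))
```

Merging the generated file with regedit adds the keys under the current user only; the same layout under HKEY_LOCAL_MACHINE applies machine-wide when the zone map is configured for all users.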

    * *Read up on Eric Howes's site.* Aside from Howes's postings about
      his anti-adware test suite, linked to below, a particularly good
      read is his analysis of so-called anti-adware programs that are
      actually Trojan horses. People are so desperate to get rid of the
      adware that's slowing their systems to a crawl, Howes says, that
      too often they grasp at anything that promises a fix. See his list
      of rogue/suspect anti-spyware
      <http://WindowsSecrets.com/links/36983d/0bb122h/?u=www.spywarewarrior.com%2Frogue_anti-spyware.htm>.

    * *For big problems, consider stronger tools.* HijackThis, for
      example, is a deep-analysis utility that examines the Registry and
      sectors of hard disks where adware often lurks. It's not a tool
      for novices, but a serious scalpel for those who are faced with
      major surgery on their PC. It produces log files that can be
      analyzed by experts, many of whom help PC users by volunteering
      their time in online forums. See the HijackThis quick start
      <http://WindowsSecrets.com/links/36983d/8e8962h/?u=www.tomcoyote.org%2Fhjt%2F%23Top>.

    * *Keep your security baseline updated.* In this issue of the
      Windows Secrets Newsletter, we've begun a regular section on the
      six elements needed to protect your PC. This section appears below.

It's absolutely absurd that PC users must download, install, and update
multiple programs just to keep their machines from silently accumulating
crapware from morally-challenged Web sites. It's criminal that the
leading ISPs and software giants of the world didn't move earlier to
prevent these nuisances from taking over the majority of consumers' PCs.

The underlying reason that adware has compromised the entire Internet is
that there's big money to be made. The best analysis of this I've seen
is by Benjamin Edelman, a Harvard Law School student. He's documented
almost $140 million in recent investments by Silicon Valley venture
capitalists in just four of the largest adware makers. See his list of
adware angels
<http://WindowsSecrets.com/links/36983d/8b80c9h/?u=www.benedelman.org%2Fspyware%2Finvestors%2F>.

For those who are interested in deeper research on adware, links to Eric
Howes's raw data on his comparative tests are posted on his anti-spyware
testing
<http://WindowsSecrets.com/links/36983d/7ee031h/?u=spywarewarrior.com%2Fasw-test-guide.htm>
page.

To send us more information about adware, or to send us a tip on any
other subject, visit WindowsSecrets.com/contact
<http://WindowsSecrets.com/links/36983d/37ef18h/?u=WindowsSecrets.com%2Fcontact>.
You'll receive a gift certificate for a book, CD, or DVD of your choice
if you send us a comment that we print.