
White Paper | September 2005

Potentially Unwanted Programs
Spyware and Adware

www.mcafee.com McAfee System Protection Solutions | October 2005

Table of Contents

What Are Potentially Unwanted Programs (PUPs)? 3
Behavior of Malicious Software 3
Types of PUPs 4
What Are the Risks Associated with PUPs? 6
How Do You Get PUPs on Your System? 7
How PUPs Work When Installed on a System 8
How Big Is the Problem? 9
McAfee VirusScan Online Figures and Trends 9
What Can Be Done about It? 10
Host-Based Products 10
Network-based IPS Products 11
Management and Policy Enforcement 11
McAfee Research 12
References 12

Spyware and Adware

What Are Potentially Unwanted Programs (PUPs)?

2004 saw a marked shift in the motives for malware writing from political or mischievous purposes towards financial gain. Identity theft, phishing, extortion by threatening distributed denial-of-service (DDoS) attacks, intellectual property theft, and selling compromised machine lists to spammers have become a common theme in malware. This trend began with the banking-specific autodialing in Bugbear.b and widespread utilization of Sobig.f-infected machines for spamming in 2003, and has become de rigueur in 2004, with widespread proliferation of keylogging, password-stealing, remote DDoS capabilities, and backdoor installation amongst most major threats in 2004.

It is unclear whether the malware authors are adopting techniques used by aggressive marketing companies, or whether marketers are using ideas spawned by malware authors, but there is clearly a war going on for the use of YOUR computer system and its data and resources. Today we have:

• Adware removing other adware
• Viruses removing other viruses and backdoors
• Viruses distributing adware
• Bot armies being stolen or compromised and re-purposed
• Viruses and PUPs intentionally shutting down, disabling, or weakening security tools like IE security settings, firewall settings, and anti-virus products

McAfee Research has for some time applied the technology developed for virus and Trojan detection to software products that, for whatever reason, our customers find objectionable. McAfee scan engines since version 4100 include an additional detection type (beyond virus or Trojan) called app or program.

So what exactly is this stuff, and what does it do? At a high level, PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of, and, in some cases, remove. PUPs are usually made by a legitimate corporate entity for some beneficial purpose (to whom they may be beneficial is debatable), but so alter the security state of the computer on which they are installed, or the privacy posture of the user using the computer, that most users will want to be aware of them.

Over the years, there have been a number of cases where a commercial entity of some kind produced a piece of code that was intentionally detected by anti-virus software, including McAfee®’s. Usually these fell into categories like:

• Utility programs repackaged and distributed as part of a root kit or remote access Trojan, and scripted or altered in such a way as to hide them or bypass all of the normal safeguards of the original application. Examples include IRC clients, FTP servers, sniffers, etc.
• Products which, by their very nature, are designed to ease administration by circumventing security measures or allowing remote administration. These sorts of programs, like password crackers, remote control programs, remote process creators, and the like, are natural backdoors for hackers or malware authors, and many users want to know if these programs are present on their systems.
• Applications that began as hacker tools or Trojans, but were good enough to find legitimate use as administrator software, e.g., Netbus.

Today a significant number of programs are using aggressive marketing techniques, akin to those long employed by spammers, to create more intrusive and, the developers would say, more effective products and services. The clear gap between malicious code written by anti-social teenagers and non-malicious code written by legitimate corporations is rapidly dwindling, where it exists at all. This aggressive marketing stance is even touted as “viral marketing,” a term perhaps more appropriate than intended. Viral marketing can be defined as using a consumer’s resources to generate more interest than could be achieved by direct marketing, with or without the consumer’s knowledge and consent.

Behavior of Malicious Software

There are essentially six types of behavior seen by our researchers in traditional malware:

• Installation—getting onto a system and modifying that system so the code runs frequently or every time the computer starts up
• Surveying—finding new targets; seen only in viruses
• Replication—getting onto those new targets; seen only in viruses
• Concealment—hiding the presence of or preventing the removal of the software
• Injection—getting inside the code or data of other innocuous processes on the system to gain additional privileges, achieve concealment, or deliver payload
• Payload—doing something to the host computer, communicating data to third parties, or receiving commands from third parties

Surveying and replication are only ever seen in viruses, but the other techniques used by both true malware and PUPs can be virtually identical. In fact, in McAfee Research’s experience, there are few or no functional differences between many PUPs and many Trojan horses except for the distribution of the former by a legitimate entity with an end-user license agreement (EULA).

Software that does one or more of the following is likely to be considered a PUP by McAfee Research:

• Bundling with other software, especially where the fact that the host software comes with additional components is not spelled out very clearly (Installation)
• Installing by taking advantage of an exploit (Installation)
• Failure to show taskbar or tray icons when running (Concealment)
• Hiding of processes, files, services, registry keys, or other evidence (Concealment)
• File names or resources that attempt to mimic system files or other third-party files (Concealment)
• Lack of a clear and obvious uninstall function (Concealment)
• Uninstall fails to work correctly, or installs or deletes files unrelated to the software (Concealment)
• Uninstall requires long surveys or other tricks to accomplish (Concealment)
• Firewalls, anti-virus software, or other security measures disabled (Concealment)
• Application (e.g., Internet Explorer) or operating system (e.g., Windows® Firewall) security settings altered (Concealment)
• Injection into other running processes (Injection)
• Downloading and execution of arbitrary third-party content (Payload)
• Interception, redirection, or retransmission of non-personal data (search keywords, URL history, etc.) to or by third parties (Payload)
• Interception, redirection, or retransmission of personal data (names, addresses, passwords, account names, banking information, etc.) to or by third parties (Payload)

Types of PUPs

McAfee Research breaks PUPs down into six major categories and an “other” category. Most PUPs are functionally similar, if not identical, to Trojan horses. In some cases, the software is innocuous by design, but can be easily misused in ways that have unintended security or privacy impacts.

Spyware

Software whose function includes the transmission of personal information to a third party without the user’s knowledge and explicit consent.

Adware

Software whose primary function is to make revenue through advertising targeted at the person using the computer on which it is installed. This revenue can be made by the vendor or partners of the vendor. This does not imply that any personal information is captured or transmitted as part of the software’s functioning, though that may be the case.

Password Crackers

Software designed to allow a legitimate user or administrator to recover lost or forgotten passwords from accounts or data files. When in the hands of an attacker, these same tools allow access to confidential information and represent a security and privacy threat.

Remote Administration Tools

Software designed to allow remote control of a system by a knowledgeable administrator. Remote administration tools, however, when controlled by a party other than the legitimate owner or administrator, are a large security threat.

Dialers

Software that redirects Internet connections to a party other than the user’s default ISP for the purpose of securing additional connection charges for a content provider, vendor, or other third party.

Jokes

Software that has no malicious payload or use, and does not impact security or privacy states, but that may alarm or annoy a user.

Other PUPs

Many innocuous pieces of software, such as FTP servers, have been misused to assist the replication or payload behaviors of traditional malware.

browser helper objects. McAfee does not detect all browser helper objects, though many adware components that happen to be browser helper objects are detected.

Browser Hijackers

Browser hijackers are programs that replace the browser home page, search page, search results, error message pages, or other browser content with unexpected or unwanted content. Browser hijackers may install cleanly and obviously, uninstall correctly, and make it very clear
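The paper's six behavior types and its list of PUP indicators (Installation, Concealment, Injection, Payload) can be turned into a triage rule set for an endpoint software inventory. The following Python is an added example, not McAfee's code and not part of the white paper: it scores a constructed inventory record against those indicators, including a look-alike check for the "file names mimic system files" item. The SoftwareRecord schema, the SYSTEM_FILE_NAMES list, and the sample records are assumptions constructed for illustration; a real deployment would populate the record from endpoint telemetry.

```python
"""Rule-based triage of installed-software records against the PUP indicators
listed in the white paper. Added example; the record schema and sample data
are constructed for illustration, not taken from any real product."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Short constructed list of well-known Windows binary names for the
# "mimics system files" check; a real deployment would use a fuller catalogue.
SYSTEM_FILE_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class SoftwareRecord:
    """Observations about one installed program (hypothetical telemetry schema)."""
    name: str
    image_path: str                        # full path of the main executable
    bundled_with: str = ""                 # host package it arrived with, if any
    bundle_disclosed: bool = True          # was the extra component clearly disclosed?
    installed_via_exploit: bool = False
    shows_ui_indicator: bool = True        # taskbar or tray icon while running
    hidden_artifacts: List[str] = field(default_factory=list)  # e.g. "process"
    has_uninstall_entry: bool = True
    uninstall_side_effects: bool = False   # uninstall touches unrelated files
    uninstall_needs_survey: bool = False
    disables_security_software: bool = False
    alters_security_settings: bool = False
    injects_into_processes: bool = False
    downloads_and_runs_content: bool = False
    transmits_nonpersonal_data: bool = False
    transmits_personal_data: bool = False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike names such as 'svch0st.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimics_system_file(image_path: str) -> bool:
    """True when the file name equals or nearly equals a system binary name but
    the file lives outside the system directories (a Concealment indicator)."""
    path = image_path.lower()
    if path.startswith(SYSTEM_DIRS):
        return False
    name = path.rsplit("\\", 1)[-1]
    return any(edit_distance(name, sys_name) <= 1 for sys_name in SYSTEM_FILE_NAMES)


def pup_indicators(rec: SoftwareRecord) -> List[Tuple[str, str]]:
    """Return (behavior, indicator) pairs from the paper's list that the record matches."""
    checks = [
        (bool(rec.bundled_with) and not rec.bundle_disclosed, "Installation",
         f"bundled with {rec.bundled_with} without clear disclosure"),
        (rec.installed_via_exploit, "Installation", "installed by exploiting a vulnerability"),
        (not rec.shows_ui_indicator, "Concealment", "no taskbar or tray icon while running"),
        (mimics_system_file(rec.image_path), "Concealment", "file name mimics a system file"),
        (not rec.has_uninstall_entry, "Concealment", "no clear uninstall function"),
        (rec.uninstall_side_effects, "Concealment", "uninstall touches unrelated files"),
        (rec.uninstall_needs_survey, "Concealment", "uninstall requires surveys or tricks"),
        (rec.disables_security_software, "Concealment", "disables security measures"),
        (rec.alters_security_settings, "Concealment", "alters application or OS security settings"),
        (rec.injects_into_processes, "Injection", "injects into other running processes"),
        (rec.downloads_and_runs_content, "Payload", "downloads and executes third-party content"),
        (rec.transmits_nonpersonal_data, "Payload", "sends non-personal data to third parties"),
        (rec.transmits_personal_data, "Payload", "sends personal data to third parties"),
    ]
    hits = [(behavior, text) for matched, behavior, text in checks if matched]
    # Each hidden artifact (process, file, service, registry key) is its own indicator.
    hits += [("Concealment", f"hides its {artifact}") for artifact in rec.hidden_artifacts]
    return hits


def triage(rec: SoftwareRecord) -> Dict[str, object]:
    """Summarise which behaviors are present and whether the record needs review.
    Personal-data transmission is the paper's defining spyware trait, so flag it."""
    hits = pup_indicators(rec)
    return {
        "name": rec.name,
        "behaviors": sorted({behavior for behavior, _ in hits}),
        "indicators": [text for _, text in hits],
        "pup_candidate": bool(hits),
        "spyware_trait": rec.transmits_personal_data,
    }


# Constructed sample records (not real products).
SAMPLES = [
    SoftwareRecord(name="Example Editor", image_path="C:\\Program Files\\Example\\editor.exe"),
    SoftwareRecord(name="SearchHelper",
                   image_path="C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe",
                   bundled_with="FreeScreensaver", bundle_disclosed=False,
                   shows_ui_indicator=False, hidden_artifacts=["process", "registry key"],
                   has_uninstall_entry=False, alters_security_settings=True,
                   transmits_nonpersonal_data=True),
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(triage(record))
```

The output is a list of matched indicators grouped by the paper's behavior categories rather than a verdict, because, as the paper notes, the same techniques appear in both legitimate software and Trojans; the analyst still decides, but the record that hides artifacts, mimics a system binary name from a temp directory, and has no uninstall entry is clearly the one to look at first.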