Robert Lipovsky ESET
Daniel Novomesky ESET
Juraj Malcho ESET
In his 2009 paper 'Is there a lawyer in the lab?', Juraj Malcho discussed the thin boundary between legitimate and malicious applications, and presented the difficulties AV companies have encountered dealing with greyware or potentially unwanted applications (PUAs). The severity (and sensitivity) of the situation has been borne out by numerous legal cases.
Two years later, the state of affairs is an even greater pain in the butt. The swindlers have noticeably improved their scam plots and social engineering and the challenge for the anti-malware industry is as great as ever. And the technical aspects of the adware or other potentially unwanted applications is not what we have in mind. We're talking about the effort that the authors invest into trying to convince people that their software is legitimate. They're trying to persuade not only the potential victim - which is basically what every trojan does - but also those of us who are responsible for malware detection! In effect, deciding whether or not to detect a PUA is often peculiarly difficult for anti-malware researchers.
In this paper we discuss a range of issues from various blatant online scams to applications which are much less useful than they may seem at first glance. The common factor here is selling a pig in a poke to the everyday, trusting computer user. The shift from rogue security software towards various PC tuning applications is just one example of an obvious trend.
Indeed, the surface characteristics of such software differentiate it from typical trojans and other malware. But aren't the goals of the perpetrators in both cases fundamentally the same? And what is the role of an AV today? Just preventing infections of PCs from viruses, worms and trojans? Don't we also have a responsibility to keep the Internet clean and free of junk? This is about boxing the ears of those software vendors who only care about raking in the profits, but offer no value in return.
