Security Experts:

Into the Fog of Greyware

There are Tons of Applications and Code out there that are not Overtly Malicious, yet do Spyware-like Things Without the user’s Knowledge and Reduce the Security Posture of the Client Machine. 

Malware has been making headlines for the last few years, and quite a lot of the coverage has rightly focused on the very sophisticated end of the malware spectrum. Targeted malware designed to break into organizations and steal corporate secrets and malware capable of taking over SCADA systems is news no matter how you look at it. However, there are interesting things going on at the grey end of the malware spectrum as well, which also have the potential to make a similarly large impact to network security.

Adware, GreywareCustomer data is one of the most valuable assets on the Internet. Remember that the titans of the Internet (think Google and Facebook) primarily make money by selling advertising. They command the attention of the most people on the Internet, and so they can command advertising fees for granting access to them. Privacy and security issues around these platforms have already gained quite a bit of attention, and the expectation is that this watchfulness will continue. Yet things get more complicated, because other companies want to build their own social environment and get access to all your data as well, but don’t have the natural advantages of a ubiquitous search platform or a social networking hub. As a result, you see lots of browser add-ons, toolbars and other applications that more or less mimic the behavior of spyware by collecting information about the user and may even be changing security settings on the user’s device.

Take the recent example of Download.com. CNET’s Download.com has long been a place where many would go to download freeware or shareware because there was some modicum of confidence that the download was free of malware. This is obviously a big benefit because freeware provides a great vehicle for a hacker who is building a Trojan. So it was more than a little bit surprising when we observed downloads from Download.com behaving like spyware. What had happened was that Download.com had begun delivering freeware downloads in a wrapper that enticed users to click during the install in order to receive special offers and deals.

What happened in the background was a little scarier. When a user clicked on this option, the application took several steps that lowered the security of the user’s system, such as making changes to the security settings in the browser, changing proxy settings and also installed a service that leaked user information over HTTP POSTs. As it turns out, Download.com was under new management and had then intentionally developed this wrapper with those functions as a method to collect shopping data from their users. This led to a miniature scandal as antivirus vendors began rightly classifying the code as spyware, and Download.com then quickly reversed course.

However, this is an example of a very broad problem. If you do sandbox analysis of new and unknown applications you will quickly realize that there are tons of applications and code out there that are not overtly malicious, yet do very spyware-like things without the user’s knowledge. Changes to security settings, browser settings, listening on backdoor ports, changing personal firewall settings. This is dangerous because it is unlikely that this type of behavior is going to be flagged as malicious, and yet it is materially reducing the security posture of the client machine. These things don’t compromise the host directly, but it certainly softens up the target for more malicious code or attackers.

This type of insight is eventually going to become a priority for enterprise IT teams, because we will need to the ability to quickly determine which sorts of downloads and applets are safe for users to download in just the same way we are safely enabling applications today, applications such as webmail, SharePoint and other collaborative apps. Anything that affects the security posture of the client or the network needs to be seen by IT, and IT needs the policies in place that clearly define what sorts of behavior are allowed and which are not.

The lesson here is that until we gain a credible level of control here in the grey end of the spectrum, we are simply trusting the Internet to provide reasonably safe code that doesn’t endanger users, and that prospect should be enough to make any IT security manager’s skin crawl.

Read Wade's other columns on Malware here.

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.