
SANS ISC: Confessions of a Spyware Author - Internet Security | DShield SANS ISC InfoSec Forums


Confessions of a Spyware Author
I was sitting next to Ed Skoudis in the front row of the Anti-Spyware Coalition Workshop in Washington, D.C. this past February 9th.  Ed and I had been working together during the previous days, testing enterprise anti-spyware applications for a "shootout" article that we were co-authoring for Information Security magazine.  In preparing the various tests for that article, I had developed 25 small applications that each performed a single "spyware-like" behavior - dropping an executable and installing a key in the Windows registry to launch it on boot, changing the user's wallpaper, changing the user's homepage, etc.

Ed was scheduled to speak on one of the many panels that presented that day, and right before he took the stage, he turned to me and said, "Whatever I say, just go with it..."  

More frightening words have seldom been uttered.

When Ed's turn to speak came, he stood before an assembly of several hundred lawmakers, policy professionals, and anti-spyware vendors and asked a simple question: by a show of hands, how many in the audience were "spyware authors"?

"Come on," he continued, "I know that there is at least SOMEONE here who has written spyware."

Then he turned and stared at me.

Thanks, Ed.

Hello.  My name is Tom, and I'm a spyware author.

Unlike the truly Evil spyware authors who want to steal your private information or monitor your surfing habits, I'm here to help.  The 25 mini spyware-like applications that I wrote are designed to test the effectiveness of your anti-spyware solution at detecting and alerting you to behaviors that can indicate that software may not be on the up-and-up.  While most anti-spyware applications have some signature-based capabilities, as the spyware menace grows, behavior-based detection and blocking are a must.

The suite of test applications will be released in conjunction with our article on May 1st, and is dubbed SPYCAR -- an homage to the European Institute for Computer Antivirus Research (EICAR) antivirus test file.  While it won't be available until May 1st, SPYCAR will be located here.

Tom Liston
Intelguardians