ESET had quite a strong representation at Virus Bulletin this year in Barcelona, as David Harley mentioned in his post prior to the conference.
On the first day, Pierre-Marc Bureau presented his findings about the Kelihos botnet, David Harley and AVG’s Larry Bridwell discussed the usefulness and present state of AV testing, and to finish the day, Juraj Malcho gave an exciting presentation on the current situation in the AV industry.
On the second day, our Russian colleagues Eugene Rodionov and Aleksander Matrosov explained modern bootkits’ capabilities for bypassing security features of 64-bit versions of Windows (mainly kernel-mode code signing policy), using the examples of Win64/Olmarik (TDL4) and Win64/Rovnix.
And before the closing of the conference on the last day, when Pierre-Marc took part in a panel discussion on the strategies of tackling botnets, I presented the current situation regarding grayware – the problematic category of software that includes ad-supported software, PUAs (potentially unwanted applications), and so forth.
This kind of malware is quite distinct from the typical trojans, worms and viruses, and poses its own difficulties for our Malware Research Lab. The challenges are not technical, as they are with advanced rootkits or with viruses that require cleaning; instead, each of these “gray” or dubious applications requires us to consider carefully whether it should be detected or not. Another big difference is that, unlike the authors of regular trojans, the companies behind grayware are known and often legitimate-looking. These issues, obviously, lead to a conflict of interests, and grayware authors rarely fail to complain about the detection of their software.
Juraj Malcho already addressed this topic in his Virus Bulletin 2009 presentation “Is there a lawyer in the lab?”. This year, we looked at how the grayware situation has evolved over two years and at how we are handling the difficult struggle against scareware and potentially unwanted applications, and asked whether there is hope for a “junk-free” Internet.
The whitepaper, “Fake but free and worth every cent”, can be downloaded here, courtesy of Virus Bulletin, which holds the copyright. Further details on how ESET interprets the PUA category can be found in Aryeh Goretsky’s whitepaper “Problematic, Unloved and Argumentative: What is a potentially unwanted application (PUA)?”.