When Does Software Start Becoming Malware?
New submitter Da w00t writes: Talos security researchers detected a malicious Shockwave Flash file that not only bypasses pop-up blockers, but also accurately fingerprints computers with the help of some JavaScript. The 'Infinity Popup Toolkit' is a prime example of software that falls into this gray area by bypassing browser pop-up blocking. In deciding to classify the toolkit as malware, the researchers pondered where the line lies between software that's harmful and software that's not. Quoting: "Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware."
>> When Does Software Start Becoming Malware?
When I didn't ask to install it. Toolbars (like this), automatic update services (that are silently added) and anything else that impacts my resources or distributes my information in a way I didn't choose is malware, IMHO.
Looking at you, Windows 10...
When the ratio nuisance / benefits is larger than some threshold (>=1)?
When it becomes malicious? TBH, I think it's when software does something that the user wasn't expecting or didn't want, and they feel that they can't trust that software anymore.
Here is the test: Does the software do anything that I want it to do? Did I install it or did I have a choice in installing it (a real choice, not a tricky dialog box). And finally, the true test... if someone UNINSTALLED or stopped this software from functioning, would I actively try to re-enable it.
If it doesn't meet these criteria, then it is spyware, crapware, malware, or junk, and should be classified as malicious. This includes almost all programs and web pages. This is Sturgeon's law, 90% of everything is crap. But in computer science you can take it one step farther. 90% of everything is crap, and 90% of the stuff that is worthwhile is designed to keep away the crap.
Based on Skype and now Windows 7-10, I'd say that Microsoft-owned --> Malware.
Coming from Windows and Mac, it's hard to imagine you'd need a definition. For a Linux user, the answer is simply whenever the application does something I did not tell it to do.
When I read its changelog and it's now, for example like Firefox, going to include a targeted advertising system. If the application lies about its intended function, or prevents me from using my computer as I've set out to use it.
For some of us, malware is an ethos, foretold by Richard Stallman. In Linux the word of root is sacrosanct. There are no upgrades, no updates, and no communication from the system or its processes that is not controlled by or intrinsically authorized by root. For myself, Windows and Mac have been malware for quite some time.
Good people go to bed earlier.
When the software behaves counter to the stated purpose, or the company behind it lies about what they are doing with data collected by the software, it is malware.
Sadly Windows appears to fall into this with all their recent auto-downloading of Windows 10, and extra monitoring being added to 7 and 8. I welcome a broader definition that shames such behavior, if not criminalizes it. Google is a little more upfront about this being their business model, but I still squirm at their cavalier collection of every piece of information they can get their paws on.
Toolbars are just the tip of the iceberg. All major browsers are malware because they don't isolate cookie storage (or all storage, really) between origin domains, breaking the same-origin policy. Third-party cookies then become data trojans. Intent is important here. It isn't just a vulnerability, but a design flaw continued by the fact that all major browser development is funded by advertising companies.
See for yourself how Mozilla refuses to fix a security vulnerability that is enabling billions to be made from stolen user data: Bugzilla bug 565965
# make clean sig
Does it do what it is supposed (and documented/advertised) to do, and nothing else? Probably not malware.
Does it do all kinds of stuff that it isn't documented as doing (especially if it does it unasked)? Probably malware.
And yes, I regard programs that call home looking for updates -- if they haven't asked for and received permission to do that -- to be a (mild) form of malware, although their benefits might outweigh that.
Is this article posting Dice's way to introduce the Dice Toolbar?
- it does things to your computer that you did not ask it to do
- it downloads software you did not ask it to download
- it gathers data from your computer and sends it to distant servers without your knowledgeable permission (agreeing to a fine-print multi-page EULA is not knowledgeable permission)
I will go by the definition of malicious as "characterized by malice; intending or intended to do harm"
:)
Oracle has the intent of causing harm by installing the ASK toolbar? Yes -> malware, No -> not malware.
ASK has the intent of causing harm with the toolbar? Yes -> malware, No -> not malware.
Buuuuuuut....
I will also go by the definition of pernicious as "having a harmful effect, especially in a gradual or subtle way", to bring up a new classification: perniciousware (or pernware).
Is the ASK toolbar causing a gradual, subtle harmful effect on the user's computer? I don't think it's possible to answer no to this question. For me it's of course, at the very least by consuming resources (disk space, memory, CPU time) on unwanted software. So it's pernware.
Is Oracle causing a gradual, subtle harmful effect on the user's computer by including the ASK toolbar, especially when it's the default installer behavior to install it? Yes (not no here either) -> Java installer is pernware.
Both Malicious and Pernicious definitions supplied by Google search
As a side note, I would say most big players are having serious pernicious behaviour on software distribution: by automatically configuring the startup of their apps/services without asking; bundling software which has little to nothing to do with the provided one (e.g. Flash including an antivirus...) etc. And of course the well-known EULAs, unreadable by the general layman, which give them superpowers to do mostly anything they want with YOUR computer, software, and data.
Worst thing is, the smaller players use these as excuses to do the same, and people have become "accustomed" to this, and no longer pay any notice. Opening wide breaches in most security and allowing anyone with malicious intent to do anything they want...
The Universe is shrinking all around my head.
Putting anything on my computer for your benefit without making absolutely sure I know what is going on, is MALWARE.
Or will you let me put a key logger on your PC in order to 'ensure quality'.
excitingthingstodo.blogspot.com
...it's called iTunes.
When it:
1. Installs without permission
2. makes any unnecessary network connections
3. tracks the user and uploads any data not relevant to functionality (with or without permission, mandatory or not)
4. injects code into the bootloader, filesystem, or anywhere else that's not strictly necessary
5. localfunction/desktop software that requires the user to 'log on' to a vendor portal and/or has 'dead man' switches that require subscriptions (adobe suite)
6. abuses system GUI conventions (skinned applications)
7. is bundled with irrelevant 3rd party plugins, addons, or extensions for marketing purposes (browser search toolbars, apple itunes/quicktime on windows etc)
When the software changes how some other software that is already installed on the computer behaves when the user did not expressly indicate that they desired it, it is malware.
It is insufficient to conclude that the user desires how such software might modify the behavior of other software when it is bundled by default with yet another piece of software that the user did express intent to want to use. In many ways, such software would resemble a trojan.
File under 'M' for 'Manic ranting'
Grayware, also known as PUPs (Potentially Unwanted Programs). It's these programs that may not be malware in and of themselves in terms of causing direct damage within their own code, but rather act as a conduit to other forms of malvertisements. For example, Adobe Flash or JRE would be, or rather should be called, a form of Grayware.
Life is not for the lazy.
When it's written by Symantec?
Think I'm kidding? Ever try to REMOVE Symantec "antivirus" crap?
-Styopa
This is just like the define obscenity problem. You know it when you see it.
Windows "telemetry". Malware--and after years of zealots on this site tossing that around and me disagreeing, this is not something I say lightly.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
1. ads
2. tries to lure you into installing additional, non-wanted software (such as bundling McAfee with Flash Player, or Safari with iTunes, or the ask toolbar)
3. Has a nag screen (WinZIP "I agree")
4. Its sole purpose is to spy on you (the Ask toolbar again falls into that category)
1. If it installs without my permission
2. If it ignores me when I turn off certain settings.
Not that I can think of anything that meets those. ;)
Suing a company under the Computer Misuse Act would require a private prosecution under criminal law and would probably cost a lot of money. You would also have to prove 'beyond all reasonable doubt'.
You would certainly be able to file a claim, alleging a tort (England/Wales) or delict (Scotland), which would be decided on the balance of probabilities.
(IANAL but I did work for one for a couple of years).
Backup not found: (A)bort (R)etry (P)anic
If it does something that a reasonable user would not expect, it is malware. I don't care if it's documented because those bastards will bury their evil deeds in twenty pages of legalese.
-- Will program for bandwidth
Answer: When it's Windows 10.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
The above rant brought to you by a malware author.
Do not look at laser with remaining good eye.
If the software serves anyone other than the user of the device it's running on, then it's malware.
The Ask toolbar is not a gray area. It's malware. Oracle knows it's malware, but they don't care. I don't even believe Talos security researchers are confused about the Ask Toolbar. They are simply afraid to go against a 600 lb. Gorilla in the industry. It takes Microsoft to force Oracle to do the right thing.
There are a lot of posts about bundled software being installed by default (like toolbars), but this is just the example from the article's intro. The article is actually about the "Infinity Popup Toolkit". This is not an application that you install on your PC - it's a bunch of JavaScript and Flash code that runs from a web page. Its purpose is to bypass your popup/ad blocker and security controls so that it can show you popup ads.
The question was whether this should be considered malware, since the definition of malware is somewhat vague. The conclusion was that it clearly is malware and should be blocked. This is seems quite obvious, since the software's intention is to ignore your wishes (blocking popups) in order to show you ads. It's quite clear that no one would WANT to run this software, because if they wanted to see popups (which is no one ever), then they wouldn't turn on their popup/ad blocker in the first place.
While I largely agree, the issue is not quite as black and white as you paint.
There are somewhere around 2 billion users with Windows installed on their computer. Regardless of your personal opinion about updates, they should be enabled by default, with no user prompt asking them at install time if they want updates. This is the same argument for mandatory immunization; the species as a whole benefits from herd immunity. If you are arguing against automatic updates, and malware-scanning-by-default, then I think you have a fundamental confusion about how the Internet will survive when infected devices are counted in the billions rather than the millions. Regardless of your distaste for the business practices of companies like Adobe and Oracle, their auto-updaters save the world billions in damages by reducing the number of vulnerable users.
There are other areas where best practices should not be up for debate by the user. My car doesn't ask me if I want to use my ABS brakes when I stop, nor does it stop dinging at me if I drive without a seatbelt on. You may value your personal freedom to choose, but society at large benefits when fewer people crash or die. The needs of the many outweigh the needs of the few, or the one.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
1. Software that is installed without the fully informed consent of the user.
2. Software that performs previously unknown or other functions not specifically alluded to, in a repeatable manner.
3. Software that performs functions nonconducive to the secure functionality of a host computer system.
4. Software that installs other software without the fully informed consent of the user.
5. Software that communicates with other hosts without the fully informed consent of the user.
6. Software that degrades the performance of the host system with no clear benefit to the user.
Examples and notes:
1. sideloaders such as the Ask Toolbar and other Browser Helper Objects (Bonzi Buddy and Gator spring to mind) which are bundled with software that you actually ask for, such as when you download installers from SOURCEFORGE and CNET.
2. Such as when Microsoft disabled SSL3 by default in the February 2015 IE11 Security Rollup rather than fix the SSL3 vulnerability.
3. Such as when software opens a port through the firewall and leaves it open (sorry no examples spring immediately to mind but I have known this to happen).
4. See #1.
5. Microsoft's "security" updates that are actually CEIP and other telemetry daemons.
6. Full-on antivirus packages that absolutely HAVE to scan EACH and EVERY file, library, script, document and bitmap on opening! Not sure if the ones that HAVE to run a full scan in the background when the system starts up are worse, but that can be demonstrated to increase waiting time for a usable desktop from a couple of minutes to several HOURS.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
- it does things to your computer that you did not ask it to do
Like a bug?
- it downloads software you did not ask it to download
Like all Google software that auto-updates?!
- it gathers data from your computer and sends it to distant servers without your knowledgeable permission (agreeing to a fine-print multi-page EULA is not knowledgeable permission)
This is a good one though.
Tuesday.
I think you have to be setting out to cause harm in order for it to count as malicious. As such, I would concede that GNOME made a mistake, but I would think it hyperbolic to say that GNOME 3 is malicious.
I think if you want to call something malicious, you have to have set out in the first case with intentions to subvert the user's sovereignty over their own property. Install something I didn't ask for and would have specifically rejected? Malicious. Make it difficult to opt out? Malicious. Report my local drive searches that are none of your business? Malicious. Lock me out of content I bought? Malicious. Bloat my phone with a bunch of apps I can't uninstall? Malicious. Make a dumb-ass design mistake? Dumb-assed, but not malicious.
To conflate bad design with malice dilutes the discussion of things that genuinely are malicious -- that genuinely mean us harm.
www.wavefront-av.com
There is a difference between software that tracks and collects information about you and redirects you to sites in order to gather advertising revenue, and software that implements functionality in a way that you don't agree with. When you implement something you have to choose a way to implement it; some people may not agree with that implementation, but that does not make it malware, choices have to be made. Systemd may have been the wrong choice but I don't believe it was a bad choice made out of malice, or a desire to make money off its users.
Malware is any software that functions to benefit a third party rather than the user.
If your installer/updater is installing some app/toolbar/etc in addition to the application I want it to install -- that's malware.
If your installer/app/updater is changing settings in my browser or any other application on my system -- that's malware.
I want to write a letter; if your "letter writing app" is sending a copy of the letter or meta-data about the letter or my writing of the letter to a third party -- that's malware.
If I'm playing your off-line single-player game and you're collecting data on how I play it -- that's malware.
If I'm playing your on-line multi-player game and you're doing anything with the data I'm sending you other than sending it to the other players -- that's malware.
If your search engine is doing anything with the search request I'm sending you other than fulfilling my search request -- that's malware.
If your app is displaying ads -- that's malware (unless it's an ad locator application).
"Grab them by the pussy" -- President of the United States of America
Yes, that too. They can better standardize their headers, and/or they can add some noise to the signal to throw off the fingerprinting, which can be done without any kind of concerted effort.
Just mentioning this for completeness: there is also the IP address, but that has other solutions, and isn't a web browser's responsibility.
# make clean sig
Next question!
Software becomes malware whenever it does anything the user, had he been given an informed choice, would have chosen to reject.
(This includes surreptitious installation, hidden misfeatures, information leakage, etc.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Um, like how Microsoft by default makes Bing your search engine in IE, Firefox, Chrome, and Safari? And changes your homepage to be MSN.com?
Like that?
So does Microsoft consider Microsoft to be malware?
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
I know it when I see it. But it's an interesting question.
The simplest is "it does something the user doesn't want". But this gets bogged down in questions.
I propose that any software that fits (1) AND (2) is malware, *no exceptions*.
1- The software does ANY of the following:
- Hides its presence from the user (registry malarkey, malicious RAM stuff, etc)
- Tricks the user into being installed (packaged in other software, straight up virus piggyback, checkbox you must unclick)
- Is inside a package via sponsorship, deception, or coercion of the packager, as an addition to an actual product (including most of the download.com stuff)
- Fights user attempts to uninstall (including disabling unrelated features, reinstalling itself, etc)
*Sponsorship should handle all cases where a packager includes an element in the package that is not why you chose to get the package. Coercion includes, say, a government or company that forces by law or other method to include code in such a package, and deception involves a packager who is not aware of the malware they are packing along.
2- The software does EITHER of the following:
- Is not strictly needed for the operation the user intends, offering a data leak (personal data, envelope information about user activity) or unarguably malicious feature (blackmail, data deletion, display of advertisements) instead of its advertised or apparent purpose.
- Is installed entirely in secret and from an activity that should not result in software installation.
By this definition, you could argue that some elements of Windows 10 qualify (and they probably do), that the Ask.com garbage pile qualifies (and it definitely does), along with drive by downloads. This excludes a game that shows you advertisements, but includes one that installs an advertising thing on your desktop.
What am I missing? Gimme some false positives or false negatives with this pls.
There are a number of recurring themes I see here, and I see examples that muddy the waters further.
"Installs without user consent"
Counterargument: I install a game from Steam. A copy of the required version of MS VC++ Runtime is installed with a /v/qn switch, so I never see any form of "consent", but I've consented to install a game that requires this runtime version in order to function. Malware?
"Sends data to a third party without user consent"
What *exactly* lives in the usage data that Microsoft gets? It's unclear, but I'd like to think that if Microsoft realized that 90% of its users clicked 'start' at least five times a day, the people in the planning meetings for Windows 8 would have had a hell of a lot more leverage. If Microsoft got data that read, "user 1363959 clicked 'start' a total of 418 times in the last 30 days", I'm fine with that. If Microsoft gets data that says "Voyager529 clicked 'start' 418 times, and then typed the following 15 sentences...", I'd be less okay with that. Is the fact that, even if I look at the data dumps, they're not terribly user-readable the ultimate problem here? Would something like the Steam Hardware Survey be viable for Microsoft? Is "allow telemetry [accept/decline]" enough either way?
"Is bundled with other software"
Ghostscript is bundled with PDFCreator, and it's wonderful. AVG Secure Search is questionable - it ultimately shows Google search results, along with different sets of ads, but it at least gives a 'safe/unsafe' indicator which is probably a good idea for many people. Many Slashdotters have Chrome installed, is Chrome 'not malware' when installed from Google.com/chrome, but malware when installed with CCleaner? Comodo Dragon has a few extensions bundled in to assist in safe browsing. Malware? The aforementioned VC++ Runtime - malware? Bundling alone is not enough.
Conversely, "not-bundled" isn't a dead giveaway, either. Cyberlink's installers of paid-for software, by default, change your default autoplay settings and have a super-difficult-to-disable 'feature' of regular pop-up notifications letting you know that you don't have their latest, greatest, kitchen-sink edition...malware?
"Buggy code"
This goes hand-in-glove with the concept of "Microsoft deciding what is and what isn't". The Ask toolbar was flagged as a result of working as intended. Having buggy code is a matter of human error and is (hopefully) intended to be rectified.
Here's how I would judge whether a piece of software is malware or not:
1. Explain what your program is intended to do, and who gets copies of any data the software is privy to, to a five year old. Are you uneasy with writing that description on the front page of your website?
2. Does the CEO of the company have this software installed on his/her computer? Did he/she do so by hitting 'next' repeatedly?
3. During the installation, were there any questions unrelated to the nature of the installation of the code you wrote? If so, was the nature of its requirements reasonably explained, and was any form of opt-out clearly labeled (i.e. not using quadruple-negatives to confuse users who would otherwise intend to opt-out)?
4. Does your software include an uninstaller that leaves the computer in a state that is indistinguishable from a computer that never had it installed in the first place?
While I agree on systemd as the default being utterly demented for Debian and a complete violation of the principle that Debian stable must be rock-solid, you can replace it with sysvinit after installation, or even before if you give the installer some configuration.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Hehehehehe. Well, sane init-systems usually manage to give you a shell so you can find out what is wrong, but systemd finds that this is beneath it as you have obviously insulted its creator by using it not exactly as was ordained.
And that is the real core of the criticism on systemd: It is a misanthropic POS, that does not respect its users one bit. Resembles its creator in that way.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Malware is software I don't want on my machine and cannot uninstall easily.
"Easily", in this case, being using the mechanism appropriate for that particular OS. Uninstall a program dialog / apt-get uninstall / whatever.
That's it. Crap I don't want, and can't get rid of easily. Yes, that means I may call IE malware (it increases the attack surface area on my machine, and I cannot remove it), while someone else does not.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
How do you determine whether the author KNEW the code was buggy?
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Programmers and software creators will do whatever benefits them the most (and makes them money). It's a safe bet someone is paying someone to help get their spyware and other adware type crap onto our PCs in any way possible!