Slashdot Mirror


When Does Software Start Becoming Malware?

New submitter Da w00t writes: Talos security researchers detected a malicious Shockwave Flash file that not only bypasses pop-up blockers, but also accurately fingerprints computers with the help of some JavaScript. The 'Infinity Popup Toolkit' is a prime example of software that falls into this gray area by bypassing browser pop-up blocking. In deciding to classify the toolkit as malware, the researchers pondered where the line lies between software that's harmful and software that's not. Quoting: "Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware."

  1. When you didn't ask to install it. by xxxJonBoyxxx · · Score: 5, Informative

    >> When Does Software Start Becoming Malware?

    When I didn't ask to install it. Toolbars (like this), automatic update services (that are silently added) and anything else that impacts my resources or distributes my information in a way I didn't choose is malware, IMHO.

    Looking at you, Windows 10...

    1. Re:When you didn't ask to install it. by thegarbz · · Score: 4, Insightful

      > When I didn't ask to install it.

      Oh but you did. Didn't you read the EULA and look for the tiny size 4 "opt-out" text on the screen?

      I would go one step further, any software is malware when it does something other than the user intended. It doesn't matter that the Ask toolbar had a checkbox in the installer, the fact was unless I went to Ask.com and downloaded it there it's malware. Likewise it doesn't matter that I installed Windows 10, the fact that it sends data without the user's intention makes it malware.

    2. Re:When you didn't ask to install it. by war4peace · · Score: 3, Interesting

      > When I didn't ask to install it.

      > I would go one step further, any software is malware when it does something other than the user intended.

      So... software bugs are all malware?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:When you didn't ask to install it. by mark-t · · Score: 2

      Software bugs are not malware, but they can turn the software in which they exist into malware whenever the software does something other than what the user intended.

    4. Re:When you didn't ask to install it. by jbmartin6 · · Score: 3, Interesting

      Well you are right there is technically a flaw in the definition. But it is a good concept though. How about 'by design does something the user did not intend'?

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    5. Re:When you didn't ask to install it. by N1AK · · Score: 2

      Given that pretty much the definition of a bug is doing something the user didn't intend (with a small exemption for doing things the maker didn't want, but the user did intend) that's a pretty pointless distinction.

      If you define malware this ridiculously widely then it achieves nothing aside from making the term pointless.

    6. Re:When you didn't ask to install it. by rtkluttz · · Score: 2

      No, I think it's way earlier than that. Software is malware when the device owner isn't in control of the software. If it communicated with anyone or anything in a way that you are unable to view, start and stop communications then it is malware. If it does things without asking you telling it to or at least authorizing automated activity, it is malware. If it enables secrecy between your device and a 3rd party that you aren't privy to, it is malware.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    7. Re:When you didn't ask to install it. by sconeu · · Score: 5, Insightful

      Then Malware is DESIGNED to do something other than what the user intended.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    8. Re:When you didn't ask to install it. by mrchaotica · · Score: 5, Insightful

      The difference is malicious intent. A bug is when the programmer is trying to make the software do what the user wants, but accidentally fails. Malware is when the programmer is trying to make the software do what the programmer wants, user's wishes be damned.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    9. Re:When you didn't ask to install it. by im_thatoneguy · · Score: 2

      That doesn't work either. Because 'by design' Windows prefetch uses system resources to allocate memory so that something the user will arguably like (have applications load faster). Users are so ignorant of the workings of their computers we couldn't have computers only do "What the user intended" to happen.

      My proposed definition would be:
      "By design works against the user's best interests."

      For instance in Windows 10 users intend for their touch keyboard to work well. In order for a touch keyboard to work well it really needs to learn your typing patterns and correct for them. That means you have to share that data. So is collecting anonymous typing pattern data to improve the accuracy of your keyboard something the user intended? I would argue no.

      Similarly if you use SafeScreen on Windows it'll upload a hash of the download to Microsoft to see if it's a known virus or a known safe file. Does the user intend to install viruses? No. Does the user know to ask for a service which performs a hash check on all of their downloads? Probably not.

      So while the user might intend to use SafeScreen or Prefetch or even the notorious 'keylogger' in Windows 10 I would argue that they aren't caught up by false positives in the definition:
      "By design works against the user's best interests."

      They arguably are working for the user's best interests not a third party's. Even telemetry data then gets into a debatable position where we can have an honest conversation. "Is anonymous telemetry which improves stability at the cost of some marginal privacy in the user's best interest?" Some can argue yes some can argue no but it's clear that we at least acknowledge and agree on the same definition.

      It also works in relationship to Windows 10 pre-downloading installation files without an opt-in. Whose interest is upgrading to Windows 10 serving? If it's exclusively Microsoft's then it's malware. If it's legitimately helping the user by moving them off of an unsupported OS into one which is perhaps more secure then it's maybe an overzealous protection but not malware. If however though it consumes $40 worth of bandwidth on an LTE connection because the user didn't have it set to a metered connection then it's malware since it's not working in the user's best interest. Again it gets into that lovely gray zone of what's an accident, what's a bug, what's by design and what's in the user's best interest. By debating the specifics we can have an empirical and yet robust debate on whether it meets the criteria.

    10. Re:When you didn't ask to install it. by thsths · · Score: 2

      Bingo. And this definition is not even contentious - but it clearly includes Java. It also includes many "freemium" games.

    11. Re:When you didn't ask to install it. by ewibble · · Score: 2

      The user's best interest is far too vague, you could say the NSA spying on you is in the user's best interest as well because they are trying to protect you. You could say selling your information to advertisers is in the user's best interest because it lets you buy product that you want.

      There needs to be a list of user rights that should not be violated unless granted explicit opt-in rights. Here is a list of some.

      1. Right to privacy, no information should be recorded unless it is apparent to the so. So entering data in a form on a web page is ok, recording keystrokes when using your computer in your text editor is not.
      2. Do not use the user's computing resources, CPU, memory, bandwidth, for anything other than the stated intent of the applications.

    12. Re:When you didn't ask to install it. by Jane+Q.+Public · · Score: 2

      > think about your OS and installed software, and really, think hard if you explicitly asked for them to do everything they do. you don't even know everything they do.

      You opted in to your OS when you bought or installed it. That's not quite the same thing.

      If a piece of software writes persistent-id-cookie-type information to my hard drive, and I did not explicitly give it permission to do that (as I do with my OS and any DRMed purchased software I install... which is damned little), it's malware. I don't give a damn about any other definition.

  2. When... by Arkh89 · · Score: 2

    When the ratio nuisance / benefits is larger than some threshold (>=1)?

  3. Simple malware test by netsavior · · Score: 2

    Here is the test: Does the software do anything that I want it to do? Did I install it or did I have a choice in installing it (a real choice, not a tricky dialog box)? And finally, the true test... if someone UNINSTALLED or stopped this software from functioning, would I actively try to re-enable it?
    If it doesn't meet these criteria, then it is spyware, crapware, malware, or junk, and should be classified as malicious. This includes almost all programs and web pages. This is Sturgeon's law, 90% of everything is crap. But in computer science you can take it one step farther. 90% of everything is crap, and 90% of the stuff that is worthwhile is designed to keep away the crap.

  4. as a linux user, i can explain. by nimbius · · Score: 3, Insightful

    coming from windows and mac, it's hard to imagine you'd need a definition. For a linux user, the answer is simply whenever the application does something i did not tell it to do.
    when i read its changelog and its now, for example like firefox, going to include a targeted advertising system. If the application lies about its intended function, or prevents me from using my computer as I've set out to use it.

    For some of us, malware is an ethos, foretold by Richard Stallman. in Linux the word of root is sacrosanct. there are no upgrades, no updates, and no communication from the system or its processes that is not controlled by or intrinsically authorized by root. For myself, Windows and Mac have been malware for quite some time.

    --
    Good people go to bed earlier.
    1. Re:as a linux user, i can explain. by CannonballHead · · Score: 2

      So, you specifically told every single Linux program what to do? You actually told gdm to start? You told your web browser to cache data? You told vi to automatically make backup files?

      I get your primary point. But the way you put it may be a little bit simplistic for a complex system. My Linux boxes do a lot of things that I didn't actually tell it to do. Cron runs, and I didn't tell it to. I know it does it, but I didn't TELL it to. It's default behavior. Some distros have sudo automatically setup. Some distros have ntp setup. Some automatically check (but don't install) for updates. All of that, I didn't tell it to do. Unless that also counts as malware?

    2. Re:as a linux user, i can explain. by Catiline · · Score: 2

      I have a laptop running Gentoo as its sole OS. The fact there is a cron service installed at all is because I wanted one. Whether the system boot manager is OpenRC or systemd was my choice, not somebody in charge of the distribution. For any compilation option that can be turned on or off, there is a good chance that it is exposed to the package manager and thus I chose its state when installing. (If not, portage is the simplest manager I've seen when altering installation scripts, so overriding that choice is very easy.) Most packages don't automatically include their software into a runlevel: you also choose if (and when) they would run.

      That control was why I chose Gentoo: not for privacy or a protest against "stealth software" (the Steam client is installed), but because by having to touch each and every part of the system I get a clearer idea of how these parts mesh. I would highly recommend setting up a machine in this fashion: it's a very educational experience.

  5. Lies by Moof123 · · Score: 4, Insightful

    When the software behaves counter to the stated purpose, or the company behind it lies about what they are doing with data collected by the software, it is malware.

    Sadly Windows appears to fall into this with all their recent auto-downloading of Windows 10, and extra monitoring being added to 7 and 8. I welcome a broader definition that shames such behavior, if not criminalizes it. Google is a little more upfront about this being their business model, but I still squirm at their cavalier collection of every piece of information they can get their paws on.

  6. non-isolated third-party cookies are data trojans by lambsonic · · Score: 4, Interesting

    Toolbars are just the tip of the iceberg. All major browsers are malware because they don't isolate cookie storage (or all storage, really) between origin domains, breaking the same-origin policy. Third-party cookies then become data trojans. Intent is important here. It isn't just a vulnerability, but a design flaw continued by the fact that all major browser development is funded by advertising companies.

    See for yourself how Mozilla refuses to fix a security vulnerability that is enabling billions to be made from stolen user data: Bugzilla bug 565965

    --
    # make clean sig
  7. When Windows - Windows 10? by QuietLagoon · · Score: 4, Insightful

    Software is malware when:

    - it does things to your computer that you did not ask it to do

    - it downloads software you did not ask it to download

    - it gathers data from your computer and sends it to distant servers without your knowledgeable permission (agreeing to a fine-print multi-page EULA is not knowledgeable permission)

  8. The second it does something for THEIR benefit by gurps_npc · · Score: 5, Insightful

    rather than the customer's benefit, without making it very clear and expressly asking permission.

    Putting anything on my computer for your benefit without making absolutely sure I know what is going on, is MALWARE.

    Or will you let me put a key logger on your PC in order to 'ensure quality'.

    --
    excitingthingstodo.blogspot.com
  9. easy. by epyT-R · · Score: 3, Interesting

    When it:
    1. Installs without permission
    2. makes any unnecessary network connections
    3. tracks the user and uploads any data not relevant to functionality (with or without permission, mandatory or not)
    4. injects code into the bootloader, filesystem, or anywhere else that's not strictly necessary
    5. localfunction/desktop software that requires the user to 'log on' to a vendor portal and/or has 'dead man' switches that require subscriptions (adobe suite)
    6. abuses system GUI conventions (skinned applications)
    7. is bundled with irrelevant 3rd party plugins, addons, or extensions for marketing purposes (browser search toolbars, apple itunes/quicktime on windows etc)

  10. Defining obscenity by istartedi · · Score: 2

    This is just like the define obscenity problem. You know it when you see it.

    Windows "telemetry". Malware--and after years of zealots on this site tossing that around and me disagreeing, this is not something I say lightly.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?