Juraj’s presentation discussed the spectrum of applications that come through the labs of anti-virus companies, and how it is becoming more and more difficult to make an absolute decision regarding an executable’s intentions.
He pointed out the increasing frequency with which Eset’s labs must consult with legal counsel about dubious applications that no enterprise would want, yet proclaim enough legitimacy to potentially sue a vendor for suggesting they may be a virus.
At Sophos, we have also had to deal with this problem more and more frequently over the years. Those of you who are customers will recognize that we have a special designation (Potentially Unwanted Applications) for things that are not directly malicious, but might simply be unwanted on your computers.
The decision about which files receive which designation becomes much more complex when fake anti-virus applications include open source code from projects like ClamAV. This lets the dubious authors of these applications claim legitimacy while they extort you for cash. I do not believe this is legal under the GPL, but that does not stop the type of people propagating this code.
The most interesting part of Juraj’s presentation concerned what is known as “Green” software in China. Chinese computer users accept the concept of software being ad-sponsored, no differently than they accept it on the internet.
This software is basically pirated software repackaged to be a self-contained executable that requires no installation. You see applications like Adobe Photoshop being distributed in China via this method. In addition to being modified to not spread files all over your computer, it also has an adware-like component added to “sponsor” the work done by the distributor.
This software may not be legal, and the adware components may share many files, techniques, packers and other methods with malware, but is this software malicious? How do you detect true adware and not detect something that someone clearly sees as normal within their culture?
These questions will certainly not be answered by me, and Juraj’s paper is well written and tries to answer as many questions as possible while leaving the decision to the reader. If you have an opinion, please answer the poll found below.