Topic: "Spycar" anti-spyware test tool released

Eric the Red (Administrator)
"Spycar" anti-spyware test tool released
« on: May 05, 2006, 12:20:04 PM »
The following information was released May 5th 2006 by Intelguardians. It concerns a testing package that you can use to check the effectiveness of your anti-spyware software and has been written by two of the leading lights in Information Security.

If you do try it please feed back your observations by appending a post to this thread.

Quote
FOR IMMEDIATE RELEASE


WASHINGTON, DC.  On Friday, May 5, 2006, Intelguardians (www.intelguardians.com) announced the release of a free anti-spyware testing tool called Spycar.  Spycar is a suite of programs designed to mimic spyware-like behavior, but in a benign form.  "Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool," said Ed Skoudis, co-founder and senior security analyst with Intelguardians. 


Tom Liston of Intelguardians, the lead developer of Spycar, provided further detail, "Many anti-spyware tools focus on signature-based detection.  That is, the vendor detects spyware by including thousands of signatures looking for specific sequences of bits on your hard drive or in memory.  Behavior-based detection, another approach, lets anti-spyware stop malicious software based on its actions, not a specific set of signatures."  Throughout early 2006, Intelguardians tested several enterprise anti-spyware tools, and found that their behavior-based defenses did not stop several spyware-like actions on a machine.  "As long as no signature has been defined for a given piece of spyware, many anti-spyware tools offer virtually no protection," said Liston.  Spycar allows individuals and organizations to evaluate their anti-spyware capabilities with a series of benign tests.


Every change made by Spycar is benign, designed simply to measure whether an anti-spyware tool can block or detect the change.  Furthermore, Spycar includes a scorebot/clean-up application called TowTruck that measures how well an anti-spyware tool defended the system, and automatically undoes every alteration made by Spycar. Spycar, the name, is in homage to the venerable EICAR anti-virus file.  The EICAR group (www.eicar.org) created this file about a decade ago so that anyone could test their anti-virus solution to verify it was working.  In honor of EICAR’s fine work, Intelguardians called its anti-spyware testing tool Spycar.


Spycar can be downloaded for free at www.spycar.org


------


Intelguardians is a Maryland-based information security research and consulting firm.  Founded in 2004, Intelguardians performs comprehensive assessments, architecture reviews, incident handling services, and digital forensics for organizations in the financial services, high-technology, legal, government, and military industries.  Intelguardians Labs performs deep research on topics including spyware and bot-net malicious code, virtual machine environment security implications, and the interstitial points between software and hardware including drivers and firmware.

"The time to start running is around about the "e" in "Hey, you!" "
Proud member Since 2004 

The information I provide is provided "AS IS" without warranty, and confers no rights.

Corrine (Administrator)
Re: "Spycar" anti-spyware test tool released
« Reply #1 on: May 05, 2006, 10:59:30 PM »
Ok, I'm game.  Let's see what happens.  My notes as I ran the tests are first with the results from SpyCar below.   

Autostart Tests:

Ad-Watch popped up and allowed me to block.

Click here to make Spycar try to install a Registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Click here to make Spycar try to install a Registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Click here to make Spycar try to install a Registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Click here to make Spycar try to install a Registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Both Ad-Watch & WinPatrol allowed me to block the last two:

Click here to make Spycar try to install a Registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Click here to make Spycar try to install a Registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Internet Explorer Config Change Tests

Both Ad-Watch and SpywareGuard blocked:

Click here to make Spycar try to change your default home page in IE
 
Oopsie:  Nothing popped up here to stop these --
Click here to make Spycar try to lockout users from changing the default home page in IE
Click here to make Spycar try to remove the Advanced Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Programs Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Connections Tab in your IE Internet Options Screen
 
This resulted in prompts from Ad-Watch, WinPatrol & SpywareGuard:

Click here to make Spycar try to change your default search page in IE

That was strange.  All three (A-W, WinPatrol, SpywareGuard) popped up when I ran these but with the message about changing the default search site again: 

Click here to make Spycar try to remove the Content Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Privacy Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Security Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the General Tab in your IE Internet Options Screen

Network Config Change Tests -- nothing.  Where's SpyBlocker?

Spycar Scoring
HKCU_Run : Spycar test not performed
HKCU_RunOnce : Spycar test not performed
HKCU_RunOnceEx : Spycar test not performed
HKLM_Run : Spycar change blocked
HKLM_RunOnce : Spycar test not performed
HKLM_RunOnceEx : Spycar test not performed

Since I use Firefox, I borrowed Coyote's IE and these are the results:

IE-HomePageLock : Spycar change allowed
IE-KillAdvancedTab : Spycar change allowed
IE-KillConnectionsTab : Spycar change allowed
IE-KillContentTab : Spycar change allowed
IE-KillGeneralTab : Spycar change allowed
IE-KillPrivacyTab : Spycar change allowed
IE-KillProgramsTab : Spycar change allowed
IE-KillSecurityTab : Spycar change allowed
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change blocked

AlterHostsFile : Spycar change allowed (Looks like I have to find out what's happening with SpyBlocker.  <Corrine pages DoK!>)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
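The press release above describes Spycar's approach (attempt a benign spyware-like change, score whether the anti-spyware tool stopped it, then let TowTruck undo it), and the post above lists the concrete changes it tries: the six Run/RunOnce/RunOnceEx autostart keys, the IE home page and search page, the IE Internet Options tab lockouts, and the hosts file. The script below is an added example in that spirit, written for this thread; it is not Spycar's or Intelguardians' code and does not use their tests. The registry paths are the standard Windows locations and the IE value names are the standard Internet Explorer "Control Panel" policy restrictions; the marker name, the inert value data and the hosts-file line are this example's own choices. Each test writes the change, reads it back (a blocker may silently revert rather than refuse), reports "allowed" or "blocked" in Spycar's wording, and removes what it added.

```powershell
# Added example, not Spycar's or Intelguardians' code: a small reversible
# behaviour test in the style of Spycar + TowTruck. Each test attempts one
# benign change, reads it back to see whether it landed, then undoes it.
# Registry paths are the standard Windows locations; the IE policy value names
# are the standard Internet Explorer "Control Panel" restrictions. The marker
# name, the inert value data and the hosts line are this example's own choices.
# Run from an elevated prompt for the HKLM and hosts tests.

$Marker  = 'SpycarStyleTest'           # harmless value name / hosts comment tag
$Results = [ordered]@{}

$RunKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# HKCU policy key IE honours for lockouts; a DWORD of 1 hides the named tab
# (or, for HomePage, locks the home page setting).
$IEPolicy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$IEValues = 'HomePage','AdvancedTab','ConnectionsTab','ContentTab',
            'GeneralTab','PrivacyTab','ProgramsTab','SecurityTab'

function Test-RegChange {
  # Returns $true if the value was written AND reads back unchanged.
  param([string]$Path, [string]$Name, $Value, [string]$Type = 'String')
  $createdKey = $false
  $landed = $false
  try {
    if (-not (Test-Path $Path)) {
      New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
      $createdKey = $true
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
      -PropertyType $Type -Force -ErrorAction Stop | Out-Null
    $readback = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    $landed = ($readback -eq $Value)
  } catch {
    $landed = $false                    # refused: access denied, HIPS veto, etc.
  }
  # TowTruck-style cleanup: remove the value, and the key only if we created it.
  Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
  if ($createdKey) { Remove-Item -Path $Path -ErrorAction SilentlyContinue }
  return $landed
}

function Test-HostsChange {
  # Appends one comment-tagged line to hosts, checks it, then strips it again.
  $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
  $line  = "127.0.0.1 spycar-style-test.invalid # $Marker"
  $landed = $false
  try {
    Add-Content -Path $hosts -Value $line -Encoding ASCII -ErrorAction Stop
    $landed = ((Get-Content -Path $hosts) -contains $line)
  } catch {
    $landed = $false
  }
  if (Test-Path $hosts) {
    # Rewrite without our line; ASCII keeps the hosts file BOM-free.
    (Get-Content -Path $hosts) | Where-Object { $_ -ne $line } |
      Set-Content -Path $hosts -Encoding ASCII
  }
  return $landed
}

# Autostart tests: the value data is inert (cmd.exe /c exit) and is removed
# before any logon could run it.
foreach ($key in $RunKeys) {
  $label = ($key -replace '^(HK\w+):.*\\', '${1}_')       # e.g. HKCU_RunOnce
  $Results[$label] = Test-RegChange -Path $key -Name $Marker -Value 'cmd.exe /c exit'
}

# IE config change tests: home page lockout and tab removal via policy values.
foreach ($name in $IEValues) {
  $Results["IE-$name"] = Test-RegChange -Path $IEPolicy -Name $name -Value 1 -Type 'DWord'
}

# Network config change test.
$Results['AlterHostsFile'] = Test-HostsChange

# Score in Spycar's own wording.
foreach ($entry in $Results.GetEnumerator()) {
  $verdict = if ($entry.Value) { 'change allowed' } else { 'change blocked' }
  '{0} : {1}' -f $entry.Key, $verdict
}
```

Two caveats when reading the score. First, a test that is "blocked" only because the script lacked rights (HKLM and the hosts file need an elevated prompt) says nothing about the anti-spyware tool; run those tests elevated or drop them. Second, some real-time monitors treat changes made by a program the user has just consented to run differently from changes made by an unexpected process, so a "change allowed" result from a script you launched yourself is not the same as that tool letting a drive-by installer through; it tells you only that this particular change, made this particular way, was not stopped.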

JOSEPH
Re: "Spycar" anti-spyware test tool released
« Reply #2 on: May 06, 2006, 03:03:37 PM »
Excuse me, but doesn't this FREE program also perform at the same level? Mind you, SpyCar seems OK so far as the basics go, but then I don't find it much different from what's been around for what seems eons of time.
http://www.woundedmoon.org/win32/regtickpro.html
By the way, none of those even make it out of the gate with System Safety Monitor on duty! As they are INTERCEPTED!!!


Corrine (Administrator)
Re: "Spycar" anti-spyware test tool released
« Reply #3 on: May 06, 2006, 03:38:50 PM »
Quote
REGTICK is a simple Windows registry tweak tool which allows you to change many hidden settings about Windows itself and other applications.

It is FREEWARE.

Note:
Modifying the registry can cause serious problems, Use RegTick at your own risk!!!

SpyCar is a testing package, not a registry editor.


JOSEPH
Re: "Spycar" anti-spyware test tool released
« Reply #4 on: May 07, 2006, 12:32:32 AM »
1,195 hits on yet another Spycar topic being reviewed and discussed at Wilders

http://www.wilderssecurity.com/showthread.php?t=129548

BillPStudios (Visiting Expert, WinPatrol)
Re: "Spycar" anti-spyware test tool released
« Reply #5 on: September 04, 2006, 04:16:41 PM »
One of the problems with test programs is that programs like Ad-Watch, WinPatrol, etc. are frequently smart enough to know it's only a test.

It's kinda like the Star Trek episode where Data tried to prove the nanobots were alive, but they knew enough to beat the test.
Wow, now I really sound like a geek.

In this case, Scotty knows it's just a test program.

The Real-time Detection in WinPatrol does differentiate and will not warn you immediately if a test program that you allowed to run makes the change.
If we hooked into every registry change the system would crawl.

The methodology behind WinPatrol PLUS (R.I.D) is based on particular events which occur when programs try to execute or infiltrate your system. Manually editing the registry or changing program options may not trigger a R.I.D. alert but infiltrations by 3rd party programs will. This way you'll enjoy optimal performance during your normal computing tasks but Scotty will still wake up when significant changes have been made.

In our testing we hired a third party to infect their system based on well known infections.
The results are at http://www.winpatrol.com/rid.html

It's a shame that Consumer Reports and others are using test programs like Spycar. Of course, we may have done really badly, except that because WinPatrol doesn't advertise, it doesn't seem to make it into the mainstream magazine comparisons anyway.