Saturday, February 02, 2008

when is a PUP not a PUP?

when it hides itself...

i came across a post on the mcafee avert labs blog the other day talking about potentially unwanted programs adding 'rootkit' functionality and i was struck by the absurdity of it...

if a PUP is using stealth and taking steps to avoid detection, why are we bothering with the euphemistic classification of 'possibly unwanted program'?

that a program is possibly unwanted implies that there is also the possibly that it is wanted, but taking steps to avoid detection implies that the program's creators don't care if the user wants the program or not and are in fact anticipating that the user won't want it...

if the creators of the software don't genuinely believe people want their software, why are we giving them the benefit of the doubt? i can see some legitimate reasons for software to hide other things on a system (to protect them from uninformed alteration, for example) but i can't see any legitimate reason for a program to hide it's own presence...

i'm not going to call a spade a spade, i'm going to call it a god damned shovel - if what used to be called a potentially unwanted program has added stealthkit functionality then it's no longer a potentially unwanted program, it's fully fledged malware... not all spyware/adware/what-have-you qualified as potentially unwanted programs in the first place, it was always a very special and very tenuous distinction that applied only to the most benign instances... actively avoiding detection isn't the mark of something benign...

4 comments:

Anonymous said...

Sometimes we *have to* call something a 'PUP' even though we know its malicious. Mostly because of legal complications with ad/spyware companies.

kurt wismer said...

well i guess i can add that to my list of reasons why i'm glad i'm not part of the industry... i'm not bound by any such constraints...

Unknown said...

I wonder if attackers get mired in such 'theological' issues such as tiptoing around what to call programs or tools...or how many lawyers and stakeholders they have to suffice and get approval for all their whims and direction.

Oh wait... no, I don't really wonder all that much about something so obvious. :)

kurt wismer said...

@lonervamp:
yeah, that's one of those little asymmetries - good guys have to worry about rules and bad guys don't...