Problematic, Unloved and Argumentative: What is a potentially unwanted application (PUA)?



Similar documents
F-Secure Anti-Virus for Mac. User's Guide

F-Secure Anti-Virus for Mac 2015

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Malware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

BE SAFE ONLINE: Lesson Plan

COMPUTER-INTERNET SECURITY. How am I vulnerable?

Make it tight, protect with might, and try not to hurt anyone. Michael Johnson, MMPC

Top tips for improved network security

Malware & Botnets. Botnets

STOP. THINK. CONNECT. Online Safety Quiz

Saheel KHOYRATTY. Partner Technology Advisor

G DATA MOBILE MALWARE REPORT

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

Spyware. Summary. Overview of Spyware. Who Is Spying?

Real World and Vulnerability Protection, Performance and Remediation Report

Sophos Endpoint Security and Control Help

Spyware: Securing gateway and endpoint against data theft

Welcome to Part 2 of the online course, Spyware and Adware What s in Your Computer?

Countermeasures against Bots

Guideline for Prevention of Spyware and other Potentially Unwanted Software

F-Secure Internet Security 2012

ESET CYBER SECURITY PRO for Mac Quick Start Guide. Click here to download the most recent version of this document

F-Secure Mobile Security. Android

FAKE ANTIVIRUS MALWARE This information has come from - a very useful resource if you are having computer issues.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Sophos Endpoint Security and Control Help. Product version: 11

Sophos Enterprise Console policy setup guide. Product version: 5.2

WHITE PAPER. Understanding How File Size Affects Malware Detection

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

October Is National Cyber Security Awareness Month!

Security A to Z the most important terms

Don t Fall Victim to Cybercrime:

F-Secure Anti-Virus for Windows Servers. Administrator's Guide

Internet tools and techniques at this level will be defined as advanced because:

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

What you need to know to keep your computer safe on the Internet

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

ESET NOD32 Antivirus. Table of contents

Streamlining Web and Security

Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams. May TrustInAds.org. Keeping people safe from bad online ads

Internet threats: steps to security for your small business

No filter is perfect. But with your help, MailCleaner may aim at perfection. Case Description Solution

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

Top five strategies for combating modern threats Is anti-virus dead?

Cyber Security Awareness. Internet Safety Intro.

Countermeasures against Spyware

Network Security and the Small Business

Sophos Anti-Virus for Windows, version 7 user manual. For Windows 2000 and later

How to stay safe online

CSG & Cyberoam Endpoint Data Protection. Ubiquitous USBs - Leaving Millions on the Table

ANDRA ZAHARIA MARCOM MANAGER

Advanced Online Threat Protection: Defending. Malware and Fraud. Andrew Bagnato Senior Systems Engineer

Open an attachment and bring down your network?

The current case DNSChanger what computer users can do now

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ESET Mobile Security Business Edition for Windows Mobile

National Cyber Security Month 2015: Daily Security Awareness Tips

General Security Best Practices

Network Security. Demo: Web browser

Sophos for Microsoft SharePoint startup guide

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

Contents. McAfee Internet Security 3

F-Secure and Server Security. Administrator's Guide

What's the difference between spyware and a virus? What is Scareware?

Computer infiltration

How Do People Use Security in the Home

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

CHAPTER 10: COMPUTER SECURITY AND RISKS

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

7 Cs of WEB design - Customer Interface

McAfee Labs Combating Fake Alert infections. - Amith Prakash, Global Threat Response

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Module 5: Analytical Writing

Get Started Guide - PC Tools Internet Security

Security Practices for Online Collaboration and Social Media

G Data Mobile MalwareReport. Half-Year Report July December G Data SecurityLabs

Computer Viruses: How to Avoid Infection

ESET SMART SECURITY 6

Promoting Network Security (A Service Provider Perspective)

NOD32 Antivirus 3.0. User Guide. Integrated components: ESET NOD32 Antivirus ESET NOD32 Antispyware. we protect your digital worlds

AVG AntiVirus. How does this benefit you?

Business Phone Security. Threats to VoIP and What to do about Them

Transcription:

Problematic, Unloved and Argumentative: What is a potentially unwanted application (PUA)? Revised 11-29-2011 Aryeh Goretsky, MVP, ZCSE

Table of Contents Introduction 3 The formal definition 3 Here s a real-world example of such an application 3 PUAs in the home and office 3 Examples of PUA behavior 3 Potentially unwanted: It s your decision 5 Meet the potentially unsafe application 7 Conclusion 8 Author bio 8 References 9 2

Introduction This paper was started as the result of a rather innocuous request: A co-worker asked for an explanation of what the class of software ESET calls potentially unwanted applications (PUAs) also known as potentially unwanted programs (PUPs) or potentially unwanted software (PUS) does. While he was already familiar with the more well-known types of malicious software, such as computer viruses and worms, he wanted to understand the difference between the outright threats posed by these types of malware and those that are classified as being potentially a threat. So, with question that in mind, just what is a potentially unwanted application? The formal definition A potentially unwanted application (PUA) is a type of computer program and a set of associated behaviors (which we will discuss in more detail later). While a PUA may not perform the same type of malicious activities typically associated with computer viruses or worms such as causing damage to programs, altering data, spreading illicitly across network shares and so forth it may instead install additional unwanted software, change the behavior of the digital device, or perform activities not approved or expected by the user. Here s a real-world example of such an application: A company in a heavily regulated industry (such as banking or health care) may restrict its employees use of instant messaging (IM) due to regulatory concerns. To bypass this restriction, a new employee who wishes to chat with friends while at work brings in a USB flash drive with a portable instant messaging (IM) program on it. While free, the program is supported by advertising. It turns out that a criminal bought space on the advertising network used by the program, and uses a maliciously crafted advertisement to inject malware into the new employee s computer, which then acts as a springboard for stealing the company s intellectual property. PUAs in the home and office Potentially unwanted applications are not limited to the office. Imagine the following scenario: A child using a family computer downloads a utility program in order to add additional features to his or her instant messaging program. The child clicks through the program s installation process, ignoring the end user license agreement (EULA), and thus doesn t realize that installing the program will also install adware that monitors user behavior and displays targeted advertising, and that replaces standard search recommendations with paid search results. The adware may then go on to redirect search results to sites from which additional malicious software can be deployed. Examples of PUA behavior: Many types of program can be classified as potentially unwanted applications. Here are some of the most common reasons: Programs that install toolbars in the web browser. Such add-ons are not necessarily malicious, but if they install without clearly informing the user of their presence, don t offer the opportunity to opt out of installing, provide no means to effect a clean uninstall or fail to provide assistance with uninstalling; then they join the category of potentially unwanted applications. 3

Programs that contain an adware component but do not clearly indicate the presence of such a component or provide a method or instructions for removing the adware after the parent application has been uninstalled. Software of dubious quality and reputation, including programs that make outlandish, unverifiable and unsupportable claims about their efficacy and/or generate deceptive false-positive alarm reports of threats that do not exist in order to mislead people into purchasing something they do not really want or need. Sometimes such programs make claims so misleading that they actually border on or step across the border of outright fraud. Programs sold through spam and/or sold through rogue affiliate marketing networks that pay a commission based on software installations (the pay-per-install business model). Programs that make changes to web browser settings such as the default home page or search engine selection in an unannounced or otherwise deceptive fashion. Programs compressed with packers or protectors that are widely used (or abused) by malicious software. Legitimate programs that are misused by malware to perform malicious activities. The latter case is interesting because it involves a program that is legitimate, or that might at least otherwise normally be classified as a potentially unsafe application (a category we will discuss further on). In these instances, a program that has legitimate uses has been surreptitiously installed onto a computer by other malware in order to perform a clandestine activity. Examples include programs that perform such activities as remote administration, process management and Bitcoin mining. While none of these actions may itself qualify as unwanted activity by the computer user, when a specific version of such as program is installed by malware to such an extent that its presence stands a good chance of indicating an infection, it is classified as a PUA. This provides the user with an opportunity to be alerted to the presence of additional malicious software that might otherwise be undetected. Programs that fall into this category are subject to careful scrutiny: If only one particular version of a program is widely distributed by malware, ESET will only classify that particular version as a PUA. If, on the hand, multiple versions of the program are used by malware, it may be necessary to flag all versions of the program, including future versions. Another emerging case is the use of software wrappers. A software wrapper is a program that wraps or encapsulates another program. The technology itself is not new and has been used for various purposes over many years. Back during the DOS era, parasitic file-infecting viruses commonly infected their host files by prepending and/or appending malicious code to them, and runtime file packers have also been used to compress executable files to make them smaller or resistant to reverse engineering. However, unlike a computer virus, software wrappers have no replicating component, and unlike a runtime packer, they do not seek to compress or obfuscate the original program file. What software wrappers do have, though, is a potentially unwanted application as their payload, which means they install a program or perform an activity such as those described, above. While this makes software wrappers de facto members of the potentially unwanted application family, it is important to distinguish between the two components: The PUA, in this case, is the software wrapper, not the encapsulated program, which may be a legitimate application. It is also important to note that in most instances, software wrappers are not applied by the original developer of a program but rather by someone seeking to benefit from distributing it for download and installation. Of course, because any program can, in theory, be wrapped, it is possible we might one day come across a PUA that has been wrapped in another PUA. These, then, are some of the most frequently observed types of potentially unwanted programs. But it is important to keep in mind that there are additional reasons for classifying a program as potentially unwanted. More examples can be found in Robert Lipovský, Daniel Novomeský and Juraj Malcho s paper from the Virus Bulletin 2011 Conference, Fake but Free and Worth Every Cent. 1 4

Potentially unwanted: It s your decision There are some situations in which a person may consider that the benefits of a potentially unwanted application outweigh its risks, and this is the reason ESET antivirus software assigns such applications to a lower-risk category than other types of malicious software, such as trojans or worms. In fact, ESET s antivirus software requires the user to determine whether potentially unwanted applications should be looked for when the security program is installed. (See Figure 1.) Figure 1: PUA detection configuration 5

This is not a permanent option, and can be toggled on and off as the user desires. For instructions, see ESET Knowledgebase article # 2198, How do I configure my ESET security product to detect or ignore unwanted or unsafe applications? 2 Additionally, ESET users are able to decide what actions should be taken upon detection of a potentially unwanted application. (See Figure 2 for a simulated screenshot.) Figure 2: Detection of a PUA Clicking on the Show Advanced Options item allows the user to white list (ignore) programs categorized as lower-risk threats so they may run on the computer. 6

Meet the potentially unsafe application Closely related to potentially unwanted programs are potentially unsafe applications. This classification may include illegal software or software from unknown or untrustworthy vendors, but is generally applied where use is commonly accepted and is only a cause for concern in certain specific situations, such as when deployed by malware or used by a person with malicious intent. Potentially unsafe applications include the following: Software cracking tools and license key generators: These programs may be used to bypass copy protection. In some cases, this may be permissible (for example, if the software author is no longer in business). Hacking tools: These programs are used to compromise a digital device or network. A company might want to restrict access to such programs to security personnel. Product key finders: Typically, a user will never have to enter the serial number for software after it has been installed if the software was pre-installed with the computer, he or she may not even know the serial number. There are times, though, when it may be necessary to look up a serial number, such as when hardware is being replaced. However, such programs might be misused to steal serial numbers for software. Remote control programs: A company s IT department might use this type of program to access a computer in a server room or repair a computer at a remote location, but they might not want their other employees to run such programs, which are, for instance, commonly used by fake support service centers. Software that displays advertising: This sort of software (i.e., adware) can feature advertising, possibly through a toolbar, or change the displayed pages or search query results in a web browser. This may or may not be acceptable to the user. These examples are mainly geared towards inappropriate software use in a business environment; however, they also may be relevant in the home. 7

Conclusion Malicious software has long since moved beyond traditional black or white, malicious or innocent, and has instead adopted varying shades of gray. Determining when to classify a program as being either unwanted or unsafe can be particularly challenging, because a researcher has to look not just at what a program does, but what the intent is behind it. Business, ethical and legal questions come into play, too. For more information on this, I refer you to the head of ESET s virus lab, Juraj Malcho, who discussed this thoroughly in his virus conference paper from VB2009, Is there a lawyer in the lab? 3 Recognizing that users may have legitimate reasons to occasionally run programs whose use might normally be considered questionable, ESET antivirus software allows for maximum flexibility in regards to filtering PUAs. For additional information on potentially unwanted applications, I would suggest looking at our previous blog entry on potentially unwanted applications 4, as well as reading Wikipedia s entry 5 on potentially unwanted applications and this description 6 from Virus Bulletin magazine. If you are interested in some other categories of threat detected by ESET s software, the glossary in ESET Knowledgebase Article # 186, Viruses and other malware defined 7, is an excellent starting point. A special thanks to my colleagues David Harley and Daniel Novomeský for their assistance with this article. If you have any questions or feedback, please feel free to contact us via the AskESET@eset.com mailbox. Author bio Aryeh Goretsky holds the position of Distinguished Researcher at global security provider ESET, where he is responsible for a variety of activities, including monitoring the threatscape, investigating technologies, working with ESET s developers, QA and support engineers, and liaising with other research organizations. He was the first employee at McAfee and is a veteran of several software and networking companies, including instant messaging pioneer Tribal Voice and VoIP hardware manufacturer Zultys Technologies. He is the recipient of Microsoft s Most Valuable Professional Award for contributions to making computing safer. 8

References 1. Lipovský, R., Novomeský, D. and Malcho, J. Fake but Free and Worth Every Cent. Proceedings of the 21st Virus Bulletin International Conference. 2011: http://go.eset.com/us/resources/white-papers/fake_but_free.pdf 2. ESET Knowledgebase article #2198, How do I configure my ESET security product to detect or ignore unwanted or unsafe applications? http://kb.eset.com/esetkb/index?page=content&id=soln2198 3. Malcho, J. Is there a lawyer in the lab? Proceedings of the 19th Virus Bulletin International Conference. 2009: http:// go.eset.com/us/resources/white-papers/lawyer_in_the_lab.pdf 4. ESET Threat Blog: http://blog.eset.com/?s=possibly+unwanted 5. Wikipedia, Privacy Invasive Software : http://en.wikipedia.org/wiki/potentially_unwanted_application 6. Virus Bulletin, Possibly Unwanted : http://www.virusbtn.com/resources/glossary/potentially_unwanted.xml 7. ESET Knowledgebase Article # 186, Viruses and other malware defined : http://kb.eset.com/esetkb/ index?page=content&id=soln186 9

www.eset.com ESETPUAWP20111129 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information