One lesson I remember learning during my teen years was the world is really shades of gray, not so much the black and white it seems when you’re younger. The same principal applies to malware, what really is…bad? If an AV scanner asks for payment before clears your spyware cookies and removes other fake AV installs is it malware? What if separate 3rdparty affiliates install it w/o your or manufacturer’s permissions, through an exploit, social engineering, or by forcing you to opt-out? What if they steal other companies detection DBs as in the iobit and malwarebytes saga? Apple installs file sharing software (Bonjour) w/o notification and with opt-out techniques (Google Toolbar, Quicktime) when installing iTunes. Does that make Apple a spyware purveyor? Again, shades of gray.
So what is the user/IT tech to do? Well there’s no easy answer, and in my humble opinion you have to trust but verify with research. Check already trusted forums/websites of whitehats and coworkers along with other trusted IT user’s opinions. In short, do your homework before installing any software on your machine.
Along these lines an interesting thing happened while I was dealing with a small outbreak of Vundo.Trojan at work. Our AV vendor didn’t detect the sample yet so I recommended for the IT staff to install update and run malwarebytes in safemode. For various reasons one infected computer had no immediately available IT rep so it was left up to the user. When getting to the download link he was tricked by a deceptive (my opinion) advertisement on download.com (Right hand “Bad Link” in screenshot below) to install a “shades of gray” program called CyberDefender instead of malwarebytes (a trusted whitehat community supported malware scanner).
Some issues that make me dubious to install the software…
- Inflates the severity of the findings (ie. Detected sysinternals processmonitor as a HIGH risk)
- Opens a high tcp port and listens on it. (In 2 separate installs and 1 reboot on a clean VMware image I saw 1stcdas.exe listening on tcp/5710, 2ndcdas45.exe on tcp/5754, and 3rdon reboot saw tcp/5779 (from THE SAME installer file))
- Advertises with shady deceptive ads
- Finds different threats with a program uninstall/reinstall and subsequent rescan with Cyberdefender
- Offered me to buy the product for 250.00 after an add/remove programs uninstall (clearly a ripoff)