An interesting comment turned up today on my "Malware du Jour" blog entry at Securiteam (http://blogs.securiteam.com/index.php/archives/1121). The poster asked a couple of questions, based on content from the ESET mid-year Global Threat Report, one of which was ‘How do you define "possibly unwanted applications [PUAs]?"’
My first thought was to refer him to the definition on our own web pages, but I couldn’t actually find one, so that’s something I’ll be addressing forthwith. My second thought was to refer him to the vendor-neutral definition on the Virus Bulletin site, which I did. Good though that is, however, for me it lacks a dimension. There’s an essential distinction to be made between PUAs and other forms of adware and spyware, largely based on the existence and validity of a corresponding EULA (End User License Agreement).
In general, a PUA has some functionality that might just be considered useful by the PC user. Alternatively, the PUA is installed as part of the installation/configuration process for another package that the PC user consciously wants to install: in such a case, the user might accept the intrusive activities of the PUA as a trade-off against the advantages of installing the primary package. Characteristically, the package or packages will include some indication of the intrusive, privacy-compromising, or other less-desirable functionality, though it’s likely to be buried deep in the EULA where the user is less likely to notice it (and it is not necessarily fully informative about what a nuisance that functionality is likely to be in practice!).
There is a (sometimes rather hazy) line where we can stop giving a program the benefit of the doubt as being "possibly unwanted" and categorize it as an out-and-out Trojan horse. Some examples of this include:
Before I was assimilated by the anti-malware industry, I regarded the PUA/PUP category as a slightly weaselly way of saying "This describes something you really don’t want on your machine but we’re at risk of legal action if we describe it as malicious." However, the last thing a hard-pressed security company needs is to be harassed by crooks with smart lawyers. And the sad fact is that some people may see usefulness in something that most of us hate with a passion: otherwise, no-one would ever respond to spam…