An interesting comment turned up today on my "Malware du Jour" blog entry at Securiteam (http://blogs.securiteam.com/index.php/archives/1121). The poster asked a couple of questions, based on content from the ESET mid-year Global Threat Report, one of which was 'How do you define "possibly unwanted applications [PUAs]"?'

My first thought was to refer him to the definition on our own web pages, but I couldn't actually find one, so that's something I'll be addressing forthwith. My second thought was to refer him to the vendor-neutral definition on the Virus Bulletin site, which I did. Good though that is, however, for me it lacks a dimension. There's an essential distinction to be made between PUAs and other forms of adware and spyware, largely based on the existence and validity of a corresponding EULA (End User License Agreement).

In general, a PUA has some functionality that might just be considered useful by the PC user. Or else the PUA is installed as part of the installation/configuration process for another package that the PC user consciously wants to install: in such a case, the user might accept the intrusive activities of the PUA as a trade-off against the advantages of installing the primary package. Characteristically, the package or packages will include some indication of the intrusive, privacy-compromising, or other less desirable functionality, though it's likely to be buried deep in the EULA where the user is less likely to notice it (and it is not necessarily fully informative about what a nuisance that functionality is likely to be in practice!).

There is a (sometimes rather hazy) line where we can stop giving a program the benefit of the doubt as being "possibly unwanted" and categorize it as an out-and-out Trojan horse. Some examples of this include:

  • When it doesn't give any indication whatsoever of the undesirable functionality it includes: for example, when a DNS (Domain Name System) lookup utility or search engine is compromised so that the PC user can only access the sites that a remote attacker wants him to access.
  • When the program is associated with unequivocally malicious or fraudulent activity such as the "infection" of other PCs, or the dissemination of phishing messages.
  • When the program pushes its own agenda, or rather that of its creator or a remote attacker (bombarding the system with advertising material such as pop-up messages, using it as a conduit for the distribution of spam or malware, fake "anti-spyware" packages, and so on) so that the PC owner is unable to use his system for his own legitimate purposes. A prime example is Virtumonde, which isn't noted for giving the victim any choice about installation, is made deliberately difficult (even unsafe) to remove, and hits an affected PC with so much garbage that it becomes effectively unusable.

Before I was assimilated by the anti-malware industry, I regarded the PUA/PUP category as a slightly weaselly way of saying "This describes something you really don't want on your machine, but we're at risk of legal action if we describe it as malicious." However, the last thing a hard-pressed security company needs is to be harassed by crooks with smart lawyers. And the sad fact is that some people may see usefulness in something that most of us hate with a passion: otherwise, no one would ever respond to spam...

David Harley
Director of Malware Intelligence