Senior Editor, Network World

Spyware sharing and analysis group planned

Jan 30, 2006 | 3 mins

Security vendors that have long shared virus samples and specimens to identify them in a common way now say they want to try and apply similar procedures to spyware, which could run the gamut from malicious keyloggers to controversial adware.

McAfee, Symantec, Trend Micro, ICSA Labs and Thompson Cyber Security Lab are spearheading the effort to come up with common methodologies to share and define spyware samples. Common naming structures could eventually make it easier for customers of anti-spyware products to get a clearer understanding of the protection the products provide, say supporters of the effort.

“It would make it easier to communicate about specific threats,” says Joe Telafici, director of operations at McAfee’s Avert Labs research arm. For well over a decade, McAfee has shared virus specimens with competitors that include Symantec. Much of this sharing and analysis of virus samples is carried out by a small circle of researchers with expertise and speed in identifying new forms of malicious code so that the anti-virus industry could react quickly to a new virus or worm outbreak.

This collaboration on virus specimens contrasts with the less-friendly marketplace where anti-virus vendors compete fiercely to win customers, especially since running more than one anti-virus product on a single desktop usually produces technical conflicts and system crashes.

Larry Bridwell, content security programs manager at ICSA Labs, a division of Cybertrust, said today’s announcement is simply a “call to action” to share samples and analysis on spyware in a manner similar to anti-virus.

He acknowledged the situation with spyware presents some obstacles such as the fact that adware sometimes is packed with legal “end-user licensing agreements” (EULAs) that may prohibit code-sharing.

Nevertheless, the security vendors backing the effort on sharing spyware samples intend to meet the day after the Anti-Spyware Coalition meeting on Feb. 9 in Washington, D.C. to discuss the logistics and possibilities of spyware code-sharing and analysis.

Bridwell noted that the Anti-Spyware Coalition, sponsored by Washington-based Center for Democracy and Technology, has had the mission of defining spyware in linguistic terms and as a threat but doesn’t get involved in actual code-sharing and analysis.

“This is the first time we’ve tried to get organized in this way as far as spyware goes,” said Bridwell.

However, several anti-spyware vendors, especially smaller firms that focus on spyware and have less to do with anti-virus, have expressed reluctance in the past to share their samples and analysis techniques with McAfee and Symantec, both traditional anti-virus vendors making a huge push into spyware protection.

Alex Eckelberry, president of Clearwater, Fla.-based Sunbelt Software, which markets enterprise anti-spyware software, expressed a preference “to maintain our independence.”

He added, however, that Sunbelt would want to “maintain friendly relations with such groups.”

Eckelberry said this new group launched by the “anti-virus community” did not consult with the “anti-spyware community.”

“This was done in a vacuum,” he said.

In the past, the up-and-coming anti-spyware vendors have kept their research secret and occasionally admit they harbor suspicions that the traditional anti-virus vendors simply want to grab their ideas.

Eckelberry today expressed distrust, saying the group “appears to be a clever attempt by the anti-virus community to gain credibility in a market that most have historically been behind in: spyware.”