The Spycar Project
What is Spycar?
Spycar is a suite of tools designed to mimic spyware-like behavior, but in a benign form.  Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool.   Spycar runs only on Windows, the same platform most targeted by spyware developers.
 
Why did you create Spycar?
Many anti-spyware tools put all of their eggs in the signature basket.  That is, the vendor detects spyware by including thousands of signatures looking for specific sequences of bits on your hard drive or in memory.  Behavior-based detection, another approach, lets anti-spyware stop malicious software based on its actions, not a specific set of signatures.  We wanted to see how anti-spyware tools could cope with new spyware for which they didn’t have a signature.  In our own laboratory, we tested a bunch of enterprise anti-spyware tools, and found that their behavior-based defenses were seriously lacking.  As long as no signature has been defined for a given piece of spyware, a lot of anti-spyware tools offer virtually no protection.  We wanted to give you a chance to evaluate your own anti-spyware tool, so we released Spycar.
 
Is Spycar evil?
No.  Every change made by Spycar is benign, designed simply to measure whether your anti-spyware tool can block or detect the change.  Furthermore, Spycar includes a scorebot/clean-up application that tells you how well your anti-spyware tool defended you, and automatically undoes every alteration made by Spycar.  And, remember, these alterations are all benign, and will not impact the way your machine works.
 
Who made Spycar?
Spycar is an outgrowth of a research project at Intelguardians Labs.  Ed Skoudis came up with the idea and the name, but Tom Liston did the actual implementation, taking the wacky idea and making it real.  Mike Poor did all of the infrastructure work.
 
Why did you call it Spycar?
Spycar, the name, is in homage to the venerable EICAR anti-virus test file.  This file was a historic project, created by CARO and published by EICAR.  If your AV product does not alert you in the presence of the EICAR file, your anti-virus tool isn’t functioning properly (or it was not designed to detect the EICAR file, which is highly unlikely for any modern anti-virus tool).  In honor of the fine work of CARO and EICAR, we called our anti-spyware testing tool Spycar.
 
It is vital to note that the Spycar suite and the EICAR file are different types of things.  Spycar is NOT an EICAR file for evaluating anti-spyware tools.  The EICAR file can be used to verify that your anti-virus tool is alive and running.  Spycar tests behavior-based alerting and blocking.  Consider this analogy to illustrate the difference.  You’ve got a smoke detector, and you want to see if it is working.  The EICAR file is like the big red test button on the smoke detector.  When you push the button, the smoke detector beeps, telling you that the battery is charged and everything seems to be working properly.  Using Spycar, on the other hand, is more akin to blowing smoke into the smoke detector, then lighting a match by it, and so on.  With Spycar, you are using a tool that mimics the behavior of a real fire (again, in a benign fashion) to see if your smoke detector is protecting you.
 
Is Spycar a Comprehensive Test of Anti-Spyware Tools?
No.  Spycar models some behaviors of spyware tools to see if an anti-spyware tool detects and/or blocks them.  But, spyware developers are very creative, adding new and clever behaviors all the time.  Spycar tests for some of these common behaviors, but not all.  Also, with its behavior-based modeling philosophy, Spycar does not evaluate the signature base, the user interface, and other vital aspects of an anti-spyware tool.  Thus, Spycar alone cannot be used to determine how good or bad an anti-spyware product is.  We’ve used it to find several gaps in anti-spyware product defenses, but Spycar is but one tool for analyzing one set of characteristics of anti-spyware products.  A comprehensive review of anti-spyware tools should utilize a whole toolbox, of which Spycar may be one element.  Ed Skoudis and Tom Liston wrote an article for Information Security Magazine comparing various enterprise anti-spyware tools, and Spycar was a small subset of our more comprehensive tests.  You can see that article here.
 
What’s New with Spycar?
Spycar was initially released on May 4, 2006.  We’ll be adding new modules to it for additional tests over the next several weeks.  At its inception, Spycar performs 17 different tests associated with Autostart Programs, IE Config Changes, and Network Settings changes.  All Spycar tests focus on Windows machines, the most popular target for spyware today.
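To make the test-and-undo pattern concrete, here is an added PowerShell sketch in the spirit of the Autostart and IE Config tests above, paired with the scorebot-style clean-up described earlier.  It is not Spycar's own code; the test names, the marker value names and the data written are assumptions, and it only measures whether a change was blocked (whether the tool also alerted you must be read from the tool itself).

```powershell
# Added example, not part of Spycar. Each test makes one benign registry change
# of a kind spyware commonly makes, re-reads the value to see whether the
# anti-spyware tool let it stand, then restores the original state.
$tests = @(
    @{ Name  = 'Autostart: HKCU Run entry'      # assumed test name
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Value = 'SpycarLikeBenignTest'           # assumed marker name
       Data  = "$env:SystemRoot\System32\notepad.exe" },
    @{ Name  = 'IE config: start page'
       Path  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Value = 'Start Page'
       Data  = 'http://example.invalid/spycar-like-test' }  # assumed marker
)

function Invoke-BenignTest($t) {
    if (-not (Test-Path $t.Path)) {
        return [pscustomobject]@{ Test = $t.Name; Result = 'SKIPPED (key missing)' }
    }
    # Remember what was there so the clean-up step can put it back exactly.
    $had = $false; $orig = $null
    $existing = Get-ItemProperty -Path $t.Path -Name $t.Value -ErrorAction SilentlyContinue
    if ($null -ne $existing) { $had = $true; $orig = $existing.($t.Value) }
    try {
        # A blocking tool may refuse the write outright or silently revert it,
        # so the verdict comes from re-reading the value, not from the write call.
        Set-ItemProperty -Path $t.Path -Name $t.Value -Value $t.Data -ErrorAction Stop
        Start-Sleep -Milliseconds 500   # give real-time protection time to react
        $now = (Get-ItemProperty -Path $t.Path -Name $t.Value -ErrorAction SilentlyContinue).($t.Value)
        $result = if ($now -eq $t.Data) { 'NOT BLOCKED' } else { 'BLOCKED' }
    } catch {
        $result = 'BLOCKED (write refused)'
    } finally {
        # Scorebot-style clean-up: undo the alteration whatever the outcome.
        if ($had) { Set-ItemProperty -Path $t.Path -Name $t.Value -Value $orig }
        else { Remove-ItemProperty -Path $t.Path -Name $t.Value -ErrorAction SilentlyContinue }
    }
    [pscustomobject]@{ Test = $t.Name; Result = $result }
}

$tests | ForEach-Object { Invoke-BenignTest $_ } | Format-Table -AutoSize
```

Run it in a PowerShell session on a test machine with the anti-spyware tool's real-time protection enabled; a tool that only logs the change will show NOT BLOCKED here even though it detected the change.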
 
How can I get to Spycar?
First, you’ll have to agree to some words from our lawyer.  Click here to take a step closer to Spycar.