How do you determine if an app is safe or evil?
Link Logger @ 30th Oct 03:53AM:
How do you determine if an app is safe or evil?
In an effort to avoid hijacking another thread I'm going to suggest we split off the discussion of how do you prove or disprove that an app is malicious or not.
Lots of people make claims that apps are safe or malicious, but what do they base such claims on: facts, personal experiences, hearsay, like/dislike for a particular company, technology etc.? Now some people might not have noticed but I'm typically a believer in social systems (as bad as they might be, they often exist because nothing better is available), and this applies somewhat to my approach to applications (i.e. an app is innocent until proven guilty, but to do that we must prove an absence of guilt as that is the only way to prove innocence; burden of proof is on the prosecutor, not the defendant, but of course if the defendant has a rap sheet in the software world then we don't use any of their software, case closed).
So what do I do when I get a new application that I/we might want to use. First certainly I consider the source of the application and if I have any personal experience with that developer, and secondly other people's comments (of course I consider the apparent credibility of the source, see below). If a second party makes a claim about an app, I then seek evidence to back their claim as IMHO too many people in IT (including IT spectators) just spew BS for BS reasons, which is hugely wasteful as then I have to spend time figuring out if it's a valid claim or just someone wearing too much tin foil etc., or if perhaps there are valid circumstances around their claim which may or may not apply to our situation.
Next, depending on the application and the risk factor involved, we will pen test the app ourselves and monitor its installation impact (i.e. what does it install and where, what/when/where/how stuff is started etc.; also a good time to scan the heck out of it with X virus scanners etc. and see if any of them report it as evil), and monitor its execution (i.e. what files does it touch, what network activity etc.; I might even consider fuzz testing it or using other tools to poke it to see how it reacts). This is also when we test its functionality and ultimately suitability for our needs (including other forms of testing including load testing etc.). Now certainly virtual machines have dropped the bar for applications entering pen testing as it used to be a real hassle setting up real machines and networks for testing (I've had companies in the past where we had multiple labs doing nothing more than testing), long live virtual machines. Now if an app is really 'interesting' etc. I might pop the hood on the code and take a look at the exe, disassemble it, reflect it, whatever the technology it was written in requires to explore the app.
If an app passes these requirements we might decide to deploy or likely limited deploy in a test environment again monitoring various activities (including updates etc).
Now the point is after all of this is the application truly 100% safe, not a chance, but this is a fact of reality, that there is no way to prove an application is safe, but we have tested enough to claim due diligence. If someone knows of a way to prove an app 100% safe, I'd love to hear about it and build a company around that as I could use another gazillion dollars which is what the company would make being the only one in the world who could do this. So the assumption is that an app is safe (otherwise we would just skip it altogether, unless we are just feeling playful and wanted to experiment with evil which can be fun in and of itself), and then see if we can prove it unsafe, hence in the end all we can say about an app is based on our experience and testing (which being bound by reality is limited), the application appears to be safe (ie innocent until proven guilty).
Now this is why I hate unsubstantiated claims as to whether software is malicious, as then I have to look for evidence for their claim and often I can find nothing. So for example when I hear people claim that Sysinternals' tools have become malicious since they were taken over by Microsoft, and I can find no evidence and my own testing isn't able to find evidence of this either, then ultimately their claim has resulted in little more than a huge waste of my time and resources and marks that source of information as a write-off in the future.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
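The install-impact monitoring described in the post above (what gets written where, what gets started, what starts listening) is easy to make repeatable: snapshot the box, install, snapshot again, diff. The following is an added example written for this thread, not code from any poster or product. It keeps each snapshot as plain dicts; only the file collector actually touches the machine, while the service, autorun and listener maps are whatever you gathered with your platform tool (sc query, autorunsc, netstat -ano) and are constructed sample data here. The file and service names in the sample are hypothetical.

```python
"""Install-impact snapshot and diff.

Added example for the procedure in the post above; not code from the thread.
Snapshot what the posts say to watch (files, services, autoruns, listening
sockets) before and after an install, diff, and flag changes worth reading.
Only snapshot_files() touches the machine; the other maps are collected with
whatever tool you prefer and are constructed here.
"""
import hashlib
import os

CATEGORIES = ("files", "services", "autoruns", "listeners")
EXECUTABLE_EXT = (".exe", ".dll", ".sys")


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_files(roots):
    """Map every regular file under the given roots to its SHA-256 digest."""
    out = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    out[path] = sha256_file(path)
                except OSError:
                    pass  # vanished or unreadable; a baseline tolerates that
    return out


def diff_maps(before, after):
    """Return (added, removed, changed) keys between two {key: value} maps."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted(k for k in after if k in before and after[k] != before[k])
    return added, removed, changed


def diff_snapshots(before, after):
    """Diff each category; a missing category counts as empty."""
    return {c: diff_maps(before.get(c, {}), after.get(c, {})) for c in CATEGORIES}


def flag_findings(delta):
    """Heuristics over the diff: things to go and read, not verdicts."""
    findings = []
    added_files, _removed, changed_files = delta["files"]
    for p in added_files:
        low = p.lower().replace("\\", "/")
        if low.endswith(".sys"):
            findings.append(f"new kernel driver written: {p}")
        elif low.endswith(EXECUTABLE_EXT) and "/system32/" in low:
            findings.append(f"new executable under system32: {p}")
    for p in changed_files:
        if p.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"existing executable modified (PE patched?): {p}")
    for name in delta["services"][0]:
        findings.append(f"new service installed: {name}")
    for key in delta["autoruns"][0]:
        findings.append(f"new autorun entry: {key}")
    for ep in delta["listeners"][0]:
        findings.append(f"new listening socket: {ep}")
    return findings


# Constructed before/after snapshots standing in for two real collection runs.
# Digests are shortened placeholders; snapshot_files() yields 64 hex chars.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = {
    "files": {
        r"C:\Windows\System32\drivers\tcpip.sys": "a1",
        r"C:\Windows\System32\notepad.exe": "b2",
    },
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    "autoruns": {RUN + r"\ctfmon": r"C:\Windows\System32\ctfmon.exe"},
    "listeners": {"TCP 0.0.0.0:135": "svchost.exe"},
}
AFTER = {
    "files": {
        r"C:\Windows\System32\drivers\tcpip.sys": "a1",
        r"C:\Windows\System32\notepad.exe": "b9",            # changed in place
        r"C:\Windows\System32\drivers\demoguard.sys": "c3",  # hypothetical driver
        r"C:\Program Files\Demo\demo.exe": "d4",             # hypothetical app
    },
    "services": {
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
        "DemoSvc": r"C:\Program Files\Demo\demosvc.exe",     # hypothetical service
    },
    "autoruns": {
        RUN + r"\ctfmon": r"C:\Windows\System32\ctfmon.exe",
        RUN + r"\DemoTray": r"C:\Program Files\Demo\demo.exe",
    },
    "listeners": {"TCP 0.0.0.0:135": "svchost.exe", "TCP 0.0.0.0:31337": "demo.exe"},
}


def demo():
    """Findings for the constructed snapshots above."""
    return flag_findings(diff_snapshots(BEFORE, AFTER))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the constructed data this reports the new .sys driver, the modified notepad.exe, the new service, the new Run entry and the new listener on 31337, while the new demo.exe under Program Files is not flagged on its own. Run snapshot_files() over the directories an installer can reach (Program Files, Windows, the user profile) before and after, and keep the VM snapshot so the "after" state can be discarded.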
nwrickert @ 30th Oct 08:01AM:
Re: How do you determine if an app is safe or evil?
Thanks. Good post.
Yes, in general, it is very difficult to tell whether a program is safe. Recommendations by people who have proven trustworthy can be useful. If the program is an application with no special privileges, and run only as a limited user, then I won't be as concerned as I will be with software that runs with greater privileges.
So for example when I hear people claim that Sysinternals' tools have become malicious since they were taken over by Microsoft, ...
When I hear that kind of comment about software I take it as really saying, in exaggerated language, that the person is unhappy with the current version of the software.
It's unfortunate that people use such exaggerated language. But when they are angry their emotions sometimes overrule their reason. If they provide credible documentation that the program is malicious, I might then take it a bit more seriously.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.14
dave @ 30th Oct 09:34AM:
Re: How do you determine if an app is safe or evil?
I use pretty much the same procedure I use when buying anything: read reviews and comments.
Sure, commentators can be biased, be clueless, etc., but I think you can get a good sense of how trustworthy they are by examining their commentary in general.
I suppose someone, somewhere, has to do the primary research. I guess you're one of those someones. Thanks on behalf of the rest of us.
anon @ 30th Oct 11:24AM:
msg deleted
deleted by a moderator
caffeinator @ 30th Oct 11:53AM:
Re: How do you determine if an app is safe or evil?
I'm no coder, so I can't look at it from that perspective.
But, if I'm in doubt...
1. google around for issues people may have had
1a. decide on risk vs need.
2. send to VirusTotal BEFORE installing if it's small enough
3. scan the heck out of it before installing if it's not.
4. disable Internet while installing and watch for hinky connections.
5. use Winpatrol, ProcessMonitor and TCPview to monitor during/after install for activity and new services or processes.
That's about it.
--
My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages
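Steps 2 and 3 above (VirusTotal if the file is small enough, otherwise scan it locally) and the hash check other posters mention share one prerequisite: knowing the file's digest. VirusTotal keys its reports on the digest, so a file too large to upload can still be looked up by its SHA-256 without sending the binary anywhere. The following is an added example, not code from this thread: it hashes a download once with the common algorithms, works out which one the vendor published from the digest length, compares in constant time, and warns when the only published digest is MD5 or SHA-1. The sample file it writes is a constructed stand-in for a downloaded installer.

```python
"""Verify a download against a published digest before installing.

Added example, not from the thread. Detects which algorithm the vendor
published from the digest length, hashes the file once with every
candidate, and compares in constant time. The same digests are what
VirusTotal keys its reports on, so a large file can be looked up by
sha256 instead of uploaded.
"""
import hashlib
import hmac
import os
import tempfile

DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digests(path, chunk=1 << 16):
    """One pass over the file, all candidate digests at once."""
    hashers = {name: hashlib.new(name) for name in DIGEST_ALGOS.values()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, published):
    """Return (ok, algo, note); 'published' is the hex string the vendor posted."""
    expected = published.strip().lower().replace(" ", "")
    algo = DIGEST_ALGOS.get(len(expected))
    if algo is None:
        return False, None, f"unrecognised digest length {len(expected)}"
    if any(c not in "0123456789abcdef" for c in expected):
        return False, algo, "published digest is not hex"
    actual = file_digests(path)[algo]
    ok = hmac.compare_digest(actual, expected)
    if not ok:
        return False, algo, "MISMATCH: do not install"
    if algo in ("md5", "sha1"):
        # A match on a collision-prone digest proves less than it looks like.
        return True, algo, f"matches, but {algo} is collision-prone; ask for sha256"
    return True, algo, "ok"


def write_sample(data=b"MZ\x90\x00 constructed sample, not a real installer\n"):
    """Constructed sample file standing in for a downloaded installer."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    sample = write_sample()
    digests = file_digests(sample)
    print("sha256 to look up on VirusTotal:", digests["sha256"])
    print(verify_download(sample, digests["sha256"]))
    print(verify_download(sample, digests["md5"]))
    print(verify_download(sample, "00" * 32))
    os.remove(sample)
```

A published digest only moves trust from the binary to the web page it was read from; if both came over the same channel from the same host, a mismatch still tells you something, but a match does not prove much about the vendor. It does reliably catch a download that was corrupted or swapped on a mirror, which is the case these steps are for.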
Rebirth @ 30th Oct 12:48PM:
Re: How do you determine if an app is safe or evil?
Good question.
Even if software is quite, or even well known, it doesn't automatically make it safe or bad.
Here's an example of a fairly new app written by someone most of us had never heard of before.
PE GUARD V1.2 : A new program, to protect your exe files from viruses, also it will protect you from rootkits/new viruses with no updates needed;).
»opaida.110mb.com
As you can see from the www screenie it might not inspire confidence straightaway. If you discovered it from somewhere like softpedia you might be more likely to trust.
»www.softpedia.com/get/Antivirus/···RD.shtml
PE GUARD description
A handy application that protects your executable files from virus infections, with no updates needed.
PE GUARD is a small program that protects you from:
· A virus/program trying to copy itself to your PC.(POWER mode only)
· A virus/program trying to inject itself into one of your PE(Portable Executable) files.(POWER & NORMAL mode)
· Any rootkit/program trying to write a new Driver (.sys) file in your PC. (POWER mode only)
How do I use PE GUARD ?
When an alert appears, the user can choose one action from three available actions:
· "ALLOW": Allow the process to get write access to the requested file.
· "REVOKE WRITE ACCESS": The process is allowed only to get read access to the requested file.
· "PREVENT ANY ACCESS": Send Access Denied to the process.
Even then it's wise to try and check up some more, if you could ?
But i and others first discovered it on Wilders which has a good reputation for trying/testing new apps.
»www.wilderssecurity.com/showthre···=peguard
Sometimes you just get a good feeling about things and trust on intuition based on previous experiences. I haven't been disappointed with it either, as it's a worthwhile lightweight addition.
Also take ALL those ARKs (AntiRootKits) that have appeared in the last 4-5 years, written by mostly unknown people. Not one of them was evil; in fact several then and since are still way better than mainstream products, and free.
OZO @ 30th Oct 03:35PM:
Re: How do you determine if an app is safe or evil?
What is a definition of an "evil" application? What makes it "evil"?
--
Keep it simple, it'll become complex by itself...
Smokey Bear @ 30th Oct 04:05PM:
Re: How do you determine if an app is safe or evil?
said by OZO :
What is a definition of an "evil" application? What makes it "evil"?
Those are really good and valid questions.. :)
swhx7 @ 30th Oct 05:36PM:
Re: How do you determine if an app is safe or evil?
The other thread referenced above may be one where I posted, and I apologize if I was too dogmatic there and offended anyone.
Two questions are blended in your initial post, LL.
(a) what are the criteria for a program being "safe or evil"
(b) given a set of criteria, how can you tell whether the program meets them or not.
The title and most of your discussion address (b), but obviously you have to have an answer to (a) first, and it will to some degree influence the answer to (b). I think this is what OZO and Smokey Bear are getting at.
Link Logger @ 30th Oct 07:28PM:
Re: How do you determine if an app is safe or evil?
said by OZO :
What is a definition of an "evil" application? What makes it "evil"?
That is sort of personal now isn't it and ultimately part of the problem given the classic answer is something like:
quote:
but my concept of malware is any software that is designed to behave contrary to its documentation, or to evade control and monitoring by the computer owner
but of course this is an open domain problem as often it is easier to define what something does, rather than what it doesn't do (or what you think it doesn't do). It's like I tell you that guy over there might be a risk, but what kind of risk, a gun, bomb, bio weapon, or he is going to steal your pet; it's an open domain problem, so you frame the consequences that you think are reasonable given the environment in which the software operates and go from there. In the case of software often we describe a particular function the software performs and then based on that, deem it 'evil' (again we are back to the claim/proof thing).
So given the lineage of this thread let's say 'evil' is whatever people claim Sysinternals' software does now that Microsoft has taken them over, but this again highlights the problem, people labeling a piece of software without proof. Now my statement of proof that it wasn't 'evil' is based on my personal experience, and some testing, but is still somewhat limited to my own personal experience; but it's enough to make me feel comfortable with using Sysinternals' software and question the abilities of others (or myself in that perhaps I'm missing something they aren't).
Ultimately there must be a public opinion definition of evil as people chuck it around like candy on Halloween.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
EGeezer @ 30th Oct 09:47PM:
Re: How do you determine if an app is safe or evil?
If Glenn Beck and freerepublic say it's malicious, I can be pretty sure it isn't. »www.freerepublic.com/focus/chat/···45/posts
DaMaGeINC @ 30th Oct 11:41PM:
Re: How do you determine if an app is safe or evil?
For me, it depends on the site that it comes from. Say I visit a site for a program and get bombarded with ads; I immediately leave and try another. My reason is that if a site with a program relies heavily on ads to make money, who's to say they won't put adware in their programs too?
--
Have a Networking problem or question? Stop by the Networking Forum and let us help you.
Erg @ 31st Oct 03:49AM:
Re: How do you determine if an app is safe or evil?
From a regular user's point of view, I usually rely on reviews and comments from the app's page or download page. I tend to download from Filehippo, Softpedia and CNET. I also check with dslr first since I know that folks here are pretty security-savvy. Doing a scan won't hurt too :)
--
"Ye shall know the truth, and the truth shall make you mad."
-Aldous Huxley
Serbtastic @ 31st Oct 08:22AM:
Re: How do you determine if an app is safe or evil?
I usually check the good/evil switch on the back.
dave @ 31st Oct 08:26AM:
Re: How do you determine if an app is safe or evil?
I'm just now reconsidering the title of this thread. It's a little strange since 'evil' is not the opposite of 'safe'.
You can, for example, have an evil app that's safe, because it is designed by the clueless. (For a non-app example, the average Nigerian scam email is both evil and safe).
You can have a non-evil app that is not safe, because it is designed by the clueless and wrecks your system.
I think I'm mostly interested in the safe/unsafe axis: will it do bad things to my system?
aefstoggaflm @ 31st Oct 12:20PM:
Re: How do you determine if an app is safe or evil?
If it is open source, by looking at the source code. And as need be, getting help understanding the code..
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.
KodiacZiller @ 31st Oct 12:43PM:
Re: How do you determine if an app is safe or evil?
said by aefstoggaflm :
If it is open source, by looking at the source code. And as need be, getting help understanding the code..
That doesn't count because we are talking about Windoze software, most of which is closed-source and will always be. Even so-called "freeware" is often times closed-source.
swhx7 @ 31st Oct 12:46PM:
Re: How do you determine if an app is safe or evil?
How about some examples? These are based on the above-quoted criterion.
* Hypothetically, let's say Sysinternals Process Explorer purports to list all the processes on Vista (by implication if not by an explicit claim), but in reality it omits some from the list.
- Verdict: "evil" (LL term) because it intentionally deviates from (implicit) documentation.
* Sony rootkit
- Verdict: "evil" because it is designed to evade knowledge and control by the system owner.
* WGA: Maybe I install this voluntarily, and its documentation discloses what it does. But then, later, I decide I don't want it anymore.
- Verdict: "Evil" because it is designed to obstruct control (in this case removal) by the system owner.
* IceWeasel: Installed, then later, because of a bug, it deletes data or is hijacked by cyber-criminals.
- Verdict: Not "evil": The bug was accidental; the app was not designed to do this, nor was it knowingly represented.
OZO @ 31st Oct 04:52PM:
Re: How do you determine if an app is safe or evil?
Good examples!
Here is yet another one:
* Microsoft Word 2003 (or Excel, for that matter).
From one side it's a "good" application. But from the other side, from time to time it makes unsolicited Internet connections.
- Verdict: "evil" because it exhibits completely unexpected behavior for such an application (word processor) and there is no way to stop it except to run an outbound firewall and make a specific rule for that application... And, BTW, it may require a special "cleanup" tool to remove your personal data from the files saved, which you may not expect either... Certainly "evil"
--
Keep it simple, it'll become complex by itself...
Link Logger @ 1st Nov 12:20AM:
Re: How do you determine if an app is safe or evil?
Would unsolicited internet connections to check for updates be considered 'evil'?
One man's evil, another man's gold.
So I see the crew over at SubSeven is starting work on version 2.3, is SubSeven considered evil?
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
Link Logger @ 1st Nov 01:31AM:
Re: How do you determine if an app is safe or evil?
I hate the internet sometimes, especially when it loses a post for me, so lets try this again.
said by dave :
I'm just now reconsidering the title of this thread. It's a little strange since 'evil' is not the opposite of 'safe'.
You can, for example, have an evil app that's safe, because it is designed by the clueless. (For a non-app example, the average Nigerian scam email is both evil and safe).
You can have a non-evil app that is not safe, because it is designed by the clueless and wrecks your system.
I think I'm mostly interested in the safe/unsafe axis: will it do bad things to my system?
Now I would agree that unsafe might be a better word, but sometimes software is unsafe because of how it's installed/used, so when I say evil I really mean designed and intended to be unsafe. I see software as a spectrum from designed to be safe and is safe in all situations (still looking for one of these), to it provides a useful function with good intentions but wasn't particularly designed to be safe, to designed and intended to be pure evil and will empty your bank account and rape your dog while you sleep sort of thing. Most software tends to fall in the middle somewhere with a lean towards safe.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
anon @ 1st Nov 07:09AM:
Re: How do you determine if an app is safe or evil?
I will download and install any program that I find interesting, just to check it out. It doesn't really matter to me where it comes from. I would rather download it from a reputable source but sometimes that's not possible, so where ever I can get it is fine if I want it bad enough.
Sometimes I'll check the hashes if that's an option, or send it off to Virustotal. Google I always do before install to get opinions or comments about problems beforehand.
I have all kinds of security apps to check it before I install and while it is installing. As far as disassembling the code to see what makes it tick that's not an option for me.
When I'm ready to click the install button and the program after all my checks still seems iffy to me, or if I don't want it leaving things all over my hard drive (I am only doing a test run after all), I turn on Power Shadow. Install the program and check it out. Works for me, haven't had any infections yet.
The only drawback is I can't do a reboot without losing everything just installed. So if the program needs a reboot to work properly then that's out. Then I have to decide if from what I've seen if I want to install the program in real time or let it go.
anon @ 2nd Nov 04:00PM:
Re: How do you determine if an app is safe or evil?
I believe the answer to the question is based in the foundation of each user's definition of safe (or secure to use another word).
That, in combination with their own efforts to assure the security of a given computer will yield many points of view.
If you'll bear with me, I'll try to stay on topic with a few examples.
1. Adobe systems, creative suite 2 premium web bundle.
Adobe put their best efforts into this package with (very deeply rooted) DRM protection, not creating a better product for the user. It created a nightmare for a huge number of paying customers rendering an expensive purchase useless (at least until activation issues are resolved). In addition, long before purchasing omniture, they were making use of 2o7.net in a very sneaky way with this package. Don't know if this qualifies as evil or unsafe, but leaves the software as untrustworthy to me (or more accurately, requiring the use of nanny controls in my security setup to keep an eye on it).
2. While recently preparing for a possible cleanup request, I was following the steps from the faq page. When I got to the msrt tool, I discovered the link is only good for the 32-bit tool. I have a legit xp x64 here (no WGA), so I googled, and dl'd the 64-bit version from an MS location, installed and ran it. I do realize that the tool can be obtained from several venues (windows update, etc.) within MS. Ran it, zero infections found. Now here's the interesting part. Post install, every time a search is performed within windows explorer, explorer flags my firewall (default prompt all) that explorer.exe is attempting to connect to 65.55.11.179 HTTP via TCP 80. A search indicated that this is MS in Redmond. I'm not sure if I can substantiate this claim with any further proof, but I'm reporting this accurately. Conclusion is that this is unsafe (not necessarily evil) and leads to a further erosion of trust toward MS by me.
3. Regarding the sysinternals suite, I have observed that some of the tools seek permission to touch the net while in use. It is my belief, that this activity is required in order to accomplish such functions as endpoint mapping and the like. As well, these tools are really quite valuable when attempting to pin down the source of inconsistent activity. I must admit, that when I first discovered that the tools were under the umbrella of MS, I was disappointed. See note above regarding erosion of trust. However I have used them at length, not found any security issues, and am very happy for the developers that they are in a stable employment scenario with MS. Conclusion is safe not evil, but keeping an eye on them anyway.
I could provide another example (unrelated to anything already mentioned), but have no substantial evidence to prove the claim, I'll leave that one alone. I believe that behind the answer you seek is the level of trust that users grant to the software developers. Each of us has our own individual placement on that scale, so an absolute answer is unlikely, even though we can often agree on certain examples. And BTW, good thread with well composed posts.
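The observations in this post and in OZO's earlier one (explorer.exe reaching 65.55.11.179:80 after a tool install, a word processor opening unsolicited connections) come from a firewall that prompts per process. The same question, which process has an Internet peer and was it expected to, can be asked of a plain netstat listing once it is joined to a process list, which is what TCPView shows interactively. The following is an added example for this thread, not anyone's posted code: it parses netstat -ano and tasklist /fo csv output, ignores LAN, loopback and link-local peers, and reports every process with an Internet peer that is not on an allowlist. Both listings are constructed samples, and EXPECTED_INTERNET is an assumed policy, not anything the thread defines.

```python
"""Who is talking to the Internet, and were they expected to?

Added example for the firewall-prompt observations in the thread; not
code from any poster. Joins a `netstat -ano` listing with a
`tasklist /fo csv` listing, drops private/loopback/link-local peers, and
reports processes with an Internet peer that are not on the allowlist.
Both listings below are constructed samples.
"""
import csv
import io
import ipaddress

EXPECTED_INTERNET = {"firefox.exe", "outlook.exe", "wuauclt.exe"}  # assumed allowlist

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49203     65.55.11.179:80        ESTABLISHED     1234
  TCP    192.168.1.10:49210     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49215     64.233.160.1:443       ESTABLISHED     2048
  TCP    192.168.1.10:49220     66.35.250.150:80       SYN_SENT        3077
  UDP    0.0.0.0:5355           *:*                                    1100
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","236 K"
"svchost.exe","812","Services","0","5,120 K"
"explorer.exe","1234","Console","1","30,212 K"
"firefox.exe","2048","Console","1","180,004 K"
"winword.exe","3077","Console","1","45,100 K"
"svchost.exe","1100","Services","0","4,200 K"
"""


def parse_tasklist(text):
    """PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """Sockets with a real peer from `netstat -ano` output (IPv6 peers appear as [addr]:port)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and column-header lines
        if parts[0] == "TCP":
            proto, _local, foreign, state, pid = parts
        else:
            proto, _local, foreign, pid = parts  # UDP rows have no state column
            state = "-"
        host, _, port = foreign.rpartition(":")
        if host in ("*", "0.0.0.0", "[::]") or port in ("*", "0"):
            continue  # listener or unconnected socket: no peer to judge
        conns.append({"proto": proto, "remote": host.strip("[]"), "port": int(port),
                      "state": state, "pid": int(pid)})
    return conns


def unexpected_outbound(netstat_text, tasklist_text, expected=EXPECTED_INTERNET):
    """(process, remote, port, state) for Internet peers of processes not on the allowlist."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        addr = ipaddress.ip_address(c["remote"])
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue  # LAN, local or link-local peer: not "the Internet"
        proc = names.get(c["pid"], f"pid {c['pid']}")
        if proc.lower() not in expected:
            hits.append((proc, c["remote"], c["port"], c["state"]))
    return hits


if __name__ == "__main__":
    for proc, remote, port, state in unexpected_outbound(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proc:<14} -> {remote}:{port} ({state})")
```

On the sample this names explorer.exe (to 65.55.11.179:80) and winword.exe (a half-open SYN_SENT, which is exactly what a blocked prompt looks like from the socket side) and stays quiet about firefox.exe and the SMB session to the LAN router. A snapshot only catches sockets open at that instant, so run it in a loop during and after the install, or keep the prompting firewall; the value here is the allowlist, which turns "it connected somewhere" into "it connected and was not supposed to".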
caffeinator @ 2nd Nov 10:51PM:
Re: How do you determine if an app is safe or evil?
Ok, is Nmap good or evil?
Yes, it's a trick question as it depends who you are. ;)
IMO, it's a silly topic...there's no 'good' or 'evil'...just usage and intent.
The average user barely knows what a monitor is versus a hard drive...they will NEVER, EVER, EVER know what is safe.
EVER.
I can use Windows's, Linux's, OR BSD's own built-in TCP/IP functions for Evil use...so, thus, ALL OS's are evil?
Hell, I could hook up my Mac LC 575 and run a botnet from it if I were so educated. It's been sitting in a closet for 10 yrs, but it'd boot up right now if I chose and it has Ethernet and every capability of the BSD kernel at that time.
Be one hell of a referrer string eh?
--
My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages
Link Logger @ 2nd Nov 11:43PM:
Re: How do you determine if an app is safe or evil?
said by caffeinator :
Ok, is Nmap good or evil?
Yes, it's a trick question as it depends who you are. ;)
IMO, it's a silly topic...there's no 'good' or 'evil'...just useage and intent.
The average user barely knows what a monitor is versus a hard drive...they will NEVER, EVER, EVER know what is safe.
EVER.
I can use Windows's, Linux's, OR BSD's own built-in TCP/IP functions for Evil use...so, thus, ALL OS's are evil?
Hell, I could hook up my Mac LC 575 and run a botnet from it if I were so educated. It's been sitting in a closet for 10 yrs, but it'd boot up right now if I chose and it has Ethernet and every capability of the BSD kernel at that time.
Be one hell of a referrer string eh?
Whenever I use nMap its always 'safe', never 'evil' ;)
Now agreed user intent is a key component, but I'm more interested in just the software with user intent aside so I'd rank nMap as being safe as there hasn't been much of a history of exploits against it. That said however the Windows version of nMap uses WinPcap and there have been a few advisories concerning it, but I'd still rank it as being safe overall.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
caffeinator @ 3rd Nov 02:53PM:
Re: How do you determine if an app is safe or evil?
I agree it's pretty much safe as an app, but in this weird day and times, it's considered a "hacker" tool...as are most pen testing and network analysis tools.
I've read where IT admins can get busted for just HAVING them...to do their jobs.
»blogs.techrepublic.com.com/networking/?p=263
Meanwhile, the fakeAV industry advertises on network TV every night...
It's all crazyness, IMO.
--
My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages
Thank you for using lo-fi dslreports.com - report bugs
© 99-2009 silver matrix LLC