A University of Michigan researcher has developed antispyware technology that doesn't try to stop spyware from entering your computer -- it targets it after it's on the machine.

"It's nearly impossible to prevent your computer from being infected with spyware or other malware, especially [if you're] not an expert user," says Kevin Borders, who is now trying to patent the so-called Web Tap technology, which he created as part of his PhD. "So instead of trying to prevent [infection], the goal of Web Tap is to detect spyware once it's gotten into the computer and send out information to a spyware host."

Web Tap can also detect rootkits, which often send information via Web requests, says Borders, president and founder of Web Tap Security, the startup that will market the product. It can also help companies detect an employee leaking sensitive corporate data, he says. But Web Tap doesn't eradicate spyware or rootkits; it leaves the cleanup to host-based malware removal software, and even recommends which tools to use.

Most antispyware packages use signatures to scan for known threats, but Web Tap can detect unknown spyware. It sits at the edge of the network, not in the client, and detects spyware based on outgoing Web traffic. "It looks for general activity characteristics for spyware on the network," says Borders, such as outbound bandwidth in Web requests, or regular visits to certain Websites.

Spyware can be detected by its unusual network behavior, Borders explains. Unlike a typical user browsing an external Website and getting data, "spyware doesn’t need to go get information... It needs to send [the user's] personal information away from the Web server."

Anomaly detection accuracy in IDS/IPS products has been spotty, notes Jeremiah Grossman, CTO of White Hat Security. "It's possible Web Tap found a better way to identify spyware at the HTTP layer versus looking at the network generically."

But Randy Abrams, director of technical education for antivirus vendor Eset, says the trouble with Web Tap's approach is that not all spyware programs send large amounts of data.

"I think this type of approach may have the potential for good application to threats such as bot-infected machines, but not for a lot of spyware," Abrams says. "Many spyware programs send relatively little data compared to streaming video, music, and pictures. Bot-infected machines that are used to send spam, DDOS, or host porn seem more likely candidates for this type of approach."

So how does Web Tap differ from an IDS/IPS? It doesn't use signatures nor try to catch spyware at the door. "This looks for hosts that are already compromised with spyware. It assumes you're going to get spyware," Borders says. To avoid false positives, Borders says Web Tap plans to add a whitelist function to the software as well, so you can allow Webmail, for instance, which could be mistaken for spyware activity.

Web Tap Security is currently offering free beta versions of Web Tap Enterprise and Web Tap Personal that find and alert users to spyware, but don't yet provide recommendations for how to eradicate it. Both run on Windows, but Web Tap plans to add Fedora Core 4 and 5 versions, as well as a virtual appliance that runs with VMWare.

— Kelly Jackson Higgins, Senior Editor, Dark Reading