What You Should Know About Grayware (and What to Do About It)
Grayware is a tricky security problem, but there are steps you can take to defend your organization when you recognize the risk.
November 9, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt5509887626dd8910/64f0d4dd62fadc359c497c7f/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Everyone has seen them: applications that come on many new systems offering services with unfamiliar names, or apps that have familiar names but are offered on sites that aren't from their publishers. They're grayware – or "potentially unwanted applications" – and they're an ongoing issue for computer security.
Grayware's nature makes it difficult for organizations to keep it away from their systems. "It's not a technical problem, it’s a classification problem. There is a thin line being malicious or not and the operators play with the line. Which limits what researchers and law enforcement can do," said Vitor Ventura, senior security researcher at Cisco Talos, in an email interview.
Some IT professionals might be tempted to ignore grayware while they focus on more obvious malware and other threats. But there are legitimate reasons not to.
"Oh, it's horrible," says Chet Wisniewski, principal research scientist at Sophos. "Not only are you getting something that's annoying to the user, it's often more than doubling the attack surface of your computer because of the additional amount of Internet-facing code that's often poor quality." That's in addition to the privacy and productivity implications of code that tracks activity and pops up unwanted ads, he says.
IT and security teams need to consider a number of factors about grayware, both in terms of what it is and how to deal with it. Without many automation options to help, response is up to a well-informed staff.
(Image: typographyimages)
Moving a step beyond merely providing a hiding place for malware, grayware can come with malware baked into the package, hiding among the applications, helpers, and services claiming to offer users increased value for their download time.
Among the pieces of malware that travel on grayware's coattails are Trojans that masquerade as antivirus protection, browser helpers that don't, and examples of nearly every sort of malicious payload that come with names and descriptions indicating they're legitimate software.
Most of these malware examples should be caught by antimalware protection, but the software installation routines that launch so much grayware can provide cover for malware long enough for it to take root and gain persistence on the victim machine.
Let's say you were hoping to get iTunes loaded on your computer: You search for the software, take the first suggestion, and end up with a music manager and player called "iPrunes." As long as you can crank your tunes, there's no harm and no foul, right? Not so fast.
One of the reasons to stay with the legitimate software you searched for is that most legitimate software publishers have become much more transparent about their collection and use of customer information. But fake applications that are marginally functional may well collect far more information than expected and put it to far more intrusive uses.
And that "marginally functional" is key: Developing a complex, modern application isn't easy, even for large, legitimate publishers. With grayware, users invite poor functionality, suspect reliability, and software that collides with other, commercially written applications.
Browsers have become much more resistant to unwanted browser helpers than was once the case, but there are still plenty of organizations that, for one reason or another, use older browsers. And where there is information to be found, there will be attempts to harvest it through any means possible.
Browser attacks take two broad forms, either gathering unauthorized information or sending requests to unwanted destinations. The former has obvious security implications for business IT, and the latter is dangerous because of the variety of malware that can be delivered via a browser. And because of the many third-party ads that infest most websites today, users may not even notice the multiple redirects that can occur as browser add-ons send them to the malicious site and then on to the original destination.