INDUSTRY REPORT
First State of Spyware Report Shows Bad Guys Winning

Consumers and enterprise IT managers have to become more vigilant about spyware and adware infections to stay ahead of new threats. However, greater awareness of security issues since last year has tipped the scales slightly against intruders.

That's a lesson to be learned from an analysis of data collected since January by Webroot Software, which markets an anti-spyware package called SpySweeper 3.5. The analysis, released May 3 as a State of Spyware report, shows a slight decline in overall spyware penetrations in the first quarter of this year.

However, Howie Markson, vice president of marketing for Reflectent Software, which provides end-user systems management, including anti-spyware, said his company's enterprise customers noted no difference or a slight rise in spyware intrusion.

Constant Battle

"We see things as being at about the same level as last year. But it is a constant battle to maintain protection," Markson told TechNewsWorld. "Our customers know what to expect on their desktops. When they see something different, it is probably spyware."

Frederick Felman, senior vice president of Marketing for Tenebril, said spyware creators are escalating the war between the writers of malicious code and those trying to remove it. Tenebril, a security and privacy solutions company, markets the anti-spyware software SpyCatcher.

"Spyware creators are constantly searching for techniques to evade the anti-spyware vendors. Spyware creators are applying the techniques used by security software vendors and authors of viruses and Trojans to make their spyware more resilient," Felman told TechNewsWorld.

As for the Webroot analysis, the company compiled the data using bots to find spyware buried deep within distribution centers. Called "Phileas," the system is the anti-spyware industry's first automated spyware research system designed specifically to root out and identify spyware anywhere on the Web.

Annual Spyware Report

Webroot promises that its State of Spyware report will be an annual accounting of the spyware situation. The inaugural edition is the first comprehensive collection and analysis of consumer and enterprise spyware research.

"The report doesn't say anything that we didn't already suspect. But this is the first time we have the numbers to prove it," Richard Stiennon, vice president for Threat Research at Webroot, told TechNewsWorld.

The basis for the comparison involves the results Webroot acquired late last year of the enterprise industry's first spyware audit. To conduct the survey, Webroot used its Corporate SpyAudit tool.

This opt-in audit program was designed to scan enterprises for various forms of spyware. That audit found more than 20 spyware elements per corporate computer.

Equation Research conducted another industrywide survey, on behalf of Webroot. That survey showed that corporate networks were being bombarded with spyware infiltration in record numbers. However, it showed that relatively few corporations deployed adequate solutions to combat the threat.

Within those infected machines, Webroot's SpyAudit found more than 25 instances of spyware. Excluding cookies, the number of infections averaged out at 7.2 per machine.

Spyware Infections Widespread

According to Webroot's State of Spyware report, 92 percent of all computers were infected with spyware in the last quarter of 2004. That number dropped slightly to 88 percent in the first quarter of 2005.

However, that slight drop is less telling than the differences the report highlighted between consumer and enterprise infections.

The overall trend shows that 90 percent of all consumer computers have spyware, while only 82 percent of all enterprise computers are infected, Webroot's Stiennon said.

The report charts the occurrence of spyware and adware infections in three categories. The results were mixed.

The number of system monitors detected in the audit is dropping. Adware and cookie infections are holding relatively steady. Trojan penetrations are on the increase.

Biggest Threats

According to Webroot, spyware called CoolWebSearch remains king of the hill as the most aggressive and prevalent threat on the Internet. CoolWebSearch holds a penetration onto computers nearly four times higher than any other competitor.

Three other intrusive products fall in line under CoolWebSearch. However, these competitors have much less penetration.

Gator (GAIN) has a penetration of 2.2 percent. 180SearchAssistant has a penetration of 2.0 percent. Powerscan has a penetration of 1.7 percent.

The bots discovered proof that the source of spyware and adware programs are far more widespread than previously thought. It is no longer true that only a few "bad" sites are spawning all the infections.

According to the report, spyware infections occur across a large number of sites. In March, Phileas -- the automated spyware research system -- identified 4,294 Web sites with 89,806 total associated Web pages containing some form of spyware, according to the report.

"The biggest surprise was the rate at which spyware is spreading," Stiennon said. He said, "144,000 URL's contained adware and spyware at the end of March."

The result, Stiennon noted, is that adware and spyware writers are greatly expanding their network of compromised computers.

Cookie Monstrous

According to Webroot, SpyAudit identified more than 30 million instances of tracking cookies in the last 15 months.

The worst cookies in terms of having the greatest presence come from online ad server and tracking organizations. Webroot identified Web site organizations such as Atlas DMT (a unit of aQuantive), DoubleClick (Nasdaq: DCLK), Mediaplex, 2o7.net and Atwalla as among the biggest servers of adware.

"Seventy-six percent of consumer SpyAudit scans in Q1 of 2005 identified tracking cookies. The average cookie count was more than 20 on those machines and actually increased in the percentage of penetration during the last 15 months," the report said.

Recent legislation and the threat of new legislation is helping to force commercial adware vendors into compliance, Stiennon asserted. Commercial adware vendors are starting to add removal tools to their products and are making other changes in their operation," he said.

However, while commercial adware vendors are cleaning up their acts, hard-core malfeasance doers will gain a greater stronghold, Stiennon added.

Tenebril's Felman offered as examples the fact that spyware creators are tunneling deeper into the operating system and spreading spyware code virally. Also, spyware writers are now able to monitor and protect their spyware installations from attack in the same way that personal firewalls and antivirus software reinforce themselves.

User Behavior Critical

While some operating system flexibility, openness and extensibility play a part in the success of rogue programs, user behavior is the biggest issue in spyware, Felman said.

"Regardless of how well the operating system is protected, managed or cleaned, the operating system is a host for applications and must remain so in order to be useful," Felman said.

Users are subject to social engineering scams, which Felman described as being the easiest way to infect PC's.

"Even the least savvy spyware writer can entice users into downloading and running a 'bright-shiny' piece of code in the form of a game, utility or 'desirable' prize," Felman said.

In the enterprise workspace, information might be secure from spyware's prying if layer solutions are in place. However, lost productivity from stolen system resources might be the bigger price businesses pay to spyware.