State of spyware
Davey Winder is intrigued by this year's report on spyware, which reveals some unexpected results
It's that time of year again when the latest State of Spyware report is published by Webroot Software, developer of Spy Sweeper (currently our A-Listed anti-spyware application). I always look forward to getting my hands on this, because Webroot is perfectly positioned to offer a real view of the spyware problem, by combining data from its customers (corporate and consumer) and its SpyAudit tools, which invite users to scan specific PCs for infection. Not least, Webroot also culls data via its automated online spyware research system, Phileas V, which employs hundreds of bots to seek out spyware variants before they get into corporate networks or home computers, and generates the new definitions (around 300 every week) that the threat research team sends out several times a week to its users.
Webroot analyses all this data, which is extremely helpful for strategic product planning, and as a welcome by-product the State of Spyware report provides us IT security specialists with a trusted overview of threat trends. And make no mistake, the Q2 2006 report was a little depressing, with a bottom line that shows spyware infection rates rising to their highest levels since 2004. No less than 89% of all consumer PCs scanned were infected, with a staggering 30 items of spyware on average - an upward trend from the Q1 2006 report.
Not surprisingly, Webroot lays the blame for this increase on people who rely on free anti-spyware products - Mandy Rice-Davies definitely applies - but the firm does also admit that new distribution channels and maturing spyware technologies have played a part. It does also, in my never humble opinion, have a point as regards free solutions: in all the anti-spyware tests we've done here at PC Pro, never has any free application performed as well as the best commercial ones, although to be fair many commercial ones perform worse than certain free alternatives. The point remains, though, that for best protection you need a commercial anti-spyware product, and experience over the past year means that's either Spy Sweeper or Spyware Doctor, which dominate the top of my testing tables.
As for the other reasons for the upward trend, the fact that criminal payloads, not just malicious intent, are at the forefront of the spyware industry today means that no stone is left unturned when it comes to exploiting potential targets. Social networking sites have become a popular route to victims, as has infection via spam. Spammers have realised that adding a spyware payload - often in the shape of a RAT (Remote Access Trojan) - lets them leverage valuable system resources to build spam distribution bot farms, steal personal/financial data (either to sell to the highest bidder or to use in their own frauds), or sell on any additional payload space to criminal concerns. What's more, they can do all of this within a single spam.
Hard-core phishers, on the other hand, have realised that the number of newbies flooding online courtesy of increased broadband accessibility means an increased opportunity to defraud, and they've responded with a flood of their own: malicious spyware websites, fake corporate and financial websites, and search engine placement ads to drive traffic to them. Phileas V has identified 527,136 such websites as I write, compared to a total of 427,000 at the end of March. It's hardly surprising then that the percentage of trojan-infected consumer PCs rose from 24% during the last quarter of 2005 to 31%. The most prevalent trojan, accounting for more than one million traces found by Webroot during scans, was Zlob. This in itself is very worrying, as Zlob is actually a trojan downloader that downloads further trojans and malware once it's installed. Zlob exploits users' apparently unquenchable thirst for free stuff by masquerading as a free media codec for Windows Media Player - you know the drill: you run across a free video stream online (probably of illegally pirated material) and to view it you need to download a new codec fast. Bad, bad, bad...