Spyware Triples During 2005


Spyware tripled during 2005, a security company said Tuesday, became ever-more sophisticated and stealthy, and attached itself to U.S. computers at rates above any other country.

According to Boulder, Colo.-based anti-spyware developer Webroot, 2005 ended with 400,000 spyware-distributing sites and a global count of 120,000 different traces, or spyware components. At the start of the year, Webroot had identified only 40,000 traces, a tripling Webroot credited to the increasing sophistication of spyware.

"In December 2004, the numbers were skewed by a big spike of Trojan horses and keyloggers, but then we weren't sure if that was a trend or just temporary," said Richard Stiennon, Webroot's director of threat research. Now, he added, it's clear that the uptick in late 2004 was just the prologue to 2005.

In the enterprise, the percentage of business machines infected with the worst forms of spyware -- dubbed "system monitors" by Webroot, a category that includes keyloggers -- climbed from 2 percent in the second quarter of 2005 to 6 percent in the fourth quarter. (The worst quarter, however, was the first, with 8 percent.)

Consumer machines, said Stiennon, remained at the most risk of spyware infection, simply because fewer of home machines are protected by anti-spyware software. Eighty-one percent of consumer machines harbored at least one piece of spyware, with the average system containing 25 traces. Although the former figure is down from 2004's 91 percent, the latter is up slightly from that year's average of 24.4 traces per machine.

"Even with the availability of anti-spyware software, there hasn't been much of a change in the overall infection rate," said a disappointed Stiennon.

While Webroot painted a dark picture of spyware in 2005, another recently-released study, this one from researchers at the University of Washington, claimed that one of the most malicious methods of spyware deliver -- called "drive-by downloading" -- actually declined during the year.

Four researchers from the Seattle university's Department of Computer Science and Engineering created Web crawlers to scour the Internet for spyware, and found that the number of domains using drive-by downloading had been halved between May and October 2005.

Drive-by downloading is the term given to the hacker practice of using browser vulnerabilities -- almost always those in Microsoft's Internet Explorer -- to surreptitiously install software without any user action.

Its May survey found 3.4 percent of the 45,000 URLs crawled ready to infect users with spyware; October's numbers were down to 1.6 percent.

"Overall, the density of drive-by download attacks on the Web has declined," concluded the researchers.

Webroot's Stiennon, however, disputed the apparent decline in drive-by downloading. "We've seen large swings in the number of malicious sites, even on a day-to-day basis," he said. "It's a very very very noisy curve." It's not unusual, he said, for the number of sites serving out spyware to increase or decrease by 10 percent in just one day.

"If they're taking just two snapshots, that could explain their findings," he said.

Webroot's numbers, gathered daily by its own Web crawler-based technology, showed a constant increase in the number of malicious sites during 2005.

Not that everything is doom and gloom, he added. This year, in fact, should be the tipping point.

"In 2006, spyware will become known as an annoyance, much like spam is now. Spam hasn't disappeared, but users have adjusted their habits." Same with spyware this year, Stiennon predicted. "Most will have some anti-spyware solution on the desktop. It will become just another cost of using Windows."