Worst Spyware Down, Infected Sites Up

[Big Booger]

Although the worst kind of spyware declined during the first quarter, anti-spyware vendor Webroot monitored a dramatic increase in the number of Web sites that host spyware, ready to infect the unwary visitor, the Boulder, Colo.-based company said Monday.

Webroot, which released the results of its for-free spyware auditing tool during 2004 on an ad hoc basis, formalized its data collection in the first official quarterly report to provide a benchmark going forward, said Richard Stiennon, the director of Webroot's threat research team.

"We want to make sure everyone knows that 'Hey, this is a big problem, even if the stats are showing a decline in system monitors,'" said Stiennon.

According to Webroot, the incidence of system monitors -- the most dangerous spyware category that includes key loggers screen grabbers -- dropped by more than half during the first quarter of 2005 compared to the last three months of 2004.

Webroot's auditor found a system monitor on only 7 percent of the consumer and business PCs scanned during the first quarter, a drop of 60 percent for the consumer machines (from 19 percent infected with system monitors in Q4 2004, and an average of 14.75 percent through 2004) and a decrease of 46 percent for corporate systems (from 13 percent in Q4). However, within some enterprises, infection reached the 12 percent mark, said Stiennon.

"The numbers in 2004 were so high that they could only go down," said Stiennon. But he also attributed the drop in system monitors to several other factors, ranging from broad coverage of spyware and identity theft in the media to anti-virus firms focusing on detecting and deleting spyware-bearing Trojans.

Although the system monitor numbers are encouraging, the reality, said Stiennon, is that spyware will remain a pernicious threat through the year. "It's unacceptable that one in fifteen PCs has a key logger."

Another indicator of rough times, he said, is the number of sites that host spyware. The myth that users "catch" spyware by visiting only a few alternate sites, said Stiennon, is bogus: Webroot's proprietary spyware crawler, dubbed "Phileas," has detected over 220,000 Web sites infected with some sort of spyware. From January to March 2005, Webroot's data showed an increase of 34 percent in the number of malicious sites found that hosted spyware.

"The rapid rise is the strongest indicator that the writers and distributors of malicious adware and other threats are expending considerable effort to infect users with their products," concluded Webroot's report.

The driving force behind that effort is, as always, money, Stiennon said. According to Webroot's analysis and estimates, the adware business -- often dismissed as the lesser evil in the overall spyware category -- generates $2 billion annually from pop-up ads, hijacking home pages, and redirecting searches.

That's more than one-fifth the total amount spent last year on legitimate Internet-based advertising, which totaled $9.6 billion in 2004, according to numbers published last week by the Interactive Advertising Bureau.

"The amount of money to be made in adware and spyware guarantees they'll grow over the next 12 to 18 months," said Stiennon.

Source:
http://www.informationweek.com/story...leID=162100688

[Curio]

The worst thing at the moment is all the sites now seem to be doing a crudbundle of malicious software so you don't just get CWS (for example) you get hit with VX2, WindUpdates, CWS, 180 Solutions, AvenueMedia ..etc..etc all at the same time. These progs aren't generally very big and will sloosh down a decent ADSL connection quicker than you can close 10 popup windows.

Some of the stuff these malicious progs do is very targeted such as

remove access to the Active Desktop settings
disable access to regedit
disable access to the Task Manager
add sites to trusted sites zone
disable control of trusted sites zone
alter IE settings so allows automatic running of unsigned Active-X in all zones

Of course they all add themselves to appinit.dlls, CurVer/run ..etc..etc
I had one which installed a control that prevented removal of the autorun keys for it as well, in fact no access to it's registry keys at all except to view the key names - very inventive.

[Big Booger]

Quote:

Originally Posted by Curio

The worst thing at the moment is all the sites now seem to be doing a crudbundle of malicious software so you don't just get CWS (for example) you get hit with VX2, WindUpdates, CWS, 180 Solutions, AvenueMedia ..etc..etc all at the same time. These progs aren't generally very big and will sloosh down a decent ADSL connection quicker than you can close 10 popup windows.

Some of the stuff these malicious progs do is very targeted such as

remove access to the Active Desktop settings
disable access to regedit
disable access to the Task Manager
add sites to trusted sites zone
disable control of trusted sites zone
alter IE settings so allows automatic running of unsigned Active-X in all zones

Of course they all add themselves to appinit.dlls, CurVer/run ..etc..etc
I had one which installed a control that prevented removal of the autorun keys for it as well, in fact no access to it's registry keys at all except to view the key names - very inventive.

Yeah a multiple bombardment like that sucks. I say limit your searching to sites you can trust, use secure web browser settings, and when in doubt click no.