8 Out Of 10 Enterprise PCs Spyware-Infected

Even as spyware has become a dirty word and users have been bombarded with stories about its pervasive, pernicious nature, criminals have dramatically expanded their distribution channels and infected an overwhelming majority of enterprise PCs, anti-spyware vendor Webroot said Tuesday as it rolled out its latest stats.

The number of malicious sites hosting spyware has quadrupled since the start of the year, said Richard Stiennon, Webroot's director of threat research, and now number over 300,000 URLs.

On average, enterprise PCs have 27 pieces of spyware on their hard drives, a 19 percent increase in the last quarter alone, while a whopping 80 percent of corporate computers host at least one instance of unwanted software, whether that's adware, spyware, or a Trojan horse.

Worse, said Stiennon, evidence is accumulating that spyware is becoming more malicious than ever.

"The actual maliciousness of it is increasing," he noted. "There's simply more malicious activity per piece of spyware. They're not satisfied with making their seven cents a click by flooding systems with adware; now they're focusing on identity theft, sometimes from within an organization. Spyware's being used by insiders to, in essence, hack their employer or boss."Instances of such activity during the second quarter included a scandal in Israel and a stymied multi-million dollar bank robbery in the U.K. that was based on spyware.

Part of the bump-up in spyware infection rates and most of the reason behind its increasing nastiness is due to pressure on spyware-as-a-business, Webroot claimed.

"There's an underlying principle that often gets overlooked: spyware's a business like any other," said C. David Moll, the chief executive of Boulder, Colo.-based Webroot. "Like any business, spyware developers are committed to increasing their profit margins by expanding their distribution channels, utilizing new products, and entering new markets."

Legislation, increased media attention, and the occasional Federal Trade Commission action are putting spyware in the public eye. And when a business, any business, is threatened, it either defends its turf or finds new markets.

Webroot's second quarter statistics say that spyware criminals are doing both. Spyware traces, the components of a given piece of spyware that do the real dirty work, have doubled since January, according to Webroot's statistics, and the numbers of system monitors -- the most dangerous kind of spyware that includes, for instance, key loggers -- reached an all-time high in the second quarter.Criminals are making the most aggressive spyware even more sophisticated and hard to detect, Webroot said, by injecting code into necessary .dll files within Windows or encrypting their malicious code using proprietary algorithms. Some spyware is even altering registry settings on system level executables to fool Windows into thinking that the spyware is needed to run core executables.

"Essentially, Windows promotes the spyware to a 'valid and necessary' file, thus making it difficult to remove," read Webroot's report.

Spyware authors are also targeting new markets by distributing their wares on an ever-wider variety of sites, ranging from music sites to previously-safe e-commerce sites.

The bad guys also learn fast, said Stiennon. "They've learned, for instance, that it's better to infect more machines with fewer pieces of spyware than it is to load fewer machines with more spyware. There's a [spyware] saturation point at which a PC starts to act strangely, dramatically slowing down, for example, or crashing constantly. That's when users start to pay attention and reach for an anti-spyware solution. We've reached that saturation point."

On Monday, Webroot launched version 2.5 of its Spy Sweeper Enterprise, which includes something the company calls "Comprehensive Removal Technology" to detect spyware that uses the most advanced techniques to hide, such as the already-mentioned injection into core processes.A free 30-day trial of Spy Sweeper 2.5 can be downloaded from Webroot's Web site.