Sometimes, the worst threats are the ones you cannot see right in front of you. John Malkovich's presidential assassin in the movie In the Line of Fire knew this, smuggling innocuous components past intense security screening then assembling them into a workable gun.
In a worrying case of life imitating art, spyware authors are using similar techniques to hide from malware scanners. Users click on an unsolicited e-mail, link on a compromized Web site or install a small loader piggybacking on shareware or free software. Once it has settled into the PC, that application starts downloading new code onto the system one small piece at a time, until the modules are assembled into a malevolent new threat.
Many users never even know the software is on their systems until scanners pick up the messages the spyware sends - often containing sensitive passwords, logs of keystrokes or other information.
Today we're seeing very sophisticated, technically advanced attacks as blended threats targeted against individuals or companies. One antivirus vendor last year saw a 40 percent increase in PUPs (potentially unwanted programs) - a euphemism to assuage commercial adware developers who bristle at the assumed (although often correct) link between adware and spyware.
Semantics aside, spyware has become a major problem for users. Trend Micro's 2005 Annual Roundup of virus attacks found that spyware, adware, backdoor, rootkit or bot functionality was found in 65 percent of the 15 most prolific online threats during 2005.
Some 11 percent of all attacks were classified as spyware trojans, that class of software that hides itself on your computer for nefarious purposes such as logging keystrokes, damaging files or drives, or stealing passwords. Taken together, trojans TROJ_AGENT and TROJ_DLOADER infected almost as many machines as the high-profile NETSKY virus, which has been around for two years and still weighs in among the most commonly found malware.
Mutating spyware often relies on a complex array of servers that weave and dodge to avoid detection. A system serving innocuous music files six days of the week might distribute downloadable spyware components on the seventh. Anonymous gateways and layer upon layer of obfuscating tools can obscure the trail that spyware takes across the Web.
The sheer tenacity of many types of malicious code shows just how creative malware authors have become. Many new attacks are created like new types of hybrid vegetables: by simply grafting together code bits from other, widely available viruses, trojans and spyware, malfeasants can assemble completely new malware. Particularly effective code may even be bought and sold on the open market. A Russian antivirus vendor recently reported hackers' $US4000 sale of an exploit for Microsoft Windows' WMF vulnerability; at least one purchaser was a developer of spyware and adware.
Many potentially damaging attacks, such as February's overhyped and under-delivering Kama Sutra, fizzle out due to some small error in design. Still, more than enough spread successfully, often with potentially damaging force. WORM_MYTOB, for example, accounted for 26 percent of all security alerts declared in 2005 and was a combination of the previous WORM_MYDOOM and extra components adding "bot" functionality that assumes control of a remote computer.
Whether new attacks are effective or not, antivirus researchers must identify and respond to each new threat, then add its characteristic signature to distributed update files. They certainly have their work cut out for them: readily available toolkits like Virus Creation Station 4.0 and Virus Creator PRO allow even novices to build new spyware and other malware by their hundreds.
Many mass-produced viruses can be detected using common signatures that belie their origins. However, more nefarious authors use on-the-fly encryption, code obfuscation and application packing to change the actual binary representation of their code. Such techniques can allow carefully crafted spyware to avoid detection, giving it time to dig into a victim's computer so deeply that complete removal is virtually impossible.
Fighting the Mutants
For companies that just want to get on with doing business, the thought of letting their network become a playground for self-modifying, camouflaged spyware is worrying to say the least. And while the need for a strong anti-malware defence goes without saying, building a complete response to the threat of mutating spyware requires a broader response.
A clear policy is a good place to start. Employees must learn to be sceptical of things they receive in e-mails and see online. Downloading code from such sites must be conveyed as a policy violation with serious consequences, and education sessions with stand-alone computers can teach employees what to look for.
Spyware education is particularly important for mobile users, whose computers regularly travel outside the protections of the corporate network. Out in the wild, it is easy to pick up a spyware infection that can then bypass border security when the notebook is plugged into the network.
Raising user awareness can reduce the number of inadvertent infections, but technology is also necessary. Scanners on desktop PC and Internet gateways should be updated hourly; Web browsers can be configured to ban execution of unknown code, and key applications must be updated as soon as new security patches are released. Regularly comparing installed software to the corporate standard operating environment (SOE) can identify configuration changes caused by spyware.
It may even be worthwhile downloading a virus toolkit and - on an isolated, non-networked and expendable computer - designing some new malware to see if your current scanning technology can pick it up. If your technical people can get by your own defences, hackers will have even less trouble.
Continued spyware growth is pushing vendors into a more proactive response. Subscription scanning services from major antivirus vendors - and via Microsoft's soon-to-be-released Windows OneCare Live service - move the detection point outside of customer networks, while Microsoft's addition of anti-spyware, anti-phishing and other security tools to Windows Vista will give users more tools to fight back.
Ultimately, the key to surviving mutant spyware is diligence. A successful defence is all about getting the right tools in place and being able to manage your level of risk.