Webroot: Spyware Rampant in the Enterprise

By Paul F. Roberts  |  Posted 08-22-2005

The number of Web sites distributing malicious software has quadrupled in the last year to more than 300,000, as the spyware problem continues to fester on the Internet, according to an upcoming report from Webroot , an antispyware software company.

Webroot Software Inc.'s State of Spyware Report for the second quarter of 2005, claims that 80 percent of enterprise computers are infected with some kind of adware or spyware. Rates of infections of malicious programs such as Trojan horse and keylogging software did not decrease between the first and second quarter, despite more awareness of the danger of spyware.

The report comes as the online criminal groups that are responsible for spyware switch from pay-per-click advertising to identity theft as a way to profit from their activities, said Richard Stiennon, vice president of threat research at Webroot.

The State of Spyware Report presents the results of spyware scans of almost 60,000 systems at 20,000 companies, Webroot said.

The average number of spyware infections on computers increased almost 20 percent to 27 per machine since the last quarter, despite more public awareness of the spyware problem and the availability of a number of new tools for detecting and removing spyware from infected computers, Stiennon said.

The reason may be that spyware makers are wising up to detection tools such as Microsoft Corp.'s Antispyware and Webroot's Spy Sweeper, Stiennon said.

Evidence collected by Webroot researchers indicates that spyware authors are testing their creations against those programs and adopting techniques from stealthy programs known as "root kits" to avoid detection, he said.

Spyware researchers discover ID theft ring. Click here to read more.

Online scam artists are switching their focus from installing advertising software that generates revenue from pop-up ads and pay-per-click advertising to spyware and remote-system monitoring tools that are used to steal identities, Stiennon said.

The spyware can generate far higher revenue, per install, for the online criminals, he said.

"We're seeing adware-type spyware evolving into system monitoring spyware," he said.

Software from mainstream adware vendors was actually less prevalent on systems scanned by Webroot, according to Webroot's data. That may indicate that improved installation practices and end-user license agreements from mainstream adware companies are having an affect. However, the decline in legal adware is offset by the continued strength of malicious spyware such as keyloggers and Trojan horse programs, Webroot.

Cool Web Search, a ubiquitous form of spyware, was found on about 8 percent of the machines Webroot scanned in the second quarter, and keyloggers were on about 7 percent of all machines—comparable to the rates of infection last quarter, Stiennon said.

IT administrators should actively scan and monitor their network hosts for spyware infections. They should also avoid complacency about the problem, Stiennon said.

Sunbelt adds detection for ID theft keylogger. Click here to read more.

Keyloggers, Trojans and other spyware are much more common today than they were five years ago. However, they still pose a serious security risk to enterprises and should be taken seriously.

"I think the data loss news that is hitting us is an indicator of how serious this problem is," Stiennon said.

A new enterprise version of Spy Sweeper, which is being released Monday, will be able to detect and remove sophisticated spyware that changes the configuration of Windows systems and interacts with the operating system at a low level, said Brian Kellner, vice president of enterprise products at Webroot.

Spy Sweeper Enterprise 2.5 has a new spyware scanning engine and CRT (Comprehensive Removal Technology) that can remove even tricky spyware programs such as Look2Me and Cool Web Search variants without harming Windows systems, Kellner said.

Spy Sweeper Enterprise can also scan systems more quickly, uses smaller spyware definition files, and has a Web-based management dashboard with new reporting features and the ability to control and configure Spy Sweeper clients across an enterprise network, he said.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.