Sometimes, the worst threats are the ones you cannot see right in front of you. John Malkovich's presidential assassin from the movie In the Line of Fire knew this, smuggling innocuous components past intense security screening then assembling them into a workable gun.
In a worrying case of life imitating art, spyware authors are using similar techniques to hide from malware scanners. Users click on an unsolicited email or a link on a compromised website, or install a small loader piggybacking on shareware or free software. Once it has settled into the PC, the loader starts downloading new code onto the system, one small piece at a time, until the modules are assembled into a malevolent new threat.
Many users never even know the software is on their systems until scanners pick up the messages the spyware sends - often containing sensitive passwords, logs of keystrokes or other information.
Today we are seeing very sophisticated, technically advanced attacks: blended threats targeted at individuals or companies. One antivirus vendor last year saw a 40 per cent increase in potentially unwanted programs (PUPs) - a euphemism to assuage commercial adware developers who bristle at the assumed (although often correct) link between adware and spyware.
Semantics aside, spyware has become a major problem for users. Trend Micro's 2005 Annual Roundup of virus attacks found spyware, adware, backdoor, rootkit or bot functionality in 65 per cent of the 15 most prolific online threats.
Some 11 per cent of all attacks were classified as spyware trojans, the class of software that hides itself on your computer for nefarious purposes such as logging keystrokes, damaging files or drives, or stealing passwords. Taken together, trojans TROJ_AGENT and TROJ_DLOADER infected almost as many machines as the high-profile NETSKY virus, which has been around for two years and still weighs in among the most commonly found malware.
Mutating spyware often relies on a complex array of servers that weave and dodge to avoid detection. A system serving innocuous music files six days of the week might distribute downloadable spyware components on the seventh. Anonymous gateways and layer upon layer of obfuscating tools can obscure the trail that spyware takes across the Web.
The sheer tenacity of many types of malicious code shows just how creative malware authors have become. Many new attacks are created like new types of hybrid vegetables: by simply grafting together code bits from other, widely available viruses, trojans and spyware, malfeasants can assemble completely new malware. Particularly effective code may even be bought and sold on the open market. A Russian antivirus vendor recently reported hackers' $US4000 sale of an exploit for Microsoft Windows' WMF vulnerability; at least one purchaser was a developer of spyware.
Many potentially damaging attacks, such as February's over-hyped and under-delivering Kama Sutra, fizzle out due to some small error in design. Still, more than enough spread successfully, often with potentially damaging force. WORM_MYTOB, for example, accounted for 26 per cent of all security alerts declared in 2005 and was a combination of the previous WORM_MYDOOM and extra components adding bot functionality that assumes control of a remote computer.
Whether new attacks are effective or not, antivirus researchers must identify and respond to each new threat, then add its characteristic signature to distributed update files. They certainly have their work cut out for them: readily available toolkits like Virus Creation Station 4.0 and Virus Creator PRO allow even novices to build new spyware and other malware by their hundreds.
Many mass-produced viruses can be detected using common signatures that betray their origins. However, more nefarious authors use on-the-fly encryption, code obfuscation and application packing to change the actual binary representation of their code. Such techniques can allow carefully crafted spyware to avoid detection, giving it time to dig into a victim's computer so deeply that complete removal is virtually impossible.
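As an added illustration, not from the original article, of why packing defeats a byte signature and what a scanner can fall back on: a constructed sample is checked by a plain signature match and by a Shannon-entropy heuristic, before and after a stand-in packer (compress, then XOR) runs over it. The marker string, the byte alphabet and the 7.0 threshold are assumptions chosen for the demonstration.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample: a synthetic "code section" drawn from a small byte
# alphabet (low entropy, as real machine code tends to be) with an embedded
# marker string standing in for a known spyware signature. Not a real file.
_rng = random.Random(7)
_CODE_ALPHABET = b"\x55\x89\xe5\x8b\x45\x08\xc3\x90"
SIGNATURE = b"TROJ_DLOADER_MARKER"  # hypothetical signature, not a real IoC
UNPACKED = (bytes(_rng.choice(_CODE_ALPHABET) for _ in range(3000))
            + SIGNATURE
            + bytes(_rng.choice(_CODE_ALPHABET) for _ in range(3000)))


def pack(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a packer: compress, then XOR-encrypt the result.
    Real packers also prepend an unpacking stub; this is enough to change
    every byte of the payload, which is all a byte signature ever sees."""
    return bytes(b ^ key for b in zlib.compress(data, 9))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Compressed/encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signature_scan(data: bytes, signatures=(SIGNATURE,)) -> list:
    """Classic detection: report every signature that appears verbatim."""
    return [s for s in signatures if s in data]


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine both checks: no signature hit but near-random content is
    flagged for deeper inspection (unpacking, emulation or sandboxing)."""
    hits = signature_scan(data)
    ent = shannon_entropy(data)
    return {
        "signature_hits": hits,
        "entropy": round(ent, 2),
        "suspect_packed": not hits and ent >= entropy_threshold,
    }


if __name__ == "__main__":
    for name, blob in (("unpacked", UNPACKED), ("packed", pack(UNPACKED))):
        print(name, triage(blob))
```

The signature fires only on the unpacked blob; the packed blob evades it but trips the entropy heuristic, which is why scanners pair signatures with unpackers and behavioural checks rather than relying on byte patterns alone.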