So what makes spyware so different from viruses? Why is perfect prevention possible for viruses but not spyware? The answer is far from simple, and it involves an understanding of how uninvited software can take up residence on a PC. It also involves differentiating viruses, with the urges to reproduce from spyware, which harvests user information and secretly shares it with third parties. In general, however, what makes these two large classes of malicious software different also helps to explain why one may be somewhat easier to corral and detect than the other.
There are too many differences to explain here, but here are the highlights:
Packaging: Viruses essentially send themselves around and include the code necessary to reproduce as part of their contents. Spyware is reproduced through the agency of active Web content or other transient programs that users run on their machines (usually without their knowledge or consent). Viruses are thus quite self-contained and may be definitively identified by their contents.
Spyware includes various types of packages that may run on a user's desktop, but is neither self-contained nor completely identifiable. It can only be identified from traces that remain behind after active content has run and is gone. Also, a virus can be sent somewhere for inspection and analysis; spyware requires identifying, finding it in your system and then visiting a source of infestation.
Self-documentation: Viruses can usually be identified and conquered by those who can disassemble a PC. There, it will reproduce and possibly create new directories in which the new copies can reside. Likewise, changes to configuration files, the Windows Registry and other activity all result from chunking through the virus payload. Because the active content that deposits spyware on a PC must be "caught in the act," the remaining changes can only be discovered by rigorous, painstaking analysis of "before" and "after" snapshots of clean machines deliberately exposed to infestation.
Spyware investigators may never see the source code for the afflictions they seek to cure. Virus investigators invariably get to dig into that code directly.
Distribution: Viruses transport themselves around and seek to reproduce in many ways. Spyware waits for visitors to specific Web sites and pages. Here, the active content that delivers spyware will then run on a user's machine to download related software elements and make related Registry and configuration changes. With viruses, the mountain (the virus) comes to Mohammed (the countermeasures investigator); with spyware, Mohammed (the countermeasures investigator) must go to the mountain.
Complexity and ease of change: Because viruses propagate on their own after leaving their creators' hands, they survive or die out based on their contents and payloads. (Some viruses may be described as self-mutating, where mutations usually deal with forms of disguise, not with outright changes to activity.) Spyware remains available to its creators over time, so they can tinker with it at will. This explains why spyware changes so quickly and changes its activities and modes of infection.
Analysis, identification and repair: Anti-virus companies can generally update their anti-virus signatures within 24 hours of discovering a new virus or determining that a known virus has a new variant. Anti-spyware companies must find a source of infection before they can begin the comparison processes needed to identify the spyware activity and changes. Then they must work through file replacements, updates or deletions necessary to remove the infection. Responses tend to take at least 72 hours to complete, and can sometimes take as long as a week. Thus, spyware has more opportunities to spread.
The final answer
Self-contained packages and definite signatures for viruses are the keys to perfect recognition and handling for viruses. For spyware, the transient, nonportable and often unavailable code for varying traces and symptoms give us a "close is the best we can come" answer for now.
Most major vendors, including Webroot, Microsoft and Sunbelt Software to name a few, either have or will have robots working 24/7, scanning the Web ceaselessly looking for signs of malicious active content that could be spyware. The only sure way to keep up with the bad guys in this case is to keep looking at what's out there. Begin analysis as soon as something suspect shows up on a Web page. Until this kind of technology is fully developed and understood, virus cops will always have the edge on spyware investigators.
Ed Tittel is a full-time freelance writer, trainer, and consultant who specializes in information security, markup languages, and networking technologies. He's a regular contributor to numerous TechTarget Web sites, technology editor for Certification Magazine, and crafts twice-monthly Web content for CramSession called "Must Know News." He's also the author of a Wiley book released in December 2004 entitled The PC Magazine Guide to Fighting Spyware, Viruses, and Malware (ISBN: 0764577697).