Written by Richard Stiennon, Contributor

One aspect of viruses that spyware does not share is that they announce their presence to the world overtly. Researching and discovering new viruses involves listening at many points: email accounts, IM accounts, and network sniffers are all ways to capture new viruses. The major anti-virus vendors also rely on end user customers to alert them to new samples. It would be unfair to call this process completely passive, but it does not involve the type of research required to find spyware.

There are over two thousand pieces of known spyware, but there are hundreds of thousands of websites that distribute them. The research process for discovering spyware involves browsing to those web sites, allowing them to install their payloads, then analyzing the results to see whether some sort of malware was installed. If a threat exists, the infected machine is compared to a pristine machine file by file, registry key by registry key, memory process by memory process. The differences are traces that, combined, make up a spyware definition. Don’t forget that every piece of spyware can be picked up and modified by someone else, and that the original writers are constantly improving them. So, unlike the virus world, where there are only a few dozen mainline viruses and a few hundred actively spreading variants at any one time, in the spyware world most of the spyware is active *AND* changing continuously.
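The file-by-file, key-by-key, process-by-process comparison described above is, in practice, a snapshot diff: record the pristine machine's state, let the sample run, record again, and keep the differences as the definition. The following Python is an added example, not Stiennon's own tooling or any vendor's engine. It models each snapshot as file hashes, registry values and running process names; the two sample snapshots, the `SampleHelper` file and registry names, and the hash inputs are all constructed for illustration. Only `hash_directory` touches a real filesystem, and only when you point it at a directory.

```python
"""Baseline-vs-infected snapshot comparison (added illustration, not the
author's or any vendor's tooling).  The sample snapshots below are constructed;
the paths and names are hypothetical."""
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Snapshot:
    files: dict      # relative path -> sha256 hex digest
    registry: dict   # registry key\value name -> data
    processes: set   # executable names observed running


def hash_directory(root):
    """Hash every regular file under `root` so two walks can be compared.
    Unreadable files (locked, permission denied) are skipped rather than
    aborting the whole snapshot."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue
            result[os.path.relpath(path, root)] = digest
    return result


def diff_maps(before, after):
    """Return entries added, removed, or whose data changed between two maps."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}


def compare(pristine, infected):
    """Produce the raw traces: what the sample left behind in each area."""
    return {
        "files": diff_maps(pristine.files, infected.files),
        "registry": diff_maps(pristine.registry, infected.registry),
        "processes": {
            "added": sorted(infected.processes - pristine.processes),
            "removed": sorted(pristine.processes - infected.processes),
        },
    }


def build_definition(name, traces):
    """Collapse the traces into a flat indicator list a scanner could check.
    Removed entries are deliberately not turned into indicators: their absence
    on a clean machine would otherwise produce false positives."""
    indicators = []
    for path, digest in traces["files"]["added"].items():
        indicators.append(("file", path, digest))
    for path, (_, new_digest) in traces["files"]["changed"].items():
        indicators.append(("file", path, new_digest))
    for key, data in traces["registry"]["added"].items():
        indicators.append(("registry", key, data))
    for key, (_, new_data) in traces["registry"]["changed"].items():
        indicators.append(("registry", key, new_data))
    for proc in traces["processes"]["added"]:
        indicators.append(("process", proc, None))
    return {"name": name, "indicators": indicators}


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample snapshots; none of this is real system data.
PRISTINE = Snapshot(
    files={
        "Windows/System32/kernel32.dll": _h(b"kernel32 baseline"),
        "Windows/System32/drivers/etc/hosts": _h(b"127.0.0.1 localhost"),
    },
    registry={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BaselineAgent": "agent.exe",
    },
    processes={"explorer.exe", "svchost.exe"},
)

INFECTED = Snapshot(
    files={
        "Windows/System32/kernel32.dll": _h(b"kernel32 baseline"),                  # unchanged
        "Windows/System32/drivers/etc/hosts": _h(b"127.0.0.1 localhost\n# edited"),  # modified
        "Program Files/SampleHelper/helper32.dll": _h(b"dropped component"),         # added
    },
    registry={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BaselineAgent": "agent.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SampleHelper":
            r"C:\Program Files\SampleHelper\helper32.dll",                           # added autorun
    },
    processes={"explorer.exe", "svchost.exe", "helper32.exe"},
)


if __name__ == "__main__":
    definition = build_definition("SampleHelper", compare(PRISTINE, INFECTED))
    for kind, where, what in definition["indicators"]:
        print(f"{kind:9} {where}  {what or ''}")
```

The same diff run twice, against a second variant of the sample, is how the continual modification the paragraph warns about shows up: the added file's digest changes while the autorun key and process name usually stay put, which is why a definition built from several trace types survives longer than one built from file hashes alone.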

The one aspect of virus research that is much more challenging than spyware research is the race against time. Anti-virus researchers have only hours, sometimes minutes, to discover a new virus and get new signatures out. A new version of Cool Web Search, by contrast, only spreads as fast as people can browse to whatever site contains the exploit. Spyware shields are effective against most infections. Researching spyware is more difficult than researching viruses.

