There are three major categories in this area: Prevention (prevent people from
downloading and installing), Detection (detect infected users), and Removal (clean infected systems).
I am trying to summarize the options we discussed in each of these areas, if I miss something
please let me know so that I can update the document.
To complicate the issue, there are several types of software that fall into the SpyWare category,
including: spyware, adware, keyloggers, dialers, downloaders, backdoors, etc.
The most prevalent are obviously adware, which is funded by advertisers. Many of their advertisers
may not even know that they are participating in an "adware" campaign. Adware companies get
paid for the advertisements they serve, and in turn pay a portion of the revenues to the company
that installed the adware.
For instance, if you install Kazaa, it installs CyDoor, IncrediFind, Peer Points, NewDotNet,
PerfectNav, P2P Networking, n-Case, SaveNow, Gator, b3d Projector and others. When you installed
Kazaa, you agreed to this in the license agreement, so all of this is entirely legal. Now, when
the user accesses the Internet, and a Gator ad pops up on his desktop, Gator is paid for the
advertisement. Since Gator also knows that this installation was done using Kazaa, Gator pays
a fee to Kazaa.
Since the installer (person or corporation) of the adware is paid for ads served on their
pages, they have an incentive to install as much adware as possible onto each system. If I can
get ten adware companies to pop-up advertisements on your screen, I get paid ten times as much.
Additionally, if I can figure out how to get adware on more users' computers, I can make more
money.
The result is that companies (and individuals) are getting more and more aggressive in finding
ways to install spyware on your computer, and since the company doing the advertising and providing
the software is often not the company that does the installation, their liability is limited.
This creates an incentive for people to exploit vulnerabilities in your system, like those
used by the Scob virus or the JS.Exception virus to install code on your machine. Both of these
viruses take advantage of exploits in order to infect target systems, but the viruses themselves
are detected by most antivirus vendors. However, it is a relatively simple task to modify these
viruses with encryption or encoding schemes to avoid detection.
The problem with a virus is that viruses need to spread from one computer to another, and
any system of encryption, encoding or polymorphism is going to spread as part of the virus.
The system will remain the same for each instance of the virus as it spreads, so once the virus
is in the wild, an antivirus engine knows the system, and can detect it.
In the case of Spyware, or simply a hacker trying to infect your system, the problem is more
complex. The polymorphism or encoding engine can be implemented on the server that is attempting
to infect another machine. Not only can each user get a different encoding key, but a different
encoding type and a different number of iterations of that encoding. It is a simple task to
implement this in a way that can only be detected by running the infector in a virtual machine.
However, in the case of the Scob virus for example, the vulnerability it is exploiting is
an error in the Microsoft Internet Explorer browser, which allows entering the local security
zone by redirecting to a file on most computers at
ms-its:C:\\WINNT\\Help\\iexplore.chm::/iegetsrt.htm
This problem has been patched, but it turns out it can still be exploited by using URL:ms-its:C:\\WINNT\\Help\\iexplore.chm::/iegetsrt.htm
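On the detection side, the local-zone redirect described above leaves a recognisable trace: a reference to the `ms-its:` protocol pointing into a `.chm` file, optionally wrapped in the `URL:` prefix that the memo says survives the patch. The following is an added example, not part of the original memo, of a small scanner that flags such references in proxy or web-server log lines. The log lines are constructed for the example (the IP addresses, host `example.test` and timestamps are invented); the only page-derived values are the `ms-its:` scheme, the `URL:` prefix and the `iexplore.chm::/iegetsrt.htm` path. It percent-decodes each line before matching so that an encoded copy of the same reference is not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (invented for this example, not from the memo).
# Line 2 carries the plain ms-its: reference; line 3 carries the URL:-prefixed,
# percent-encoded variant; lines 1 and 4 are ordinary requests.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [27/Jun/2004:10:01:12] "GET http://example.test/index.html HTTP/1.1" 200',
    '10.0.0.5 - - [27/Jun/2004:10:01:14] "GET http://example.test/ad.html?r=ms-its:C:\\WINNT\\Help\\iexplore.chm::/iegetsrt.htm HTTP/1.1" 302',
    '10.0.0.6 - - [27/Jun/2004:10:02:01] "GET http://example.test/x?u=URL:ms-its:C:%5CWINNT%5CHelp%5Ciexplore.chm::/iegetsrt.htm HTTP/1.1" 200',
    '10.0.0.7 - - [27/Jun/2004:10:02:30] "GET http://example.test/news.html HTTP/1.1" 200',
]

# Optional "URL:" prefix (the post-patch variant the memo mentions), the ms-its scheme,
# then a .chm file followed by "::/", the separator for a path inside the help file.
MS_ITS_RE = re.compile(r'(?i)(?:url:)?ms-its:[^\s"]*?\.chm::/[^\s"]*')


def normalize(text):
    """Percent-decode until the text stops changing, so nested encoding is unwrapped."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return text


def find_ms_its_references(line):
    """Return every ms-its:/.chm reference found in one (decoded) log line."""
    return [m.group(0) for m in MS_ITS_RE.finditer(normalize(line))]


def scan_log(lines):
    """Return (line_number, matched_reference) pairs for every hit in the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ref in find_ms_its_references(line):
            hits.append((number, ref))
    return hits


if __name__ == "__main__":
    for number, ref in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {ref}")
```

Running the block against the sample lines reports lines 2 and 3 and ignores the rest. In practice the same pattern can be applied to HTML served through a proxy rather than only to request logs, since the redirect in the memo is triggered from page content.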