In the field of computing, the term spyware refers to a broad category
of malicious software designed to intercept or take partial control of a
computer's operation without the informed consent of that machine's owner or
legitimate user. While the term taken literally suggests software that
surreptitiously monitors the user, it has come to refer more broadly to software
that subverts the computer's operation for the benefit of a third party.
In simpler terms, spyware is a type of program that watches what users do
with their computer and then sends that information over the internet. Spyware
can collect many different types of information about a user. More benign
programs can attempt to track what types of websites a user visits and send this
information to an advertisement agency. More malicious versions can try to
record what a user types to try to intercept passwords or credit card numbers.
Yet other versions simply launch popup advertisements.
History and development
The first recorded use of the term spyware occurred on October 17,
1994 in a Usenet post that poked fun at Microsoft's business model. Spyware
later came to refer to espionage equipment such as tiny cameras. However, in
early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press
release for the ZoneAlarm Personal Firewall.
 Since then, computer-users
have used the term in its current sense.
In early 2000, Steve Gibson of Gibson Research realized that advertising
software had been installed on his system, and he suspected that the software
was stealing his personal information. After analyzing the software he
determined that they were adware components from the companies Aureate (later
Radiate) and Conducent. He eventually retracted his claim that the ad software
collected information without the user's knowledge, but still chastised the ad
companies for covertly installing the spyware and making it difficult to remove.
As a result of his analysis in 2000, Gibson released the first anti-spyware
program, OptOut, and many more software-based antidotes have appeared since
then.  International Charter
now offers software developers a Spyware-Free Certification program.
According to a November 2004 study by AOL and the National Cyber-Security
Alliance, 80% of surveyed users' computers had some form of spyware, with an
average of 93 spyware components per computer. 89% of surveyed users with
spyware reported that they did not know of its presence, and 95% reported that
they had not given permission for the installation of the spyware.
As of 2006, spyware has become one of the preeminent security threats to
computer-systems running Microsoft Windows operating-systems (and especially to
users of Internet Explorer because of that browser's collaboration with the
Windows operating system).
Some malware on the Linux and Mac OS X platforms has behaviour similar to Windows
but to date has not become anywhere near as widespread. In an estimate based on
customer sent scan logs, Webroot Software, makers of Spy Sweeper, said that 9
out of 10 computers connected to the internet are infected and 86% of those
surveyed suffered a monetary loss due to spyware.
Netbooks from Amazon.co.uk
Large Range Of NetBooks available. Small, light and inexpensive laptop computers suited for general computing and accessing web-based applications
Spyware, adware, and tracking
The term adware frequently refers to any software which displays
advertisements, whether or not it does so with the user's consent. Programs such
as the Eudora mail client display advertisements as an alternative to shareware
registration fees. These classify as "adware" in the sense of
advertising-supported software, but not as spyware. Adware in this form does not
operate surreptitiously or mislead the user, and provides the user with a
Many of the programs frequently classified as spyware function as adware
in a different sense: their chief observed behaviour consists of displaying
advertising. Claria Corporation's Gator Software and Exact Advertising's
BargainBuddy provide examples of this sort of program. Visited Web sites
frequently install Gator on client machines in a surreptitious manner, and it
directs revenue to the installing site and to Claria by displaying
advertisements to the user. The user experiences a large number of pop-up
Other spyware behaviours, such as reporting on websites the user visits,
frequently accompany the displaying of advertisements. Monitoring web activity
aims at building up a marketing profile on users in order to sell "targeted"
advertisement impressions. The prevalence of spyware has cast suspicion upon
other programs that track Web browsing, even for statistical or research
purposes. Some observers describe the Alexa Toolbar, an Internet Explorer
plug-in published by Amazon.com, as spyware (and some anti-spyware programs
report it as such) although many users choose to install it.
Spyware, virus and worm
Spyware differs from viruses and worms in that it does not usually
self-replicate. Like many recent viruses, however, spyware — by design —
exploits infected computers for commercial gain. Typical tactics furthering this
goal include delivery of unsolicited pop-up advertisements; theft of personal
information (including financial information such as credit card numbers);
monitoring of Web-browsing activity for marketing purposes; or routing of HTTP
requests to advertising sites.
Routes of infection
Spyware does not directly spread in the manner of a computer virus or worm:
generally, an infected system does not attempt to transmit the infection to
other computers. Instead, spyware gets on a system through deception of the user
or through exploitation of software vulnerabilities.
The most direct route by which spyware can infect a computer involves the
user installing it. However, users tend not to install software if they know
that it will disrupt their working environment and compromise their privacy. So
many spyware programs deceive the users, either by piggybacking on a piece of
desirable software such as Kazaa, or by tricking the users to do something that
installs the software without them realising. Recently, spyware has come to
include "rogue anti-spyware" programs, which masquerade as security software
while actually doing damage.
Classically, a Trojan horse, by definition, smuggles in something dangerous
in the guise of something desirable. Some spyware programs get spread in just
this manner. The distributor of spyware presents the program as a useful utility
— for instance as a "Web accelerator" or as a helpful software agent. Users
download and install the software without immediately suspecting that it could
cause harm. For example, Bonzi Buddy, a spyware program targeted at children,
- He will explore the Internet with you as your very own friend and
sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no
other friend you've ever had! He even has the ability to compare prices on the
products you love and help you save money! Best of all, he's FREE!
Spyware can also come bundled with shareware or other downloadable software,
as well as music CDs. The user downloads a program (for instance, a music
program or a file-trading utility) and installs it, and the installer
additionally installs the spyware. Although the desirable software itself may do
no harm, the bundled spyware does. In some cases, spyware authors have paid
shareware authors to bundle spyware with their software. In other cases, spyware
authors have repackaged desirable free software with installers that add
A third way of distributing spyware involves tricking users by manipulating
security features designed to prevent unwanted installations. The Internet
Explorer Web browser, by design, prevents websites from initiating an unwanted
download. Instead, a user action (such as clicking on a link) must normally
trigger a download. However, links can prove deceptive: for instance, a pop-up
ad may appear like a standard Windows dialog box. The box contains a message
such as "Would you like to optimise your Internet access?" with links which look
like buttons reading Yes and No. No matter which "button" the user
presses, a download starts, placing the spyware on the user's system. Later
versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system by attacking security holes in the Web
browser or in other software. When the user navigates to a Web page controlled
by the spyware author, the page contains code which attacks the browser and
forces the download and installation of spyware. The spyware author would also
have some extensive knowledge of commercially-available anti-virus and firewall
software. This has become known as a "drive-by download", which leaves the user
a hapless bystander to the attack. Common browser exploits target security
vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
The installation of spyware frequently involves Microsoft's Internet
Explorer. As the most popular Web browser, and with an unfortunate history of
security issues, it has become the largest target. Its deep integration with the
Windows environment and its scriptability make it an obvious point of attack
into Microsoft Windows operating systems. Internet Explorer also serves as a
point of attachment for spyware in the form of browser helper objects, which
modify the browser's behaviour to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a payload of spyware. For
instance, some attackers used the W32.Spybot.Worm worm to install spyware that
popped up pornographic ads on the infected system's screen.
 By directing traffic to ads set up
to channel funds to the spyware authors, they can profit even by such clearly
Effects and behaviours
A piece of spyware rarely "lives" alone: an affected computer can rapidly
become infected with large numbers of spyware components. Users frequently
notice unwanted behavior and degradation of system performance. A spyware
infestation can create significant unwanted CPU activity, disk usage, and
network traffic which thereby slows down legitimate uses of these resources.
Stability issues, such as application or system-wide crashes, are also common.
Spyware which interferes with networking software commonly causes difficulty
connecting to the Internet.
In some cases of spyware infection, the user has no awareness of spyware and
assumes that the system performance, stability, and/or connectivity issues
relate to hardware, to Microsoft Windows installation problems, or to a virus.
Some owners of badly infected systems resort to contacting technical support
experts, or even buying an entire new computer system because the existing
system "has become too slow." Badly infected systems may require a clean
reinstall of all their software in order to restore the system to working order.
This can become a time-consuming task, even for experienced users.
Only rarely does a single piece of software render a computer unusable.
Rather, a computer rarely has only one infection. As the 2004 AOL study noted,
if a computer has any spyware at all, it typically has dozens of different
pieces installed. The cumulative effect, and the interactions between spyware
components, typically cause the stereotypical symptoms reported by users: a
computer which slows to a crawl, overwhelmed by the many parasitic processes
running on it. Moreover, some types of spyware disable software firewalls and
anti-virus software, and/or reduce browser security settings, thus opening the
system to further opportunistic infections, much like an immune deficiency
disease. Documented cases have also occurred where a spyware program disabled
other spyware programs installed by its competitors.
Some other types of spyware (Targetsoft, for example) modify system files to
make themselves harder to remove. (Targetsoft modifies the "Winsock" Windows
Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will
interrupt normal networking usage.) Unlike users of many other operating
systems, a typical Windows user has administrator privileges on the system,
mostly for convenience. Because of this, any program which the user runs
(intentionally or not) has unrestricted access to the system. Spyware, along
with other threats, has led some Windows users to move to other platforms such
as Linux or Apple Macintosh, which such malware targets far less frequently.
Many spyware programs reveal themselves visibly by displaying advertisements.
Some programs simply display pop-up ads on a regular basis; for instance, one
every several minutes, or one when the user opens a new browser window. Others
display ads in response to specific sites that the user visits. Spyware
operators present this feature as desirable to advertisers, who may buy ad
placement in pop-ups displayed when the user visits a particular site. It is
also one of the purposes for which spyware programs gather information on user
behaviour. Hence, pop-up advertisements lead to some of users' most common
complaints about spyware.
Many users complain about irritating or offensive advertisements as well. As
with many banner ads, many spyware advertisements use animation or flickering
banners which are visually distracting and annoying. Pop-up ads for pornography
often display indiscriminately, including when children use the computer
(possibly in violation of anti-pornography laws).
A further issue in the case of some spyware programs has to do with the
replacement of banner ads on viewed web sites. Spyware that acts as a web proxy
or a Browser Helper Object can replace references to a site's own advertisements
(which fund the site) with advertisements that instead fund the spyware
operator. This cuts into the margins of advertising-funded Web sites.
"Stealware" and affiliate fraud
A few spyware vendors, notably 180 Solutions, have written what the New York
Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms
affiliate fraud, also known as click fraud. These redirect the payment of
affiliate marketing revenues from the legitimate affiliate to the spyware
Affiliate marketing networks work by tracking users who follow an
advertisement from an "affiliate" and subsequently purchase something from the
advertised Web site. Online merchants such as eBay and Dell are among the larger
companies which use affiliate marketing. In order for affiliate marketing to
work, the affiliate places a tag such as a cookie or a session variable on the
user's request, which the merchant associates with any purchases made. The
affiliate then receives a small commission.
Spyware which attacks affiliate networks does so by placing the spyware
operator's affiliate tag on the user's activity—replacing any other tag, if
there is one. This harms just about everyone involved in the transaction other
than the spyware operator. The user is harmed by having their choices thwarted.
A legitimate affiliate is harmed by having their earned income redirected to the
spyware operator. Affiliate marketing networks are harmed by the degradation of
their reputation. Vendors are harmed by having to pay out affiliate revenues to
an "affiliate" who did not earn them through a contractual agreement.
Affiliate fraud is a violation of the terms of service of most affiliate
marketing networks. As a result, spyware operators such as 180 Solutions have
been terminated from affiliate networks including LinkShare and ShareSale.
Identity theft and fraud
One case has closely associated spyware with identity theft.
 In August 2005, researchers from
security software firm Sunbelt Software believed that the makers of the common
CoolWebSearch spyware had used it to transmit "chat sessions, user names,
passwords, bank information, etc." ,
but it turned out that "it actually is its own sophisticated criminal little
trojan that’s independent of CWS." 
This case is currently under investigation by the FBI.
Spyware has principally become associated with identity theft in that
keyloggers are routinely packaged with spyware. John Bambenek, who researches
information security, estimates that identity thieves have stolen over $24
billion US dollars of account information in the United States alone
Spyware-makers may perpetrate another sort of fraud with dialer
program spyware: wire fraud. Dialers cause a computer with a modem to dial up a
long-distance telephone number instead of the usual ISP. Connecting to these
suspicious numbers involves long-distance or overseas charges which invariably
result in massive telephone bills that the user is liable for. Dialers are
somewhat less effective today, now that fewer Internet users use dialup modems.
Digital rights management
Some copy-protection schemes, while they do serve the purpose of attempting
to prevent piracy, also behave similarly to spyware programs. Some digital
rights management technologies (such as Sony's XCP) actually use trojan-horse
tactics to verify a user as the rightful owner of the media in question.
Sony has been sued for using virus-like techneques to prevent users from
copying its CDs. A Rootkit technique was used to embed Sony's software deep
inside the Windows operating system to make it hard to find by antispyware
software and difficult to uninstall.
Spyware and cookies
Anti-spyware programs often report Web advertisers' HTTP cookies as spyware.
Web sites (including advertisers) set cookies — small pieces of data rather than
software—to track Web-browsing activity: for instance to maintain a "shopping
cart" for an online store or to maintain consistent user settings on a search
Only the Web site that sets a cookie can access it. In the case of cookies
associated with advertisements, the user generally does not intend to visit the
Web site which sets the cookies, but gets redirected to a cookie-setting
third-party site referenced by a banner ad image. Some Web browsers and privacy
tools offer to reject cookies from sites other than the one that the user
carrying ads from the same firm and thus to build up a marketing profile of the
person or family using the computer. For this reason many users object to such
cookies, and anti-spyware programs offer to remove them.
Typical examples of spyware
A few examples of common spyware programs may serve to illustrate the
diversity of behaviors found in these attacks.
Caveat: As with computer viruses, researchers give names to spyware
programs which frequently do not relate to any names that the spyware-writers
use. Researchers may group programs into "families" based not on shared program
code, but on common behaviours, or by "following the money" of apparent
financial or business connections. For instance, a number of the spyware
programs distributed by Claria are collectively known as "Gator". Likewise,
programs which are frequently installed together may be described as parts of
the same spyware package, even if they function separately.
- CoolWebSearch, a group of programs, installs through the exploitation
of Internet Explorer vulnerabilities. The programs direct traffic to
advertisements on Web sites including coolwebsearch.com. To this end,
they display pop-up ads, rewrite search engine results, and alter the infected
computer's hosts file to direct DNS lookups to these sites.
- Internet Optimizer, also known as DyFuCa, redirects Internet
Explorer error pages to advertising. When users follow a broken link or enter an
erroneous URL, they see a page of advertisements. However, because
password-protected Web sites (HTTP Basic authentication) use the same mechanism
as HTTP errors, Internet Optimizer makes it impossible for the user to access
password-protected sites. 
- 180 Solutions transmits extensive information to advertisers about
the Web sites which users visit. It also alters HTTP requests for affiliate
advertisements linked from a Web site, so that the advertisements make unearned
profit for the 180 Solutions company. It opens pop-up ads that cover over the
Web sites of competing companies. 
- HuntBar, aka WinTools or Adware.Websearch, is a small
family of spyware programs distributed by Traffic Syndicate.
 It is installed by ActiveX
drive-by download at affiliate Web sites, or by advertisements displayed by
other spyware programs—an example of how spyware can install more spyware. These
programs add toolbars to Internet Explorer, track Web browsing behavior,
redirect affiliate references, and display advertisements.
User consent and legality
Gaining unauthorised access to a computer is illegal under computer crime
laws in several global territories, such as the United States Computer Fraud and
Abuse Act. Since the owners of computers infected with spyware generally claim
that they never authorised the installation, a prima facie reading would
suggest that the promulgation of spyware would count as a criminal act. Law
enforcement has often pursued the authors of other malware programs, such as
viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and
many such producers operate openly as aboveboard businesses. Some have, however,
Spyware producers primarily argue in defense of the legality of their acts
that, contrary to the users' claims, users do in fact give consent to the
installation of their spyware. Spyware that comes bundled with shareware
applications may appear, for instance, described in the legalese text of an
end-user license agreement (EULA). Many users habitually ignore these purported
contracts, but spyware companies such as Claria claim that these demonstrate
that users have consented to the installation of their software.
Despite the ubiquity of EULAs and of clickwrap agreements, relatively little
case law has resulted from their use. It has been established in most common law
jurisdictions that a clickwrap agreements can be a binding contract in
certain circumstances. This does not however mean that every clickwrap
agreement is a contract or that every term in a clickwrap contract is
enforceable. It seems highly likely that many of the purported contract terms
presented in clickwrap agreements would be dismissed in most jurisdictions as
being contrary to public policy. Many spyware clickwrap agreements appear
intentionally ambiguous and excessive in length, with key contract terms made
inconspicuous. These are all grounds on which similar agreements have been
rejected as contracts of adhesion. In Australia, the proprietors of Sharman
Newtorks, who own and operate the KaZaa P2P network were sued by the Australian
Recording Industry Association for breaching copyright laws as a result of
allowing illegal music to be shared and distributed through the KaZaa network.
Sharman Networks claimed that the EULA stated that the program was not to be
used for illegal activity, however the claim was dismissed on the grounds that
the length and ambiguity of the agreement coupled with the fact that few users
read it made the agreement inadmissable as a defence.
Nor can a contract possibly exist in the case of spyware installed by
surreptitious means, such as in a drive-by download where the user receives no
opportunity to either agree to or refuse the contract terms.
Some jurisdictions, including the U.S. states of Iowa  and Washington ,
have passed laws criminalizing some forms of spyware. Such laws make it illegal
for anyone other than the owner or operator of a computer to install software
that alters Web-browser settings, monitors keystrokes, or disables
New York Attorney General Eliot Spitzer has pursued spyware companies for
fraudulent installation of software. 
In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc.
ended up settling by agreeing to pay US$7.5 million and to stop distributing
spyware. Intermix's spyware spread via drive-by download, and deliberately
installed itself in ways that made it difficult to remove.
Another spyware behaviour has attracted lawsuits: the replacement of Web
advertisements. In June 2002, a number of large Web publishers sued Claria for
replacing advertisements, but settled out of court. Other spyware apart from
Claria's also replaces advertisements, thus diverting revenue from the
ad-bearing Web site to the spyware author.
One legal issue not yet pursued involves whether courts can hold advertisers
responsible for spyware which displays their ads. In many cases, the companies
whose advertisements appear in spyware pop-ups do not directly do business with
the spyware firm. Rather, the advertised company contracts with an advertising
agency, which in turn contracts with an online subcontractor who gets paid by
the number of "impressions" or appearances of the advertisement. Some major
firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies
which have run their ads in spyware. 
Some spyware companies have threatened websites which have posted
descriptions of their products. In 2003, Gator (now known as Claria) filed suit
against the website PC Pitstop for describing the Gator program as "spyware".
 PC Pitstop settled, agreeing not
to use the word "spyware", but continues to publish descriptions of the harmful
behaviour of the Gator/Claria software. 
Malicious programmers have released a large number of fake anti-spyware
programs, and widely distributed Web banner ads now spuriously warn users that
their computers have been infected with spyware, directing them to purchase
programs which do not actually remove spyware — or worse, may add more spyware
of their own. 
The recent proliferation of fake or spoofed antivirus products has occasioned
some concern. Such products often bill themselves as antispyware, antivirus, or
registry cleaners, and sometimes feature popups prompting users to install them.
This is called Rogue software.
Known offenders include:
- Malware Wipe
- Pest Trap
- AntiVirus Gold
- Spy Sheriff
- PAL Spyware Remover
- Spyware Stormer
For details, please see "Rogue/Suspect Anti-Spyware Products & Web Sites"
On 2006-01-26, Microsoft and the Washington state attorney general filed suit
against Secure Computer for its Spyware Cleaner product.