The average Internet user has difficulty distinguishing viruses from spyware. The differences are indeed subtle. Both are malicious software (malware): uninvited, intrusive, and potentially destructive. Both have the capacity to capture and destroy information, ruin performance, and disrupt business. Viruses and spyware programs are delivered via web visits and downloads, as well as email attachments. Both can attack systems through many vectors. Perhaps they both fall into the category of blended threats? But what the heck is that?
A Virus Seeks to Spread
One way to distinguish a virus from spyware is by its behavior. A virus seeks to infect a computer; to replicate; and ultimately, to infect as many computers as possible, as quickly as possible.
When you accidentally install a virus onto your computer, the malicious code that is "the virus" tries to find ways to use your computer to infect other computers. For example, an email-delivered virus (a worm) may search your computer's file system for your Outlook address book, and send infected email messages to contacts it finds in the address book. Before you dismiss your own address book as a modest success, consider what a jackpot email addresses like firstname.lastname@example.org or email@example.com are for a virus.
Increasingly, a virus will not rely on email alone for propagation, but will try many attack vectors. These blended threats employ file sharing, telnet, FTP, IMs, or any services and programs on your computer that communicate with other computers.
Spyware seeks to embed
Viruses seek to spread, but spyware tries to stay put, a behavior we typically associate with a parasite. Parasites need a host to feed upon: nematodes notwithstanding, parasites don't need or try to propagate. In the world of espionage, spyware is closest to a mole. A mole will avoid any activity that might blow his cover; similarly, a spyware application is often content to hide on your system. Spyware disguises itself as a legitimate application or secretly resides as one more dynamic link library or registry setting Joe Average User knows nothing about, so that it can collect information about you, your messaging and browsing behavior, your online preferences.
Spyware may have a heavier "footprint" on your computer than a virus: spyware will embed itself deeply into critical components of your operating system and bloat your memory with its monitoring and collection processing executables. So where virus activities are overt and sufficiently extensive in their impact to attract attention quickly, spyware activities are typically covert and their infestations are often long lasting.
Fame, Pain or Monetary Gain?
Another way to distinguish a virus from spyware is by its objectives, or more accurately, the objectives of the malware writer. Many viruses are written by malcreants who want to distinguish themselves among their underground peers and simultaneously thumb their noses at anti-virus vendors and network administrators. Viruses are written to outperform previous virus outbreaks, and to illustrate how far the "science" of virus programming has advanced. Recent events such as the war between the authors of the Bagle and NetSky viruses certainly support the argument that at least some virus activities are a testosterone thing.
Spyware wants to sap a host (your computer) of anything it can use for monetary gain, for as long as it can remain attached to the host. Spyware is content to sit on a single computer, to monitor what the user does, as is the case with tracking adware, or influence where the user visits, as is the case with targeting advertisers who use browser helper objects that pop up ads, substitute search engines, and hijack home pages. Like ticks, mosquitoes and mites, spyware leeches computer resources (e.g., processing capacity) and inhibits performance. But invariably, these pests stay with the host they've infested.
Degrees of malice
Lastly, we can compare viruses and spyware by their malicious intent. Viruses can be intentionally destructive and have been known to erase or corrupt file systems or abet denial of service attacks; in fact, given their potential for destruction, we're actually quite fortunate that virus writers aren't more nihilistic, politically- or financially-motivated.
A parasite, however, needs its host to survive. Spyware is more interested in having the host remain healthy: simply put, a non-functional computer has neither advertising value nor revenue potential to the spyware. So spyware typically remains non-destructive, unless you try to remove it. But many spyware packages are removal resistant: you may uninstall them only to find they reappear when you reboot your computer. Others modify many critical components of a computer operating system and incomplete removal often renders the computer inoperable.
I am the spy-rus?
Do hybrids - viral spyware - exist? I don't know of any "spy-ruses" - spyware that not only installs to track behavior and hijack browsers but also tries to worm onto other systems through email. It's not inconceivable that such a hybrid might be developed, especially among peer-to-peer applications (instant messaging and file sharing), where the "free" client software may already be spyware. But propagation increases the possibility of detection, public disclosure, and subsequent mass removal of spyware, so I'm inclined to conclude that worm behavior in spyware is unlikely.
Shades of gray, even among countermeasures you employ
No classification of viruses and spyware is exact. Keyloggers, remote administration tools (RATs), and other trojan programs are examples of malware that is often embedded in both viruses and spyware. Keyloggers in particular illustrate the degree of overlap in the malware that anti-virus and anti-spyware programs detect.
This "overlap" is a perfect segue for the question, "Why do we need both anti-virus and anti-spyware software?" There are numerous market and development cycle reasons, but no "scientific" reason why virus and spyware detection and removal can't be implemented in a single desktop security program, or anti-malware server. I fully expect some consolidation in the desktop product segment of the anti-malware industry in the next 6-12 months, and anti-malware servers will follow.
Until we see this convergence, use both anti-virus and anti-spyware at the desktop. SMBs and enterprises should try to complement desktop anti-virus with anti-virus, anti-spam and content filtering gateways from Trend Micro, Symantec and others, or security appliances from vendors like WatchGuard and Fortinet, which incorporate such features into their firewall products. If you're a consumer Internet user, choose an Internet Service Provider who can complement your desktop security measures with anti-malware services.
Originally published January 2005 in Security Pipeline, reprinted courtesy of CMP Technology and Dark Reading, also available at Information Week.