
  • Spyware

    Spyware is computer software that collects personal information about users without their informed consent. The term, coined in 1995 but not widely used for another five years, is often used interchangeably with adware and malware (software designed to infiltrate and damage a computer).

    Personal information is secretly recorded with a variety of techniques, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer's hard disk. Purposes range from overtly criminal (theft of passwords and financial details) to the merely annoying (recording Internet search history for targeted advertising, while consuming computer resources). Spyware may collect different types of information. Some variants attempt to track the websites a user visits and then send this information to an advertising agency. More malicious variants attempt to intercept passwords or credit card numbers as a user enters them into a web form or other application.

    The spread of spyware has led to the development of an entire anti-spyware industry. Its products remove or disable existing spyware on the computers they are installed on and prevent its installation. However, a number of companies have incorporated forms of spyware into their products. These programs are not considered malware, but are still spyware as they watch and observe for advertising purposes. It is debatable whether such 'legitimate' uses of adware/spyware are malware since the user often has no knowledge of these 'legitimate' programs being installed on his/her computer and is generally unaware that these programs are infringing on his/her privacy. In any case, these programs still use the resources of the host computer without permission.


  • #2
    The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware at first denoted hardware meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Since then, "spyware" has taken on its present sense.

    In early 2001, Steve Gibson of Gibson Research realized that advertising software had been installed on his system, and suspected it was stealing his personal information. After analysis, he determined that it was adware from the companies Aureate (later Radiate) and Conducent. Gibson developed and released the first anti-spyware program, OptOut. Many more have appeared since then.

    According to a November 2004 study by AOL and the National Cyber-Security Alliance, 80% of surveyed users' computers had some form of spyware, with an average of 93 spyware components per computer (such counts usually include 'cookies' which report back to a website, but are not software as such). 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for the installation of the spyware.

    As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. In an estimate based on customer-sent scan logs, Webroot Software, makers of Spy Sweeper, said that 9 out of 10 computers connected to the Internet are infected. Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks not only because IE is the most widely-used but because its tight integration with Windows allows spyware access to crucial parts of the operating system.



        • #5
          Anti-spyware programs

          Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, rebranding it as Windows AntiSpyware beta and releasing it as a free download for Windows XP and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender, and it was released as a free download in October 2006. Microsoft has also announced that the product will ship (for free) with Windows Vista. Other well-known anti-spyware products include Webroot Spy Sweeper, Trend Micro's Anti-Spyware, PC Tools' Spyware Doctor, and Sunbelt's CounterSpy (which uses a forked codebase from the GIANT Anti-Spyware, now called Microsoft's Windows Defender). Blue Coat Systems released a gateway anti-spyware solution in 2004.

          Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses). Recently the anti-virus company Grisoft, who make the AVG anti-virus program, relabeled the Ewido anti-spyware program as the AVG Anti-Spyware program. This shows a trend by anti-virus companies to launch a dedicated solution to spyware and malware. Zone Labs, who make the Zone Alarm firewall, have also released an anti-spyware program.



          • #6
            Anti-spyware programs can combat spyware in two ways:

            Real-time protection, which prevents the installation of spyware;
            Detection and removal, which removes spyware from an infected computer.

            Writers of anti-spyware programs usually find detection and removal simpler, and many more programs have become available which do so. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to sandbox browsers can also be effective to help restrict any damage done.

            Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows Defender now combine the two approaches, while SpywareBlaster remains focused on prevention.

            Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.

            Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's TeaTimer and Spy Sweeper) or fully (programs falling under the class of HIPS such as BillP's WinPatrol) on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?"

            Windows Defender's Spynet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate Windows files/registry entries, it is advised for those who are less knowledgeable on this subject to post a HijackThis log on the numerous antispyware sites and let the experts decide what to delete. Open source anti-spyware programs are also available. One program, wssecure, can detect new processes and changes in system files using checksum verification, a technique that can be helpful in detecting spyware that is downloaded automatically due to Windows vulnerabilities.

            If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work.

            A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) is starting to hide inside system-critical processes and start up even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use, as is the use of NTFS alternate data streams. Newer spyware programs also have specific countermeasures against well-known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data stream scanners and actively stops popular rootkit scanners from running.

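The contrast drawn in post #6 between definition-based detection and change monitoring with checksum verification can be sketched as follows. This is an added example, not part of the original post and not code from any product named in the thread; the watched folder, file names and the single "definition" (`Example.Adware`) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff(baseline, current):
    """Report what changed between two snapshots, without judging it."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def triage(changes, current, signatures):
    """A definition hit gives guidance; anything else is left to the user."""
    return {name: signatures.get(current[name], "unknown change: review")
            for name in changes["added"] + changes["modified"]}


def demo():
    """Constructed scenario: a watched folder before and after an install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "startup.cfg").write_text("run=updater\n")
        baseline = snapshot(root)
        # Constructed changes: one edited start-up file and two new files.
        (root / "startup.cfg").write_text("run=updater\nrun=toolbar\n")
        (root / "toolbar.bin").write_bytes(b"constructed sample A")
        (root / "helper.bin").write_bytes(b"constructed sample B")
        current = snapshot(root)
        # Constructed definition list: only sample A is "known".
        signatures = {hashlib.sha256(b"constructed sample A").hexdigest():
                      "matches definition: Example.Adware"}
        changes = diff(baseline, current)
        return changes, triage(changes, current, signatures)


if __name__ == "__main__":
    print(demo())
```

The checksum baseline flags all three changes, but only the file covered by a definition comes with a verdict; the other two are reported without guidance, which is the limitation the post describes.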




              • #8
                Antispyware Company to Reimburse Some Customers

                Washington's attorney general has settled the first case prosecuted under the state's 2005 Computer Spyware Act.

                The settlement announced today is with antispyware vendor Secure Computer. The White Plains, New York, software company was accused of marketing its product via deceptive spam and pop-up ads, which offered free spyware scans that always detected a problem with the computer that was scanned.

                The company and its president, Paul Burke, will pay $725,000 in legal fees and $200,000 in penalties, and will reimburse Washington state customers $75,000, said Paula Selis, senior counsel with the attorney general's office. "Given the scope of the defendants' practices and the amount of consumer harm out there, we feel this is a very fair settlement."

                More than 1100 state residents purchased the company's Spyware Cleaner software since it went on the market in 2004, Selis said. Those customers will now be e-mailed by Secure Computer and offered a refund for the $50 product, under terms of the settlement.

                Additional Penalties
                Secure Computer, which admits no wrongdoing in the matter, is also prohibited from using deceptive marketing techniques to promote its software, and the company must now review the advertising of its marketing affiliates to make sure they comply with the settlement.

                That seems like an unlikely possibility, however, because Spyware Cleaner was pulled from the market shortly after the lawsuits were filed in late January, and Secure Computer is now out of business, according to the company's Web site. Representatives from Secure Computer could not be reached for comment.

                Secure Computer and four of its business partners were sued by Microsoft and the Washington attorney general in January, but charges against three of the men have already been settled. A fourth man, Manoj Kumar of Maharashtra, India, could not be located, the attorney general's office said.
