Threat Activity Trends

Threat Activity Trends | Spam and Fraud Activity Trends | Malicious Website Activity | Analysis of Malicious Web Activity by Attack Toolkits | Analysis of Web-based Spyware and Adware Activity | Analysis of Web Policy Risks from Inappropriate Use | Analysis of Website Categories Exploited to Deliver Malicious Code | Bot-infected Computers | Analysis of Mobile Threats | Data Breaches that Could Lead to Identity Theft

Analysis of Web-based Spyware and Adware Activity


One of the main goals of a drive-by Web-based installation is the deployment of malicious code, but often a compromised website is also used to install spyware or adware code. This is because the cyber criminals pushing the spyware and adware in this way are being paid a small fee for each installation. However, most adware vendors, such as those providing add-in toolbars for Web browsers, are not always aware how their code came to be installed on the users’ computers; the expectation that is that it is with the permission of the end-user, when this is typically not the case in a drive-by installation and may be in breach of the vendors’ terms and conditions of use.


This metric assesses the prevalence of Web-based spyware and adware activity by tracking the trend in the average number of spyware and adware related websites blocked each day by users of Web security services. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends.


Figure A.11. Malicious Web activity: Spyware and adware blocked, 2011. Source:


  • Only two examples of spyware were found in the top-ten list of unwanted programs in 2011, including Spyware.Perfect and Spyware.Keylogger. Spyware.Perfect is a program that tracks the keystrokes on the computer and logs them in a file. It can be configured to periodically send the log files by email.
  • The most frequently blocked adware code was related to the Zugo search-based toolbar products and the FunWeb family of adware.
  • Adware:W32/FunWeb is a family of adware programs that are used to display unsolicited advertising content, often through the use of pop-up windows. FunWeb variants are often bundled with other applications, games and browser plug-ins. Some variants of FunWeb may also redirect users’ browser home page and download additional code functionality.
  • 57.1% of spyware and adware was detected using generic techniques.