First, we had wild tall tales of the spyware business being a $2 billion industry (the actual amount is closer to $500 million).

Now we have the risk of spyware theft pegged at $24 billion.

John Bambenek at the SANS Internet Storm Center writes that over $24 billion is at risk of theft from spyware in the US. Methodology here. Article here.

John is a highly respectable and sharp guy, but I don’t buy it (and to his defense, his work on this is very preliminary).

The thesis is based heavily on a spyware vendor’s estimate that 7% of machines they surveyed contain “system monitors” that would include keyloggers.

Add in the population out there and the active bank accounts, and you’ve got $24 billion.

I’m sorry.  I don’t buy it.  First, I don’t buy that 7% of the machines out there have keyloggers.  “System monitors” could include a range of programs.  But if I took 100 people and actually found out what they have on their system, I would be very surprised if 7 had keyloggers.

First, there’s SP2.  In just the past few months, we’ve found well over 20 variants of the vicious Winldra.exe keylogger (also known as the dumaru or nibu trojan).  This is the nasty bugger that got all the press a few months back.  Guess what: Not one machine running it had SP2.  They all had older unpatched systems.  It’s darned hard, if not impossible, for these keyloggers to get on your system if you’re running SP2. 

Second, there’s the question of definition.  The vendor in question had a general definition of “System Monitors”, which is “range in capabilities and may record some or all of the following: keystrokes, e-mails, chat room conversations, instant messages, Web sites visited, programs run, time spent on Web sites or using programs, and even usernames and passwords. The information is transmitted via remote access or sent by e-mail. Keyloggers are included in this category of spyware.”

Ok.  So there’s a lot more than just keyloggers in this definition.

You want to see what’s on people’s machines? You can see our live ThreatNet stats, which show what is actually being removed, by clicking here. Of course, this is also unscientific, since it only includes a population of CounterSpy users.

The correct thing to do here would be to get several hundred PCs on an nth-sample basis and actually do a formal audit. Ignore things like cookies. Find out what’s really on the machines that is real adware/spyware/trojans etc. And then you can start to develop an accurate thesis.
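The audit the post calls for, sketched as an added example (this is not code from the original post or from Sunbelt): take every nth host from an inventory, classify what is actually on each one with cookies ignored, and report keylogger prevalence with a confidence interval instead of a bare point estimate. The inventory, detection names and probabilities are constructed for the illustration.

```python
import math
import random

# Constructed inventory (not real audit data): 1,000 hosts, each with the
# detection names a hypothetical scanner reported after hands-on inspection.
# Probabilities are illustrative, chosen so cookies dwarf the real threats.
_rng = random.Random(2005)
INVENTORY = []
for host in range(1000):
    findings = []
    if _rng.random() < 0.60:
        findings.append("Cookie.Tracking")
    if _rng.random() < 0.15:
        findings.append("Adware.Generic")
    if _rng.random() < 0.02:
        findings.append("Trojan.Winldra")   # keylogger family named in the post
    INVENTORY.append((f"host-{host:04d}", findings))

IGNORE = {"Cookie.Tracking"}                                   # noise, not a threat
KEYLOGGERS = {"Trojan.Winldra", "Trojan.Dumaru", "Trojan.Nibu"}  # assumed names

def nth_sample(inventory, n, start=0):
    """Systematic sample: every n-th host from a fixed start offset."""
    return inventory[start::n]

def classify(findings):
    """Bucket one host: keylogger > adware_spyware > clean. Cookies are ignored."""
    real = [f for f in findings if f not in IGNORE]
    if any(f in KEYLOGGERS for f in real):
        return "keylogger"
    return "adware_spyware" if real else "clean"

def audit(sample):
    """Count hosts per bucket across the sampled machines."""
    counts = {"keylogger": 0, "adware_spyware": 0, "clean": 0}
    for _, findings in sample:
        counts[classify(findings)] += 1
    return counts

def wilson(successes, n, z=1.96):
    """Wilson score interval for a proportion; behaves well when successes is small."""
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - margin, centre + margin

if __name__ == "__main__":
    sample = nth_sample(INVENTORY, 5)        # 200 of the 1,000 hosts
    counts = audit(sample)
    low, high = wilson(counts["keylogger"], len(sample))
    print(counts)
    print(f"keylogger prevalence {counts['keylogger'] / len(sample):.1%}"
          f" (95% CI {low:.1%} to {high:.1%})")
```

With a sample of a few hundred machines the interval is wide, which is exactly why a single vendor percentage should not be multiplied straight through into a dollar figure.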

Alex Eckelberry
Hat tip to Donna