Spyware Detection: Understanding the Behaviour of Spyware & Malware
Understanding how the different types of unwanted software behave brings us closer to spyware detection. Unwanted software usually engages in one or more of the following types of behavior.
All forms of unwanted software can engage in adding, deleting, and modifying existing files in the file system, though adware and spyware are less likely to delete files than is malware. When it comes to modifying existing files, viruses are most likely to engage in this behavior, because injection of their own code into existing files is a hallmark virus feature. Likewise, creating and depositing multiple copies of themselves or their containers is a characteristic of malware that's seldom found in adware or spyware.
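The file system behaviors described above (files added, deleted, modified in place, and identical copies dropped in several locations) can be surfaced by comparing two snapshots of a directory tree. The following is an added example, not code from the original article; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff(before, after):
    """Classify the changes between two snapshots."""
    added = sorted(after.keys() - before.keys())
    deleted = sorted(before.keys() - after.keys())
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    # Identical content added in several places matches the "multiple copies
    # of themselves" behavior, so group the new files by content hash.
    by_hash = defaultdict(list)
    for path in added:
        by_hash[after[path]].append(path)
    copies = sorted(paths for paths in by_hash.values() if len(paths) > 1)
    return {"added": added, "deleted": deleted, "modified": modified, "copies": copies}


def demo():
    """Apply constructed changes to a temporary directory and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        def write(rel, data):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        write("app/host.bin", b"original program")   # constructed sample files
        write("app/notes.txt", b"user data")
        before = snapshot(root)
        write("app/host.bin", b"original program + injected code")  # modified
        (root / "app/notes.txt").unlink()                           # deleted
        write("tmp/a.bin", b"same payload")                         # two identical
        write("sys/b.bin", b"same payload")                         # copies added
        write("app/toolbar.cfg", b"homepage=changed")               # one new file
        return diff(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A modified executable together with a group of identical new files points toward the malware pattern, while a single new settings file on its own is closer to the overt changes associated with adware and spyware.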
All forms of unwanted software may interact with one or more applications. Spyware and adware are more likely to add overt, visible elements, such as changed default settings, toolbars, cookies, and so forth.
Malware is far more likely to make covert changes or additions to applications. These can involve creating new execution threads (to carry out payload instructions), setting up services (SMTP mail, FTP, IRC, and so forth), sending messages, and other activities necessary for propagation and survival.
All forms of unwanted software typically engage in adding or deleting keys and values in the Registry, though adware and spyware are less likely to delete or disable security software than is malware.
Because interaction with the Registry is a part of installing any software in a Windows environment, this is virtually a mandatory occurrence for all types of unwanted software.
Spyware detection is simpler when you can identify the different behaviors of malware, spyware, and adware.