Mutate, fragment, hide: The new hacker mantra

10.11.2006

Many spyware programs take advantage of publicly available encryptors or packing technologies to evade detection, said Gerhard Eschelbeck, CTO at Webroot Software Inc. in Boulder, Colo. Even when a proprietary encryption algorithm is used, it is based on a publicly available or open-source algorithm, he said.

Spyware programs also use kernel-level drivers and process blocking techniques to actively stop antispyware programs from running, Eschelbeck said.

According to Ralph Thomas, manager of malicious code operations at VeriSign Inc.'s iDefense unit in Reston, Va., modern malware programs are also designed to split themselves into several co-dependent components once installed on a system.

Each fragment or component then keeps track of the others, and when an attempt is made to delete one component, the remaining fragment instantly re-spawns or reinstalls it -- making removal very hard, Thomas said during a CSI presentation.

One early example of such malware was WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them.
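The co-dependent component behaviour described above (each piece watching its peers and re-launching any that is deleted) is easy to model, and the model makes clear why one-at-a-time removal fails. The following simulation is an added example, not code from the article or from any vendor named in it; the component names are made up stand-ins for a toolbar plus three helpers, and the "suspend everything first" strategy is the author's illustration of the usual countermeasure, not a documented removal procedure for WinTools.

```python
"""Simulation of malware split into mutually watching components, and of
two removal strategies against it.  Added example; not code from the article."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Component:
    name: str
    alive: bool = True        # file present and process running
    suspended: bool = False   # suspended components cannot run their watchdog


@dataclass
class Infection:
    components: Dict[str, Component]
    respawns: int = 0         # how many times a deleted piece was put back

    @classmethod
    def toolbar_like(cls) -> "Infection":
        # Constructed stand-in: a toolbar plus three helper components.
        names = ["toolbar", "helper_a", "helper_b", "helper_c"]
        return cls({n: Component(n) for n in names})

    def tick(self) -> None:
        """One watchdog cycle: every running component checks its peers
        and re-launches any that has been removed."""
        for watcher in self.components.values():
            if not watcher.alive or watcher.suspended:
                continue
            for peer in self.components.values():
                if not peer.alive:
                    peer.alive = True
                    self.respawns += 1

    def running(self) -> List[str]:
        return sorted(n for n, c in self.components.items() if c.alive)


def remove_one_at_a_time(inf: Infection) -> List[str]:
    """Naive cleanup: delete each component in turn while the others
    are still running.  Between deletions the survivors get a watchdog
    cycle, so every deleted piece comes straight back."""
    for name in list(inf.components):
        inf.components[name].alive = False
        inf.tick()
    return inf.running()


def remove_after_freezing(inf: Infection) -> List[str]:
    """Suspend every component before touching any of them, so no
    watchdog can run, then delete them all and let a cycle pass."""
    for c in inf.components.values():
        c.suspended = True
    for c in inf.components.values():
        c.alive = False
    inf.tick()
    return inf.running()


if __name__ == "__main__":
    naive = Infection.toolbar_like()
    print("one at a time:", remove_one_at_a_time(naive), "respawns:", naive.respawns)
    frozen = Infection.toolbar_like()
    print("freeze first: ", remove_after_freezing(frozen), "respawns:", frozen.respawns)
```

Sequential removal ends with all four components still running and four respawns; freezing all of them first leaves nothing running. On a real system the equivalent of the `suspended` flag is suspending every component process before deleting files, or cleaning the disk from outside the running OS, so that no surviving piece gets the chance to reinstall the others.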