Malware creates new challenges for anti virus vendors

January 17, 2007

Over the past few years, those monitoring trends in malicious Internet activity have noticed a significant change. We are seeing a sizeable decrease in the media-grabbing pandemic outbreaks of malicious software. Yet, with fewer headlines about high-risk infectors, we are still seeing an increasing overall number of malware infections. It is this new breed of malware that is costing industry millions every year, yet no-one seems to know about it.

One might be fooled into thinking that the lack of media attention on virus outbreaks (like Melissa, LoveLetter, Sobig.F, etc.) means the casual Internet user is less exposed to infection by malicious software.

Sadly this is not the case at all!

Whilst the volume of widely distributed malware has declined, the total number of malware infectors has increased significantly. In determining your risk of exposure, the amount of malware in the wild is far more significant than the attention any particular piece of malware receives.

Virus definition lists are growing at around 1000 new signatures every day, and it is not uncommon for this to reach several thousand in a day. Long-standing customers of antivirus vendor Norman will have seen that in the past 18 months we have released more signatures than in the previous 15 years. This is a significant indicator of the number of different malware families that are in the wild.

The sheer volume of malicious software being created also makes it more difficult for the antivirus and security industry to agree on precise names for the culprits. The recent family of worms called W32/Stration by Norman was also given names such as Email-Worm.Win32.Warezov and W32/Spamta.worm by other antivirus vendors. This, of course, further adds to the confusion in determining the threat situation accurately.

What has happened?

This shift in the landscape has not been accidental. The large-scale outbreaks we have seen previously have shown that malware can indeed be a very powerful tool in the right hands. Whilst we still have the odd occasion where so-called "script kiddies" are intent on creating havoc and making a name for themselves, the majority of malware now comes from persons or organizations involved in criminal activity, with significantly more resources at their disposal.

In this environment the malware is often created to target one specific company or group of companies, making it very hard for the antivirus industry to obtain a sample of the threat and provide signature updates to protect against it. Malware of this type is often short-lived; however, once it has proved it can do what it was intended for, variants are then created at an alarming speed. In these instances authors often use sophisticated techniques to "obscure" the fact that a new variant is closely related to a previous one, thus complicating the antivirus vendors' ability to detect a particular malware family in a generic way.

Add to this the increasing trend for malware authors to use blended attacks that take advantage of zero-day vulnerabilities in applications, and it is quite easy for a piece of malware to remain undetected for some time without any cure being available. After all, if you don't know you have it, why would you think you need protection?

Users likely to be targeted by special attacks

Particular organizations are considered more attractive for targeted attacks that use malicious code to infiltrate their systems. In these cases the malware has typically been created bespoke for that company or group of companies, so it often falls below the radar of the antivirus industry as a whole.

Examples of organizations that may be in the danger zone include: the banking and insurance industry; high-tech businesses that have developed technology seen as strategically important to competing companies and organizations (or countries); security organizations of all kinds; and well-known brand companies.

The situation for most users

This evolving situation has, to some extent, been a new challenge for the antivirus industry. Getting hold of samples of new malware, as well as adding new signature files for each threat, has proved more demanding and time-consuming than ever before.

The need for protection software that is less dependent on signature-based techniques is seen as paramount. Whilst it is sound business practice to adopt a multi-layered approach to malware protection, it is also sound policy to ensure that one of these layers incorporates proven technology that offers protection against unknown threats.
