2006-04-01
Abstract
'I see drowning in new malware as one of the main issues facing the AV industry today.’ Eugene Kaspersky, Kaspersky Lab.
Copyright © 2006 Virus Bulletin
The existence of the contemporary e-criminal world is an established fact. We all know of numerous examples of profitable Internet crime rings working around the world. Moreover, while hundreds were arrested in 2005 for writing malware or launching Internet-based attacks, the volume of new malware appearing daily has nearly doubled (according to Kaspersky Lab virus statistics).
Most e-criminals are hard at work and their numbers are growing. I would put the numbers at thousands, given that we add up to 6,000 files to our collection every month. At the end of 2005 and in early 2006 we received around 200 new malware samples per day.
Naturally, the e-criminals are striving to evade both anti-virus products and law enforcement agencies. Currently, favourite criminal tactics include:
Releasing numerous variants of a specific piece of malware in order to 'flood' AV vendors.
Creating local outbreaks instead of global attacks, thus creating longer windows of opportunity to remain undetected and exploit infected machines.
Using polymorphic techniques, encryption and compression to hinder timely analysis.
Analysing proactive technologies, including heuristics and behaviour blockers so as to penetrate systems despite these barriers.
Interfering with anti-virus solutions, for instance, by blocking automatic updates.
Using stealth techniques, such as rootkits.
All of this, naturally, strains the resources of virus labs in all AV companies. In order to deliver updates in a timely manner AV vendors are facing the need to recruit new personnel and to develop new processes designed to handle the masses of malware that flood the labs daily.
I see drowning in new malware as one of the main issues facing the AV industry today. I believe that most, if not all, AV vendors may well find themselves unable to withstand the pressure from the sheer weight of the daily doses of new malware. They simply will not be able to release quality updates fast enough (see this month's news - ed).
On the other hand, business users have seen the number of targeted attacks escalate in 2005. The inherent danger of targeted attacks is that the malware is not being spread widely in the wild, thereby making it virtually impossible for anti-virus vendors to receive a sample. Unfortunately, not only are targeted attacks difficult to trace, but it is also next to impossible to evaluate the costs, since most corporations prefer not to share data: whether about the attack itself or the resulting losses.
However, it is clear that the number of targeted attacks will rise. And this will create serious problems for the anti-virus industry, since neither protection against massed attacks, nor proactive technologies will suffice against a focused attack.
Finally, mobile devices are taking over how we compute, but history is repeating itself as most, or even all of the vendors of these devices place user security at the end of their list of requirements for new technologies and products. The result? New technologies and devices are in the process of being integrated into e-crime structures – both for mass attacks and for targeted ones.
In short, I see the following as the most serious issues for AV vendors to consider:
Anti-virus vendors will need to review processes and invest additional resources into managing the ever-growing flood of new malware.
Targeted attacks are moving to the fore as one of the more dangerous types of threat and will require new technologies to control them.
New technologies are close to achieving critical mass and we will see widespread attacks via phones and WiFi connections with the aim of earning money.
