Skyrocketing viruses, less danger?

Cyber criminals are constantly repackaging the same code in different ways to fool antivirus programs. So why are we still counting viruses?

In 2008, antivirus firm Sophos processed about 20,000 "new" pieces of malware every day. By mid-year 2010, cyber criminals had apparently tripled the company's workload, producing 60,000 different malware samples.

Other antivirus firms report similar increases in the number of uniquely identified malicious software. In its recently released quarterly threat report, for example, McAfee claims to be processing 55,000 "new" pieces of malware every day. Antivirus firm Panda also states that it recognizes 55,000 variants of malicious software every day.


Cue the pulling of hair and shouting from the street corners: "The end is nigh!"

While more data is always better, the seemingly inevitable escalation of the volume of malware processed by security firms has little meaning without knowing the context of antivirus firms' operations. While the implication is that more malware equals a greater threat, the reality is that we don't have enough data to figure out how more variance in malware is affecting the threat landscape.

What is the definition of "new," for example? In the past, many antivirus firms classified viruses by their MD5 hashes; add a simple string, even a character, and you have a new piece of malware. Many, if not all, security firms now use signatures as a way to classify what is new -- if they have to include a new pattern in their database to recognize the program, then the malware is "new."
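To make the two definitions of "new" concrete, here is a small added example (not from the article or from any antivirus vendor's code) that classifies a constructed set of samples both ways. The base sample, its repackaged copies, and the single signature pattern are all hypothetical values built inline; the MD5 classifier treats any unseen hash as new, while the signature classifier treats a sample as new only when no existing pattern matches it.

```python
import hashlib
import re

# Constructed stand-in for a malicious file's bytes. It is not real malware;
# the embedded marker string only exists so the signature below has something to match.
BASE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"CONNECT http://c2.example.invalid/beacon"
    + b"\x00" * 8
)

# A constructed unrelated file that shares no pattern with the base sample.
UNRELATED = b"MZ\x90\x00hello world"


def make_variants(base: bytes, count: int) -> list[bytes]:
    """Produce trivially repackaged copies of a sample.

    Each copy differs from the base by an appended filler sequence, which is the
    "add a character and you have a new piece of malware" case from the text.
    """
    return [base + b"\x00" * i + bytes([i]) for i in range(1, count + 1)]


def md5_hex(data: bytes) -> str:
    """MD5 of the sample, the per-file identity older classification schemes keyed on."""
    return hashlib.md5(data).hexdigest()


def count_new_by_hash(samples: list[bytes], known_hashes: set[str]) -> int:
    """Hash-based classification: a sample is 'new' if its MD5 is not already known."""
    seen = set(known_hashes)
    new = 0
    for sample in samples:
        digest = md5_hex(sample)
        if digest not in seen:
            new += 1
            seen.add(digest)
    return new


# A signature in the article's sense: a byte pattern the engine already has in its
# database. The family name and pattern are hypothetical, constructed for this example.
SIGNATURES = {
    "Example.Beacon.A": re.compile(rb"CONNECT http://[a-z0-9.\-]+/beacon"),
}


def count_new_by_signature(samples: list[bytes], signatures: dict) -> int:
    """Signature-based classification: 'new' only if no existing pattern matches."""
    return sum(
        1 for sample in samples
        if not any(pattern.search(sample) for pattern in signatures.values())
    )


def compare(samples: list[bytes]) -> dict:
    """Count how many of the given samples each definition of 'new' would report."""
    return {
        "samples": len(samples),
        "new_by_md5": count_new_by_hash(samples, {md5_hex(BASE_SAMPLE)}),
        "new_by_signature": count_new_by_signature(samples, SIGNATURES),
    }


if __name__ == "__main__":
    batch = [BASE_SAMPLE] + make_variants(BASE_SAMPLE, 10) + [UNRELATED]
    print(compare(batch))
```

Run against the base sample, ten repackaged copies and one unrelated file, the hash definition reports eleven new items while the signature definition reports one: the ten copies all match the existing pattern and only the unrelated file needs a new entry. That gap is the whole reason a daily count of "new" malware means little without knowing which definition the vendor uses.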

Yet cyber criminals' attempts to get around antivirus software as quickly and as painlessly as possible mean that the number of signatures will continue to increase, until every piece of malicious software that reaches a victim's computer is automatically generated to be different.

Perhaps a better measure of the threat posed by malicious programs is the percentage of samples that can bypass the protections of security software. Critics of antivirus software frequently point to dismal detection numbers on VirusTotal as proof that the software is failing. But such testing rarely exercises all of a product's capabilities, so automated scanning services such as VirusTotal do not give a complete picture of how effective the defenses are.

A second measure may be the increase in workload for antivirus firms over time. Yet that, too, is a complex situation to measure. While security firms are hiring more analysts, they are also improving their automated analysis systems and moving their infrastructures to the cloud. McAfee estimates that only 5 percent of malware needs to be seen by an analyst.

"The analysts only want to handle the 5 percent that was not handled by automation," says David Marcus, security research and communications manager for McAfee. "To keep up with the other 95 percent, we have to continually improve our back-end systems."

In the end, the proliferation of malware variants should not, by itself, be considered a threat. The security industry needs to find better measures of how the increase impacts users' efforts to remain secure.

This article, "Skyrocketing viruses, less danger?," was originally published on InfoWorld's Tech Watch blog.