Malware flood driving new AV

During a weeklong period in mid-November, security experts with Symantec observed roughly 65,000 new applications being downloaded onto the computers of customers participating in a new research project -- based on their analysis of the software, as many as 60 percent of the programs were malicious.

The involved timeframe represented a relative high point for the percentage of unknown applications being downloaded by Symantec's project participants, and the basis for the company's assessment of the programs as malicious was predicated largely on the programs' use of obfuscated naming conventions.

However, the numbers point to a disturbing trend that the researchers say may force the security company to change its fundamental approach for warding off threats -- that being that the number of malicious applications coming to life on the Web appears to be outpacing the volume of legitimate programs.

With malware authors using fuzzing tools to find holes in popular applications such as Web browsers, and testing their work against commercial anti-virus (AV) products to ensure that the attacks evade detection by the tools, leading researchers at Symantec admit that defending against threats using traditional methods has become something of a losing battle.

"The reality is that most new malware is going undetected by commercial security products, and not just Symantec's, but we have to recognize that like all other AV products we are probably missing a sizeable amount of this malware," said Carey Nachenberg, a member of the company's Symantec Research Labs who also wears the title of Symantec Fellow.

"Eventually we write [virus] signatures and get those out to customers, but it appears that a sizeable proportion of this malware never gets detected," he said. "Instead of distributing one copy of each malware program to thousands of people, they're producing a copy for as few as two or three people and then re-writing it; so, if we get one version we can remove it from a few computers, but not all the variants. The problem with this is that there is the potential over time for almost everyone to have some form of infestation, maybe in only a few years time."

The trend toward malware authors using small runs of attacks to evade detection and hook as many victims as possible, known as server-side polymorphism, is forcing Symantec to reassess how it goes about protecting its users.

Since it can't hope to keep up with every flavor of threat that is being created, traditional countermeasures such as the use of malware signatures or behavioral heuristics will need to be augmented with new tactics, Nachenberg said.

One such alternative is the use of the same distributed data collection capabilities that Symantec is using to track the proliferation of malware. By creating a system of file and Web site reputation by studying applications usage patterns among its customers, the researcher said, Symantec hopes to use a community approach to help people determine which programs they decide to use, or avoid.

Much as many people turn to the reviews section on Amazon.com or the buyer feedback system on eBay to get a real-world take on products before they decide to buy, Nachenberg contends that by watching how people are using various applications the security vendor can use a process of elimination for weeding out malware from legitimate software.