Malware threat lists slammed as 'useless'

Security vendor PC Tools has questioned the usefulness of the threat lists used by many security companies to warn of current malware attacks.

The problem, according to the Australian company, is that the lists -- which are now regularly issued by almost every security software company -- measure volumes rather than the underlying danger of a particular type of malware.

PC Tools, itself an anti-malware vendor in the same space, dismisses them as being "of no practical use for the security industry or consumers," and, not surprisingly, advocates its own ThreatExpert analysis system that cross-references volume with other factors such as the design complexity of a threat, its innovation, and its payload.

Examples of threats that regularly turn up on some lists but which pose relatively little danger include the four year-old Netsky and the packer NSAnti, which itself is merely a means of hiding malware and shouldn't even appear on such lists at all, the company said.

"Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat. But the threat landscape has changed significantly, and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats," said PC Tools CEO Simon Clausen.

The underlying problem highlighted by the PC Tools blast is an interesting one. There is little independent security data that can be quickly understood by even experienced users. Typically, information lies in the hands of self-interested security vendors, who use it for marketing purposes.

There are a few exceptions to the rule such as third-party security information providers such as Danish outfit Secunia, but they focus on new threats. Working out which pose the greatest risk still requires a means of cross-checking real-world volumes with sophistication analyzed by looking at source code.

And then there is the dark suspicion many malware watchers have that the most dangerous attacks are the ones you never or rarely hear about until the criminals are long gone.

The company puts forward its own suggestions for the malware that the average user -- which is to say moderately protected user -- should worry about right now. These include the bot-builders Kraken/Bobax, Srizbi, Cutwail/Pandex, as well as the ubiquitous Storm family.

Other popular and current threats include the fascinating MBR-infector Mebroot, which has attracted plenty of attention from industry insiders who see it as a clever throwback to virus techniques thought long dead, and social engineering infectors such as Zlob, which masquerades as a legitimate anti-spyware program.

Carole Theriault of Sophos took issue with the PC Tools assessment of threat lists in the strongest terms.

"I don't know of any reputable security company that only publishes top threat info without giving context or explanations. Talking about why a threat is more prevalent than any other is a great way to get the message out to computers users about the importance of security," she said.

"The mere fact that Netsky is still hammering away and infecting systems is very important. It shows that there are a large numbers of computers out there that have completely inadequate or nonexistent computer security."

Techworld is an InfoWorld affiliate.