On the other hand, infections still happen. But even the nature of the infections seems to have reached a state of equilibrium.
Today's attacks: Two broad categories
Roger Thompson, chief security researcher at security testing firm and Verizon subsidiary ICSA Labs, divides today's most common infections into two categories: APT ("advanced persistent threat") and AFT ("another freaking Trojan").
New examples of APT malware appear about once a month, are aimed at a particular target and are produced by organizations with impressive resources, abilities and patience, he says. The classic example is the Stuxnet virus of 2010, whose goal appears to have been to make centrifuges in Iranian nuclear research labs destroy themselves by spinning too fast.
"Each one is different and scary," Thompson notes.
As for AFTs, self-replicating malware is no longer the infection vector of choice, with attackers preferring to launch drive-by attacks from infected websites against victims who were tricked into visiting. (However, worms and older malware are still lurking on the Internet, and an unprotected machine can still get infected in a matter of minutes, sources agree.)
The acquisition of new Trojans appears to be limited only by a researcher's ability to download examples, experts agree; hundreds of thousands can be collected each day. Many examples are simply members of long-standing malware families that have been newly recompiled, and some malicious websites will recompile their payload -- creating a unique file -- for each drive-by attack. There are probably no more than a thousand such families, since there is a finite number of ways to take over a machine without crashing it, notes Thompson.
The initial infection is usually a compact boot-strapping mechanism that downloads other components. It may report back to the attacker on what kind of host it has infected, and the attackers can then decide how to use the victim, explains Zeltser.
These days, an infected home system is typically hijacked by the attackers for their own use. With a small enterprise, the object is to steal banking credentials, while with large enterprises, the object is typically industrial espionage, Murray explains.
While the anti-malware vendors have adopted a multi-pronged strategy, so have the attackers -- for instance, writing malware that does not stir until it sees that it is not in the kind of virtual machine used to trick malware into revealing itself.
Meanwhile, the attackers have formed their own economy, with a division of labor. "Some are good at crafting malware, others are good at infecting systems, and others are good at making money off the infections, such as by sending spam, or by launching distributed-denial-of-service attacks, or by pilfering data," says Zeltser.
"You can buy the software required to do the account takeover, and then to convert the money into cash you hire mules," Murray adds.
New battlefields include XP, Android
But while many pundits expect to see a continued cycle of attack and defense, they also foresee additional future dangers: Windows XP may become unusable because of the support situation, and the Android smartphone environment may be the next happy hunting ground for malware.
For its part, Windows Vista is no longer receiving mainstream support, but Microsoft has announced the company will continue issuing security updates for the OS through mid-April 2017.