In 2008, antivirus firm Sophos processed about 20,000 "new" pieces of malware every day. By mid-year 2010, cybercriminals had apparently tripled the company's workload, producing 60,000 distinct malware samples a day.
Other antivirus firms report similar increases in the number of uniquely identified malicious programs. In its recently released quarterly threat report, for example, McAfee claims to be processing 55,000 "new" pieces of malware every day. Antivirus firm Panda likewise states that it sees 55,000 new variants of malicious software every day.
Cue the pulling of hair and shouting from the street corners: "The end is nigh!"
While more data is always better, the seemingly inevitable escalation in the volume of malware processed by security firms has little meaning without knowing the context of those firms' operations. The implication is that more malware equals a greater threat, but the reality is that we don't have enough data to figure out how the growing number of variants is actually affecting the threat landscape.
What is the definition of "new," for example? In the past, many antivirus firms classified malware by MD5 hash; change a single byte, or append a short string, and the file has a new hash and therefore counts as a new piece of malware. Many, if not all, security firms now use signatures to decide what is new: if they have to add a new pattern to their database to recognize the program, then the malware is "new."
Yet cybercriminals' efforts to get past antivirus software as quickly and as cheaply as possible mean that the number of signatures will continue to increase, until every piece of malicious software that reaches a victim's computer has been automatically generated to be different from every other.
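As an added illustration (not part of the original article), the following Python sketch counts the same handful of constructed samples under the two definitions of "new" discussed in the preceding two paragraphs: by MD5 hash, where any byte change yields a "new" sample, and by signature, where a sample is "new" only when no existing byte pattern still matches it. The sample bytes, the family name and the signature are hypothetical and constructed for this example; real engines use far richer signatures than a plain substring match.

```python
import hashlib

# Constructed stand-in for one malware family (not real malware): a shared
# function prologue, a C2 request string and a return stub. All byte
# patterns, sample names and the family name below are hypothetical.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x40"            # push ebp; mov ebp,esp; sub esp,0x40
BODY = b"GET /gate.php?id=" + b"\x33\xc0\xc3"     # C2 path, then xor eax,eax; ret
CORE = PROLOGUE + BODY

# Five "samples": the original plus four variants that a criminal could
# produce with trivial effort (constructed data).
SAMPLES = {
    "original":           CORE,
    "appended_byte":      CORE + b"\x00",                           # one byte added at the end
    "changed_string":     CORE.replace(b"gate.php", b"panel.php"),  # C2 path edited
    "padded":             b"\x90" * 16 + CORE,                      # NOP padding prepended
    "rewritten_prologue": b"\x55\x89\xe5\x83\xec\x40" + BODY,       # same prologue, alternate encoding
}

# A signature here is just a byte pattern that must occur in the file.
SIGNATURES = {
    "Constructed.Family.A": PROLOGUE,
}


def md5_hex(data: bytes) -> str:
    """MD5 of a sample, the identifier older hash-based counting relied on."""
    return hashlib.md5(data).hexdigest()


def new_by_hash(samples: dict, known_hashes: set) -> list:
    """Hash-based definition: any sample whose MD5 is unseen counts as 'new'."""
    return [name for name, data in samples.items()
            if md5_hex(data) not in known_hashes]


def new_by_signature(samples: dict, signatures: dict) -> list:
    """Signature-based definition: a sample is 'new' only if no existing
    pattern matches it, i.e. a new pattern would have to be written."""
    return [name for name, data in samples.items()
            if not any(pattern in data for pattern in signatures.values())]


def main() -> None:
    known = {md5_hex(SAMPLES["original"])}   # the lab has seen only the original
    print("new by MD5:      ", new_by_hash(SAMPLES, known))
    print("new by signature:", new_by_signature(SAMPLES, SIGNATURES))


if __name__ == "__main__":
    main()
```

Under the hash definition four of the five samples are "new"; under the signature definition only the one whose prologue bytes were re-encoded needs a new pattern. The same sample set thus yields very different daily counts depending on which definition a vendor uses, which is why raw "new malware per day" figures are hard to compare across firms.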