Malware flood driving new AV

Symantec researchers say number of malicious applications is rapidly outpacing the volume of legitimate programs, forcing some to rethink AV, defense tactics

During a weeklong period in mid-November, security experts with Symantec observed roughly 65,000 new applications being downloaded onto the computers of customers participating in a new research project -- based on their analysis of the software, as many as 60 percent of the programs were malicious.

The timeframe in question represented a relative high point for the percentage of unknown applications being downloaded by Symantec's project participants, and the company's assessment of the programs as malicious was based largely on their use of obfuscated naming conventions.

However, the numbers point to a disturbing trend that the researchers say may force the security company to change its fundamental approach for warding off threats -- that being that the number of malicious applications coming to life on the Web appears to be outpacing the volume of legitimate programs.

With malware authors using fuzzing tools to find holes in popular applications such as Web browsers, and testing their work against commercial anti-virus (AV) products to ensure that the attacks evade detection by the tools, leading researchers at Symantec admit that defending against threats using traditional methods has become something of a losing battle.

"The reality is that most new malware is going undetected by commercial security products, and not just Symantec's, but we have to recognize that like all other AV products we are probably missing a sizeable amount of this malware," said Carey Nachenberg, a member of the company's Symantec Research Labs who also wears the title of Symantec Fellow.

"Eventually we write [virus] signatures and get those out to customers, but it appears that a sizeable proportion of this malware never gets detected," he said. "Instead of distributing one copy of each malware program to thousands of people, they're producing a copy for as few as two or three people and then re-writing it; so, if we get one version we can remove it from a few computers, but not all the variants. The problem with this is that there is the potential over time for almost everyone to have some form of infestation, maybe in only a few years time."

The trend toward malware authors using small runs of attacks to evade detection and hook as many victims as possible, known as server-side polymorphism, is forcing Symantec to reassess how it goes about protecting its users.

Since it can't hope to keep up with every flavor of threat that is being created, traditional countermeasures such as the use of malware signatures or behavioral heuristics will need to be augmented with new tactics, Nachenberg said.

One such alternative is the use of the same distributed data collection capabilities that Symantec is using to track the proliferation of malware. By building a system of file and Web site reputation from the application usage patterns of its customers, the researcher said, Symantec hopes to use a community approach to help people decide which programs to use or avoid.

Much as many people turn to the reviews section on or the buyer feedback system on eBay to get a real-world take on products before they decide to buy, Nachenberg contends that by watching how people are using various applications the security vendor can use a process of elimination for weeding out malware from legitimate software.

If only a few people among the millions of Symantec customers who could contribute usage data to such a program were utilizing some application in question, it would be prudent to recommend that people avoid the program until its nature has been better determined, he said.

Using opt-out tools built into Symantec's existing Norton AntiVirus and Internet Security 2008 products that provide anonymous feedback on applications, the company is already gathering the type of data necessary to create such a system of recommendation.

"Right now this is just a long-term research project, but we hope that as we get more users involved in the system, we can truly get a better idea of what is on people's computers so that we can identify malicious software based on the demographics of who is using it, versus what it does," Nachenberg said. "We're hoping to get more clarity through the large base of users we have; by collecting this data we should be able to get the most comprehensive view of the usage patterns to derive reputation information for everything they use."

Faced with questions over potential privacy issues driven by Symantec's ability to watch just who is using what applications and how, the researcher reiterated that users must be made aware of the data collection, allowed to opt-out, and guaranteed that all the information aggregation is done in an anonymous fashion.

By offering users the ability to decide whether or not to use an application based on demographics, versus simply blocking programs based on its own observations, the company will also give people more freedom to determine what tools they feel are appropriate to use, he said.

"If we know that only five people are using a program, given the tens of millions of users we ultimately hope to have in the system, we can be totally objective and recommend that people wait until it is scrutinized further before using it," the researcher said. "We will need to have some manual process for white-listing programs as well, but we think that using this approach we can deliver a reasonable amount of quality with a low false positive rate."
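The prevalence rule described above (recommend waiting when only a handful of users run a program, trust what is widely used or manually white-listed, and watch for the flood of low-prevalence variants that server-side polymorphism produces), as an added Python example that is not Symantec's code; the thresholds, placeholder hashes and telemetry records are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds: "widely used" needs many distinct users; a file seen
# on only a handful of machines gets a "wait" recommendation.
WIDELY_USED_THRESHOLD = 1000
# Hashes vetted by the manual white-listing process (placeholder values).
MANUAL_WHITELIST = {"sha256:PLACEHOLDER-vetted-editor"}

def prevalence(records):
    """Map file_hash -> count of distinct anonymized users reporting it.
    Repeated reports from one user count once, so a single machine
    cannot inflate a file's reputation."""
    users = defaultdict(set)
    for user_id, file_hash in records:
        users[file_hash].add(user_id)
    return {h: len(u) for h, u in users.items()}

def verdict(file_hash, counts, whitelist=MANUAL_WHITELIST):
    """'trusted' if white-listed or widely used, 'wait' if only a few
    users run it (recommend waiting for further scrutiny), 'unseen'
    if there is no telemetry at all."""
    if file_hash in whitelist:
        return "trusted"
    n = counts.get(file_hash, 0)
    if n == 0:
        return "unseen"
    return "trusted" if n >= WIDELY_USED_THRESHOLD else "wait"

def low_prevalence_share(counts, max_users=3):
    """Fraction of distinct files seen on at most max_users machines.
    A high share is the fingerprint of server-side polymorphism:
    many variants, each distributed to two or three victims."""
    if not counts:
        return 0.0
    return sum(1 for n in counts.values() if n <= max_users) / len(counts)

# Constructed telemetry: one popular tool plus 40 unique variants of a
# polymorphic family, each reported by exactly two users.
SAMPLE = [(f"u{i}", "sha256:popular-tool") for i in range(1200)]
SAMPLE.append(("u1", "sha256:popular-tool"))  # duplicate report, counted once
for i in range(40):
    SAMPLE.append((f"u{i}", f"sha256:variant-{i}"))
    SAMPLE.append((f"u{i + 1}", f"sha256:variant-{i}"))

if __name__ == "__main__":
    counts = prevalence(SAMPLE)
    print(verdict("sha256:popular-tool", counts), verdict("sha256:variant-7", counts))
    print(f"{low_prevalence_share(counts):.2%} of distinct files seen on <=3 machines")
```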

If the volume of new malware strains arriving on the Web continues to outpace the proliferation of legitimate programs, Nachenberg said that AV vendors including Symantec may need to move to a white-listing approach in general, and focus more attention on identifying good applications instead of trying to chase down all the bad.

"If there is less software to analyze that is good, it makes more sense to spend our time scanning for good programs and simply telling our users to avoid everything else," he said. "We're considering models where we can produce the world's largest up-to-date white list of software, but it's not something we can put together in a year; maybe in two-to-three years time."

Copyright © 2007 IDG Communications, Inc.
