Kaspersky: Malware quality drops, quantity rises
- — 19 December, 2006 16:28
They just don't make malware like they used to. Or at least like they did earlier this year.
Even low-quality malware, however, is taxing the resources of security companies, since it is being detected in ever-higher numbers.
Over the last six months, the technical creativity of malware had fallen along with the ability to cause massive damage, such as that created by the MyDoom and Sasser worms of years past, wrote senior virus analyst for Kaspersky Lab, Alexander Gostev, in a recent report.
Gostev's lab intermittently sees highly technical malware, but most was the same unending stream of Trojans, viruses and worms, he wrote. In many cases, hackers simply take existing malware and create variants, by tweaking the older code to evade antivirus software.
At times, the process is simple trial and error. Malware writers used online scanners such as [Virustotal], which checked to see if their new code would be detected by antivirus software, chief research officer for F-Secure, Mikko Hypponen, said.
If the code was detectable, they could make a slight modification and run it through the scanner again.
"I'd like to tell you that we're winning this war," Hypponen said. "But frankly, I'm not so sure. We need new kinds of solutions."
Because much of the code is not new, it tends to remain effective for shorter periods of time before antivirus companies detect it. Still, the time it takes to identify and create a signature for a new virus, which can range from a few minutes to a few hours, is often long enough for hackers to infect computers.
"Antivirus companies are working at the limits of their capabilities in terms of speed," Gostev wrote.
To be sure, some malicious hackers are doing creative work. This year saw some sophisticated phishing attacks, and virus writers have been branching into relatively new areas such as instant messaging and social networking sites, security research manager for FaceTime Communications, Christopher Boyd, said. But the trend overall had been quantity over quality.
Kaspersky Lab in Moscow is on the front lines of the battle. Its analysts added 2000 signatures to their database in January 2005. Last month they added 10,000 signatures -- a five-fold increase, head of the lab,Stanislav Shevchenko, said.
The virus analysts work 12-hours shifts, pulling up screen after screen of rolling lines of code. Automated tools analyse some pieces of malware, but human analysis is still needed for others.
A good analyst should process an average piece of malware within 5 minutes, Shevchenko said. But some of the rarer, more creative code is harder to crack. Polymorphic viruses -- ones that could change their byte sequences to throw off antivirus software -- could take up to a week to analyse, Shevchenko said.
The signatures are added to a database used by Kaspersky's antivirus engine, which is licensed by other security vendors such as Juniper Networks, ClearSwift and F-Secure.
The increase in the volume of malicious code could be attributed in part to the impunity enjoyed by malware writers, head of antivirus research, Eugene Kaspersky, said. Despite efforts by law enforcement agencies to strengthen international cooperation, most malware writers were never punished.
"It's quite safe for them," Kaspersky said. "If they are clever enough, there is almost no risk for them at the moment."
The US Federal Bureau of Investigation and Russia's Federal Security Service (FSB), the successor to the country's KGB intelligence agency, frequently ask Kaspersky Lab for information, Kaspersky spokesperson, Timur Tsoriev, said.
The FSB, however, approached Kaspersky less these days since the agency had bolstered its in-house expertise, Kaspersky said.
His lab focused less on finding the root of criminal activity than protecting the company's customers, he said. But the burden of rising online criminal activity directly impacted on security companies.
"If there is no help from the police and if they don't reduce the number of criminals, I'm afraid the detection for all antivirus products will go down," Kaspersky said.