Kaspersky: Malware quality drops, quantity rises

Fighting malware is not getting any easier, experts say

They just don't make malware like they used to. Or at least like they did earlier this year.

Even low-quality malware, however, is taxing the resources of security companies, since it is being detected in ever-higher numbers.

Over the last six months, the technical creativity of malware had fallen along with the ability to cause massive damage, such as that created by the MyDoom and Sasser worms of years past, wrote senior virus analyst for Kaspersky Lab, Alexander Gostev, in a recent report.

Gostev's lab intermittently sees highly technical malware, but most was the same unending stream of Trojans, viruses and worms, he wrote. In many cases, hackers simply take existing malware and create variants, by tweaking the older code to evade antivirus software.

At times, the process is simple trial and error. Malware writers used online scanners such as [Virustotal], which checked to see if their new code would be detected by antivirus software, chief research officer for F-Secure, Mikko Hypponen, said.

If the code was detectable, they could make a slight modification and run it through the scanner again.

"I'd like to tell you that we're winning this war," Hypponen said. "But frankly, I'm not so sure. We need new kinds of solutions."

Because much of the code is not new, it tends to remain effective for shorter periods of time before antivirus companies detect it. Still, the time it takes to identify and create a signature for a new virus, which can range from a few minutes to a few hours, is often long enough for hackers to infect computers.

"Antivirus companies are working at the limits of their capabilities in terms of speed," Gostev wrote.

To be sure, some malicious hackers are doing creative work. This year saw some sophisticated phishing attacks, and virus writers have been branching into relatively new areas such as instant messaging and social networking sites, security research manager for FaceTime Communications, Christopher Boyd, said. But the trend overall had been quantity over quality.

Kaspersky Lab in Moscow is on the front lines of the battle. Its analysts added 2000 signatures to their database in January 2005. Last month they added 10,000 signatures -- a five-fold increase, head of the lab,Stanislav Shevchenko, said.

The virus analysts work 12-hours shifts, pulling up screen after screen of rolling lines of code. Automated tools analyse some pieces of malware, but human analysis is still needed for others.

A good analyst should process an average piece of malware within 5 minutes, Shevchenko said. But some of the rarer, more creative code is harder to crack. Polymorphic viruses -- ones that could change their byte sequences to throw off antivirus software -- could take up to a week to analyse, Shevchenko said.

The signatures are added to a database used by Kaspersky's antivirus engine, which is licensed by other security vendors such as Juniper Networks, ClearSwift and F-Secure.

The increase in the volume of malicious code could be attributed in part to the impunity enjoyed by malware writers, head of antivirus research, Eugene Kaspersky, said. Despite efforts by law enforcement agencies to strengthen international cooperation, most malware writers were never punished.

"It's quite safe for them," Kaspersky said. "If they are clever enough, there is almost no risk for them at the moment."

The US Federal Bureau of Investigation and Russia's Federal Security Service (FSB), the successor to the country's KGB intelligence agency, frequently ask Kaspersky Lab for information, Kaspersky spokesperson, Timur Tsoriev, said.

The FSB, however, approached Kaspersky less these days since the agency had bolstered its in-house expertise, Kaspersky said.

His lab focused less on finding the root of criminal activity than protecting the company's customers, he said. But the burden of rising online criminal activity directly impacted on security companies.

"If there is no help from the police and if they don't reduce the number of criminals, I'm afraid the detection for all antivirus products will go down," Kaspersky said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?