Malware flood driving new AV

Symantec researchers say number of malicious applications is rapidly outpacing the volume of legitimate programs, forcing some to rethink AV, defense tactics

During a weeklong period in mid-November, security experts with Symantec observed roughly 65,000 new applications being downloaded onto the computers of customers participating in a new research project -- based on their analysis of the software, as many as 60 percent of the programs were malicious.

That week was a relative high point for the share of unknown applications being downloaded by the project's participants, and the company's assessment of those programs as malicious rested largely on their use of obfuscated file names, a naming heuristic rather than a full analysis of what each program does.

Even so, the numbers point to a disturbing trend that the researchers say may force the security company to change its fundamental approach to warding off threats: the number of malicious applications appearing on the Web now appears to be outpacing the volume of legitimate programs.

With malware authors using fuzzing tools to find holes in popular applications such as Web browsers, and testing their work against commercial anti-virus (AV) products to ensure that the attacks evade detection by the tools, leading researchers at Symantec admit that defending against threats using traditional methods has become something of a losing battle.

"The reality is that most new malware is going undetected by commercial security products, and not just Symantec's, but we have to recognize that like all other AV products we are probably missing a sizeable amount of this malware," said Carey Nachenberg, a member of the company's Security Response team who also wears the title of Symantec Fellow.

"Eventually we write [virus] signatures and get those out to customers, but it appears that a sizeable proportion of this malware never gets detected," he said. "Instead of distributing one copy of each malware program to thousands of people, they're producing a copy for as few as two or three people and then re-writing it; so, if we get one version we can remove it from a few computers, but not all the variants. The problem with this is that there is the potential over time for almost everyone to have some form of infestation, maybe in only a few years time."

The trend toward malware authors distributing small runs of each attack to evade detection while still hooking as many victims as possible, known as server-side polymorphism because the distribution server re-packs the malware for each download so that every copy has a different signature, is forcing Symantec to reassess how it goes about protecting its users.

Since Symantec cannot hope to keep up with every variant being created, traditional countermeasures such as malware signatures and behavioral heuristics will need to be augmented with new tactics, Nachenberg said.

One such alternative is to reuse the distributed data collection capability that Symantec already uses to track the proliferation of malware. By building a reputation system for files and Web sites from application usage patterns among its customers, the researcher said, Symantec hopes a community approach can help people decide which programs to use and which to avoid.

Much as many people turn to the reviews section on Amazon.com or the buyer feedback system on eBay to get a real-world take on products before they decide to buy, Nachenberg contends that by watching how people are using various applications the security vendor can use a process of elimination for weeding out malware from legitimate software.

If only a handful of the millions of Symantec customers contributing usage data to such a program were running a given application, it would be prudent to recommend that people avoid the program until its nature has been better determined, he said.
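To make the prevalence idea concrete, the following is an added example, not Symantec's code or data, that simulates the contrast between an exact-hash signature blocklist and the prevalence-based reputation verdict described above. The telemetry is constructed inline (1,000 hosts with one popular installer, two hosts with a rare in-house tool, and 200 hosts that each received a uniquely re-packed variant of one polymorphic family), and the threshold of five reporting hosts, the file names and the host counts are all assumptions chosen for illustration:

```python
"""Prevalence-based file reputation vs. exact-hash signatures.

Illustrative example with constructed telemetry; thresholds and host counts are
assumptions, not Symantec's. A record is (host_id, file_name, sha256_hex, truth),
where `truth` is ground truth kept only for scoring and never read by the detectors.
"""
import hashlib
from collections import defaultdict

MIN_PREVALENCE = 5  # assumption: fewer reporting hosts than this => "low prevalence"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_telemetry():
    """Constructed telemetry resembling what an opted-in client base would report."""
    records = []
    # Legitimate, widely installed program: identical bytes on 1,000 hosts.
    popular = sha256_hex(b"vendor-installer-v3.2")
    for host in range(1000):
        records.append((f"host-{host:04d}", "setup.exe", popular, "legit"))
    # Legitimate but rare in-house tool: only two hosts have it.
    inhouse = sha256_hex(b"payroll-export-tool")
    for host in (17, 42):
        records.append((f"host-{host:04d}", "payroll_export.exe", inhouse, "legit"))
    # Server-side polymorphic family: the download server re-packs the dropper
    # for each victim, so every host gets a unique hash and an obfuscated name.
    for host in range(1000, 1200):
        variant = sha256_hex(b"dropper-family-A" + str(host).encode())
        records.append((f"host-{host:04d}", f"{variant[:6]}.exe", variant, "malicious"))
    return records


def prevalence_table(records):
    """Map each file hash to the set of hosts that reported it."""
    table = defaultdict(set)
    for host, _name, digest, _truth in records:
        table[digest].add(host)
    return table


def signature_hits(records, known_bad):
    """Classic AV: exact-hash blocklist. Returns the hashes it matched."""
    return {digest for _h, _n, digest, _t in records if digest in known_bad}


def classify(digest, table, min_prevalence=MIN_PREVALENCE):
    """Reputation verdict from community prevalence alone."""
    hosts = len(table.get(digest, ()))
    if hosts == 0:
        return "never-seen"
    if hosts < min_prevalence:
        return "low-prevalence"
    return "widely-used"


def low_prevalence_hashes(table, min_prevalence=MIN_PREVALENCE):
    """Every hash seen on fewer than `min_prevalence` hosts: the 'avoid for now' set."""
    return {d for d, hosts in table.items() if len(hosts) < min_prevalence}


def compare_detection(records, known_bad, min_prevalence=MIN_PREVALENCE):
    """Score both approaches against the ground-truth labels in the telemetry."""
    truth = {digest: t for _h, _n, digest, t in records}
    malicious = {d for d, t in truth.items() if t == "malicious"}
    table = prevalence_table(records)
    sig = signature_hits(records, known_bad)
    rep = low_prevalence_hashes(table, min_prevalence)
    return {
        "malicious_hashes": len(malicious),
        "signature_caught": len(sig & malicious),
        "reputation_caught": len(rep & malicious),
        "reputation_false_positives": sorted(rep - malicious),
    }


if __name__ == "__main__":
    records = build_telemetry()
    # Assume the lab obtained exactly one sample of the family and wrote a signature for it.
    known_bad = {sha256_hex(b"dropper-family-A1000")}
    print(compare_detection(records, known_bad))
```

Run against the constructed data, the single signature matches one of the 200 variants, while the prevalence rule flags all 200 without knowing anything about the family. The cost is visible in the same output: the rare in-house tool lands in the low-prevalence set too, which is exactly the "avoid it until its nature is better determined" outcome the article describes, and the threshold is the dial between missed variants and that kind of false positive. Prevalence is also only as trustworthy as the telemetry it is computed from, so a deployment would need to guard against an attacker inflating a file's apparent popularity with forged reports.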

Using opt-out, anonymous feedback tools built into its existing Norton AntiVirus and Internet Security 2008 products, the company is already gathering the kind of data needed to build such a recommendation system.

"Right now this is just a long-term research project, but we hope that as we get more users involved in the system, we can truly get a better idea of what is on people's computers so that we can identify malicious software based on the demographics of who is using it, versus what it does," Nachenberg said. "We're hoping to get more clarity through the large base of users we have; by collecting this data we should be able to get the most comprehensive view of the usage patterns to derive reputation information for everything they use."


Matt Hines

InfoWorld