Malware flood driving new AV

Symantec researchers say number of malicious applications is rapidly outpacing the volume of legitimate programs, forcing some to rethink AV, defense tactics

During a weeklong period in mid-November, security experts with Symantec observed roughly 65,000 new applications being downloaded onto the computers of customers participating in a new research project -- based on their analysis of the software, as many as 60 percent of the programs were malicious.

The involved timeframe represented a relative high point for the percentage of unknown applications being downloaded by Symantec's project participants, and the basis for the company's assessment of the programs as malicious was predicated largely on the programs' use of obfuscated naming conventions.

However, the numbers point to a disturbing trend that the researchers say may force the security company to change its fundamental approach for warding off threats -- that being that the number of malicious applications coming to life on the Web appears to be outpacing the volume of legitimate programs.

With malware authors using fuzzing tools to find holes in popular applications such as Web browsers, and testing their work against commercial anti-virus (AV) products to ensure that the attacks evade detection by the tools, leading researchers at Symantec admit that defending against threats using traditional methods has become something of a losing battle.

"The reality is that most new malware is going undetected by commercial security products, and not just Symantec's, but we have to recognize that like all other AV products we are probably missing a sizeable amount of this malware," said Carey Nachenberg, a member of the company's Security Response team who also wears the title of Symantec Fellow.

"Eventually we write [virus] signatures and get those out to customers, but it appears that a sizeable proportion of this malware never gets detected," he said. "Instead of distributing one copy of each malware program to thousands of people, they're producing a copy for as few as two or three people and then re-writing it; so, if we get one version we can remove it from a few computers, but not all the variants. The problem with this is that there is the potential over time for almost everyone to have some form of infestation, maybe in only a few years time."

The trend toward malware authors using small runs of attacks to evade detection and hook as many victims as possible, known as server-side polymorphism, is forcing Symantec to reassess how it goes about protecting its users.

Since it can't hope to keep up with every flavor of threat that is being created, traditional countermeasures such as the use of malware signatures or behavioral heuristics will need to be augmented with new tactics, Nachenberg said.

One such alternative is the use of the same distributed data collection capabilities that Symantec is using to track the proliferation of malware. By creating a system of file and Web site reputation by studying applications usage patterns among its customers, the researcher said, Symantec hopes to use a community approach to help people determine which programs they decide to use, or avoid.

Much as many people turn to the reviews section on Amazon.com or the buyer feedback system on eBay to get a real-world take on products before they decide to buy, Nachenberg contends that by watching how people are using various applications the security vendor can use a process of elimination for weeding out malware from legitimate software.

If only a few people among the millions of Symantec customers who could contribute usage data to such a program were utilizing some application in question, it would be prudent to recommend that people avoid the program until its nature has been better determined, he said.

Using opt-out tools that provide anonymous feedback on applications that were built into Symantec's existing Norton AntiVirus and Internet Security 2008 products, the company is already gathering the type of data necessary to create such a system of recommendation.

"Right now this is just a long-term research project, but we hope that as we get more users involved in the system, we can truly get a better idea of what is on people's computers so that we can identify malicious software based on the demographics of who is using it, versus what it does," Nachenberg said. "We're hoping to get more clarity through the large base of users we have; by collecting this data we should be able to get the most comprehensive view of the usage patterns to derive reputation information for everything they use."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

InfoWorld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?