A changed approach from the authors of malware defines new challenges for protection software

Introduction

During the last two years monitors of trends in malicious Internet activity in general and malicious software in particular, have noticed a significant change. Previously the Internet community experienced huge pandemic outbreaks of malicious software (with lots of media attention). This has stopped almost completely. As you can see from Norman's "CURRENT VIRUS THREATS" listing on the right hand side, most of the items on this list are quite old. The reason why is that almost no new malware has appeard that poses a greater risk for infection for you as a user, than these still active old ones.

Our Security Information week 11 this year discussed the change in malware activity with focus on the media's role in analyzing the threat situation. This Security Information will take a different approach.

Less high-profile malware means less risk of infection?

One might be tricked into believing that since there is no media attention on the huge virus pandemics - like Melissa, LoveLetter, Sobig.F and other widespread malware - the casual Internet user is less exposted for infections from malicious software.
Unfortunately this is not the situation at all!

Although each and every piece of malicious software are less widely distributed, this is (obviously?) not a relevant way to measure your exposure to malware in general. The total amount of malicious software "floating around" is what dermines your risk for being exposted. To determine whether you are at less risk now than a few years ago, the sum of malware in the wild is a far more significant than the attention particular pieces of malware gets.

Norman's virus detections files may give some kind of indication regarding the amount of different malware that are created. Long-time users of our software will have experienced a striking increase in the size of the virus definition files during the latest few years and months. These days more than one thousand new signatures are added each day, and it is not exceptional that several thousand new signatures are added. Other antivirus vendors' products have the same growth in their signature files.

The mere number of malicious software created also makes if more difficult for the antivirus and security industry to determine precise names for the culprits. The recent family of worms called Stration by Norman has names like Email-Worm.Win32.Warezov; W32/Spamta.worm by other antivirus vendors. This of course further adds to the media's and the general public's inability to determine the threat situation accurately.

What has happened?

Before discussing what this change means for vendors of protection software, and for your own precence on the Internet, let us sum up a bit the reasons for this shift in the malware situation:

• The authors of malicious software are not so often "script kiddies", rather persons or organizations involved in criminal activity with significantly more resources at disposal. The Internet community is currently experiencing a shift from creating havoc as an end itself, to economically motivated malicious activity.
• There is a convergence going on between different types of malware; viruses, worms, keyloggers, trojans, spyware and adware. These are often bundled in "malware cocktails" that are difficult to get rid of when one is infected.
• The authors of malware are often using day-zero vulnerabilities in operating systems and applications. Thus the malware may exist some time without any cure/protection available from the vendor of the vulnerable software.
• Each piece of malware is meant to be short-lived. However, new variants are created at a frightening speed (requiring their own virus signatures). The authors often use sophisticated techniques to "obscure" the fact that a new variant is close to a previous one, thus complicating the antivirus vendors ability to detect a particular malware family in a generic way.
• Authors of malicious software often create the malware with one particular or one group of organizations as their target. This means that it is more difficult for the antivirus industry to become aware of such malware, to add to the signature files.

The protection scheme

The situation for most users

This new situation has to some extent been a new challenge to the antivirus industry. Getting hands on the new malware as well as adding new signature files for this malware, are more demaning and time-consuming than ever.

The need for protection software that is less dependant on signature-based techniques is seen as paramounth, and several antivirus vendors have created their own tools to accomplish this. Norman's SandBox Technology, which is integrated in all Norman's antivirus products, is among the most advanced pro-active protection tools. You can read more about the SandBox tecknology here (opens a separate browser window).

End users will often also use several types of protection software to be as widely protected as possible. (The consideration is that if one protection software does not catch the malware, another might.)

Users likely to be targeted by special attacks

As mentioned previously, particular organizations are pinpointed for attacks far more often than before. If such attacks are conducted by use of malicious software, it is difficult to protect against, as the malware may be so little wide-spread that it is not included in the antivirus industry's signature files.

Examples of organziations that may be in the danger zone are

• The banking and insurance industry
• High-tech businesses that have developed technology that is seen as strategically important for other competing companies and organizations (or countries)
• Security organizations of all kinds.

Such potential targets will often have their own arsenal of protection software - developed in-house or as special projects by third-party vendors. Norman has recently developed a set of tools that are particularly useful for this group of organizations - the SandBox Malware Analyzer products. More information about these is available here (opens in separate browser window).