Friday, July 25, 2008

Counting the Bullets on the (Malware) Front

How much malware is your antivirus solution detecting? A million, ten million, or, even "worse", less than a million? Does it really matter? No, it doesn't. What's marketable can also be irrelevant once you consider that today's malware is no longer hand-coded, but generated efficiently and obfuscated on the fly. Sophos's recent statistics:



"It is estimated that the total number of unique malware samples in existence now exceeds 11 million, with Sophos currently receiving approximately 20,000 new samples of suspicious software every single day - one every four seconds."



F-Secure's comments, according to which they're "lagging behind" Sophos with ten million malware samples:



"Our AVP database reached one million detection records last night. Dr. Evil would be so impressed…"



McAfee's recent comments as well; they seem to detect fewer malware samples than F-Secure, depending on how you count them, of course:



"It demonstrates that it is possible to announce that we detected, at the end of 2007, “between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And I predict we will detect at the end of 2008 “between 450,000 and 22,000,000 malware”. OK, I joke a bit, but I also want to demonstrate there are many manners to count malware and you must not judge a product only by the announced number of detections."



Say you have antivirus software that detects 10 million malware samples. In reality, while it protects you from those 10 million samples, it wouldn't protect you from the just-coded-for-hire malware bot that's about to be used in a targeted attack. The number of malware samples detected by any antivirus vendor depends on how they actually count them: do they take malware families into consideration and actually distinguish between them, or do they in fact treat each and every malware sample as a separate "bachelor"?
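To make the counting problem concrete, here is an added Python example (not from the post, and not any vendor's code or data) that counts one small, constructed corpus four different ways: every submission received, distinct files by SHA-256, distinct detection names, and distinct families. The file contents and the family names (`Fakedrop`, `Fakebot`, `Fakeworm`) are made up for the example; the `Type.Platform.Family.variant` naming layout is an assumption about how a vendor's detection names are structured.

```python
import hashlib
from collections import defaultdict

# Constructed corpus: hypothetical file contents paired with vendor-style
# detection names ("Type.Platform.Family.variant"). The bytes are not real
# malware and the family names are made up for this example.
CORPUS = [
    (b"dropper build 1",        "Trojan.Win32.Fakedrop.aa"),
    (b"dropper build 2",        "Trojan.Win32.Fakedrop.ab"),
    (b"dropper build 2",        "Trojan.Win32.Fakedrop.ab"),   # same file submitted twice
    (b"dropper build 3",        "Trojan.Win32.Fakedrop.ac"),
    (b"bot build 1",            "Backdoor.Win32.Fakebot.gen"),
    (b"bot build 1, repacked",  "Backdoor.Win32.Fakebot.gen"), # new hash, same generic detection
    (b"worm build 1",           "Worm.Win32.Fakeworm.b"),
    (b"worm build 2",           "Worm.Win32.Fakeworm.b"),
]


def parse_detection(name):
    """Split a 'Type.Platform.Family.variant' detection name into
    (family, variant). The variant part may be empty or generic ('gen')."""
    parts = name.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected detection name format: {name!r}")
    family = parts[2]
    variant = ".".join(parts[3:])
    return family, variant


def count_corpus(corpus):
    """Count the same corpus four different ways and return all of them."""
    unique_hashes = set()
    detection_names = set()
    hashes_by_family = defaultdict(set)
    for content, name in corpus:
        digest = hashlib.sha256(content).hexdigest()
        family, _variant = parse_detection(name)
        unique_hashes.add(digest)
        detection_names.add(name)
        hashes_by_family[family].add(digest)
    return {
        "submissions": len(corpus),               # every file received, duplicates included
        "unique_samples": len(unique_hashes),     # distinct files by SHA-256
        "detection_names": len(detection_names),  # distinct signature / variant names
        "families": len(hashes_by_family),        # distinct malware families
        "samples_per_family": {f: len(h) for f, h in sorted(hashes_by_family.items())},
    }


def inflation_factor(counts):
    """How many times larger the 'unique samples' headline is than the family count."""
    return counts["unique_samples"] / counts["families"]


if __name__ == "__main__":
    counts = count_corpus(CORPUS)
    for key, value in counts.items():
        print(f"{key:>18}: {value}")
    print(f"samples-to-families ratio: {inflation_factor(counts):.2f}")
```

The same eight files come out as 8, 7, 5 or 3 depending on which line of the report a vendor chooses to headline, and the repacked bot shows why per-hash counts grow with every trivially modified build while the family count stays put.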



Given the speed at which malware authors are launching a DDoS attack against AV vendors by cranking out dozens of malware variants belonging to a single family, their actions could start directly driving the data storage market, and if they keep up the same rhythm, soon you'll be partitioning a separate GB for the signature files. Then again, the number of malware samples detected by an antivirus solution isn't the single most important benchmark for its actual usability in a real-life situation; keep that in mind.



Where's the Count when you need him most? Well, he's somewhere out there counting.