Malware threat reports fail to add up

08 January 2010

The December malware threat reports are trickling in from vendors — and they all appear to be different. Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will inevitably be confused by the results.

For example, in its malware report for last month, Fortinet said that W32/PackBredolab.C!tr topped its chart of malware variants detected in December, accounting for two-thirds of that month's malware activity. It was a new entry to the malware table, the company said.

Kaspersky highlighted three versions of the Kido worm, known more popularly as Conficker, in the top three slots of its own malware threat report for December. Sunbelt listed Trojan.Win32.Generic!BT in the top malware slot as part of its own report, with almost 20% of the activity for December. A quick scan of the other top 10 malware entries for each company reveals few if any matches.

"Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges," said Tom Kelchner, Sunbelt Research Center manager. "What one company detects and identifies as a specific, named piece of malcode, another may detect generically."

He argued that antivirus companies have tried to use common names for malware that they find, but that the complex nature of antivirus analysis, combined with the speed of the process, has made it almost impossible to work together.

"Naming convention is one thing. But I think the main problem these days is the way in which detection techniques have shifted," said Roel Schouwenberg, senior antivirus researcher, Kaspersky Lab. "The shift in detection techniques makes naming harder and grouping of malware completely different."

Axelle Apvrille, senior mobile AV analyst and researcher in the Fortinet EMEA threat response team, said that the time window for detections is another reason for the disparity in results. "Even if, globally, Sunbelt, Kaspersky and us encounter the same threats, this may not be true when we consider short time frames (such as a month)," Apvrille said.

"It's hard for users, not being able to find information on something under one name," noted Joe Stewart, director of malware research at managed security company SecureWorks. Because anti-malware vendors are also competitors, they have little incentive to work together on normalizing names and detection techniques, he pointed out. "I don't think that there's any solution in sight, because there are so many factors that play into it. Because of the way that the industry works, you can't work around them too well."
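The name-normalization problem Kelchner and Stewart describe can be made concrete with a small reconciliation script. The following is an added example, not code from the article or from any of the vendors it quotes: it takes constructed top-entries lists for the three vendors (the three headline detection names come from the article; the Fortinet and Sunbelt percentages approximate the "two-thirds" and "almost 20%" figures, and every other entry and percentage is made up for illustration), reduces each vendor name to a family key, and shows that raw names never overlap while family keys do, provided an analyst-maintained alias table (here only the Kido/Conficker pairing the article mentions) bridges the vendors' vocabularies. Generic detections such as Trojan.Win32.Generic!BT are reported as an unattributable share rather than matched against anything, which is exactly the apples-and-oranges effect the quotes describe.

```python
import re

# Constructed sample data. The three headline names are from the article; the
# remaining names and all percentages are invented for illustration only.
REPORTS = {
    "Fortinet": [
        ("W32/PackBredolab.C!tr", 66.0),
        ("W32/Kido.B!worm", 4.0),
    ],
    "Kaspersky": [
        ("Net-Worm.Win32.Kido.ih", 12.0),
        ("Net-Worm.Win32.Kido.ir", 9.0),
        ("Net-Worm.Win32.Kido.iq", 6.0),
        ("Trojan-Downloader.Win32.Bredolab.a", 3.0),
    ],
    "Sunbelt": [
        ("Trojan.Win32.Generic!BT", 19.8),
        ("Worm.Win32.Kido.c", 5.0),
    ],
}

# Alias table an analyst would maintain by hand (assumption: only the one
# pairing the article states is included here).
ALIASES = {"kido": "conficker"}

# Tokens that describe platform or malware type rather than a family.
PLATFORM_OR_TYPE = {"w32", "win32", "js", "net-worm", "worm", "trojan",
                    "trojan-downloader", "tr", "bt", "virus"}
# Tokens that mark a generic/heuristic verdict with no family information.
GENERIC_MARKERS = {"generic", "heur", "suspicious"}


def family(detection_name):
    """Reduce a vendor detection name to a lowercase family key.

    Returns None for generic verdicts, which carry no family to compare.
    Variant suffixes (".C", ".ih", "!tr") are dropped by the length filter;
    this assumes real family names are longer than two characters.
    """
    tokens = [t.lower() for t in re.split(r"[/.!]", detection_name) if t]
    candidates = [t for t in tokens if t not in PLATFORM_OR_TYPE and len(t) > 2]
    if not candidates:
        return None
    key = candidates[0]
    if key in GENERIC_MARKERS:
        return None
    return ALIASES.get(key, key)


def raw_name_overlap(reports):
    """Families shared by all vendors when comparing raw names verbatim."""
    return set.intersection(*(set(n for n, _ in e) for e in reports.values()))


def compare(reports):
    """Aggregate each vendor's shares by family and find the common families."""
    by_vendor, generic_share = {}, {}
    for vendor, entries in reports.items():
        shares, unattributed = {}, 0.0
        for name, pct in entries:
            fam = family(name)
            if fam is None:
                unattributed += pct      # generic verdict: cannot be matched
            else:
                shares[fam] = shares.get(fam, 0.0) + pct
        by_vendor[vendor] = shares
        generic_share[vendor] = unattributed
    common = set.intersection(*(set(s) for s in by_vendor.values()))
    return {"by_vendor": by_vendor, "common": common, "generic_share": generic_share}


if __name__ == "__main__":
    print("raw name overlap:", raw_name_overlap(REPORTS) or "none")
    result = compare(REPORTS)
    print("family overlap:  ", result["common"] or "none")
    for vendor, shares in result["by_vendor"].items():
        print(f"{vendor:10s} families={shares} generic={result['generic_share'][vendor]}%")
```

Note that even after normalization Fortinet's "packbredolab" and Kaspersky's "bredolab" remain separate keys until someone adds that pairing to the alias table; the script makes the gap visible rather than hiding it, which is the point of running such a reconciliation before comparing vendor rankings.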

In short: is there a problem with user confusion over threat tables like these? Most definitely. Can we solve it? Apparently not.
