Quantity of malware booms
Virus experts from AV-Test have examined the quantity of malware they have collected over the last few years. The shocking result – the count is rising rapidly. Last year they found more than five times as much new malware – almost five and a half million – as in 2006.
[bild1]
According to AV-Test's Andreas Marx, they counted the number of files with different 'fingerprints' (MD5 hashes). This includes malware which is packed using a different run-time packer or is differently encrypted. Since 2004 the level of growth has gone through the roof:
| Year | Malware discovered |
|---|---|
| 2008 | 117480 (first 7 days only) |
| 2007 | 5490960 |
| 2006 | 972606 |
| 2005 | 333425 |
| 2004 | 142321 |
| 2003 | 178825 |
| 2002 | 199049 |
| 2001 | 155528 |
| 2000 | 176329 |
| 1999 | 98428 |
| 1998 | 177615 |
| 1997 | 137716 |
| 1996 | 36816 |
| 1995 | 15988 |
| 1994 | 28613 |
| 1993 | 12287 |
| 1992 | 36822 |
| 1991 | 18384 |
| 1990 | 9044 |
| 1989 | 2604 |
| 1988 | 1738 |
| 1987 | 1389 |
| 1986 | 910 |
| 1985 | 564 |
The figures clearly demonstrate that the signature based approach of current anti-virus software is no longer appropriate. In light of such figures, Eugene Kaspersky predicted at last year's CeBIT that anti-virus software vendors could lose the fight against virus producers. Anti-virus software vendors try to detect multiple malware variants using a single signature by means of generic detection, but the generation of such generic signatures is carried out by programmers, takes time and is prone to error – in the last few days, avast and Gdata have had to contend with a false alarm for an essential system file caused by just such a signature.
One approach to a solution is 'behavioural blockers', which monitor the software running on a system and analyse and assess its behaviour. If sufficient examples of suspect behaviour – such as setting newly created files to autorun, key-stroke recording or creation of connections to IRC servers – are observed, the analysed behaviour may exceed a set threshold, triggering a behavioural blocker alarm, which can terminate the potentially dangerous program and roll-back any changes made.
In the latest c't anti-virus software test, only few anti-virus solutions included a behavioural blocker. Many vendors are currently working on such extensions to their anti-virus solutions.
See also:
- Gdata and avast issue a false alarm in user32.dll, report by heise Security
- Kasperskys worry about malware and hit out at Microsoft, report by heise Security
- Antivirus protection worse than a year ago, report by heise Security
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
