Quantity of malware booms
Virus experts from AV-Test have examined the quantity of malware they have collected over the last few years. The shocking result – the count is rising rapidly. Last year they found more than five times as much new malware – almost five and a half million – as in 2006.
According to AV-Test's Andreas Marx, they counted the number of files with distinct 'fingerprints' (MD5 hashes). A sample is therefore counted as new whenever its bytes differ, so the same malware repacked with a different run-time packer or re-encrypted counts again each time. Since 2004 the growth has gone through the roof:
| Year | New malware samples (distinct MD5 hashes) |
|---|---|
| 2008 | 117,480 (first 7 days only) |
| 2007 | 5,490,960 |
| 2006 | 972,606 |
| 2005 | 333,425 |
| 2004 | 142,321 |
| 2003 | 178,825 |
| 2002 | 199,049 |
| 2001 | 155,528 |
| 2000 | 176,329 |
| 1999 | 98,428 |
| 1998 | 177,615 |
| 1997 | 137,716 |
| 1996 | 36,816 |
| 1995 | 15,988 |
| 1994 | 28,613 |
| 1993 | 12,287 |
| 1992 | 36,822 |
| 1991 | 18,384 |
| 1990 | 9,044 |
| 1989 | 2,604 |
| 1988 | 1,738 |
| 1987 | 1,389 |
| 1986 | 910 |
| 1985 | 564 |
The figures make clear that the signature-based approach of current anti-virus software no longer scales. In light of such numbers, Eugene Kaspersky predicted at last year's CeBIT that anti-virus vendors could lose the fight against malware authors. Vendors try to cover many variants with a single generic signature, but such signatures are written by hand, take time to produce and are prone to error: in the last few days, avast and Gdata have both had to deal with a false alarm on an essential system file caused by exactly such a signature.
One approach to a solution is the 'behavioural blocker', which monitors the software running on a system and analyses and scores its behaviour. Each suspicious action, such as registering a newly created file to autorun, recording keystrokes or connecting to an IRC server, adds to a running score for the process; once the accumulated score exceeds a set threshold, the behavioural blocker raises an alarm, can terminate the potentially dangerous program and can roll back the changes it made.
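To make the scoring idea concrete, here is an added example (not code from AV-Test, c't or any vendor named on this page) of a minimal behavioural blocker run over a constructed stream of process events. The event names, weights, the threshold and the sample events are all illustrative assumptions; a real product would draw its events from kernel hooks rather than text lines. It shows the two properties the paragraph describes: single low-weight actions (creating a file) stay below the threshold, while a combination of high-weight actions trips the alarm, after which the remaining events for that process are ignored and a reverse-ordered rollback plan is produced.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed per-event weights and alarm threshold (illustrative, not a vendor's values).
WEIGHTS = {
    "autorun_registration": 40,  # new file registered to start at boot/login
    "keystroke_hook": 35,        # process installs a keyboard hook
    "irc_connect": 30,           # outbound connection to an IRC server
    "file_create": 5,            # benign on its own, suspicious in combination
    "process_start": 0,
}
THRESHOLD = 60

# Events that leave persistent changes an alarm should undo.
REVERSIBLE = {"autorun_registration", "file_create"}

# Constructed sample telemetry in key=value form (not real captured data).
SAMPLE_EVENTS = [
    "pid=4120 event=process_start image=C:/Users/bob/Downloads/invoice.exe",
    "pid=4120 event=file_create path=C:/Windows/svchosts.exe",
    "pid=4120 event=autorun_registration path=C:/Windows/svchosts.exe",
    "pid=4120 event=keystroke_hook",
    "pid=4120 event=irc_connect dest=198.51.100.7:6667",
    "pid=880 event=process_start image=C:/Progs/Editor/editor.exe",
    "pid=880 event=file_create path=C:/Users/bob/notes.txt",
    "pid=880 event=file_create path=C:/Users/bob/notes.bak",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class ProcessState:
    score: int = 0
    evidence: list = field(default_factory=list)  # scored events, in order
    changes: list = field(default_factory=list)   # (event, path), oldest first
    blocked: bool = False


def parse_event(line):
    """Parse one 'k=v k=v ...' line into a dict; reject lines without pid/event."""
    fields = dict(FIELD_RE.findall(line))
    if "pid" not in fields or "event" not in fields:
        raise ValueError(f"malformed event line: {line!r}")
    fields["pid"] = int(fields["pid"])
    return fields


def analyse(lines, threshold=THRESHOLD):
    """Score every process in the stream and return a pid -> ProcessState map.

    The first event that pushes a process to or over the threshold marks it
    as blocked; later events for that pid are dropped, mirroring a blocker
    that has already terminated the process.
    """
    states = defaultdict(ProcessState)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        st = states[ev["pid"]]
        if st.blocked:
            continue
        kind = ev["event"]
        weight = WEIGHTS.get(kind, 0)  # unknown event types score nothing
        st.score += weight
        if weight:
            st.evidence.append(kind)
        if kind in REVERSIBLE:
            st.changes.append((kind, ev.get("path", "")))
        if st.score >= threshold:
            st.blocked = True
    return dict(states)


def rollback_plan(state):
    """Undo recorded changes newest-first so dependencies unwind in order."""
    undo = {"file_create": "delete", "autorun_registration": "unregister"}
    return [(undo[kind], path) for kind, path in reversed(state.changes)]


if __name__ == "__main__":
    for pid, st in analyse(SAMPLE_EVENTS).items():
        print(pid, st.score, "BLOCKED" if st.blocked else "ok", st.evidence)
        if st.blocked:
            print("  rollback:", rollback_plan(st))
```

The threshold is the tuning knob that separates a useful blocker from a noisy one: set it too low and an editor writing a backup file looks like a dropper, which is the behavioural counterpart of the false alarm on a system file mentioned above.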
In the latest c't anti-virus software test, only a few anti-virus solutions included a behavioural blocker. Many vendors are currently working on adding such extensions to their products.
See also:
- Gdata and avast issue a false alarm in user32.dll, report by heise Security
- Kasperskys worry about malware and hit out at Microsoft, report by heise Security
- Antivirus protection worse than a year ago, report by heise Security
(mba)