[AI] The battle against Internet viruses
vataran77 at verizon.net
Sat Mar 22 12:09:34 EDT 2008
Dear list members,
This article shows the extent of the problem that we computer users all face.
Can you imagine, over 5 million malicious software programs were unleashed last year!
This emphasises the importance of not relying only on the anti-virus
programme and of exercising caution regarding attachments, clicking on
unknown links, downloading from dubious web sites, etc.
Wishing you all safe surfing.
Anti-Virus Firms Scrambling to Keep Up
Sophistication of Viruses and Other Threats Poses Big Challenges for
By Brian Krebs
washingtonpost.com Staff Writer
The sheer volume and complexity of computer viruses being released on
the Internet today has the anti-virus industry on the defensive,
experts say, underscoring the need for consumers to avoid relying on
anti-virus software alone to keep their home computers safe and
Approximately 5.5 million malicious software programs were unleashed
on the Web last year, according to AV Test Labs, a German company
that measures how quickly and accurately anti-virus products detect
the latest malicious software, also known as "malware." That volume,
AV said, forced anti-virus firms to analyze between 15,000 and 20,000
new specimens each day -- more than four times the daily average they
found in 2006, and at least 15 times as many as the company recorded in
2005. In the first two months of 2008 alone, AV Test found more than
one million samples of malware spreading online.
"Back in 1990 we were seeing a handful of new viruses each week," said
David Perry, global director of education for Trend Micro, an
anti-virus company headquartered in Japan. "Now, we're having to
analyze between 2,000 and 3,000 new viruses per hour."
This glut of malware is the result of a long-running digital arms race
between security companies and criminals intent on stealing personal
financial data from vulnerable computers and using networks of
commandeered PCs for all manner of lucrative criminal enterprises --
from sending spam to hosting scam Web sites.
The rapid increase of viruses and other malware has forced the
anti-virus industry to overhaul its traditional approach to writing its
software, with the result that security products on the market today
are far more powerful and sophisticated. But many observers say that
despite all its new bells and whistles, the anti-virus industry as a
whole continues to fall behind in identifying the very latest
The challenge, security experts say, is that criminal groups
responsible for manufacturing most of the malicious software in
circulation today are reinvesting their illicit profits in research
and recruiting talented computer programmers. A special emphasis is
placed on creating malware that coexists peacefully with an infected
computer system, doing its work quietly in the background.
"A lot of these [malware] shops are now hiring professionals and doing
quality assurance work, things that generally make the job of the
anti-virus researcher that much harder," said Randy Abrams, director
of technical education at ESET, an anti-virus company based in
Nightmarish Arms Race
Spurred by enormous profits, organized criminals largely based outside
of the United States and Western Europe are automating the creation
and modification of new viruses, making it possible to churn out
thousands of variations of the same viruses every few hours in a bid
to stay a step ahead of the anti-virus firms.
Malware writers increasingly are taking steps to ensure that computers
infected with their creations stay infected, according to security
researchers. In years past, no matter how quickly an anti-virus
product shipped updates to detect the most recent malware, most
anti-virus software would eventually sound the alarm if a virus
managed to slip past its initial defenses.
But more of today's cyber criminals are continuously updating the
malware they have managed to install on victims' computers, replacing
older malicious files with new ones in a bid to keep them hidden.
This strategy has had a profound impact on the daily operations of
anti-virus companies. The industry has traditionally fought malware by
maintaining large libraries of digital genes known as "signatures,"
tiny snippets of computer code pulled from known viruses and worms.
Under this tried-and-true method, if the anti-virus software spots a
match between a virus signature in its database and a segment of code in
the user's downloaded file or e-mail, the security software will alert
that user that the program is malicious and attempt to block it from
gaining a foothold on the system.
But the large volume of malware that anti-virus firms are processing
each day has made it virtually impossible for those companies to
create individual signatures for each new specimen. Instead, the
anti-virus firms have been forced to invest heavily in methods and
technologies for automating new malware analysis.
For its part, Sunbelt Software, a security software company based
in Clearwater, Fla., recently added more than 50 new servers to its
malware analysis center to lighten the load of a lab already straining
under the daily deluge of new virus samples.
"We've had to bring in a great deal more hardware and come up with
tons of different new detection methods just to deal with the incoming
malware load in the past year," Sunbelt President Alex Eckelberry
Much of that automation involves creating more generic signatures
capable of detecting a broader range of malicious files. That approach
relies less on recognizing any telltale code fragment than it does
identifying a suspicious type of behavior or overall resemblance to a
well-known family of malicious software.
This labor- and time-saving method has its shortcomings, however. For
one thing, employing more generic detection methods can lead to a
greater number of false alarms, wherein innocent files are mistaken
for viruses. These kinds of errors can be extremely disruptive for
customers, and they've become more common as anti-virus makers have
increased their reliance on generic detection methods, said Andreas
Marx, managing director for AV Test.
Marx said that while all anti-virus companies maintain comprehensive
lists of known "good" files with which to test their daily anti-virus
updates and avoid false alarms, many times those tests are never
"It looks like more and more that for time reasons these scans are not
even performed, but the update is released 'as is,' putting the users
at a high risk to destroy their running, non-infected systems," Marx
A handful of these so-called false positives have had a fairly broad
impact on customers. In December, Russian anti-virus maker
Kaspersky erroneously flagged Windows Explorer -- the visual
interface for Windows itself -- as a Trojan horse program. Earlier in
the year, a faulty update to certain versions of Symantec's Norton
Antivirus program detected two essential Windows components as
malicious, crippling millions of Windows PCs.
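The signature matching described above, and the trade-off between a specific signature and a generic one, can be seen in a small scanner. This is an added example, not code from the article or from any anti-virus vendor: the file contents, the worm family, the signature names and the patterns are all constructed for illustration. It also includes the pre-release check Marx describes, running a new signature set over a corpus of known-good files so that a generic pattern which also matches a clean program is caught before the update ships.

```python
import re

# Constructed samples standing in for files on disk: three variants of one
# invented worm family and two clean programs (every byte string is made up).
FAMILY = {
    "worm_variant_a": b"MZ... CONNECT irc.example.test:6667 JOIN #bots",
    "worm_variant_b": b"MZ... CONNECT irc.example.test:7000 JOIN #bots",
    "worm_variant_c": b"MZ... CONNECT 10.0.0.9:6667 JOIN #zoo",
}
KNOWN_GOOD = {
    "clean_chat_client": b"MZ... CONNECT irc.example.test:6667 JOIN #help",
    "clean_text_editor": b"MZ... Untitled - Text Editor",
}

# Specific signature: an exact snippet pulled from variant A (hypothetical name).
SPECIFIC = {"Worm.Example.A": b"CONNECT irc.example.test:6667 JOIN #bots"}

# Generic signature: a pattern meant to cover the whole family (hypothetical name).
GENERIC = {"Generic.IRCBot": re.compile(rb"CONNECT \S+:\d+ JOIN #\w+")}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures, specific and generic, that match."""
    hits = [name for name, snippet in SPECIFIC.items() if snippet in data]
    hits += [name for name, pat in GENERIC.items() if pat.search(data)]
    return hits


def coverage(samples: dict) -> dict:
    """Map each sample name to the signatures that detect it."""
    return {name: scan(data) for name, data in samples.items()}


def false_positives(known_good: dict) -> list[tuple[str, str]]:
    """Pre-release check: scan the known-good corpus with the new signature
    set and report every (file, signature) pair that fires. Anything returned
    here is a false positive that would ship if the test were skipped."""
    return [(name, sig) for name, data in known_good.items() for sig in scan(data)]


if __name__ == "__main__":
    # The specific signature catches only variant A; the generic one catches
    # all three variants but also the clean chat client.
    for name, hits in coverage(FAMILY).items():
        print(f"{name}: {hits or 'MISSED'}")
    print("false positives:", false_positives(KNOWN_GOOD))
```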
Headache for Consumers
Malicious software is becoming harder to remove because more virus
writers are including components that bury the malicious files deeper
within the operating system. For many users, some of today's most
tenacious intruders cannot easily be removed without re-installing the
operating system. Re-installing isn't such a huge hassle for businesses,
which tend to keep user-generated data files in separate digital
storage bins from the underlying operating system. Indeed, for some
businesses, a virus infection is grounds to rebuild the infected
machine with a known safe copy of Windows and any other needed
But home users often will try almost anything before re-installing
Windows, mainly because they typically do not have those same data and
system backup plans in place, said Don Jackson, a senior security
researcher for Atlanta-based SecureWorks.
"Comprehensive remediation of infections is badly hurt by generic
detection, and unfortunately a lot of today's infections are extremely
difficult for the average user to remove completely," Jackson said.
"You can see the evidence of that by number of people desperately
posting to various security self-help sites."
An increasing reliance on generic detection also has made it more
difficult for consumers to find instructions online for removing an
infection that can't be completely eradicated by anti-virus software.
Instead of pinpointing a malicious intruder with a specific filename
(e.g. "MyTob Worm.AB"), generic signatures often will assign plain
vanilla names to malware files, such as "Generic Trojan Dropper," or
"Backdoor.generic." Such vague names entered into a search engine
produce so many results that people with machines victimized by such
malware often are at a loss as to how to proceed, said David Harley,
an anti-virus consultant and administrator of the Anti-Virus
Information Exchange Network (AVIEN), a group made up of corporate IT
security administrators who share trends and data on the latest
malware threats.
"What happens now is some stuff can be removed generically, and that
does happen, but a lot of the time [the victim's anti-virus product]
says I think you have a problem here, but I'm afraid you're going to
have to sort it out yourself," Harley said. "That puts the user who
just wants this stuff off his machine in a terribly awkward position."
Experts say PC users shouldn't depend on anti-virus software to save
them from risky online behaviors, such as clicking on Web links
included in unsolicited e-mail and instant messages. Rather, they say,
anti-virus should be part of a layered security approach that includes
using a firewall to keep out unwanted Internet traffic and applying
software updates for both Microsoft Windows and third-party software
-- particularly popular programs used to display documents or play
audio and video files.
"The problem is that we have this ongoing, unrealistic expectation
that somehow we are going to detect 100 percent of the malware out
there, when in fact what we have today is slightly less detection than
we did, say, in the mid-1990s, when we were actually catching 70 to 80
percent of the new threats," said AVIEN's Harley.
For security researchers on the bleeding edge of defending information
networks, even those less-than-stellar numbers may seem a bit
inflated. Jerry Dixon, director of analysis for Team Cymru, a
security research firm in Burr Ridge, Ill., said his team recently
submitted more than 1,000 samples of brand new malware for scanning by
32 different commercial anti-virus products from around the globe. The
result: Only 37 percent of the programs were detected as malicious by
any of the products.
"The real challenge here is for people to get it through their heads
that anti-virus is not a panacea, and that it's always going to fall
short of identifying threats in real-time," said Trend's Perry. "The
challenge for us as an industry is to try to change that perception,
while at the same time integrating new threat mitigation features into