More than a quarter of all malware variants created in 2015
Last year was a record year for malware, according to a new report from Panda Security, with more than 84 million new malware samples collected over the course of the year.
That averages out to around 230,000 new malware samples a day, and the year's total amounts to 27% of all malware ever created, said Luis Corrons, technical director of Panda's PandaLabs unit.
Trojans continued to account for the main bulk of malware, at 51.45%, followed by viruses at 22.79%, worms at 13.22%, potentially unwanted programs such as adware at 10.71% and cases of spyware at 1.83%.
According to Corrons, one reason that the number of malware variants is proliferating is, ironically, that antivirus software is getting better at detecting and blocking them.
“At the end of the day, it’s our fault, in some ways,” he said.
Say, for example, a hacker sends out 1,000 instances of a piece of malware. Once one gets caught, the rest will as well because the signature will get identified. But if the hacker sends out 1,000 variations on that same malware, the likelihood is higher that more of them will get through.
These days, Corrons added, the attackers have automated software that will slightly modify malware just enough to make it look different to defending systems.
“When you get an infected website, every different user gets a slightly different version of the same Trojan,” he said.
Back when he started out, 17 years ago, he said, they saw 100 new variants per day.
“And we thought it was crazy,” he said. “All the processes we had in the lab were pretty much manual — so it was crazy.”
But the defenders are getting better as well, he added.
For example, if PandaLabs sees a file that it has never seen before, that alone is an indicator to place the file under additional scrutiny. That is possible because of the rapid spread of cloud technology, he said: the lab can check each new file against what it has already seen across the world.
“If we see a new file that we have never seen, we know that the file has not yet been seen anywhere else in the world,” he said.
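The two mechanisms described above, as an added example that is not from the article or from Panda: a small Python simulation in which an exact-hash signature stops 1,000 identical copies once the first is caught but never matches 1,000 variants, while a first-seen check of the kind Corrons describes flags every variant for scrutiny. The sample bytes, the `Scanner` class and the simulated lab verdict are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a Trojan: a fixed body plus a small region that the
# attacker's automated tooling varies per download (hypothetical format, not a real sample).
BODY = b"MZ\x90\x00" + b"trojan-body" * 4


def make_variant(seed: int) -> bytes:
    """Same body, different trailing bytes: enough to defeat every hash-based signature."""
    return BODY + seed.to_bytes(2, "big")


@dataclass
class Scanner:
    signatures: set = field(default_factory=set)     # SHA-256 of files confirmed malicious
    seen_anywhere: set = field(default_factory=set)  # every hash any endpoint has reported (cloud telemetry)

    def classify(self, data: bytes) -> str:
        """Return 'block' (known bad), 'scrutinize' (never seen anywhere) or 'allow'."""
        h = hashlib.sha256(data).hexdigest()
        if h in self.signatures:
            return "block"
        first_seen = h not in self.seen_anywhere
        self.seen_anywhere.add(h)
        return "scrutinize" if first_seen else "allow"

    def lab_confirms(self, data: bytes) -> None:
        """Simulated analyst verdict: the scrutinized file is malicious, so its hash becomes a signature."""
        self.signatures.add(hashlib.sha256(data).hexdigest())


def run_campaign(scanner: Scanner, samples: list) -> dict:
    """Deliver each sample in turn and count verdicts; every scrutinized sample is confirmed bad by the lab."""
    counts = {"block": 0, "scrutinize": 0, "allow": 0}
    for sample in samples:
        verdict = scanner.classify(sample)
        counts[verdict] += 1
        if verdict == "scrutinize":
            scanner.lab_confirms(sample)
    return counts


def identical_campaign(n: int = 1000) -> dict:
    """n identical copies: once the first is caught, the hash signature blocks the rest."""
    return run_campaign(Scanner(), [make_variant(0)] * n)


def variant_campaign(n: int = 1000) -> dict:
    """n distinct variants: no hash signature ever matches, but each is new, so each is scrutinized."""
    return run_campaign(Scanner(), [make_variant(i) for i in range(n)])
```

The cost of the first-seen check is visible in the second campaign: every variant lands on the analysis queue, which is why novelty is a trigger for extra scrutiny rather than a verdict on its own.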
In addition, antivirus vendors are getting smarter about sharing malware samples.
Panda has servers up that it uses to share malware samples with its competitors, and it has the ability to query their servers as well — not just for all the new malware samples, but specifically for the ones that Panda itself has not seen yet.
If Panda were to stop sharing malware with, say, Symantec, then Symantec would stop sharing back — and customers would get mad, Corrons said. Instead, vendors differentiate themselves in how they process the malware samples, how they manage that information, and how they set up the detection, he said.
That means that customers do not have to sign up for multiple antivirus services, said Craig Young, security researcher at Tripwire, but he added that it can be an advantage to have different sets of eyes looking out for you.
“You don’t want to be loading up endpoint workstations with multiple antivirus,” he said. “But one approach might be that your email server has one brand of antivirus software that monitors all emails, your intrusion prevention system might be using a different antivirus engine, and the actual computers themselves might have yet another engine to just ensure that nothing is slipping through the cracks.”
In fact, different antivirus engines are often bundled into different security products, so an enterprise would get multiple takes on this automatically.
Both Corrons and Young warned, however, that antivirus detection is not enough, and enterprises need multiple levels of defence.
“A tiered approach is the only way to have any semblance of security, in my opinion,” said Young.
Everyone is constantly under attack, said Corrons.
“Medium and large companies — they have to assume that they are already compromised, and that someone is already inside their network,” he said. “Mainly, in most cases, because it’s already true.”
Enterprises need to look at investing in technology that helps discover infections after they have already infiltrated their systems, instead of relying only on perimeter defences.
Maria Korolov, IDG News Service