Page last updated at 09:12 GMT, Wednesday, 20 May 2009 10:12 UK

Coping with the malware deluge

By Mark Ward
Technology Correspondent, BBC News website


Webcam and internet banking under hacker's control

The struggle between computer security firms and hi-tech criminals has often been likened to an arms race.

Any improvement in the way computers spot malicious software is matched by a change in tactics by the criminals that undermines that better protection.

One particular tactic that has proved successful for the criminals is the pumping out of ever more copies and variants of their malware.

The number of malware samples received by the security companies tells this story by itself.

In 1988 the whole universe of malicious programs numbered 1738 samples, according to statistics from AV Test. By 1998 it had grown to 177,500 and in 2008 hit six million.

"In 2007 we saw more malware in one year than we had in the previous 20," said Tom Parsons, a spokesman for security giant Symantec. "And in the last 18 months we've seen more than in all the previous years combined."

Many of the samples hitting the security firms are variants of old families.

"They re-pack and re-compile them and they look different," said Roger Thompson, chief research officer at AVG.

Mr Thompson said AVG sees about 150,000 samples of malware every day. Up to 30,000 of those can be new and unique viruses never seen before.

Signature dish

In simpler times when security companies came across a virus they would analyse it, prepare a signature file that identified it, test it and then issue that to their customers and clients so they would be protected.


The number of malicious programs being created has mushroomed because the criminals realised that the ability to react was the weak link in the way that security companies protected people.

That black listing approach may have worked well when the numbers of malicious programs were low, but many are starting to question it in the face of the deluge hitting security firms every minute of every day.

"It does mean that, in some ways, the black listing model needs to be questioned," said Mr Parsons.

"It's a model we've been using for 20 years or more," said Rik Ferguson from Trend Micro. "But it's no longer up to the threat. It's just not quick enough."

What can help is more generic analysis of the behaviour of any file that lands on a computer.

Although many computer worms and trojans look very different on first blush, they share a basic modus operandi of subverting the workings of a PC.

Mr Thompson from AVG said tools that analyse behaviour can spot these types of malicious programs even without a signature file naming them as viruses.

Cloud call

"If it starts looking at keystrokes and never has done before that's a sign it's something bad," he said.

Computer virus in e-mail inbox, AP
Computer viruses are now less likely to show up in e-mail

Most computer security firms now include in their software behavioural analysis systems that keep an eye out for seemingly innocuous programs that suddenly turn bad.
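The two approaches the article contrasts, a hash blacklist that only recognises files it has already seen and a behaviour baseline that flags a program the first time it does something sensitive such as looking at keystrokes, side by side in an added example. This is not code from the article or from any of the vendors quoted; the behaviour category names, the learning-period events and the byte strings standing in for file contents are all constructed for illustration.

```python
"""Signature blacklist versus behaviour baseline (added example, constructed data)."""
import hashlib
from collections import defaultdict

# Behaviours a defender treats as sensitive; "keyboard_hook" stands for a program
# that starts looking at keystrokes. The category names are assumed for this example.
SENSITIVE = {"keyboard_hook", "inject_remote_process", "disable_security_tool"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_match(data, signatures):
    """Blacklist check: the exact hash of the file must already be known."""
    return sha256(data) in signatures


def build_baseline(events):
    """Map each program name to the behaviours seen during a learning period."""
    baseline = defaultdict(set)
    for program, behaviour in events:
        baseline[program].add(behaviour)
    return baseline


def new_sensitive_behaviours(baseline, program, behaviours):
    """Sensitive behaviours this program has never shown before, in observed order."""
    known = baseline.get(program, set())
    return [b for b in behaviours if b in SENSITIVE and b not in known]


def classify(sample, signatures, baseline):
    """Try the signature first; fall back to behaviour for unknown or repacked files."""
    if signature_match(sample["bytes"], signatures):
        return ("signature", [])
    novel = new_sensitive_behaviours(baseline, sample["program"], sample["behaviours"])
    if novel:
        return ("behaviour", novel)
    return ("clean", [])


# Constructed learning-period events: what updater.exe normally does.
LEARNING = [
    ("updater.exe", "net_connect"),
    ("updater.exe", "file_write"),
    ("notepad.exe", "file_write"),
]
BASELINE = build_baseline(LEARNING)

# Constructed samples. The "bytes" are stand-ins for file contents, not real malware.
ORIGINAL = {"program": "updater.exe", "bytes": b"MZ original-stub-v1",
            "behaviours": ["net_connect", "keyboard_hook"]}
# Same behaviour, different bytes: what a re-packed, re-compiled variant looks like to a hash.
REPACKED = {"program": "updater.exe", "bytes": b"MZ repacked-stub-v2",
            "behaviours": ["net_connect", "keyboard_hook"]}
BENIGN = {"program": "updater.exe", "bytes": b"MZ vendor-build",
          "behaviours": ["net_connect", "file_write"]}

# The blacklist only knows the original sample.
SIGNATURES = {sha256(ORIGINAL["bytes"])}

if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("repacked", REPACKED), ("benign", BENIGN)]:
        print(name, classify(sample, SIGNATURES, BASELINE))
```

The original sample is caught by its hash, the repacked variant slips past the blacklist but is caught because updater.exe has never hooked the keyboard before, and the benign build trips neither check. A real product would key the baseline on more than a file name, but the shape of the decision is the one the article describes.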

Some, such as Trend Micro, are going further and are using the web to help protect PC owners.

Mr Ferguson from Trend said it changed its tactics when it realised that more than 90% of the malicious programs it sees involve a link to the web.

Whether the subject is a trojan or a machine that has been compromised for a long time, it will eventually get in touch with another site for a download that will update the infected code or seek instructions about what to do next.

This requirement to contact some other website is the Achilles heel of the malicious programs, said Mr Ferguson.

By checking the reputation of the site that any PC sends a query to, it becomes far easier to work out whether the program sending that data is malware or whether a computer has been infected.

Typically, said Mr Ferguson, the servers that keep infected machines up to date or activate them to enrol them in a botnet or start issuing spam are those that are longest-lasting.

"The backend is the most stable part of the infection chain," he said.

By checking a number of factors, such as the IP address and correlations between domain name and geolocation, it becomes easy to spot when a crime hotspot is talking to machines it has infected.

Information about those hotspots is held in a database in the "cloud" so the experience of any infected PC can be widely and quickly shared.
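The reputation check described above, run over a few constructed outbound-connection log lines, as an added example that is not Trend Micro's code or any code from the article. It scores each connection on the factors the article names (a shared database of known backend domains and addresses, a hotspot address range, and whether a domain now resolves somewhere other than where it has historically been hosted) and writes a flagged backend address back into the shared database so that the next PC contacting it is flagged at once. The weights, threshold, log format, domains and addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Reputation check over outbound connections (added example, constructed data)."""
import ipaddress
import re

THRESHOLD = 50

# Weights for the factors the article names: the shared database of known
# backends, a crime hotspot address range, and domain-to-geolocation correlation.
W_KNOWN_DOMAIN = 100
W_KNOWN_IP = 100
W_HOTSPOT = 40
W_GEO_MISMATCH = 40

# Constructed log format: one outbound connection per line.
LINE_RE = re.compile(r"host=(\S+) dst=(\S+) ip=(\S+) country=(\S+)")


def new_db():
    """A fresh copy of the constructed 'cloud' reputation data."""
    return {
        "bad_domains": {"c2.badbackend.example"},
        "bad_ips": set(),
        # address range treated as a crime hotspot (RFC 5737 range, constructed)
        "hotspot_nets": [ipaddress.ip_network("203.0.113.0/24")],
        # country where each domain has historically been hosted (constructed)
        "domain_country": {"update.goodvendor.example": "GB"},
    }


def score_connection(dst, ip, country, db):
    """Return (score, reasons) for one outbound connection."""
    score, reasons = 0, []
    if dst in db["bad_domains"]:
        score += W_KNOWN_DOMAIN
        reasons.append("known backend domain")
    if ip in db["bad_ips"]:
        score += W_KNOWN_IP
        reasons.append("known backend ip")
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in db["hotspot_nets"]):
        score += W_HOTSPOT
        reasons.append("ip in hotspot range")
    expected = db["domain_country"].get(dst)
    if expected is not None and expected != country:
        score += W_GEO_MISMATCH
        reasons.append(f"domain usually hosted in {expected}, now {country}")
    return score, reasons


def process_log(lines, db):
    """Score each log line; the address of a flagged backend is shared via the database."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        host, dst, ip, country = m.groups()
        score, reasons = score_connection(dst, ip, country, db)
        if score >= THRESHOLD:
            alerts.append((host, dst, ip, score, reasons))
            db["bad_ips"].add(ip)  # the backend is the stable part, so remember its address
    return alerts


# Constructed sample log lines (no real hosts, domains or addresses).
LOG = [
    "2009-05-20T09:12:03 host=pc-01 dst=update.goodvendor.example ip=192.0.2.10 country=GB",
    "2009-05-20T09:12:09 host=pc-02 dst=c2.badbackend.example ip=198.51.100.7 country=DE",
    "2009-05-20T09:12:15 host=pc-03 dst=mirror.freshname.example ip=203.0.113.9 country=XX",
    "2009-05-20T09:12:21 host=pc-04 dst=update.goodvendor.example ip=203.0.113.9 country=XX",
    "2009-05-20T09:12:27 host=pc-05 dst=mirror.freshname.example ip=203.0.113.9 country=XX",
    "2009-05-20T09:12:33 host=pc-06 dst=stats.goodvendor.example ip=192.0.2.11 country=GB",
]

if __name__ == "__main__":
    for alert in process_log(LOG, new_db()):
        print(alert)
```

pc-03 alone scores only 40 for talking to an unknown domain in the hotspot range, so it is not flagged; pc-04 is flagged because the vendor's update domain unexpectedly resolves into that range, and that writes 203.0.113.9 into the shared database, so pc-05, contacting the same address a few seconds later, is flagged on reputation alone. That is the sharing effect the article attributes to the cloud database.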

Trend Micro predicts that malware samples per hour could hit 26,500 in 2015, Mr Ferguson said. Given that it is no wonder that some are turning to blue-sky thinking to solve the problem.
