Constant Churn Makes Viruses Harder to Catch

The latest data point in the arms race between security firms and cybercriminals comes from Panda Security of Bilbao, Spain.

On Wednesday, the company announced that the quantity of malicious software seen by its customers has skyrocketed recently, with the firm now processing some 37,000 samples per day. In 2008, Panda saw 22,000 new samples every day, on average.

“Samples”, as explained in a previous post to UnsafeBits, is an amorphous term that generally covers not only malicious software and variants that are different on a binary level, but also the same software that has been compressed–more commonly referred to as “packed”–in slightly different ways.

The dramatic increase in malicious software samples shows the success of cybercriminals’ efforts to hide their programs from detection. As the number of samples increases, antivirus firms have to improve their automated analysis capabilities or hire more analysts.

“They decided to attack the antivirus labs,” says Sean-Paul Correll, a threat researcher with Panda Labs. “It is a DDoS (distributed denial-of-service attack) is what it is. It is going to continue and it’s only going to get worse.”

Security-software firms have improved their ability to analyze threats, both through better automated analysis and through hiring more analysts. In Panda’s case, the company launched its Collective Intelligence analysis system in 2007, which typically handles about 99 percent of all submissions to the company, Correll says. Collective Intelligence processes a sample in about six minutes.

Yet, antivirus firms also have to deal with the constant churn of threats. Cybercriminals often only have to pack their latest virus or Trojan horse in a slightly different way to escape detection. And if a particular criminal group does not have the technical chops to create new variants, other groups offer services to create obfuscated programs.

Panda documented the churn by noting that 52 percent of samples are only seen in a single 24-hour period. Another 19 percent do not last more than two days. Within three days, 80 percent of all malware disappears from the Internet.

For consumers, that means that updating their software on a daily basis is no longer enough. With more than half of all malicious software appearing and disappearing between updates, consumers are more than likely to miss a threat.

Panda plans to take the update out of the equation, launching a service, hosted in the cloud, that can automatically identify unfamiliar threats. By uploading specific characteristics of any program encountered by the client, its software can then make a judgment on whether a particular file is malicious or not.

“We upload the behavioral traits,” Correll says. “There is so much valuable information in, say, API calls. You can extract so much data about how the program interacts with the operating system. So rather than upload the original file, … by just using the behavioral traits, we can make a judgment using our past knowledge.”