Anti-virus vendors are getting more than 50,000 submissions of new malware per day now. How can the malware business be so productive? It turns out the numbers aren't really as big as all that.
I was talking to a head research guy at an anti-virus company recently, and
he said that the big anti-virus firms are all getting about 50,000 new malware
submissions every day. 50K! How do they, the malware authors, do it? And how is
it that the AV companies actually get the malware?
Welcome to the malware generation business model. So you want to be a
malware star? Well listen now to what I say. Unfortunately, I will be somewhat
vague, but the fact is that anyone who's technically competent and has the will
to do so can find the missing pieces of the puzzle I'll lay out.
First, very little malware is lovingly hand-crafted from scratch these days.
The name of the game in defeating anti-virus software is volume. You generate
huge numbers of slight variants of a malicious program, do things like use
different packers on the executable, and some end up different enough that the
anti-malware products can't detect them.
So you write or get someone else's malcode generator
. These are
programs that generate malicious code variants. (No, I won't tell you where to
find them.) You can get source to lots of popular malware, make your own
changes and make zillions of variants. But the overwhelming majority of these
variants will be detected by any decent anti-malware program, and you can't
distribute all of then, so how are you to know which are the undetectable ones?
The answer is to use one of the public malware scanning services. The first
and most famous one is VirusTotal
there are several others. You upload a file to these services, and they scan it
with a collection of scanners. Here's the list of VirusTotal's scanners, ripped
straight off of their site:
You get a report back saying what scanners found the
malware, what they detected it as, and which didn't find it. With new malware,
the detections will be overwhelmingly generic/heuristic.
The good news is you can see which variants are undetected enough to be
useful. The bad news is that when a product does not detect your sample,
VirusTotal and the other scanners submit it to the AV companies so that they
can add a signature or adjust their heuristics. You won't go undetected for
long. And of those 50,000 submissions, probably no more than a few hundred,
perhaps much less than that, are ever seen in the wild. Even fewer do real
This arrangement is what makes it worthwhile for the anti-malware companies
to cooperate with VirusTotal. It gets them early access to new malware. It's
also how the AV companies are getting 50,000 submissions a day: The malware
authors are, in effect, sending the new malware directly to the companies. That
they will only have a limited window of opportunity to attack protected users
with the new malware is just a cost of doing business.
If you want to spend some money to avoid having to inform the industry about
your new code, start your own multiproduct scanning lab. You'll need current
subscriptions for as many products as you can get, but I'm not sure it would
buy you much time. These companies talk to each other, and if a new,
undetectable variant came out from the wild, word would spread pretty quickly;
soon someone would feed it through VirusTotal or one of the other services, and
the jig would be up.
None of this is news and shouldn't be surprising. The moral of it all, and
this too should not be news to you, is that anti-malware should not be your
only line of defense. Many people call it useless because some attacks get
through, and now you know how, but no line of defense is perfect. Anti-malware
needs to be combined with other forms of defense, like a firewall, an intrusion
prevention product, running your system with least privileged access and not
clicking on links in e-mails (or at least being very careful about doing so).
This is what is referred to as defense-in-depth, and if you're good about
practicing it and careful online, you should be safe.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack.