Attack Variants Living Shorter Shelf-Lives
As attackers seek to endlessly vary their threats in order to circumvent reactive security controls and find their way onto more end users' machines, individual virus samples are appearing, and disappearing, faster than ever, experts contend.
For years, malware code writers and distributors have been using techniques including server-side polymorphism to conjure code scripts that haven't before been seen by anti-virus technologies, and therein have a stronger likelihood of achieving their nefarious goals.
But the problem has itself reached epidemic proportions, as attackers are so rapidly changing their code that it is making it nearly impossible for traditional signature-based AV systems to catch them, forcing users to rely on other technological solutions such as the use of generic signatures and more advanced behavior monitoring tools to do so.
PandaLabs reported Wednesday that some 52 percent of today's attacks are in circulation for less than 24 hours of the approximately 37,000 new viruses, worms, Trojans and other threats that the company is tracking each day.
After their short run in the wild, the attacks typically become "inactive and harmless" as they are replaced by other, new variants, Panda researchers reported.
The use of this short shelf life approach for malware in part explains the towering increases in the sheer number of new threats that researchers are logging, the company said.
At the close of 2008, PandaLabs had recorded a total of 18 million malware samples tracked over its 20 year history. Over the first seven months of 2009, Panda recorded an additional 12 million samples, making 2009 by far the biggest year for new attacks, a record previously smashed in 2008.
The numbers game is not adding up anymore, which will force AV companies like Panda and all of its rivals to put more emphasis on newer techniques for stopping previously unseen attacks, experts conceded.
"This is a never-ending race which, unfortunately, the hackers are still winning. We have to wait until we get hold of the malware they have created to be able to analyze, classify and combat it," Luis Corrons, Technical Director of PandaLabs said in a report summary. "In this race, vendors that work with traditional, manual analysis techniques are too slow to vaccinate clients, as the distribution and infection span is very short."
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.