## Friday, June 6, 2008

### Malware Trend in 2007

I read the report "IBM Internet Security Systems X-Force 2007 Trend Statistics". This is a report describing trends for various threats in 2007. The X-Force team has been tracking trends since 2000. I found the report to be quite interesting. In the rest of this post, I highlight some of the interesting points from the report and what they mean in the context of malware detection.

(I) The X-Force team reports continued growth in Web browser exploitation. This clearly shows that the infection vector is shifting to the Web. Earlier, the primary infection vectors were email and the network. Therefore, for detecting malware, drive-by downloads (DBD) and other threats that target the Web browser need a lot of attention.

(II) X-Force also reports a marked increase in obfuscated exploits, i.e., exploits that use various code obfuscation techniques (such as encryption). Here is a quote: "X-Force estimated that nearly 80 percent of Web exploits used obfuscation and/or self decryption ... By the end of 2007, X-Force believed this rate had reached 100 percent, ...". This means that going forward, Web exploits will increasingly harbor indiscernible code, rendering signature-based techniques less effective. Advanced techniques (such as behavior-based detection) are clearly needed to detect such malware. To exacerbate the situation, the X-Force report stated that there was a 30% increase in new malware samples in 2007 over 2006. This further drives home the point that signature-based detectors will have trouble keeping up with the volume of malware, as they cannot detect new threats.

(III) There was another very interesting point made by the report. Modern malware uses features from various types of classic malware (such as viruses, worms, and spyware), pulling the successful features of each into new strains. To quote the report, "Modern malware is now the digital equivalent of the Swiss Army knife, and 2007 data continues to support this." This trend also indicates that the behavior of malware is becoming more sophisticated, which again supports my claim that detection techniques based on analyzing behavior are better suited to handle the malware of the future. Another interesting tidbit from the report: "Trojans make up the largest class of malware in 2007 as opposed to downloaders, which were the largest category in 2006." Recall that a Trojan appears to be a legitimate file but carries some hidden functionality (for example, that of a rootkit). Trojans are historically a problematic class of malware for signature-based detection.

Overall, I found the report to be very interesting. Read it for yourself. You can find the report here.