I read the report IBM Internet Security Systems X-Force 2007 Trend
Statistics, which describes trends for various threats in 2007. The
X-Force team has been tracking these trends since 2000. I found the report
to be quite interesting. In the rest of this post, I highlight some
of the interesting points from the report and what they mean in the
context of malware detection.
(I) The X-Force team reports continued growth in Web browser exploitation. This
clearly shows that the infection vector is shifting to the Web; earlier,
the primary infection vectors were email and the network. Therefore,
malware detection needs to pay a lot of attention to drive-by downloads (DBD) and other threats that compromise the system through the Web browser.
(II) X-Force also reports a marked increase in obfuscated exploits, i.e.,
exploits that use various code obfuscation techniques (such as encryption).
Here is a quote: "X-Force estimated that nearly 80 percent of Web exploits
used obfuscation and/or self decryption ... By the end of 2007, X-Force
believed this rate had reached 100 percent, ...". This means that going
forward, Web exploits will increasingly carry code that is not recognizable until it decodes itself at run time, rendering signature-based techniques less effective. Advanced
techniques (such as behavior-based detection) are clearly needed to detect
such malware. To exacerbate the situation, the X-Force report stated that
there was a 30% increase in new malware samples in 2007 over 2006. This
further drives home the point that signature-based detectors will have trouble
keeping up with the volume of malware: a signature can only be written after a sample has been seen and analyzed, so such detectors cannot detect new threats.
(III) There was another very interesting point made by the report. Modern
malware uses features from various types of classic malware (such as viruses, worms,
and spyware), pulling the successful features of each into new strains. To quote the report, "Modern malware is now the digital equivalent
of the Swiss Army knife, and 2007 data continues to support this." This trend
also indicates that the behavior of malware is becoming more sophisticated, which
again supports my claim that detection techniques based on analyzing behavior are
better suited to handle the malware of the future. Another interesting tidbit from the
report: "Trojans make up the largest class of malware in 2007 as opposed to downloaders,
which were the largest category in 2006." Recall that a Trojan appears to be a
legitimate file with some hidden functionality (for example, that of a rootkit).
Because the file looks legitimate and the hidden functionality only shows itself when the file runs,
Trojans are historically a problematic class of malware for signature-based
detection.
Overall, I found the report to be very interesting. Read it for yourself.
You can find the report here.
Comments
I agree that signature-based methods are less effective for polymorphic viruses. But I am not quite sure how behavior-based detection works. Could you provide some examples?