Kaspersky Lab: Malware Quality Down, Quantity Up

They just don’t make malware like they used to. Or at least like they did earlier this year.

Even low-quality malware, however, is taxing the resources of security companies, since it is being detected in ever-higher numbers.

Over the past six months, the technical creativity of malware has fallen along with the ability to cause massive damage, such as that created by the MyDoom and Sasser worms of years past, wrote Alexander Gostev, senior virus analyst for Kaspersky Lab, in a recent report.

Gostev’s lab intermittently sees highly technical malware, but most is “the same unending stream of Trojans, viruses and worms,” he wrote. In many cases, hackers simply take existing malware and create variants, by tweaking the older code to evade antivirus software.

At times, the process is simple trial and error. Malware writers use online scanners such as Virustotal, which check to see if their new code will be detected by antivirus software, said Mikko Hypponen, chief research officer for F-Secure.

If the code is detectable, they can make a slight modification and run it through the scanner again.

“I’d like to tell you that we’re winning this war,” Hypponen said. “But frankly, I’m not so sure. We need new kinds of solutions.”

Because much of the code is not new, it tends to remain effective for shorter periods of time before antivirus companies detect it. Still, the time it takes to identify and create a signature for a new virus, which can range from a few minutes to a few hours, is often long enough for hackers to infect computers.

“Antivirus companies are working at the limits of their capabilities in terms of speed,” Gostev wrote.

To be sure, some malicious hackers are doing creative work. This year saw some sophisticated phishing attacks, and virus writers have been branching into relatively new areas like instant messaging and social networking sites, noted Christopher Boyd, security research manager for FaceTime Communications. But the trend overall, he said, has been “quantity over quality.”

Kaspersky Lab in Moscow is on the front lines of the battle. Its analysts added 2,000 signatures to their database in January 2005. Last month they added 10,000 signatures—a fivefold increase, said Stanislav Shevchenko, head of the lab.

The virus analysts work 12-hour shifts, pulling up screen after screen of rolling lines of code. Automated tools analyze some pieces of malware, but human analysis is still needed for others.

A good analyst should process an average piece of malware within five minutes, Shevchenko said. But some of the rarer, more creative code is harder to crack. Polymorphic viruses—ones that can change their byte sequences to throw off antivirus software—can take up to a week to analyze, Shevchenko said.

The signatures are added to a database used by Kaspersky’s antivirus engine, which is licensed by other security vendors such as Juniper Networks, ClearSwift and F-Secure.

The increase in the volume of malicious code can be attributed in part to the impunity enjoyed by malware writers, said Eugene Kaspersky, head of antivirus research. Despite efforts by law enforcement agencies to strengthen international cooperation, most malware writers are never punished.

“It’s quite safe for them,” Kaspersky said. “If they are clever enough, there is almost no risk for them at the moment.”

The U.S. FBI and Russia’s Federal Security Service (FSB), the successor to the country’s KGB intelligence agency, frequently ask Kaspersky Lab for information, said Kaspersky spokesman Timur Tsoriev. The FSB, however, approaches Kaspersky less these days since the agency has bolstered its in-house expertise, Kaspersky said.

Kaspersky said his lab focuses less on finding the root of criminal activity than protecting the company’s customers. But the burden of rising online criminal activity directly impacts security companies, he said.

“If there is no help from the police and if they don’t reduce the number of criminals, I’m afraid the detection for all antivirus products will go down,” Kaspersky said.

-Jeremy Kirk, IDG News Service (London Bureau)