
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Analysis

The truth about the threat

Posted on 13 Aug 2008 at 11:33

Clearly, the malware threat isn't merely a case of security industry hype. We found it in our searches for media files, and we found it in abundance when we turned to file-sharing. But in everyday use, and when looking for a range of specific resources - even porn and gambling sites - the threat seems surprisingly small. It appears that the increasing prevalence of Firefox and the greater emphasis on security in Internet Explorer 7 have severely impeded the spread of malware.

Those findings are echoed by the latest Information Security Breaches Survey, carried out by a consortium led by PricewaterhouseCoopers on behalf of the Department for Business, Enterprise & Regulatory Reform. The study, which focused on businesses, found 60% fewer malware infections than in 2006.

How can we square these findings with the alarming figures trumpeted by security vendors? Kaspersky Lab reported recently that it found almost as many new malicious programs in 2007 as it had in the previous 15 years combined. So where are they all hiding?

There's no single answer, but a big factor is doubtless the move from viruses to drive-by downloads and trojans. The classic virus is a self-replicating program that spreads from computer to computer by itself. Typically, a program such as this will be quickly identified by antivirus developers, and signature files will be updated to stop it in its tracks.

But with drive-by downloads and trojans, each visitor to the site gets a fresh copy of the malware. This means attackers can constantly update the code, keeping it unrecognisable to antivirus software. AV-Test's figure of five million new malware items in 2007 is based on MD5 hashes, meaning that if two downloads differ by even a single bit, they'll be counted as different threats - even if the code is functionally identical. Thus, the huge numbers bandied about by detection agencies tell us very little about the risk of infection: 100,000 signatures could relate to 100,000 slightly different copies of the same program, hosted on a single web server.
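The counting effect described above, as an added example that is not part of the original article: a tally of distinct MD5 hashes set beside a grouping by content similarity. The byte patterns are constructed and inert, all function names are illustrative, and the n-gram similarity grouping is a simple stand-in chosen for this example, not a method attributed to AV-Test or any vendor.

```python
import hashlib

def md5_count(samples):
    """Number of 'distinct threats' when every unique MD5 counts as one."""
    return len({hashlib.md5(s).hexdigest() for s in samples})

def shingles(data, n=8):
    """Set of overlapping n-byte windows: a crude content fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a, b):
    """Share of windows two fingerprints have in common (0.0 to 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def family_count(samples, threshold=0.8):
    """Greedy grouping: a sample starts a new family only if it resembles
    no existing family representative."""
    reps = []
    for s in samples:
        fp = shingles(s)
        if not any(jaccard(fp, r) >= threshold for r in reps):
            reps.append(fp)
    return len(reps)

def make_copies(body, count):
    """Constructed data: identical body plus a 4-byte per-copy counter,
    standing in for a server that hands each visitor a 'fresh' file."""
    return [body + i.to_bytes(4, "big") for i in range(count)]

# Constructed, inert byte patterns (not real samples).
BODY_A = bytes(range(256)) * 4
BODY_B = bytes(reversed(range(256))) * 4
SAMPLES = make_copies(BODY_A, 1000) + make_copies(BODY_B, 3)

if __name__ == "__main__":
    print("distinct MD5 hashes:", md5_count(SAMPLES))
    print("similarity families:", family_count(SAMPLES))
```

The hash tally grows with every copy served, while the family count stays at the number of underlying programs, which is the figure that bears on exposure.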

Reality check

Security companies like to publicise the number of signatures their software recognises - after all, it's in their interest to put maximum emphasis on the risks. But internally, many recognise that the number of viruses being scanned for is significantly greater than the number actually being found. "There's an awful lot of scanning going on," admits David Emm, "but there's not a lot of stuff being picked up most of the time."

Symantec's Con Mallon agrees that the headline figures tell only part of the story. "We have something called the Norton Community Watch, where users can ping back to us when they find a malicious website. We're getting 10,000 submissions a day. But that's probably only 1,500 unique domains a day. And that's a worldwide number: for sites that are a concern to a user sitting in the UK today, maybe it's only tens."

But Mallon is obviously reluctant to call the threat overblown. "I can't say that surfing the web is low-risk. We're seeing the web as a focal point for attacks, and all of the numbers are very much in an upward trajectory. A lot of the time, I might be able to avoid an attack, but there could be one thing out there that will go after me and I'll fall into the trap."

Indeed, while our own experiments found far less malware than we'd feared, we certainly witnessed genuine danger. And, as criminals keep looking for new ways to make money out of the internet, new approaches may catch you off guard. "Social networking sites, such as Facebook, are complex enough to run malware," says Andrew Lee. "And in online communities, such as World of Warcraft or Second Life, people can steal and sell your online assets." No matter how well informed you are about the risks, we couldn't recommend regularly using the internet without malware protection.
