Friday, March 21, 2008

swamped or not swamped?

there's this idea floating around that says the following:
We all know malware is starting to fly under the radar of black list style detection. Low volume malware is flooding the AV labs’ capability to build detection for it.
there are 2 key erroneous notions in this line of argument, the first is that malware is starting to fly under the radar of known-malware scanners (blacklist style detection)... malware has always flown under the radar of known-malware scanning in the beginning of its life-cycle, the only difference now is that there is a whole lot more of it at that stage of its life-cycle at any given moment...

the second erroneous notion is that av labs are being overwhelmed by the number of malware instances being produced... the implication here is that there is an ever-growing backlog of malware to be analyzed... let's take a hypothetical example - say an av vendor is able to process 5 malware samples a day but the malware writers are producing 6 malware samples per day... over the course of a year that av vendor has slipped behind by 365 samples and we can all see how farked they'd be in that sort of situation...

that is if they were morons who sat on their thumbs doing nothing about the problem, not realizing that it's possible to increase the number of malware samples they can process in a day in the short term by adding more analysts, and in the long term by pouring research dollars into malware analysis automation... there is always room for advancement in automation, and the reverse engineering competitions that go on point to a healthy pool of potential new analysts for the av companies to draw from...

it is true that more and more malware is flying under the radar of known-malware scanning, but only because there's more and more malware period... if malware writers are creating 6 samples per day when they used to only produce 3 per day, that will appear as a 100% increase in the amount of malware flying under the radar regardless of whether av vendors can process 3, 6, or 600 per day... the increased numbers don't necessarily exceed the vendors' abilities, they just make that initial window of opportunity seem more significant...
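to make the arithmetic above concrete, here is a small day-by-day queue model (an added example, not something from the original post) that runs the 5-vs-6 hypothetical for a year, reruns it with the lab's capacity stepped up after a lag, and then compares 3 vs 6 samples per day against a lab that can handle 600 per day... the rates, the 30-day hiring lag and the one-day signature delay are all constructed illustration values, not measurements of any real vendor...

```python
"""toy day-by-day queue model of malware production vs. av lab analysis capacity.

added example, not from the original post. all rates are constructed
assumptions: the post's hypothetical 5-vs-6 samples/day, a 30-day hiring
lag and a one-day signature-build delay are illustration values, not
measurements of any real lab.
"""
from typing import Callable, Dict, List

# day number (1-based) -> number of samples the lab can analyse that day
Capacity = Callable[[int], int]


def constant(rate: int) -> Capacity:
    """lab capacity that never changes (the 'sat on their thumbs' case)."""
    return lambda day: rate


def step(before: int, after: int, switch_day: int) -> Capacity:
    """lab capacity that jumps on switch_day (new analysts or automation coming online)."""
    return lambda day: before if day < switch_day else after


def simulate(production_per_day: int,
             capacity: Capacity,
             days: int = 365,
             signature_delay_days: int = 1) -> Dict[str, int]:
    """run the queue for `days` days and report three numbers.

    each day `production_per_day` new samples arrive and the lab analyses up to
    capacity(day) of the waiting samples. a sample becomes detectable
    `signature_delay_days` after it is analysed (constructed assumption: the
    minimum time between a sample existing and a signature shipping).

    final_backlog    - samples still waiting for analysis at the end of the run
    peak_backlog     - the worst backlog seen on any day
    undetected_final - samples that exist but are not yet detectable on the last
                       day: the backlog plus everything analysed inside the
                       signature delay window
    """
    backlog = 0
    peak = 0
    processed_history: List[int] = []  # samples analysed per day, oldest first
    for day in range(1, days + 1):
        waiting = backlog + production_per_day
        processed = min(capacity(day), waiting)
        backlog = waiting - processed
        peak = max(peak, backlog)
        processed_history.append(processed)
    # samples analysed within the last `signature_delay_days` days have no shipped signature yet
    if signature_delay_days > 0:
        recent = sum(processed_history[-signature_delay_days:])
    else:
        recent = 0
    return {
        "final_backlog": backlog,
        "peak_backlog": peak,
        "undetected_final": backlog + recent,
    }


if __name__ == "__main__":
    # the post's hypothetical: 6 written per day, 5 analysed per day, capacity never changes
    print("fixed capacity      ", simulate(6, constant(5)))
    # same lab, but capacity rises to 7/day once the 30-day hiring/automation lag is over
    print("capacity grows      ", simulate(6, step(5, 7, 31)))
    # production doubles from 3 to 6 while capacity is far above both: the
    # 'under the radar' count still doubles, because the signature delay sets it, not capacity
    print("3/day, 600 capacity ", simulate(3, constant(600)))
    print("6/day, 600 capacity ", simulate(6, constant(600)))
```

the first run reproduces the 365-sample backlog from the hypothetical... the second shows the backlog peaking at 30 and then draining to zero once capacity exceeds production, which is the point about adding analysts and automation... the last two runs show the 'flying under the radar' count going from 3 to 6 even though the lab could handle a hundred times that, because that number is production rate times the signature window, and has nothing to do with capacity once capacity is above production...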
