Posted on Wednesday, October 18th, 2006

Virus Bulletin 2006 and Flying Cars

by Jose Nazario

I spent a good portion of last week at Virus Bulletin 2006 in Montreal, Canada, or preparing for it. My talk on botnets and some of our research was on Thursday, and I had been working on slides with updated statistics and information. Overall, the talk went OK and it was well received, which is great for my first visit to a Virus Bulletin conference and before such a sharp crowd. I didn’t have as polished a presentation as Mikko, but no one did.

VB is the industry’s biggest bash, it seems. The AV camp has remained very distant from the larger information security community until the last few years, which has been fascinating. For me, coming from an infosec products background, their challenges and solutions have always been a bit odd. They have tests and certifications which, at first glance, seem almost geared towards making a product look good unless it’s a real failure. Upon closer inspection, however, the tests start to make sense, but there are still some holes. The infosec industry doesn’t have nearly as unified a product certification sphere as the AV industry does, and so many people still prefer to do their own in-house testing, correctly or incorrectly.

As an outsider for so long (and still, I’m an outsider), I’m still surprised at the business constraints these guys work with. AV has become a commodity, and the profit margins on a single user are razor thin. Also, with Microsoft entering the AV world, everyone’s running for cover and building consumer security suites. This is good: it adds layers to the protections needed by nearly every computer out there, but only if they’re used properly.

I think my biggest feeling walking away from VB 2006 was that we haven’t solved this malware problem. It’s 2006, and yet if you look at our malware statistics for the past couple of months, it’s malware that is, in most cases, over a year old that dominates the trends:

Rank  Name                 Sep 2006  Aug 2006  Change
 1.   Worm.Mydoom.AT        13.4%     7.3%     +124%
 2.   Worm.Mydoom.M          4.7%     4.4%      -72%
 3.   Worm.Mytob.AF          4.0%     2.8%      -95%
 4.   Worm.Lovgate.X         4.0%     3.6%      -73%
 5.   Worm.Mytob.V           3.9%     4.3%      -62%
 6.   Worm.Mytob.S           3.8%     1.8%     +145%
 7.   Worm.SomeFool.P        3.4%     3.7%      -62%
 8.   Worm.Mytob.AY          3.4%     3.3%      -69%
 9.   Worm.Bagle.pwd-eml     3.1%     0.7%     +315%
10.   Worm.Mytob.AU          2.7%     1.0%     +177%

(The Change column is reproduced as reported; note that it is not the month-over-month change of the two share columns, so it presumably tracks a different base, such as raw sample counts.)

Our stats largely mirror those of other AV companies, and we use the ClamAV names (for historical reasons). But this raises the question: why don’t we have better threat detection and elimination? We’ve known about these nasties for months or years, so why do we still see them so prominent in the trends?
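As an added check on the ranking above (example code written for this page, not the author’s or ClamAV’s): the script parses the ten rows as printed, re-derives the August-to-September change in share from the two percentage columns, flags rows where the printed Change figure disagrees with that, and sums the shares by family. The table text is embedded as constructed input; the assumption that the printed Change column measures something other than share (raw detection counts, say) is mine and is not stated on the page.

```python
import re

# Constructed input: the ranking table from the post, copied verbatim.
TABLE = """\
Rank Name Sep 2006 Aug 2006
1. Worm.Mydoom.AT 13.4% 7.3% +124%
2. Worm.Mydoom.M 4.7% 4.4% -72%
3. Worm.Mytob.AF 4.0% 2.8% -95%
4. Worm.Lovgate.X 4.0% 3.6% -73%
5. Worm.Mytob.V 3.9% 4.3% -62%
6. Worm.Mytob.S 3.8% 1.8% +145%
7. Worm.SomeFool.P 3.4% 3.7% -62%
8. Worm.Mytob.AY 3.4% 3.3% -69%
9. Worm.Bagle.pwd-eml 3.1% 0.7% +315%
10. Worm.Mytob.AU 2.7% 1.0% +177%
"""

# rank, ClamAV name, Sep share, Aug share, printed change (sign required)
ROW = re.compile(r"^(\d+)\.\s+(\S+)\s+([\d.]+)%\s+([\d.]+)%\s+([+-]\d+)%$")


def parse_rows(text):
    """Return one dict per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rank, name, sep, aug, stated = m.groups()
        rows.append({"rank": int(rank), "name": name, "sep": float(sep),
                     "aug": float(aug), "stated": int(stated)})
    return rows


def share_change(row):
    """Percent change in share from Aug to Sep, one decimal."""
    return round((row["sep"] - row["aug"]) / row["aug"] * 100, 1)


def mismatches(rows, tolerance=5.0):
    """Rows whose printed change is more than `tolerance` points away from
    the share-derived change. A non-empty result means the printed column
    is not a function of the two share columns (assumed: a count-based base)."""
    return [(r["name"], share_change(r), r["stated"])
            for r in rows if abs(share_change(r) - r["stated"]) > tolerance]


def family_shares(rows):
    """Sep share summed by family, taken as the second dotted component
    of the ClamAV name (Worm.Mydoom.AT -> Mydoom)."""
    totals = {}
    for r in rows:
        fam = r["name"].split(".")[1]
        totals[fam] = totals.get(fam, 0.0) + r["sep"]
    return {fam: round(v, 1) for fam, v in totals.items()}


def top_ten_share(rows):
    """Share of all Sep detections accounted for by the ten listed names."""
    return round(sum(r["sep"] for r in rows), 1)


if __name__ == "__main__":
    rows = parse_rows(TABLE)
    print("top ten share of Sep 2006 detections:", top_ten_share(rows))
    print("by family:", family_shares(rows))
    for name, derived, stated in mismatches(rows):
        print(f"{name}: share change {derived:+.1f}%, printed {stated:+d}%")
```

Two things fall out of running it: the ten names together account for well under half of the month’s detections, and Mydoom and Mytob variants alone are roughly 36%, which is the concentration the post is pointing at. Every row lands in `mismatches`, which is why the Change column should be read as a separate measure rather than as a change in share.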

I don’t know what the future holds for the infosec industry, but the proliferation of threats - not just viruses and worms but rootkits, bots, spyware, and all manner of tools loaded by bad guys onto your box - means that we’re going to have to run faster, harder, and even further to try and keep up.

It’s 2006. If I can’t have the flying car that I was promised several years ago, why do I still have to wait for my AV vendor to detect a threat when I can spot it right there with my own two eyes? I’m reminded of a paper from IBM’s AntiVirus labs (since shut down), Virus Bulletin 2010: A Retrospective. Read it, and look at the reality of our current anti-malware situation. Perhaps the flying car we were promised was grounded by a virus. Perhaps cyberthieves have stolen the plans and are selling them on some IRC channel.

One Response



Comment by rodolfo — October 19th, 2006 @ 7:58 pm EST

Hi, Jose:

Are you planning on posting the slides of your VB presentation?

rodolfo
