Friday, 14 October 2011

What's infecting today?

When you run real-world virus tests, it's best to use malware that people are really experiencing. That's what we do, but our approach is a little different to some. We find our own samples, independently of the anti-malware vendors.

As a result, it's always interesting when we see research that suggests what the common threats are. These reports usually reflect our own findings, which is not that surprising. However, sometimes they explain why we are seeing certain threats come and go.

When we locate malware for testing purposes we endeavour to find a selection of samples that provides a reasonable representation of what lots of people are finding. That way we can make the claim that, "if you were online today (e.g. 14th October 2011), visited this website (www. somethingbad. tld/ exploit.php) and your PC had Product X installed then the threat would have:

  1. been blocked
  2. run but then have been neutralised or
  3. successfully compromised your system."

This approach produces an interesting, honest, realistic result. It's worth mentioning again that we don't take malware or malicious URL feeds from any anti-virus vendors. When our observations match their security reports it confirms that, by and large, we're all seeing the same bad stuff.

Here's one example: Earlier this week I attended the RSA conference in London. In a presentation called The Geography of Cybercrime, Kaspersky's Darya Gudkova noted that the fake AV threat had fallen off dramatically in June of this year because the man allegedly behind the scam had been arrested. We too had noticed that the fake AV threat had all but disappeared since June, but we did not know why - until now.

Similarly, in the current tests that we are running we've been seeing fewer drive-by attacks and more direct downloads than in previous months. We hadn't seen fake codec attacks for a while, but here they are again, turning up in our own malware lists just like three years ago.

Microsoft has just published the 11th volume of its Security Intelligence Report. It claims that malware requiring user interaction far outweighs drive-by downloads, which in turn are even outnumbered by USB autorun threats. Yet again, a further indication that what we find matches what much larger organisations are seeing.

We don't test USB-based threats anymore. Maybe we should.