Antivirus Prevalence Lists: Useful or Not?

In "Malware threat lists slammed as 'useless'", Infoworld magazine reports that "Security vendor PC Tools has questioned the usefulness of the threat lists used by many security companies to warn of current malware attacks."

If we look at the March 2008 prevalence lists from Kaspersky, Sophos, and other antivirus vendors, we find the top ten are heavily saturated with email worms. Indeed, most of these same email worms have been topping these charts for three years or more.

Yet in the past three years, the threat landscape has changed dramatically. So why have these antivirus vendor prevalence lists stood still?

Antivirus top ten lists are based on volume, which means anything that even attempts to spread via email will result in higher numbers - even if a single copy of the worm never makes it through to the user. And in most cases, email worms never do make it through to the user thanks to the wide adoption of scanning at the ISP, web mail, or corporate gateway (or in the cloud).

Netsky is one such example. Netsky routinely tops antivirus prevalence lists, but it's actually rarely seen in a user's inbox (thanks to wide adoption of email scanning). When an infection does occur, the Netsky worm begins spewing email to any email addresses it finds on the system, plus it copies itself to any P2P-related shares it finds. And each one of these individual emails ends up as a tally in antivirus prevalence lists. So if Joe User has 100 email addresses on their system when the worm launches, that's not counted as one, but rather as 100 (one detection per email sent).

Conversely, a backdoor or password stealing (pws) trojan doesn't email itself. So if a backdoor or password stealer is encountered, it's tallied as one. Thus right off the bat, the score becomes Netsky 100, backdoor 1 - which artificially inflates the importance of Netsky and minimizes the impact of the backdoor trojans. (Not to mention that a backdoor infection is much more serious than a Netsky infection to begin with).
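To make the counting bias concrete, here is an added example (not code from the article or from any vendor) that tallies a constructed set of detection records two ways: once per detection event, the way a volume-based prevalence list does, and once per distinct infected host. The log format, host names and family names are all made up for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample detection records (not real telemetry), one per line:
# timestamp, host, malware family, vector. Two Netsky-infected hosts each
# mail themselves out several times; every mail is scanned and tallied at
# the gateway as a separate detection. The trojans are seen once per host.
SAMPLE_LOG = "\n".join(
    [f"2008-03-03T09:00:{i:02d} host-A Netsky email" for i in range(6)]
    + [f"2008-03-03T13:40:{i:02d} host-D Netsky email" for i in range(4)]
    + [
        "2008-03-03T10:15:42 host-B PWS.Trojan download",
        "2008-03-03T10:22:08 host-E PWS.Trojan download",
        "2008-03-03T11:02:10 host-C Backdoor download",
        "2008-03-03T11:48:55 host-F PWS.Trojan download",
        "2008-03-03T12:30:19 host-G Backdoor download",
    ]
)


def parse_log(text):
    """Yield (host, family) pairs from the constructed log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, host, family, _vector = line.split()
        yield host, family


def rank_by_volume(text):
    """Vendor-style prevalence: every detection event counts as one hit."""
    return Counter(family for _host, family in parse_log(text)).most_common()


def rank_by_infected_hosts(text):
    """Count each family once per distinct host, so a worm that mails itself
    from one victim many times no longer outranks a single backdoor elsewhere."""
    hosts = defaultdict(set)
    for host, family in parse_log(text):
        hosts[family].add(host)
    return sorted(((f, len(h)) for f, h in hosts.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("By detection volume:  ", rank_by_volume(SAMPLE_LOG))
    print("By infected hosts:    ", rank_by_infected_hosts(SAMPLE_LOG))
```

On this sample the volume ranking puts Netsky first with 10 hits, while the per-host ranking puts it last: it lives on only two machines, fewer than the password stealer.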

Antivirus prevalence lists are also more indicative of where that vendor has the strongest presence (generally email), so that needs to be factored in as well. Or as PC Tools CEO Simon Clausen explained to Infoworld:
"Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat. But the threat landscape has changed significantly, and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats."

One exacerbating angle that the Infoworld article doesn't address is the issue of virus names. When a threat is detected, chances are very good that no accompanying description can be found for that specific threat. And when a virus description is found, today it is likely to be a 'family' description which only describes the threat in a very general way.

For users who must attempt manual removal, or security folks who must know what the exact threat does, these generic family descriptions aren't very helpful (assuming they even exist). In most cases today, only three viable options exist to determine what a particular piece of malware does: (1) reverse engineering; (2) infecting and monitoring a goat system; (3) using a dynamic analyzer such as PC Tools ThreatExpert. (Other dynamic analyzers exist; ThreatExpert seems to work best).

PC Tools ThreatExpert not only provides a detailed analysis of what the malicious file does, it categorizes it based on a variety of information in order to measure impact. (PC Tools also includes geographical origin, i.e. what language/country the malware was written in, regardless of where it was discovered.) When viewed from this fresh perspective of 'actual risk', the PC Tools top ten list contains several password stealers and backdoors - and only one pure email worm.
