Malware Threat Reports Are "Apples and Oranges"

Ant writes "The December malware threat reports are trickling in from vendors — and they all appear to be different. Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will inevitably be confused by the results. Not only do the various security companies use different names for the threats they identify; they don't even identify the same threats."

Do any of them mention linux or OS-X?

[symbolset]

At all?

Re:Do any of them mention linux or OS-X?

They also didn't mention OpenBSD.

This will answer your question, symbolset -

[Ethanol-fueled]

From TFA, but not in order:

"He argued that antivirus companies have tried to use common names for malware that they find..."

No they haven't.

"It's hard for users...Because anti-malware vendors are also competitors, they have little incentive to work together on normalizing names and detection techniques, he pointed out...Because of the way that the industry works, you can't work around them too well."

That's why.

"In short: is there a problem with the user confusion over threat tables like these? Most definitely..."

Most definitely not. Windows users have no idea about 'threat tables' or what the hell's going on, except that their antivirus program is blinking red and making noises and they have to keep clicking "yes" or "OK" to make it better.

"'Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges,' said Tom Kelchner, Sunbelt Research Center manager. 'What one company detects and identifies as a specific, named piece of malcode, another may detect generically.'"

The inconsistency stems from the fact that these so-called "antivirus software research labs" are just Windows terminals with neckbeards in each. Symantec's neckbeard prefers browsing porn sites with ActiveX. Fortinet's neckbeard gets his latest and greatest malware from careless P2P downloads. Kapersky's neckbeard gets his viruses from phishing and gambling sites.

Hence the inconsistent naming conventions and detection profiles across vendors. +5 informative.

Re:Wow!

[HamSammy]

You can see each story 10-20 minutes before it goes "live." (Assuming we posted it that far in advance, which usually we do.)

Straight from the Subscription FAQ. Fail troll is fail.

Re:Wow!

[HamSammy]

Totally pressed the submit button on accident, now I am the failing one.

There can only be one way out.

SEPPUKU.

Example of competition gone wrong

[syousef]

Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market. There are a number of problems:

1) Antivirus solutions do not co-exist - and not just the resident portion. I'd love to run a second or 3rd scanner like I can for spyware but Antivirus vendors have created a market that is use to the worst kind of lock in. Why can't I run 3 different products side by side and decide which one's resident scanner I want switched on? I'm sure there are technical issue but I'm also sure they're not insurmountable.

2) Antivirus vendors are now trying to police what you can and can't do. Look at the numerous reports of false positives for programs that are legally grey (or black) but aren't viruses. I've personally had network tools come up as false positives and it's a pain to unquarantine and exclude them so they don't quarantine themselves again.

3) The main form of collusion between vendors seems to be fitting into Microsoft frameworks so they show up as antivirus software in the appropriate control panel and so you don't get warnings about invalid or out of date antivirus. But this in itself makes them more vulnerable to attack

4) The products are often so badly written that they cause as many problems as they solve. A bad update here or there can (and has in the past) caused irrevocable system damage that has required a reinstall or restore from backup for users. What's the point of an antivirus that does this. Worse I've seen much subtler performance problems from minor antivirus updates - in one case it brought a company I worked for's client's machines to their knees and initially they blamed us. Turns out a change in the engine meant very big files were being opened and re-scanned for every write. Needless to say it wasn't out fault.

5) Every vendor seems to have their own names for a virus. For pity sake can we have some kind of standard naming mechanism?

Isn't competition suppose to improve such things and open up the market? In this case it just hasn't happened. There has been implicit collusion but not of the right sort to improve or provide a diverse range of products. There's not one product that will protect you well.

Re:Example of competition gone wrong

[Korin43]

I'm guessing the reason you can't use multiple resident scanners is that just one will bring your system to a crawl. I don't even want to touch a computer with Norton + McAfee. Back when I used Windows my solution was to have adblock, spybot, AVG and Clamwin and then just scan any programs I downloaded (along with not downloading seedy looking programs). It worked pretty well. If I did have any viruses, none of them were noticable (and my monthly+ scans never picked anything up). I think the need for constantly running virus scanners is seriously overstated, at least for people who know not to run HorseSex.exe.

Re:Example of competition gone wrong

[ozmanjusri]

Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market.

No, this is a clear example of a monopoly creating a market repairing broken Windows. That's why it seems confusing.

Consumers shouldn't be facing a choice of ineffective bandaids to patch over their computers' inability to keep malware out. They should be able to choose a computer/OS that is inherently resistant.

For computer users, this is a Red Queen's race, and Windows users have to keep paying and stay vigilant just to retain a semblance of control of their own machines. The real solution is to mandate open formats, APIs, and protocols, then let any OS vendor compete on level terms. When consumers can select an OS that suits them, including the level of security they wish to pay for, we will have competition. Only then will OS vendors have to improve their products to retain customers.

Re:Example of competition gone wrong

[symbolset]

Hashes really aren't useful for metamporphic code and a short signifier for heuristics is fairly meta.

Re:Example of competition gone wrong

[ozmanjusri]

There is; it's called "a computer that is powered off"

Please tell me how a virus can infect a Live CD?

Re:Example of competition gone wrong

[ozmanjusri]

why aren't people leaving windows for linux in droves?

Because, as I stated, we don't have open formats, APIs, and protocols.

That makes it difficult for computer users to move freely between OSs and prevents competition on real merits.

Re:Example of competition gone wrong

[Korin43]

Photoshop, Illustrator, certain games..

It's not that they can't run on Linux, it's that they don't.

Re:Example of competition gone wrong

[Bert64]

The vast majority of said windows malware actually takes advantage of the user combined with the fact that user typically runs all his code as an admin.. Unix/Mac don't give you elevated privileges by default, and provide a well understood mechanism by which you can elevate your privileges which *should* make you think...

There is also worm type malware which attacks open network services, windows ships with several services on by default, even on a workstation install, which cannot easily be turned off and are usually just hidden behind a software firewall... Linux/Mac ships with virtually nothing listening by default, anything that is listening can be turned off and a software firewall (if you choose to enable one) provides an extra level of security on top of that, not the last line of defence.

The issue with unpatched software, while a concern for all platforms, is simply worse on windows platforms... While Linux distros typically have a centralised package manager which will update all of your software through a single consistent interface and all at the same time, windows has a mechanism for updating the core os, and then each application you install may or may not have its own separate update mechanism which might run in the background (wasting resources), might run when you try to use the program, might require you to explicitly run the update program, or it might not have any update mechanism whatsoever and thus require you to manually check the website for updates.

As an extension to the above, the windows mentality of downloading and executing binary installers from websites lends itself to malware... Users are not encouraged to verify the legitimacy of the site they download from, nor are they encouraged to compare checksums of downloaded files.

And let's not get started in the inherent flaws of the windows security model, sure NT (the kernel) had a very good security model when originally designed, but since then a lot of dos/win9x compatibility cruft has been forced on top. Think of the multiple versions of various apis retained for backwards compatibility, the authentication model designed so you dont need to send the password in the clear over the network, flawed because you can just send the hash instead, doubly flawed because they are now locked in to weak password hashing mechanisms.

Re:Example of competition gone wrong

[Erikderzweite]

It's a self-sustaining monopoly out there. How can you tell about some abstract choice if for a majority of people PC=Windows? And you can't really blame people here: all they see is Windows, on every shell in every computer store. Exclusive per-CPU deals led to a situation where OEM's pay the same to Microsoft no matter how many OS's they offer, so they usually offer one because it's cheaper that way.
What choice do consumers really have if they don't know about Linux? Windows vs. overpriced Apple computers? Even so, Mac OS share grew up somewhat sharply last few years.

You have a hard time finding a PC that comes with Linux so you end up installing the OS yourself. Then there's this proprietary formats and protocols issue artificially created to ensure Microsoft's lock-in. Then you have some hardware vendors who decide to support Windows only and who don't use standard implementations.

None of those issues speak about the quality of operating systems, but you have to clear those monopoly-made hurdles in order to enjoy vastly improved security, better software management and more comfortable interface of Linux.

Re:We Win!

[ozmanjusri]

Windows users have gotten smart about updating, people know better than to take ActiveX downloads from free porn sites, and people have wised up about trusting what they get from P2P. All sources are now seeing lower virus rates

September 29, 2009 11:51 AM PDT
Malware worldwide grows 15 percent in September

A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday
http://news.cnet.com/8301-1009_3-10363373-83.html

Phew, I'm glad they're so much smarter - imagine how much more clickfraud and spam the botnets would be perpetrating if they hadn't wised up.

Close to 60% of all US Windows computers are hosting malware already, and that's not likely to change any time soon. The anti-malware industry is making a fortune from Windows flaws, but overwhelming evidence suggests it's not money well spent. If computer users DID wise up, they'd be moving away from expensive and fragile platforms, not adding to the coffers of modern day snake-oil merchants.

Re:Running multiple products

... and then you complain Windows runs like a snail.

Re:Wow!

[thoughtfulbloke]

The writer could conceivably seen the story in the firehose, thought this one will make the front page, copied and pasted story into a text editor and composed their message, then had it ready to post. When the article with your reply came live, they posted within 8 seconds, with a more cogent response than your initial first post as they had time to work on a first reply. This is also suggested by the post referencing the story but not your post.

Alternatively they might have actually read the article, and thought This will make slashdot one day, then followed a similar plan, but Mr. Ocham might want a word over an explanation that involves that much forward planning and OCD monitoring of the front page.

Re:Running multiple products

[RAMMS+EIN]

``This is why I have to run 6 different scanners: because there isn't one that detects all the threats. I currently run 2 antivirus programs along with SpyBot, SuperAntiSpyware, Windows Defender, and Malwarebyte's Anti-Malware.''

And yet, people insist that Windows is user friendly. More so than other operating systems, even.

Re:I think we can kiss this meme good night now.

[flyingfsck]

You are super pessimistic. There are more than 2 billion Linux machines out there and pretty much every Windows home user has a dinky little Linux based modem and firewall thingy for his desktop to hide behind. Linux devices are much more prevalent than Windows devices. Windows is only dominant if you define the market segment so narrow that it is the only thing that fits...

Re:I'm just bragging

[TheThiefMaster]

You mean "zero detected instances".

Re:I gave up on viruses a long time ago

[AdmV0rl0n]

I'm going to reply to your comments in "".

"I use Linux. Its true that there are some viruses for Linux, its just that I haven't ever had one."

Do you understand the difference between a Virus, and Spyware, Malware, Worms, and Root Kits? This idea you have is a mirage. Linux boxes have multiple serious security flaws, as all our systems do today, The idea peddled by some is that one side is immune, while the other is an open door way. I'd really rather people talked sensibly with a realisation that our current systems and how they are built remains fundamentally flawed.

"When I was in college, the monkey virus (long ago) was the baddie. When I was unfortunate enough to manage windows systems, code red, nimda, I love you and a few others were all the rage. I got real disappointed when they started listing viruses in the ten thousands, then fifty thousands."

Windows has fundamental flaws, and since win95, its architechture and design had some serious problems. In XP, users by default are created as Admins, and the bulk of the Windows world, developers, suppliers and ISVs continued with a lot of flawed security. This 'ease' of use operation, leaves security mired in a serious hole. And its one that Anti Virus companies and Anti Spyware and Malware companies and organisations are still chasing down today, as well as Microsoft. However, for a very very long time now, Microsoft, and others have stated quite clearly one of the steps that should be taken, and often, even today, is still not taken, and that is _do_not_run_as _admin.

"For Linux, its been in the teens. Mostly root exploits, proof-of-concept stuff, and virii that you have to allow in and set to execute yourself (change permissions, etc)."
http://www.pcworld.com/article/113636/linux_groups_servers_hacked.html

The arrogance of your point is noted. However, its badly placed. Linux systems that are actually placed in the real world, live, facing data ports. One of the large advantages this does exist, is the majority of users are created as users, not as the admin account. This alone is a primary basis for its better record. The point however, is that its not immune, and people should be very careful in assuming that it is.

"Its possible, but not probable to kill your system with these viruses. Perhaps it is good fortune, but I've never been infected (under linux). I'm not trying to troll, its just that the virus writers don't ever get tired trying to be destructive (mind you, kids come and kids go), and the anti-virus folk always seem to have some kind of real specific remedy, which keeps people buying. Its a bit like homeland security. In order to have a budget, there has to be a threat level. In order to sell anti-virus software, there have to be viruses. Shutting an airport for 6 hours because a man kissed his wife sounds like an over reaction. Its stupid. Its non-sensical. Its someone sounding the klaxon too loud so that the danger-danger-danger mentality and the budget both are accepted. No terror, no budget (or sales). Its a game. I refuse to play. If there are viruses on some system, I use the other. Terrorists always target planes, I use car, or bus or something else. The virus researchers never seem to offer anything all encompassing. Its always piecemeal, just like the homeland security rules. The terrorists always always target at the last hour, so we worry about just the last hour (very piecemeal). A stupid approach if you are trying to solve a problem like terror or security, but a real boon if you are trying to sell software or get a budget passed. Milk it baby! Milk it hard. But please, count me out. It just looks like a pile of crap to me (both). Thanks."

When I last spent time with a team from Mcafee, they spoke about how their labs a few years ago, were getting 60,000 unique samples of virii and malware code, and how only a couple of years later they were being bombarded with 255,000 a month. No security co

Re:We Win!

[Erikderzweite]

This is why education is so important and the idea that a computer is simple is bad. People buy devices that are as powerful as supercomputers were 15 years ago and expect them to be as simple as a toaster. So they end up giving vast amounts of computing power and network bandwidth to criminals.

As for Best Buy -- just an example of how easy are a fool and his money parted. I recall reading an article about how many people just buy a new cheap PC after theirs is infected. Of course, current security practices of Best Buy are unacceptable, but it appears that they can get away with it (they provide a working configuration after all). So it is up to users to develop some intelligence...