Malware Threat Reports Are "Apples and Oranges"
Ant writes "The December malware threat reports are trickling in from vendors — and they all appear to be different. Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will inevitably be confused by the results. Not only do the various security companies use different names for the threats they identify; they don't even identify the same threats."
No they haven't.
That's why.
Most definitely not. Windows users have no idea about 'threat tables' or what the hell's going on, except that their antivirus program is blinking red and making noises and they have to keep clicking "yes" or "OK" to make it better.
The inconsistency stems from the fact that these so-called "antivirus software research labs" are just Windows terminals with neckbeards in each. Symantec's neckbeard prefers browsing porn sites with ActiveX. Fortinet's neckbeard gets his latest and greatest malware from careless P2P downloads. Kaspersky's neckbeard gets his viruses from phishing and gambling sites.
Hence the inconsistent naming conventions and detection profiles across vendors. +5 informative.
Totally pressed the submit button on accident, now I am the failing one.
There can only be one way out.
SEPPUKU.
Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market. There are a number of problems:
1) Antivirus solutions do not co-exist - and not just the resident portion. I'd love to run a second or 3rd scanner like I can for spyware but antivirus vendors have created a market that is used to the worst kind of lock-in. Why can't I run 3 different products side by side and decide which one's resident scanner I want switched on? I'm sure there are technical issues but I'm also sure they're not insurmountable.
2) Antivirus vendors are now trying to police what you can and can't do. Look at the numerous reports of false positives for programs that are legally grey (or black) but aren't viruses. I've personally had network tools come up as false positives and it's a pain to unquarantine and exclude them so they don't quarantine themselves again.
3) The main form of collusion between vendors seems to be fitting into Microsoft frameworks so they show up as antivirus software in the appropriate control panel and so you don't get warnings about invalid or out of date antivirus. But this in itself makes them more vulnerable to attack.
4) The products are often so badly written that they cause as many problems as they solve. A bad update here or there can (and has in the past) caused irrevocable system damage that has required a reinstall or restore from backup for users. What's the point of an antivirus that does this? Worse, I've seen much subtler performance problems from minor antivirus updates - in one case it brought a company I worked for's client's machines to their knees and initially they blamed us. Turns out a change in the engine meant very big files were being opened and re-scanned for every write. Needless to say it wasn't our fault.
5) Every vendor seems to have their own names for a virus. For pity's sake can we have some kind of standard naming mechanism?
Isn't competition supposed to improve such things and open up the market? In this case it just hasn't happened. There has been implicit collusion but not of the right sort to improve or provide a diverse range of products. There's not one product that will protect you well.
These posts express my own personal views, not those of my employer
... and then you complain Windows runs like a snail.
one of my favorite papers ever: Apples and Oranges: A Comparison
Beware the Jubjub bird, and shun the frumious Bandersnatch.
5) Every vendor seems to have their own names for a virus. For pity's sake can we have some kind of standard naming mechanism?
How about a (Latin/Greek) biological-like naming system? After all, it works for biology and many (computer) viruses are derived from earlier versions of those viruses, so we could have actual hierarchies.
So you could have a name such as: "userus.dumbus.clicktus.pornolinkus.diabolicus"
Of course after the Latin name we could come up with a "common" name - based on the name of the unfortunate tech who had the displeasure to remove it first.
You are super pessimistic. There are more than 2 billion Linux machines out there and pretty much every Windows home user has a dinky little Linux based modem and firewall thingy for his desktop to hide behind. Linux devices are much more prevalent than Windows devices. Windows is only dominant if you define the market segment so narrow that it is the only thing that fits...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
You mean "zero detected instances".
I'm going to reply to your comments in "".
"I use Linux. It's true that there are some viruses for Linux, it's just that I haven't ever had one."
Do you understand the difference between a Virus, and Spyware, Malware, Worms, and Root Kits? This idea you have is a mirage. Linux boxes have multiple serious security flaws, as all our systems do today. The idea peddled by some is that one side is immune, while the other is an open doorway. I'd really rather people talked sensibly with a realisation that our current systems and how they are built remains fundamentally flawed.
"When I was in college, the monkey virus (long ago) was the baddie. When I was unfortunate enough to manage Windows systems, code red, nimda, I love you and a few others were all the rage. I got real disappointed when they started listing viruses in the ten thousands, then fifty thousands."
Windows has fundamental flaws, and since win95, its architecture and design had some serious problems. In XP, users by default are created as Admins, and the bulk of the Windows world, developers, suppliers and ISVs continued with a lot of flawed security. This 'ease' of use operation, leaves security mired in a serious hole. And it's one that Anti Virus companies and Anti Spyware and Malware companies and organisations are still chasing down today, as well as Microsoft. However, for a very very long time now, Microsoft, and others have stated quite clearly one of the steps that should be taken, and often, even today, is still not taken, and that is _do_not_run_as_admin_.
"For Linux, it's been in the teens. Mostly root exploits, proof-of-concept stuff, and virii that you have to allow in and set to execute yourself (change permissions, etc)."
http://www.pcworld.com/article/113636/linux_groups_servers_hacked.html
The arrogance of your point is noted. However, it's badly placed. Linux systems that are actually placed in the real world, live, facing data ports. One of the large advantages this does exist, is the majority of users are created as users, not as the admin account. This alone is a primary basis for its better record. The point however, is that it's not immune, and people should be very careful in assuming that it is.
"It's possible, but not probable to kill your system with these viruses. Perhaps it is good fortune, but I've never been infected (under Linux). I'm not trying to troll, it's just that the virus writers don't ever get tired trying to be destructive (mind you, kids come and kids go), and the anti-virus folk always seem to have some kind of real specific remedy, which keeps people buying. It's a bit like homeland security. In order to have a budget, there has to be a threat level. In order to sell anti-virus software, there have to be viruses. Shutting an airport for 6 hours because a man kissed his wife sounds like an overreaction. It's stupid. It's nonsensical. It's someone sounding the klaxon too loud so that the danger-danger-danger mentality and the budget both are accepted. No terror, no budget (or sales). It's a game. I refuse to play. If there are viruses on some system, I use the other. Terrorists always target planes, I use car, or bus or something else. The virus researchers never seem to offer anything all encompassing. It's always piecemeal, just like the homeland security rules. The terrorists always always target at the last hour, so we worry about just the last hour (very piecemeal). A stupid approach if you are trying to solve a problem like terror or security, but a real boon if you are trying to sell software or get a budget passed. Milk it baby! Milk it hard. But please, count me out. It just looks like a pile of crap to me (both). Thanks."
When I last spent time with a team from McAfee, they spoke about how their labs a few years ago, were getting 60,000 unique samples of virii and malware code, and how only a couple of years later they were being bombarded with 255,000 a month. No security co
We're all equal