Malware Threat Reports Are "Apples and Oranges"

Ant writes "The December malware threat reports are trickling in from vendors — and they all appear to be different. Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will inevitably be confused by the results. Not only do the various security companies use different names for the threats they identify; they don't even identify the same threats."

This will answer your question, symbolset -

[Ethanol-fueled]

From TFA, but not in order:

"He argued that antivirus companies have tried to use common names for malware that they find..."

No they haven't.

"It's hard for users...Because anti-malware vendors are also competitors, they have little incentive to work together on normalizing names and detection techniques, he pointed out...Because of the way that the industry works, you can't work around them too well."

That's why.

"In short: is there a problem with the user confusion over threat tables like these? Most definitely..."

Most definitely not. Windows users have no idea about 'threat tables' or what the hell's going on, except that their antivirus program is blinking red and making noises and they have to keep clicking "yes" or "OK" to make it better.

"'Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges,' said Tom Kelchner, Sunbelt Research Center manager. 'What one company detects and identifies as a specific, named piece of malcode, another may detect generically.'"

The inconsistency stems from the fact that these so-called "antivirus software research labs" are just Windows terminals with neckbeards in each. Symantec's neckbeard prefers browsing porn sites with ActiveX. Fortinet's neckbeard gets his latest and greatest malware from careless P2P downloads. Kapersky's neckbeard gets his viruses from phishing and gambling sites.

Hence the inconsistent naming conventions and detection profiles across vendors. +5 informative.

Example of competition gone wrong

[syousef]

Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market. There are a number of problems:

1) Antivirus solutions do not co-exist - and not just the resident portion. I'd love to run a second or 3rd scanner like I can for spyware but Antivirus vendors have created a market that is use to the worst kind of lock in. Why can't I run 3 different products side by side and decide which one's resident scanner I want switched on? I'm sure there are technical issue but I'm also sure they're not insurmountable.

2) Antivirus vendors are now trying to police what you can and can't do. Look at the numerous reports of false positives for programs that are legally grey (or black) but aren't viruses. I've personally had network tools come up as false positives and it's a pain to unquarantine and exclude them so they don't quarantine themselves again.

3) The main form of collusion between vendors seems to be fitting into Microsoft frameworks so they show up as antivirus software in the appropriate control panel and so you don't get warnings about invalid or out of date antivirus. But this in itself makes them more vulnerable to attack

4) The products are often so badly written that they cause as many problems as they solve. A bad update here or there can (and has in the past) caused irrevocable system damage that has required a reinstall or restore from backup for users. What's the point of an antivirus that does this. Worse I've seen much subtler performance problems from minor antivirus updates - in one case it brought a company I worked for's client's machines to their knees and initially they blamed us. Turns out a change in the engine meant very big files were being opened and re-scanned for every write. Needless to say it wasn't out fault.

5) Every vendor seems to have their own names for a virus. For pity sake can we have some kind of standard naming mechanism?

Isn't competition suppose to improve such things and open up the market? In this case it just hasn't happened. There has been implicit collusion but not of the right sort to improve or provide a diverse range of products. There's not one product that will protect you well.

Re:Example of competition gone wrong

[ozmanjusri]

Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market.

No, this is a clear example of a monopoly creating a market repairing broken Windows. That's why it seems confusing.

Consumers shouldn't be facing a choice of ineffective bandaids to patch over their computers' inability to keep malware out. They should be able to choose a computer/OS that is inherently resistant.

For computer users, this is a Red Queen's race, and Windows users have to keep paying and stay vigilant just to retain a semblance of control of their own machines. The real solution is to mandate open formats, APIs, and protocols, then let any OS vendor compete on level terms. When consumers can select an OS that suits them, including the level of security they wish to pay for, we will have competition. Only then will OS vendors have to improve their products to retain customers.

Apples and Oranges - A Comparison

[scapermoya]

one of my favorite papers ever: Apples and Oranges: A Comparison

How about latin names

[starbugs]

5) Every vendor seems to have their own names for a virus. For pity sake can we have some kind of standard naming mechanism?

How about a (latin/greek) Biological-like naming system. After all, it works for biology and many (computer)viruses are derived from earlier versions of those viruses, so we could have actual hierarchies.

So you could have a name such as: "userus.dumbus.clicktus.pornolinkus.diabolicus"

Of course after the latin name we could come up with a "common" name - based on the name of the unfortunate tech who had the displeasure to remove it first.