Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Security Software Technology

Malware Threat Reports Are "Apples and Oranges" 191

Posted by kdawson
from the calling-a-spade-a-flippin'-shovel dept.
Ant writes "The December malware threat reports are trickling in from vendors — and they all appear to be different. Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will inevitably be confused by the results. Not only do the various security companies use different names for the threats they identify; they don't even identify the same threats."
This discussion has been archived. No new comments can be posted.

Malware Threat Reports Are "Apples and Oranges"

Comments Filter:
    • by Ethanol-fueled (1125189) * on Monday January 11, 2010 @01:32AM (#30720400) Homepage Journal
      From TFA, but not in order:

      "He argued that antivirus companies have tried to use common names for malware that they find..."

      No they haven't.

      "It's hard for users...Because anti-malware vendors are also competitors, they have little incentive to work together on normalizing names and detection techniques, he pointed out...Because of the way that the industry works, you can't work around them too well."

      That's why.

      "In short: is there a problem with the user confusion over threat tables like these? Most definitely..."

      Most definitely not. Windows users have no idea about 'threat tables' or what the hell's going on, except that their antivirus program is blinking red and making noises and they have to keep clicking "yes" or "OK" to make it better.

      "'Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges,' said Tom Kelchner, Sunbelt Research Center manager. 'What one company detects and identifies as a specific, named piece of malcode, another may detect generically.'"

      The inconsistency stems from the fact that these so-called "antivirus software research labs" are just Windows terminals with neckbeards in each. Symantec's neckbeard prefers browsing porn sites with ActiveX. Fortinet's neckbeard gets his latest and greatest malware from careless P2P downloads. Kapersky's neckbeard gets his viruses from phishing and gambling sites.

      Hence the inconsistent naming conventions and detection profiles across vendors. +5 informative.

      • by Culture20 (968837)

        "'Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges,' said Tom Kelchner, Sunbelt Research Center manager. 'What one company detects and identifies as a specific, named piece of malcode, another may detect generically.'"

        The inconsistency stems from the fact that these so-called "antivirus software research labs" are just Windows terminals with neckbeards in each. Symantec's neckbeard prefers browsing porn sites with ActiveX. Fortinet's neckbeard gets his latest and greatest malware from careless P2P downloads. Kapersky's neckbeard gets his viruses from phishing and gambling sites.

        Good to know. Now I know which AV vendor I'll be choosing in the future.

  • 28 years of computing on networks, zero instances of malware. I feel special.

    • by TheThiefMaster (992038) on Monday January 11, 2010 @04:51AM (#30721132)

      You mean "zero detected instances".

      • Can you point me to some malware that does so little, that it can remain undetected by a fairly savvy computer user?

        I'm serious here - there's always a troll in these threads that makes the comment you just made. However, in my experience, I've never run into malware which was "stealth". Its entire purpose is to send mail, pop up ads, and propagate. All of that is damn easy to spot if you're reasonably well versed in how your computer normally runs.

        I tend to believe a competent person when

        • Spurious network activity can be damn hard to spot. I'll admit that popup ads and so on are a bit of a give-away, but would you notice 1 kB/s of extra network traffic?

          Most people who claim to have no malware don't even know what all the processes they currently have running are. They just don't have popup ads or other obvious symptoms.

          • Can you point me to malware that engages in only spurious network activity? All that I've seen are either mass mailers, which is pretty easy to spot, or ad-based, which by definition need to be visible. I've never seen malware that sent out an email an hour, only when the network was active.
             
            (I've also never heard of one which modifies the blinkenlights on my router and modem. If I'm not using the internet, and they are flickering away, that'd be a problem.)

            • Keyloggers? Backdoors?

              Both are malware, both will do nothing most of the time, and avoid detection as much as possible. Good luck finding out you have one.

        • by Timosch (1212482)

          is it even malware? What would it be doing?

          The real risk does not come from pop-up ads, a changed browser or porn links on a desktop. Nor does it come from formatting harddisks or constantly rebooting. The dangerous thing would be rootkits that hide, remain unseen, log your keystrokes, log your internet traffic etc. and send them to a business rival. They could be buried deep in network traffic, for instance in DNS requests. In contrast to the usual "open some ad windows on the users screen" malware, in this case remaining unseen is crucial.

          • That's not malware. That's a targeted attack. We're talking about garden-variety, drive-by download, infected porn site malware here. We're talking about flies, you're talking about a unicorn.

            • by pnice (753704)
              <quote><p>That's not malware. That's a targeted attack. We're talking about garden-variety, drive-by download, infected porn site malware here. We're talking about flies, you're talking about a unicorn.</p></quote>

              Hidden software that logs keystrokes and sends the results off to a remote system has a lot of value. It doesn't need to only hit a targeted system. When they see results like:

              mail.yahoo.com apoc@yahoo.com 123jass8

              In the log file they know they have a new account to search
    • by pnice (753704)
      It doesn't come off as impressive when you throw all 28 years of your computing experience into your brag. I don't think malware was prevalent when people were coding with punch cards.
  • by syousef (465911) on Monday January 11, 2010 @02:11AM (#30720570) Journal

    Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market. There are a number of problems:

    1) Antivirus solutions do not co-exist - and not just the resident portion. I'd love to run a second or 3rd scanner like I can for spyware but Antivirus vendors have created a market that is use to the worst kind of lock in. Why can't I run 3 different products side by side and decide which one's resident scanner I want switched on? I'm sure there are technical issue but I'm also sure they're not insurmountable.

    2) Antivirus vendors are now trying to police what you can and can't do. Look at the numerous reports of false positives for programs that are legally grey (or black) but aren't viruses. I've personally had network tools come up as false positives and it's a pain to unquarantine and exclude them so they don't quarantine themselves again.

    3) The main form of collusion between vendors seems to be fitting into Microsoft frameworks so they show up as antivirus software in the appropriate control panel and so you don't get warnings about invalid or out of date antivirus. But this in itself makes them more vulnerable to attack

    4) The products are often so badly written that they cause as many problems as they solve. A bad update here or there can (and has in the past) caused irrevocable system damage that has required a reinstall or restore from backup for users. What's the point of an antivirus that does this. Worse I've seen much subtler performance problems from minor antivirus updates - in one case it brought a company I worked for's client's machines to their knees and initially they blamed us. Turns out a change in the engine meant very big files were being opened and re-scanned for every write. Needless to say it wasn't out fault.

    5) Every vendor seems to have their own names for a virus. For pity sake can we have some kind of standard naming mechanism?

    Isn't competition suppose to improve such things and open up the market? In this case it just hasn't happened. There has been implicit collusion but not of the right sort to improve or provide a diverse range of products. There's not one product that will protect you well.

    • Re: (Score:3, Interesting)

      by MichaelSmith (789609)

      5) Every vendor seems to have their own names for a virus. For pity sake can we have some kind of standard naming mechanism?

      A number or a hash?

      • Re: (Score:2, Insightful)

        by symbolset (646467)
        Hashes really aren't useful for metamporphic code and a short signifier for heuristics is fairly meta.
    • by Korin43 (881732) on Monday January 11, 2010 @02:39AM (#30720672) Homepage
      I'm guessing the reason you can't use multiple resident scanners is that just one will bring your system to a crawl. I don't even want to touch a computer with Norton + McAfee. Back when I used Windows my solution was to have adblock, spybot, AVG and Clamwin and then just scan any programs I downloaded (along with not downloading seedy looking programs). It worked pretty well. If I did have any viruses, none of them were noticable (and my monthly+ scans never picked anything up). I think the need for constantly running virus scanners is seriously overstated, at least for people who know not to run HorseSex.exe.
      • Re: (Score:3, Interesting)

        by syousef (465911)

        I'm guessing the reason you can't use multiple resident scanners is that just one will bring your system to a crawl.

        I wrote: and not just the resident portion

        I think the need for constantly running virus scanners is seriously overstated, at least for people who know not to run HorseSex.exe.

        I got drive by downloaded 2 days ago. My antivirus didn't pick it up, but fortunately my firewall did (which prevented further virus downloads). I was looking for books on photography (reguarly non-sexual photography) and

    • Everyone's always touting the benefits of competition, but here's a clear example of competition serving to confuse the market.

      No, this is a clear example of a monopoly creating a market repairing broken Windows. That's why it seems confusing.

      Consumers shouldn't be facing a choice of ineffective bandaids to patch over their computers' inability to keep malware out. They should be able to choose a computer/OS that is inherently resistant.

      For computer users, this is a Red Queen's race, and Windows users have to keep paying and stay vigilant just to retain a semblance of control of their own machines. The real solution is to mandate open formats, APIs, and protocols, then let any OS vendor compete on level terms. When consumers can select an OS that suits them, including the level of security they wish to pay for, we will have competition. Only then will OS vendors have to improve their products to retain customers.

      • by timmarhy (659436)
        consumers CAN select the OS that suits them, it just happens that windows is that OS. linux advocates always claim linux can do everything that windows does, so why aren't people leaving windows for linux in droves??
        • Re: (Score:3, Insightful)

          by ozmanjusri (601766)
          why aren't people leaving windows for linux in droves?

          Because, as I stated, we don't have open formats, APIs, and protocols.

          That makes it difficult for computer users to move freely between OSs and prevents competition on real merits.

        • Re: (Score:3, Insightful)

          by Korin43 (881732)
          Photoshop, Illustrator, certain games..

          It's not that they can't run on Linux, it's that they don't.
        • Re: (Score:3, Insightful)

          It's a self-sustaining monopoly out there. How can you tell about some abstract choice if for a majority of people PC=Windows? And you can't really blame people here: all they see is Windows, on every shell in every computer store. Exclusive per-CPU deals led to a situation where OEM's pay the same to Microsoft no matter how many OS's they offer, so they usually offer one because it's cheaper that way.
          What choice do consumers really have if they don't know about Linux? Windows vs. overpriced Apple computers

      • by AK Marc (707885)
        No, this is a clear example of a monopoly creating a market repairing broken Windows. That's why it seems confusing.

        Irrelevant. That there's a monopoly on the OS doesn't have anything to do with the software that runs on it. We had a monopoly of petrol cars in the US for the longest time. Sure, that meant that the diesel Mercedes didn't sell here, but the competition between the petrol car makers was real. And that competition worked the way it was supposed to.

        But antivirus makers not naming things t
    • Re: (Score:2, Informative)

      by Revenger75 (1246176)

      1) Antivirus solutions do not co-exist - and not just the resident portion. I'd love to run a second or 3rd scanner like I can for spyware but Antivirus vendors have created a market that is use to the worst kind of lock in. Why can't I run 3 different products side by side and decide which one's resident scanner I want switched on? I'm sure there are technical issue but I'm also sure they're not insurmountable.

      I decided on one paranoid night to try to do just that. I found that for the most popular free solutions (AVG, Avast, Avira) you can install them side-by-side and narrowed it down to just one resident scanner running. You either have to find the hidden option in the menus, disable the start-up entries, or just opt not to install them during setup. I was able to safely ignore the warnings about having other AV products installed during the various setups.

      An easy solution for individual files is VirusT

      • by Bert64 (520050)

        I agree, security is a process not a product..
        Unfortunately, our voices are nowhere near as loud as those of the vendors telling people that security is a product.

    • Re: (Score:3, Informative)

      by El_Muerte_TDS (592157)

      6) Vendors appear to put more effort into making their user interface "pop" rather trying to minimize resource usage and system impact. For example, Microsoft antivirus creates a system restore point every time the signatures are updated (once a day). Every time a system restore point is created my system become barely unusable for a couple of minutes. You can't control when it updates the signatures (currently for me it's around 23:20). Which brings me to:

      7) Vendors want to use their own resistant schedule

    • by starbugs (1670420) on Monday January 11, 2010 @03:38AM (#30720860)

      5) Every vendor seems to have their own names for a virus. For pity sake can we have some kind of standard naming mechanism?

      How about a (latin/greek) Biological-like [wikipedia.org] naming system. After all, it works for biology and many (computer)viruses are derived from earlier versions of those viruses, so we could have actual hierarchies.

      So you could have a name such as: "userus.dumbus.clicktus.pornolinkus.diabolicus"

      Of course after the latin name we could come up with a "common" name - based on the name of the unfortunate tech who had the displeasure to remove it first.

      • by jez9999 (618189)

        The trouble is, everything would be under userus.dumbus.clicktus.pornolinkus so it would just be a common namespace and wasted characters.

    • by couchslug (175151)

      "Why can't I run 3 different products side by side and decide which one's resident scanner I want switched on? I'm sure there are technical issue but I'm also sure they're not insurmountable."

      Tried running different products using Thinapp thin installs? That would be one way to experiment.

    • by mpe (36238)
      2) Antivirus vendors are now trying to police what you can and can't do. Look at the numerous reports of false positives for programs that are legally grey (or black) but aren't viruses.

      They don't even have to be questionable. VNC manages to generate plenty of false positives, IME.

      4) The products are often so badly written that they cause as many problems as they solve. A bad update here or there can (and has in the past) caused irrevocable system damage that has required a reinstall or restore from bac
  • by DodgeRules (854165) on Monday January 11, 2010 @02:20AM (#30720594)

    Not only do the various security companies use different names for the threats they identify; they don't even identify the same threats.

    This is why I have to run 6 different scanners: because there isn't one that detects all the threats. I currently run 2 antivirus programs along with SpyBot, SuperAntiSpyware, Windows Defender, and Malwarebyte's Anti-Malware.

    • by Kleen13 (1006327)
      That's too much shit running for me, though I agree with you - no one scanner is God's answer... I gave up and just do good backups and run MSE. I've implemented a Don't Click That policy with my wife and 2 kids, so far I've dodged the bullet.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      ... and then you complain Windows runs like a snail.

    • Re: (Score:3, Insightful)

      by RAMMS+EIN (578166)

      ``This is why I have to run 6 different scanners: because there isn't one that detects all the threats. I currently run 2 antivirus programs along with SpyBot, SuperAntiSpyware, Windows Defender, and Malwarebyte's Anti-Malware.''

      And yet, people insist that Windows is user friendly. More so than other operating systems, even.

      • by drinkypoo (153816)

        If you don't engage in risky behavior you don't have to worry so much. For example, paying for all your software should be enough to get you down to one virus scanner and two anti-malware programs :)

        • Re: (Score:3, Informative)

          by ozmanjusri (601766)
          If you don't engage in risky behavior you don't have to worry so much.

          Really?

          Researchers Hijack a Drive-By Botnet.
          They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites. Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors' machines

          "Once upon a time, you thought that if you did not browse porn, you would be safe," says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors. "But staying away from the seedy places on the Internet is no longer an assurance of staying safe."

        • by Bert64 (520050)

          Warez doesn't typically come with malware, if anything pirate copies of various things often have malicious (defined as doing something detrimental to the user or his machine) code such as drm schemes removed.

          I have done many incident response jobs, where one or more machines inside a company becomes infected with something that the av they subscribe to fails to detect, and it falls upon me to investigate the infection. Very few of these machines have any warez on them, or evidence of trying to view things

        • If you don't engage in risky behavior you don't have to worry so much. For example, paying for all your software should be enough

          Whom should I pay for Firefox and GNU Image Manipulation Program? But seriously, my aunt got drive-by-downloaded twice, both times by fake antivirus software, and she spends most of her time in Facebook. I didn't know Facebook had mandatory fees. The first time it happened ("System Security"), I was able to boot into safe mode and run MalwareBytes Anti-Malware, but this time ("Advanced Virus Remover", apparently a newer version of the same threat), safe mode just causes the computer to restart during boot.

          • a suggestion for you

            1 grab a USB >PATA|SATA cable and a good screwdriver
            2 pop the case on her computer and pull out the hard drive
            3 use the cable to mount her hard drive on your computer
            4 scan her drive on "NSA Paranoid" level (you may of course want to do a scandisk on it first)
            5 backup her hard drive after it has been cleaned
            6 replace her harddrive boot it and pray

            • grab a USB >PATA|SATA cable

              For personal reasons that I would prefer not to disclose on Slashdot, she wants to pinch every penny from this fix; otherwise, she would have already taken the computer into a local repair shop. At this minute, without access to ask her, I'll assume that she'll tell me that she can't afford to buy a USB enclosure for this fix.

              4 scan her drive on "NSA Paranoid" level (you may of course want to do a scandisk on it first)

              My primary computer is a laptop that runs Ubuntu 9.10; her computer runs Windows XP Professional. Ubuntu won't mount an uncleanly unmounted NTFS without a special flag; even then, I ha

              • by HiThere (15173)

                OK. But you can mount and read her files. So get some USB sticks and copy her files over to them. Then reformat the disk.

                Yeah, it's a pain, and a lot of work. But it's a way forwards. Then, if the computer has enough power, install ubuntu and INSIDE it a virtual machine into which you install MSWind and any applications that she needs. Don't allow the virtual machine access to the internet.

                I'm sure there are other ways forwards, and I don't know all the details, but this should work, though it would b

    • Get an iPhone. Seriously. Requiring signed and approved applications along with a mechanism to withdraw applications is the only feasible way I can see to somewhat secure a computer. Plus, http and smtp must die, instead requiring https and some better mail protocol with encryption and signatures.

      Certificates should be issued by government, by the way. Preferably at a cost that will cover a reasonable identification procedure for the certificate holder. And I realize this raises a lot of issues with regards

      • Let me get this straight -- you're saying that the way to avoid to losing any control over our computers is... to give up all control over our computers?

      • by hyades1 (1149581)

        Is the problem that bad, or is this just the latest version of Chicken Little? I use Avast! Antivirus, Malwarebytes, Spybot and Comodo's firewall. They update and scan each night when I'm not at the computer (which is on 24-7, by the way, and has been for more than five years). I've never had a virus or any serious malware infestation. Never. A few tracking cookies, the occasional inactive trojan and the like are invariably sacrificed at the nightly slaughter.

        And yet you believe I should give up what

    • Six scanners?! You can't be serious...

      If that's true you either REALLY need Windows or are plain masochistic. I don't use Windows for years now, but I still remember how a scanner trashes the hard disk and slow the whole system beyond acceptable for some hours. With six scanners it would take a whole day to run them through your disk once.

      Thanks but no, thanks.

    • I pay $24.95 a month in antivirus updates for my $449.98 netbook. I do a deep scan one day a month just to be on the safe side and I manage to keep infections down in the double digits. But what else can I do? Macs are too expensive and Linux just requires too much time.

  • by scapermoya (769847) on Monday January 11, 2010 @03:06AM (#30720768) Homepage
    one of my favorite papers ever: Apples and Oranges: A Comparison [theamericanview.com]
  • They're all the same anyway: "Big Scary Virus, so buy my overpriced antivirus software"
  • Believing all that say those reports, and doing quick and wrong choices.
  • Not only do the various security companies use different names for the threats they identify; they don't even identify the same threats.

    Doesn't make sense to me. I mean, if Schemester Antivirus wants to identify a threat that is "not the same" as the one Flybynight Computer Security wants to identify, wouldn't one expect them to use different names?

    That's like saying Ford calls its car Fiesta, while Toyota calls its car Tazz, but they are not the same car. (To include the obligatory car analogy.)

  • Just wanted to make a comment regarding anti-virus/malware vendors and how they co-operate with each other. Recently I took on some Sophos training for work - Sophos makes security software which includes (among other things) anti-virus.

    From what I was told, they DO work with other AV vendors in one particular situation: samples. If a new virus/trojan/nasty is detected by any vendor in a partnership of vendors, they will provide a sample to others, but won't tell them their detection algorithms. That way th

  • Windows. The sample of reports listed had W32, Win32, or a virus targeting Windows (e.g., Conficker).

    I think the results and the solution is pretty clear, and it's the same that it has been for more than 25 years.

  • They all want you to be afraid of the maleware THEY sponsored the develpoment of so they KNOW they can cure your ills easily.

I have never seen anything fill up a vacuum so fast and still suck. -- Rob Pike, on X.

Working...