At one time, it was said the sun never set on the British Empire. The same can be said for virus and worm activity.
New mass mailers don't care if it's 3 a.m. in Manhattan. Keeping track of malicious code is a 24/7 job.
Yet it's easy to take antivirus signature files for granted. In many cases, administrators don't even have to download and load them because automatic updates do the heavy lifting. But there are thinking and breathing people who have to create each and every one of them.
One of those people is Jamz Yaneza, senior antivirus consultant for Trend Micro Inc.'s TrendLabs.
Yaneza and his fellow researchers analyze and describe the latest malicious code to hit the Internet. But they don't study malware for the sake of knowledge; they bust their butts to get information out to Trend Micro's end users as fast and accurately as possible. Having four shifts of researchers ensures there are people available to analyze a sample no matter what time it comes in.
A figurative stopwatch begins when Trend Micro's researchers get a sample. They try to get a description of a worm or virus out within 15 minutes of receiving it. They aim to get a pattern file together within one hour and a cleaning tool, if necessary, within two hours.
While end users only really hear of the viruses and worms that achieve major outbreaks every few weeks or months, virus researchers need to be on top of every new worm or virus that appears. Trend Micro, for example, may see between 15 and 50 new pieces of malicious code a day. Now, the vast majority of these will not be Nimdas or Bugbears.
In fact, of the 77,000 or so worms and other malicious code Trend Micro's scanners protect against, only 2,000 or 3,000 ever infect a system, said David Perry, Trend Micro's global director of education, noting that many worms are submitted to antivirus vendors as proof-of-concept code by the writers themselves.
In many ways, most viruses and worms aren't good programs. For example, one of the first things researchers do when receiving a sample of a worm is to see whether it can copy itself, the defining characteristic of that kind of malicious code. "You'd be surprised at how many bad worms there are that can't even replicate themselves," Perry said.
Now, if a sample worm can replicate itself, then a much more detailed analysis begins. Researchers determine what method the worm uses to spread, which is usually pretty obvious, Perry said. The sample is also run through a host of antivirus scanners to see whether it can be detected with an existing pattern file. They also determine whether the worm drops any other programs, such as a keystroke logger, onto systems.
While a team determines what a sample does, another looks at what it is. In other words, researchers try to determine whether it is a variant of an existing worm or if it is a new worm. If a sample is new, then it's assigned a name. Generally, researchers try not to give malicious code the name intended by the author. "We don't want to give any credibility to the virus writer," Perry said.
For example, in January a worm appeared that referenced Canadian pop singer Avril Lavigne. Some antivirus companies called it the Avril worm, but Trend Micro and others called it Lirva (or "Avril" backwards).
After figuring out the basic function of a worm and what to call it, the researchers put a policy together so end users can protect themselves while a pattern file is being created. These are temporary measures such as restricting certain file types or looking for e-mail attachments with specific subject lines.
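A sketch of what such an interim mail policy can look like at a gateway, as an added example that is not Trend Micro's code: it flags blocked attachment types and attachments arriving under a known subject line. The extensions, the subject pattern and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed interim policy; the extensions and subject are illustrative
# assumptions, not values from any real advisory.
POLICY = {
    "blocked_extensions": {".exe", ".scr", ".pif", ".vbs"},
    "subject_patterns": [re.compile(r"^(re:\s*)?example lure subject$", re.I)],
}

def evaluate(raw, policy=POLICY):
    """Return (action, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    # Collect the declared filename of every MIME part that has one.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    reasons = []
    for name in names:
        # Judge the final extension only, so "photo.jpg.scr" counts as .scr.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in policy["blocked_extensions"]:
            reasons.append("blocked attachment type: " + name)
    # The subject rule applies only to mail that carries an attachment.
    if names and any(p.search(subject) for p in policy["subject_patterns"]):
        reasons.append("subject matches interim rule: " + subject)
    return ("quarantine" if reasons else "deliver"), reasons

# Constructed sample message (not taken from a real outbreak).
SAMPLE = """\
Subject: Re: Example lure subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.jpg.scr"

AAAA
--b1--
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Because the policy is plain data, it can be withdrawn or tightened once the pattern file ships without touching the filtering code.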
Over time, the description of the worm or virus is updated to reflect the most up-to-date and accurate information possible. The researchers have a host of tools at their disposal, some of which are homemade, to determine what a sample actually does. "We try to automate the process as much as possible," Yaneza said.
Figuring out exactly what a worm does to different systems is imperative, especially if a cleaning tool is to be created. Often, worms change registry keys and save various copies of themselves to infected systems.
All throughout the analysis process, researchers are trying to ascertain how dangerous a sample could be. This calculation hinges both on what the malware actually does to a system and how fast it is spreading in the wild. Researchers can gauge the latter by looking at the number of support calls they are receiving and by the number of samples customers are sending in.
The end result of the virus analysis process is a pattern file. This small file is not a program but data for determining how to identify a particular worm (or a variant of a worm). "Another way of thinking of it is pattern files are like player piano rolls," Perry said.
Some may think virus researchers pat themselves on the back when they beat a competitor's signature file by a few minutes. Yet, when they are doing post-mortem discussions after a worm is identified and a pattern file is produced, researchers like Yaneza value accuracy more. "'Did we provide more correct information than other companies?' is what we ask ourselves," he said.
This series concludes tomorrow.