Virus researchers share malicious code in unique relationship


Edward Hurley, SearchSecurity.com News Writer

There is a sneaking suspicion that viruses ultimately originate with antivirus software vendors. How else, for example, could they get samples so quickly?

Of course, such thinking is ludicrous. There are so many holes in that theory, it could make Swiss cheese look solid. All one has to do is look at the means that virus researchers working for vendors have to get samples early.

In a way, antivirus companies are like firefighters, who run toward burning buildings while everyone else runs away. Researchers try to get the latest worm while everyone else tries to avoid it.

It's pretty obvious that virus researchers need to get samples of malicious code very early in an outbreak in order to be effective. In the uber-competitive antivirus software space, not having a pattern file to protect customers is tantamount to commercial suicide.

Antivirus companies have many ways to get samples, unlike an enterprise, which has relatively limited exposure to a new worm or virus. Researchers deliberately cast a much wider net to capture the latest malware.

A vendor's installed base is one of its biggest assets in garnering samples quickly. Researchers have systems in place where customers can submit suspicious e-mail messages or files for inspection. This method is more reactive, because a customer submission means the sample is already in the wild.

Antivirus companies also get samples submitted by the virus writers themselves. This may sound counterintuitive:


Why would virus writers let the antivirus vendors know about their newest creation? They do it for recognition or maybe even as an ad hoc job application, said David Perry, Trend Micro Inc.'s global director of education. "But the fact of the matter is, the only original ideas in virus writing come along every two or three years from academic types, and they are copied by the script kiddies," he said.

There are also a few clandestine ways researchers have to get virus and worm samples as early as possible. For example, Trend Micro has honeypots out to catch Internet-crawling worms. It also has a host of e-mail accounts at various domains that the company monitors for new worms.

Virus researchers also share samples among themselves. This process is unusual because the sharing relationships are among the individual researchers, not the companies. The researchers maintain their own collection of worms. In fact, during a visit to Trend Micro's Cupertino, Calif., offices, one could see hard drive-less computers -- the researchers took their drives with them whenever they left the office.

Generally, samples aren't shared between companies very often. They may share them if an outbreak is strong in a particular geographic area where one of the vendors doesn't have a strong presence. "We usually get lots of samples from the wild," said Jamz Yaneza, senior antivirus consultant for Trend Micro's TrendLabs, which is based in the Philippines. "If you have to ask for a sample, then it's probably not that big a worm."

But when samples are shared, there are certain ethical guidelines that are followed. For example, the sample is encrypted and compressed so it's pretty small. An authenticated mailing list is used so that only the proper people will have access to the sample. Only important worms are shared among the companies. A researcher, for example, probably wouldn't share a worm just because he "finds it interesting," Yaneza said.
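The handling rules described above (compress the sample, encrypt it, and release it only to people on an authenticated list) can be written down as a small packaging routine. The following is an added example, not code from the article or from Trend Micro: the approved-recipient set stands in for the authenticated mailing list, the passphrase is assumed to be shared out of band, the "sample" is constructed harmless text, and the cipher is a demonstration construction from the Python standard library (HMAC-SHA256 keystream with an encrypt-then-MAC tag) because the stdlib has no AEAD; a shipping tool would use a vetted AEAD such as AES-GCM or a password-protected archive. The SHA-256 of the plaintext travels with the package so the recipient can confirm they decrypted the sample the sender meant to share.

```python
import hashlib
import hmac
import os
import zlib

# Constructed stand-in for a captured sample: harmless, repetitive text so the
# compression step has something to do. Not malware.
SAMPLE = b"constructed harmless stand-in for a worm sample\n" * 40

# Hypothetical authenticated list: only these addresses may receive samples.
APPROVED_RECIPIENTS = {"researcher@example.com", "labs@example.net"}


def derive_keys(passphrase: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the shared passphrase into separate encryption and MAC keys."""
    # Iteration count is illustrative; tune it to your hardware.
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (demonstration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def package_sample(sample: bytes, passphrase: bytes, recipient: str) -> dict:
    """Compress, encrypt and authenticate a sample for one vetted recipient."""
    if recipient not in APPROVED_RECIPIENTS:
        # Enforce the "authenticated list" rule before any material leaves.
        raise PermissionError(f"{recipient} is not on the approved recipient list")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    compressed = zlib.compress(sample, 9)            # "compressed so it's pretty small"
    ciphertext = _xor(compressed, _keystream(enc_key, nonce, len(compressed)))
    # Encrypt-then-MAC: the tag covers everything the recipient will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "recipient": recipient,
        "sha256": hashlib.sha256(sample).hexdigest(),  # identifies the plaintext sample
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
        "orig_size": len(sample),
        "packed_size": len(ciphertext),
    }


def unpack_sample(pkg: dict, passphrase: bytes) -> bytes:
    """Verify the tag, decrypt, decompress and check the advertised hash."""
    salt, nonce = bytes.fromhex(pkg["salt"]), bytes.fromhex(pkg["nonce"])
    ciphertext, tag = bytes.fromhex(pkg["ciphertext"]), bytes.fromhex(pkg["tag"])
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong passphrase or a package altered in transit: stop before decrypting.
        raise ValueError("authentication tag mismatch")
    compressed = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    sample = zlib.decompress(compressed)
    if hashlib.sha256(sample).hexdigest() != pkg["sha256"]:
        raise ValueError("decrypted sample does not match the advertised hash")
    return sample


if __name__ == "__main__":
    pkg = package_sample(SAMPLE, b"shared-out-of-band", "researcher@example.com")
    print(f"sha256={pkg['sha256'][:16]}... {pkg['orig_size']} -> {pkg['packed_size']} bytes")
    assert unpack_sample(pkg, b"shared-out-of-band") == SAMPLE
```

The ordering matters: the recipient check runs before any key material is derived, and the tag is verified before decryption, so a tampered package or a wrong passphrase fails closed without ever unpacking the sample.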
