McAfee Inc. recently achieved a depressing milestone, namely the inclusion of the 200,000th malware signature in its VirusScan database. Malware authors have certainly kept themselves busy; this achievement marks the doubling of the database in only 22 months. That's an especially striking statistic when it took eighteen years to build the database to the 100,000 signature mark.
Why the sudden surge? In addition to the natural growth of the malware "industry," we're also witnessing a change in tactics. Sure, we may see another Sasser, ILoveYou, Blaster or Sobig, but the days of the mega outbreak are numbered. Keen to preventative measures, virus authors are now writing variants that differ just enough to require new antivirus signatures. Many of these variants are self-mutating in an attempt to avoid current detection technologies.
The McAfee report also provides some interesting data on the diversity of the malware universe. In its Avert Labs blog, the vendor revealed its database composition:
- 31% Trojans
- 28% Win32 bots/viruses
- 26% Obsolete threats (e.g. MS-DOS, Windows 3.1)
- 12% Scripts and macro viruses
- 3% Potentially unwanted programs
So, what does all of this mean? It's clear that the threat environment is evolving over time. As the environment changes, security professionals must adapt their defenses to focus on the unknown. Here are three simple steps to mitigate such threats:
- Deploy and manage antivirus software. While this advice may seem obvious, ask yourself, are you 100% confident in your current antivirus infrastructure? If your internal audit group hasn't done so already, conduct a random audit of systems in your enterprise (both workstations and servers) and verify that they are properly configured and receive antivirus updates. Better yet, invest in an antivirus management solution to automate these tasks. These tools may even be covered in your existing antivirus license agreement. Symantec customers can use Enterprise Edition while McAfee customers have ePolicy Orchestrator.
- Consider content filtering. Many enterprises now filter outbound traffic. While often driven by legal/regulatory compliance concerns, content filtering can play a valuable role in protecting enterprise systems from malicious code by blocking access to sites known to publish hostile code or act as "phone home" servers for malware.
- Implement a defense-in-depth strategy. Antivirus software is not a cure-all. It's designed to detect known threats, but someone is going to be the first victim of a zero-day virus. It's important to use perimeter protection technologies (such as firewalls and intrusion prevention systems) and system management tools to provide layers of defense for your enterprise.
Unfortunately, the cat-and-mouse game of malware and information security will not end anytime soon. However, researchers are hard at work developing new defensive technologies. We're also likely to see evolutionary changes over the next few years designed to meet the demands of the changing risk environment. In the meantime, steel your defenses and protect your organization against malware incidents.
About the author:
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in October 2006