- Larry Bridwell and Lawrence Walsh
Overall, 2002 was a quiet year on the malware front. When the SQL Slammer worm struck in January 2003, it had been more than 16 months since a major malware outbreak on the scale of LoveLetter, Code Red or Nimda.
Still, according to the annual ICSA Labs Virus Prevalence Survey, overall perception of the malware problem is getting worse, as are the effects of virus infections.
Released last month, the survey shows the rate of virus encounters remained relatively flat, rising to 105 per 1,000 machines per month, compared to 103 in 2001 (see Figure 1).
Virus encounters may have remained constant, but enterprises' attitude toward the problem has not. Inundated with a persistent stream of new and recirculating viruses and worms, nearly three-quarters of the 306 respondents say the virus problem is getting worse, especially in terms of money and resources spent to combat and recover from infections.
Viruses have plagued enterprises since the nascent days of microcomputing and the Internet. Ever since Robert Morris shocked the world with his worm in 1988, the Internet community has struggled to contain malware. Enterprises and home users have invested millions in antivirus solutions and synergistic defenses, and yet the problem persists and, as the survey details, the consequences are getting worse.
If you're connected to the Internet, you're going to periodically get hit by viruses or worms. There's no evading them. ICSA Labs1, which has conducted the annual survey since 1996, has recorded a continuous rise in virus encounter rates, with the sharpest jump occurring four years ago, when the infection rate spiked from 32 encounters per 1,000 per month in 1998 to 80 per 1,000 in 1999.
Ordinarily, virtually flat growth in infection rates would be cause for celebration, but the survey's respondents tell a different, more worrisome story.
The overall number of respondents saying the malware problem got worse in 2002 remained constant from the 2001 survey. However, the plurality of respondents--40 percent--say the virus problem is getting much worse, and another 35 percent say it's getting somewhat worse. In the 2001 survey, most said the problem was getting worse, but the proportions were inverted--32 percent saying much worse and 40 percent somewhat worse (see Figure 2).
Enterprises' growing frustration with malware seems counterintuitive, given that there were no outbreaks in 2002 on the scale of Code Red or Nimda. Still, enterprises dealt with a plethora of minor, but costly virus and worm problems.
ICSA Labs classifies virus disasters as 25 or more machines (workstations or servers) infected at the same time. In 2001, disasters were easy to see, with the ubiquitous Nimda being responsible for 28 infections per 1,000 machines, with the rest of the pack trailing far behind--LoveLetter, 12; SirCam, 11; Anna Kournikova, 6; and Code Red, 4.
In 2002, the breadth and depth of virus disasters increased precipitously. The persistent Klez worm topped the list with 32 infections per 1,000 machines (the original Klez worm was discovered in November 2000, but didn't rank in the 2001 survey). Other malware from 2001 also penetrated much higher on the list. Number two BugBear had an infection rate of 29 per 1,000; BadTrans, 22; Yaha, 18; and SirCam, 12.
As for others on the 2001 list, Nimda dropped to the bottom of this year's top 10 with an infection rate of only two per 1,000 machines; LoveLetter fell to number seven, with an infection rate of six per 1,000. The exception is FunLove, which actually climbed on the list, rising from an infection rate of four per 1,000 in 2001 to seven per 1,000 in 2002.
Although ICSA Labs didn't track malware by its specific targets, eight of this year's top 10 are Windows-based mass mailers.
The survey didn't capture data on the recent Slammer worm, which infected unpatched SQL Servers or applications running the Microsoft SQL Desktop Engine (MSDE). Some say Slammer is the most significant malware outbreak since Nimda struck in September 2001.
Following Nimda, malware experts predicted the rise of polymorphic worms that would carry more dangerous payloads, have multiple propagation mechanisms and attack several system vulnerabilities.
Polymorphic and Internet-based worms remain a threat, but they continue to lag far behind the number of e-mail-borne viruses. According to the survey, e-mail-borne viruses accounted for 86 percent of all infections (see Figure 3). ICSA Labs says Nimda is exclusively responsible for the spike in infections via the Internet in 2001. But, as Nimda's power has dissipated, so, too, has the number of Internet infections.
Not so surprising is that the number of diskette-related infections has nearly disappeared. ICSA Labs reported receiving two diskette infection reports--one Monkey.B and an Anti-Exe--marking the near extinction of the once-dominant infection mechanism.
Protection in Place
The good news is antivirus solutions are nearly ubiquitous. Most enterprises use either network-based or workstation AV solutions, and more are using synergistic controls such as e-mail attachment filtering.
Of the 306 enterprises responding to the ICSA Labs Virus Prevalence Survey, 96 percent said that at least 90 percent of their machines--workstations, servers and network devices--are covered by AV solutions.
When it comes to AV solutions, two vendors dominate--Network Associates and Symantec.
The distribution of AV solutions deployed by respondents remained relatively unchanged. Network Associates, which completed the reacquisition of its McAfee.com last year, accounts for 49 percent of all AV solutions in use by enterprises--a loss of 1 percent from the previous year. Symantec holds 43 percent, also a 1 percent loss (see Figure 4). The shares for Trend Micro, Computer Associates, Command Software and Sophos remained static.
Network Associates commands the server AV installments, holding 46 percent, while Symantec has 35 percent and Trend 17 percent. On the desktop, Symantec rules with 45 percent, compared to Network Associates' 40 percent.
Traditionally, AV solutions were deployed on workstations and e-mail gateways, with little protection being afforded to network devices, such as firewalls and proxy servers. The survey found enterprises are extending AV protection to the network, with roughly half of all firewalls and proxy servers now having AV software installed.
Additionally, enterprises are increasing their use of synergistic malware controls. Eighty-one percent of survey respondents said they're doing gateway filtering and quarantining e-mails and files, where only 69 percent did in 2001.
If the number of virus infections was relatively flat and the use of antivirus solutions increased, then what explains the sharp shift in end users' perception that the malware problem is getting worse?
Simply put, it's a matter of frequency and depth of damage. The steadily high number of virus incidents is forcing enterprises to devote more time and resources toward guarding against infection. And, when infections do occur, it's taking longer and costing more to recover from them.
In previous years, ICSA Labs reported that the number of virus disasters was directly tied to notable virus outbreaks--Melissa in 1999, LoveLetter in 2000, Code Red and Nimda in 2001. Although the number of disasters dropped slightly from 84 to 80, it's the way that disasters happened that made 2002 different. Enterprises say disasters in 2002 were a result of multiple outbreaks over a course of months. Four viruses over nine months were responsible for most of the disasters.
The constant malware pressure on enterprises is overwhelming. Instead of taking 20 staff days to recover from an incident, enterprises reported in the survey that it took 23 days in 2002.
Enterprises say the effects of malware infections are getting more severe. Three-quarters of survey respondents said viruses cause a significant loss in productivity, while more than two-thirds said they deny access to PCs and corrupt files, and nearly half report loss of access to data or data loss (see Figure 5).
Where cleaning systems was once a matter of hitting a button to disinfect, enterprises are finding that malware remediation now means taking critical production servers offline for patching or rebuilding. In organizations of hundreds or thousands of servers, this means weeks of work and business disruptions.
The direct remediation cost rose to an average $81,000 per incident ($9,500 median) from $69,000 ($5,500 median) in 2001. When indirect costs are considered, ICSA Labs says the average cost of a virus disaster can total up to $500,000.
Not surprisingly, the annual ICSA Labs Virus Prevalence Survey contains good and bad news.
Good news: enterprises get it. After years of needless damage to systems due to a lack of rudimentary AV software, layered security and synergistic controls, enterprises are putting AV protection (in one form or another) everywhere it's needed. They are meeting the continuously growing threat of viruses and worms with the best available tools at their disposal.
Bad news: Viruses are getting worse and continue to outpace enterprise defenses. There's little wonder why enterprises say the problem is getting worse; it's simply because it is. When virus writers aren't creating more innovative malicious scripts, they're pelting networks with nuisance code that consumes a considerable amount of time, money and energy to defend against.
Effective virus protection means incorporating the virus threat in the overall security strategy. Organizations need to patch vulnerable systems, segment their networks to guard against worms spreading through network shares, and properly configure host and network-based devices to ensure they're only running necessary services. They also need to educate users to keep them from surfing hostile Web sites, opening unknown e-mail attachments and exposing their PCs to possible infection.
The malware scourge isn't something that enterprises can defeat; they can only attempt to control it. Through well-thought-out security strategies, traditional AV solutions and layered defenses, enterprises will stand a better chance of preventing infection from both known and unknown viruses and worms.
1ICSA Labs and Information Security are owned by TruSecure, a provider of security assurance services. The annual ICSA Labs Virus Prevalence Survey was conducted independent of TruSecure and Information Security. For information about the survey, visit www.icsalabs.com/2002avpsurvey.
About the author:
Larry Bridwell is content security programs manager at ICSA Labs and author of the annual ICSA Labs Virus Prevalence Survey.
Lawrence M. Walsh is managing editor of Information Security.