Meaningless Malware Counting?

Posted by Gunter Ollmann on July 25, 2008 at 11:23 PM EDT.

I know everyone’s been distracted with that DNS vulnerability this week and, yes, if you haven’t already done so, you should have patched already. But seriously, if you haven’t, stop reading, patch your DNS servers now – this blog entry will still be here when you’re done.

Anyway, if you were to scroll a little further down your favorite technology news site this week (somewhere below all the DNS and iPhone news/spam) you’ll likely see some snippets from the latest batch of half-year vendor-sponsored security reports (with more to come next week :-)

One particular statistic struck me as worth a closer examination… “It is estimated that the total number of unique malware samples in existence now exceeds 11 million…” according to Sophos.

Yeah, it’s a big number but, to be perfectly honest, in the grand scale of a malware pandemic, I think it’s pretty meaningless. It’s not as if you can do anything about it. No – scratch that – you can do something: you can increase it any time you want…

Let's face it, the proliferation of build-your-own malware kits has pretty much made the quantitative measurement of malware samples redundant. For a few hundred dollars anyone can arm themselves with an arsenal of the tools they'd need to create batches of new “undetectable” malware by the shed load. Generating 100,000 new one-of-a-kind malware samples can be turned into a batch process (assuming you don't just go out and buy a tool to do this for you as well!) and can probably be done in a few hours if you really bothered to put some effort into it.

Take for example a commercial Trojan generator toolkit such as the Turkish Turkojan v4, which comes in Bronze, Silver and Gold editions ($99, $179, $249 respectively) and includes a six-month money-back replacement warranty if it were to be detected by any anti-virus product (OK, that's for the Gold edition, but I'm sure you get what I mean). It's fine at bypassing any signature-based AV product, and apparently does pretty well against behavioral AV engines too.

Or perhaps you just feel like downloading something similar to the Chinese Y08-40 (aka GenMDB) malicious PDF creator kit, which allows its operator to craft custom infected PDF documents with their own embedded batch of malware and wrap it all up with the latest Adobe Acrobat exploits - an "ideal tool" for creating those payloads you'll need for spam-based delivery.

How about something designed to target businesses rather than home users? For 70 WMZ (WebMoney; 1 WMZ is about 0.89 USD) you can purchase Office Joiner – a tool designed to embed malicious content within Microsoft Office documents that supposedly uses legitimate-only macros and is capable of getting that malware past any of the common desktop anti-virus products (I kid you not!). Since they're legitimate Office macro commands, and don't use any of the common Office vulnerability exploits, if you have (unsigned) macros enabled in your Office deployments you'd better watch out!

And, to round off things (for now) you could always download tools such as PAV.cryptor to turn your previously generated piece of malware into something more sophisticated by adding polymorphic adaptation capabilities for the low price of 48 WMZ.

... or perhaps run that malware through any of the Trojan-to-worm toolkits, and turn that unique polymorphic piece of malware into a self-propagating, network-infecting worm.

11,000,000 unique pieces of malware – is that all? What happened to all the others out there? It's a bit like trying to guess the number of songs being sung worldwide by visiting iTunes and counting the number of tracks currently for sale. You're hardly going to find a copy of "Happy Birthday Annabella" sung in native Samoan, and accompanied by the lead guitarist of AC/DC. And yet, the malware equivalent can be easily created.
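To make the counting problem concrete, here is an added example that is not part of the original post and has nothing to do with any of the kits named above. It builds a small constructed corpus of inert byte strings: two "families", each a fixed core plus a per-variant wrapper (a stand-in for what a packer or cryptor changes between builds), and then counts the corpus two ways. Counting by SHA-256, the way a "unique samples" headline number is produced, every variant is unique; clustering by byte 4-gram Jaccard similarity (an assumed, simplified stand-in for the fuzzy hashing real triage tooling uses) recovers the two families. The names, the 0.2 threshold and the synthetic cores are all assumptions for the demonstration.

```python
import hashlib

# Constructed, inert "family cores": the part of a sample that stays the same
# across variants. These are just labelled byte sequences, not code of any kind.
FAMILY_CORES = {
    "family-A": b"CORE-A:" + bytes(range(0, 64)),
    "family-B": b"CORE-B:" + bytes(range(64, 128)),
}


def make_variants(core: bytes, count: int) -> list:
    """Constructed variants of one core: each gets a distinct 32-byte wrapper
    derived deterministically from a counter, standing in for packer output.
    Every variant differs byte-for-byte, so every one hashes differently."""
    variants = []
    for i in range(count):
        wrapper = hashlib.sha256(core + i.to_bytes(4, "big")).digest()
        variants.append(wrapper + core + wrapper[::-1])
    return variants


def build_corpus(per_family: int = 100) -> list:
    """Constructed corpus: per_family variants of each family core."""
    samples = []
    for core in FAMILY_CORES.values():
        samples.extend(make_variants(core, per_family))
    return samples


def count_unique_hashes(samples) -> int:
    """The headline metric: number of distinct SHA-256 digests."""
    return len({hashlib.sha256(s).hexdigest() for s in samples})


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping byte n-grams; layout-independent, so a moved or
    re-wrapped core still shares most of its grams with its siblings."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b)


def cluster_families(samples, threshold: float = 0.2) -> list:
    """Greedy clustering: a sample joins the first cluster whose representative
    (its first member) is at least `threshold` similar, else starts a new one.
    Same-family variants here share all 68 core grams out of at most 196 in
    the union (similarity >= 0.34); cross-family pairs share almost none."""
    clusters = []  # list of (representative_grams, members)
    for sample in samples:
        grams = ngrams(sample)
        for rep_grams, members in clusters:
            if jaccard(grams, rep_grams) >= threshold:
                members.append(sample)
                break
        else:
            clusters.append((grams, [sample]))
    return [members for _, members in clusters]


def corpus_metrics(samples, threshold: float = 0.2) -> dict:
    """Both views of the same corpus side by side."""
    return {
        "samples": len(samples),
        "unique_hashes": count_unique_hashes(samples),
        "families": len(cluster_families(samples, threshold)),
    }


if __name__ == "__main__":
    for per_family in (100, 1000):
        print(per_family, corpus_metrics(build_corpus(per_family)))
```

Running it shows the point of the paragraph above in numbers: ten times more variants per family drives "unique_hashes" from 200 to 2,000 while "families" stays at 2. The hash count measures how hard the wrapper tooling was run, not how many distinct threats a defender has to understand or detect.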

I think you're underestimating today’s malware threat if you base business decisions solely on these kinds of numbers.

Copyright 2001-2008 © Gunter Ollmann