Security sector on the attack

ANYONE PINING for the days when computer viruses came with catchy titles like 'ILOVEYOU' should be warned: far from disappearing, infections are multiplying and mutating so fast that naming them is the least of anyone's worries, writes GORDON SMITH

Estimates vary, but all point to a growing problem. The antivirus (AV) firm Sophos says it records a new infection sample roughly every half-second, around the clock – a 60 per cent increase on last year.

In Ireland alone, Trend Micro detects 13,000 infected files from its customers every 24 hours, with fake antivirus programs among the most common types.

Blacklisting malicious software, or malware, has been one of the cornerstones of the antivirus industry for more than two decades. The idea is simple: the antivirus recognises the signature of software that is known to do bad things to computers, and blocks the file from opening.

But the sheer volume of threats is putting a strain on this approach. According to Symantec, there were close to 166 million unique malicious code threats between April and June this year. That is before counting the number of legitimate programs and apps created in the same period, which the blacklist must leave alone.

Graham Ahearne, regional product manager with Symantec, says of current protection methods: “You need to know about something before you protect against it . . . There are millions of files that appear and we don’t yet know if they are good or bad. That space is where malware first tends to breed.”

At the opposite end of the spectrum, attacks are now being created specifically to exploit flaws in just one organisation’s systems, or to target particular individuals. “We used to think that it was just government bodies and military targets but we know now that’s not the case,” says Orla Cox, security operations manager with Symantec’s security response team.

Symantec’s response to this is to give programs a reputation score based on the number of people who download them and how long the file has been in circulation. For example, a new version of the Firefox web browser that has a million downloads is considered safe. Equally, a program that appears out of nowhere and is downloaded by only a handful of people is treated as suspicious.

Dermot Williams, managing director of Threatscape, an IT security consultancy and Symantec partner, likens this approach to judo because it uses an attacker’s strength against them. It doesn’t matter whether the malware is widespread or highly targeted; reputation scoring is designed to stop both. “A file can’t not have a reputation. If it’s brand new, the fact that we know nothing about it actually tells us something. That’s suddenly an enormously valuable atom of information,” he says.

This “Insight” technology is now in Symantec’s Endpoint Protection 12.1 suite, which is a free upgrade for existing customers. It allows businesses to set their security policy accordingly, so that any new program created within the past week with a low reputation score is automatically blocked from their networks.

Because the reputation score is keyed to how widely and for how long a file has been seen rather than to its contents, the classic countermeasure of slightly mutating the virus so that its signature changes works against the attacker: every mutated copy is a brand-new file that nobody has seen before, which is exactly what the system treats as suspicious. “It should certainly upset the malware authors’ favourite approach, of morphing samples frequently to try to bypass detection – in this case, such tactics will actually make detections more likely,” says John Hawes, technical consultant and test team director with the independent security software tester Virus Bulletin.
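The prevalence-and-age policy described above, as an added example in Python that is not Symantec’s or any other vendor’s product code: the in-memory reputation database, the thresholds and the sample file bytes are all constructed assumptions, and the `morph` helper stands in for a polymorphic packer. It shows why morphing a sample hurts the attacker under this model (each variant has a new hash, so each starts with no reputation and is blocked) while an old but rarely installed legitimate tool is merely sent for a conventional scan.

```python
import hashlib
from datetime import date, timedelta

# Fixed "today" so the example is deterministic when run offline.
TODAY = date(2011, 9, 1)

# Constructed stand-in for a vendor's cloud reputation database. It maps a
# file's SHA-256 digest to (number of customer machines that reported it,
# date it was first seen). Assumption: a real service such as Symantec's
# Insight folds in many more signals; this example keys on prevalence and
# age only, which is all the article describes.
REPUTATION_DB = {
    # a popular browser build: seen on a million machines, months old
    hashlib.sha256(b"browser-6.0-installer").hexdigest():
        (1_000_000, TODAY - timedelta(days=90)),
    # a niche in-house tool: few installs, but in circulation for over a year
    hashlib.sha256(b"payroll-export-tool").hexdigest():
        (40, TODAY - timedelta(days=400)),
}


def digest(file_bytes: bytes) -> str:
    """A file's identity is its content hash, so any byte change is a new file."""
    return hashlib.sha256(file_bytes).hexdigest()


def lookup(file_bytes: bytes) -> tuple[int, date]:
    """Return (prevalence, first_seen). A file nobody has reported has
    prevalence 0 and is first seen the moment it is looked up."""
    return REPUTATION_DB.get(digest(file_bytes), (0, TODAY))


def verdict(file_bytes: bytes, min_prevalence: int = 50,
            new_file_days: int = 7, today: date = TODAY) -> str:
    """Policy sketched in the article: block a low-reputation file created
    within the past week, trust a widely installed file without a content
    scan, and fall back to signature/heuristic scanning for everything else.
    The thresholds are assumptions, not vendor defaults."""
    prevalence, first_seen = lookup(file_bytes)
    age_days = (today - first_seen).days
    if prevalence >= min_prevalence:
        return "allow"          # known-good by prevalence: skip the expensive scan
    if age_days < new_file_days:
        return "block"          # brand new and rare: where malware first breeds
    return "scan"               # rare but established: let the classic engines decide


def morph(file_bytes: bytes, salt: int) -> bytes:
    """Mimic a malware author morphing a sample: pad with NOPs and a counter so
    the bytes, and therefore the signature, change while the code does not."""
    return file_bytes + b"\x90" * (salt % 16 + 1) + salt.to_bytes(4, "little")


def variant_verdicts(sample: bytes, count: int) -> list[str]:
    """Verdicts for `count` freshly morphed variants of `sample`. Each variant
    hashes differently, so each starts with zero prevalence and zero age."""
    return [verdict(morph(sample, i)) for i in range(count)]


if __name__ == "__main__":
    dropper = b"constructed-dropper-payload"   # constructed stand-in for a malware sample
    print("browser:", verdict(b"browser-6.0-installer"))
    print("in-house tool:", verdict(b"payroll-export-tool"))
    print("unknown dropper:", verdict(dropper))
    print("5 morphed variants:", variant_verdicts(dropper, 5))
    # A genuinely new legitimate build is blocked too: the policy's false-positive cost.
    print("fresh internal build:", verdict(b"internal-build-2011-09-01"))
```

The last line of the demo is the caveat a practitioner should keep in mind: the same rule that blocks five morphed droppers also blocks a legitimate build compiled this morning, so a deployment needs an allow-list or a grace path for software the organisation produces itself.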

Hawes adds that it is hard to judge the effectiveness of this approach compared with blacklisting or heuristics without thorough testing in specialist labs and in the real world. He is also unsure whether reputation scoring will become standard industry practice, because the number of computers needed to make the approach workable is at the disposal of only the largest AV vendors.

Symantec can use information provided by 175 million customers’ machines to assign reputation scores – a kind of “wisdom of the crowds” on steroids. Rival Trend Micro uses 80 million computers to gather similar data.

Hawes believes it’s too early to tell if reputation scoring represents a major breakthrough in combating malware. “With each new development in protection, we generally see a brief improvement in safety before new attack vectors emerge, and adoption by the bulk of vendors tends to be mirrored by a move towards new approaches by the bad guys,” he says.

“Each layer of defence the vendors add makes it harder to penetrate protected systems though, and this one does sound like it could be a significant step forward,” he says.

Urban Schrott, cybercrime analyst with antivirus firm Eset Ireland, is sceptical about claims that any one concept is a “game changer”. A good antivirus product should have a multi-layered approach, he says. “Some technologies are better for detection, some for prevention and others for removal . . . All of these different technologies serve a specific purpose and saying one is at an end or we need something new is like saying ‘now we have airbags in cars, we don’t need seatbelts’.”

Safe or sorry? Security and cloud computing

CLOUD COMPUTING is the latest technology trend and the antivirus (AV) industry hasn’t been slow to embrace the opportunity.

Symantec, Trend Micro, Kaspersky Lab, Eset and others have been adding cloud-based technology into their products.

More than simply following the fashion, the industry thinks the cloud can solve two key problems. The first is that the computing power of data centres can analyse the ever-increasing volume of threats more effectively than any single desktop can.

The second is to remove some of the burden of scanning files on individual computers, which can slow performance to the point where users cannot get any proper work done.

Symantec claims at least 80 per cent of the software on an average machine is benign, and that skipping files with a high reputation score speeds up scanning of existing files on a PC by up to 70 per cent.

Although security tools from most of the leading vendors also use heuristics, which analyse how programs behave, in addition to blacklisting, that approach has its own flaw: the risk of false positives, where a good application is mistakenly categorised as bad.

“At the end of the day, malware burrows deep into your system, so AV needs to go even further still, constantly monitoring for suspicious activity,” says Robert McArdle, manager of EMEA threat research at Trend Micro in Cork. “All of that takes a toll in terms of performance. That’s one of the other major benefits of cloud AV – a lot of the resource-hungry processing has been offloaded on to powerful data centres of the security industry,” he says.

That will be an important trend as people move from desktop computers to less powerful mobile devices.

In a recent webcast, Kaspersky Lab chief executive Eugene Kaspersky says cloud-based AV will be so effective that it will force all but the most professional cybercriminals out of the game.

McArdle thinks cloud AV and reputation-based systems are “definitely a major breakthrough” in fighting infections, “but we cannot just sit back, pat ourselves on the back and say ‘job done’. Cybercriminals are constantly innovating and so must the security industry.”