How can there be 250,000 new viruses every day?


To answer this question, let’s take a look at Sofia, Bulgaria in 1991. Viruses of the day were pretty ordinary, although some of them were quite colorful. The slow spread of viruses permitted detection to be effective in the majority of the cases.  There was a cadre of computer experts in Sofia at the time, including names famous in the modern world of computer security: Professor Vesselin Bontchev, Katarin Tocheva and Jivko Kolchev. There is another, whose name we do not know. We know him only as the DARK AVENGER.

According to legend, the DA was a teenager in Sofia, a student at a rare math and science specialized school (what we would call a target school here in the USA) where students were given free access to computers. He wrote viruses, and was a great fan of the rock band Iron Maiden. Many of his viruses are themed after the band including black scorpion, eddie lives, and others.

But the real reason to remember this young person is an invention he made that rocked the world. (of virus research) It was the DARK  AVENGER MUTATION ENGINE. DAME ( or MtE as it was called at Norton) would be added to malware in development and would make it harder to detect. Each time the virus replicated, the DAME would encrypt it, so it couldn’t be detected using the same pattern.  Fortunately, it was a very early technology and was only used in a couple of viruses (Pogue, Coffeeshop) but unfortunately the idea caught on and was immediately superseded by the TRIDENT POLYMORPHISM ENGINE (or TPE) the idea is essentially the same.  Antivirus companies learned that they could run the infection in emulation, and catch the encryption engine at work.  This made virus detectors orders of magnitude more complicated, but it worked… for a while. Intentional obfuscation, scrambling, hiding in multiple places, renaming and every trick they could think of has been used by malware to hide from detection and/or removal.  Collectively we refer to these efforts as stealth.

Mutation and Polymorphism are good examples of terms that confuse the heck out of people. I once wrote an entire resarch paper on the damage caused by bad nomenclature in the malware research community. (some of it might make a good blog entry—we will see) Here’s a story that illustrates just how:

Around the time of the Y2K panic (remember that?) I was privileged to serve in the national Y2K center in Washington DC, together with two other virus experts. I represented Trend Micro, they represented Norton/SYMANTEC and McAfee. Everyone else belonged to the Government. After the big moment came, and went, and mostly nothing happened. At the wrap up meeting I was asked about mutating viruses. Both of my other comrades answered that they were covered for the detection of mutating viruses, but I knew something they didn’t. The guy asking the question had no idea what the term mutating meant. I assured him that mutating viruses are only hiding from detection and not adding any new powers. (like, say, the FANTASTIC FOUR) He was very surprised.

Flash forward to 2003. As criminals start to produce the majority of malware seen in the world, they made some distinct changes to the dominant forms. For one thing, they had no use for self replicating malware—so viruses and worms begin to go away to be replaced by more targeted forms. Second, they componentized the existing forms.  Think of it this way: an old school virus contained a replication engine, a mutation engine, a stealth agent, an infection engine and a payload. In order to ‘get the job done’ (now that malware had a job to do) they only deliver those parts of the malware needed for the task at hand and keep all of the other components at home.

So in today’s world (this blog was written in early 2013) we experience something called server side polymorphism, where an amount of scrambling and reassembling are done to each piece of malware before it leaves the ‘nest’. This creates a great cloud of new variants who are really minor iterations of the same code. Why do they do this? This is done specifically to defeat traditional antimalware methods, and it works like a charm. Unlike the old polymorphic viruses (which contained the polymorphic engine on board) these are standalone, encrypted and pretty nearly opaque to the techniques developed over the virus years. These malware aren’t so much organisms.  They are bullets.

I want to add a note, here. There is a tendency to think that malware trends show you the one and only type in circulation right now, but nothing could be farther from the truth. There are still viruses, Trojans and worms, spyware and adware, rootkits and botnets, all kinds of malware, all over the map, all the time.  Some of the advanced modern attacks use old fashioned viruses as parts of their attack. This just isn’t simple.  And, it isn’t getting any simpler.

So 250,000 new samples of malware discovered today does not actually mean that they were all newly written. Somewhere in the range of 100-1000 of them were newly written. The rest are mutant clones. They cannot be merely detected as 100-1000 pieces of malware, that effort lies somewhere closer to the enourmous number found in the title of this blog. With numbers like these, it is almost certain that no detection technology will catch up in time to see today’s malware today.  Welcome to the future.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s