Number of the Month: 70K per Day.

Anti-malware: it’s a dirty job, but someone’s got to do it. Or at least it used to be… but I’ll get to that later…

For your average Joe it can be hard to understand all the finer details of the work of an anti-malware company. But oh how we want to tell everyone about them! So we’re trying as best we can to translate them all into understandable, non-gobbledygook language – not to mention also in the English language!

One gets a peek at the tip of the malware-fight iceberg from collections of facts and figures that illustrate the basic ins and outs of anti-malware. For example, here are the kinds of infographics we issue on a regular basis:

[infographic image]

One of the most frequently asked questions we get is: “How many viruses do you find every day?”.

At first you may laugh – but you shouldn’t. No. Here I should remind you (forgotten your better schoolteachers’ words?) that there’s no such thing as a stupid question! So what do I do with this question – simple though it seems? Answer with a simple answer. Right? I thought the answer was the much-bandied-about figure we’ve had for a while – 35,000 viruses a day. Or somewhere in that vicinity, on average, and without going into mind-numbing detail about malware families, polymorphism, vector patterns, peculiarities of counting database records, etc.

But since for several months now the answer to this question has normally been followed up by further enquiries seeking clarifications, as it is thought that this figure is too small, we decided to get to the bottom of this once and for all. We got down to some sums and, well, were rather astonished at what we discovered. The result necessitated an update: 70,000 daily! Just a 100% increase, but there you go.

Again, I won’t get into all the gritty details (if anyone is interested – please ask in the comments section below). I’d do better to tell you, in general terms, how we shovel up these 70,000 samples in a day.

Many of you will know that our “family’s” talisman is a woodpecker. And this is no accident.

Back in the day our anti-virus lab worked like a woodpecker! Like on a conveyor – we sat there and pecked away at viruses. Speaking of which, it was a very difficult, fatiguing, albeit respected profession – the dirty job that someone had to do. And guess who was the first woodpecker in the company? You guessed right: for too many years I was pecking away daily!

However, those days are long gone. With the current high-volume streams of malware we discover every day, to peck is just unrealistic and ineffective, or rather, simply daft.

For years now, as if on red-alert combat status… we’ve been auto-woodpecking! Only the most intellectual work is left for human input: examining the trickiest samples, investigating botnets and targeted attacks, making sure that the auto-woodpeckers don’t give any false positives, and of course training and developing these little helpers of ours.

There are several sources from which we receive samples of malware for analysis: self-propelling ones (which get caught in special traps), “submits” (sent by users), collection exchanges with other anti-virus companies, and our cloud-based KSN service (video, details). And in terms of the contributions towards protection of users, the latter is in the lead. So here let’s have a quick look at KSN and see how it drives our automation of malware processing.

The participating computers in KSN (currently more than a cool 50 million) send to the cloud statistics (anonymously, of course – no Big Brother participation here!) on how our products operate. Specifically, the cloud collects information about detected malicious programs and infected sites and much more besides to help reveal new outbreaks – for example, suspicious activity of programs, downloaded file checksums, and more.

Let’s say a user launches a previously unknown file. The anti-virus checks it with all the tools it has – and determines the file to be clean. Then the AV asks the cloud, and the response – no data. Ok, so we give the all-clear for the launch. But then it turns out that the file somehow strangely positions itself in the system registry, tries to access system services, sets up suspicious connections, has a double extension (e.g., jpg.exe), or does something else fishy.

A signal arrives at KSN, where the system automatically evaluates the reputation of the file (based on all the signs of trouble) and decides on a verdict: “bad”, “good”, or “not sure – best be careful”. If “bad”, an “attack” command is sent to the protected computer: the file is blocked and its actions are rolled back. Of course, the more messages about a file arrive from different computers, the higher the priority of processing and the higher the accuracy and criticality of the verdict. And if the suspicious file turns up on other users’ computers plugged into KSN, they get told straight away that it’s suspect and advised not to take any chances.

Let’s take another example:

Several users simultaneously download a file from one and the same link. But each time the file has a different checksum. Smells not like Teen Spirit, smells like malicious polymorphism! KSN starts to untangle the nitty-gritty and sees that, for example, the site was registered just a few days earlier, there’s some kind of iframe on it, and maybe it had even sent out infected files earlier (well, that’s a lot of signals that something ain’t right). And again, the cloud gives marks out of ten for reputation and, if not so good, sends a command to block not only the file itself and everything else originating from it, but also access to the site.

Thanks to this approach, on average between detection and verdict there are just 40 seconds!
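To make the two scenarios above concrete, here is a toy reputation service written as an added example for this post. It is not Kaspersky code and does not show how KSN is actually implemented: the signal names, weights, thresholds, checksums and the download link are all invented assumptions. It walks through both stories – a previously unknown file that starts behaving badly on several machines, and one link that hands every user a differently-checksummed file – and returns the verdict, score, processing priority (number of distinct reporting machines) and the commands that would be sent back.

```python
"""Toy reputation cloud in the spirit of the KSN description above. Constructed
for illustration only (not Kaspersky code): signal names, weights and
thresholds are invented assumptions."""
from collections import defaultdict

# Hypothetical weights for behaviours an endpoint observes after a file runs.
FILE_SIGNAL_WEIGHTS = {
    "registry_autorun": 3,          # strangely positions itself in the registry
    "touches_system_services": 2,   # tries to access system services
    "suspicious_connection": 2,     # sets up suspicious connections
    "double_extension": 3,          # e.g. holiday.jpg.exe
}
# Hypothetical weights for what the cloud learns about a download source.
SITE_SIGNAL_WEIGHTS = {
    "domain_registered_days_ago_lt_7": 3,
    "hidden_iframe": 2,
    "served_malware_before": 4,
    "polymorphic_downloads": 4,     # same link, different checksum each time
}
BAD_THRESHOLD, UNSURE_THRESHOLD = 6, 3


def classify(score):
    """Map a reputation score to one of the post's three verdicts."""
    if score >= BAD_THRESHOLD:
        return "bad"
    return "not sure" if score >= UNSURE_THRESHOLD else "good"


class ReputationCloud:
    def __init__(self):
        self.files = {}                       # sha256 -> {"reporters": set, "signals": set}
        self.downloads = defaultdict(dict)    # url -> {endpoint: checksum seen}

    def lookup(self, sha256):
        """First query for a never-seen file returns None ("no data")."""
        return self.file_verdict(sha256) if sha256 in self.files else None

    def report_file(self, endpoint, sha256, observed):
        """An endpoint reports the suspicious behaviours it saw."""
        unknown = set(observed) - set(FILE_SIGNAL_WEIGHTS)
        if unknown:
            raise ValueError(f"unknown signal(s): {sorted(unknown)}")
        rec = self.files.setdefault(sha256, {"reporters": set(), "signals": set()})
        rec["reporters"].add(endpoint)
        rec["signals"].update(observed)

    def file_verdict(self, sha256):
        """(verdict, score, priority, commands): priority grows with the number
        of distinct machines reporting; "bad" carries block + rollback."""
        rec = self.files[sha256]
        score = sum(FILE_SIGNAL_WEIGHTS[s] for s in rec["signals"])
        verdict = classify(score)
        commands = ["block", "rollback"] if verdict == "bad" else []
        return verdict, score, len(rec["reporters"]), commands

    def report_download(self, endpoint, url, sha256):
        self.downloads[url][endpoint] = sha256

    def site_verdict(self, url, known_facts):
        """Score a download source from recorded downloads plus known_facts
        (constructed registration / iframe / history signals)."""
        signals = set(known_facts)
        seen = self.downloads[url]
        checksums = set(seen.values())
        # Several users, one link, every download a different checksum: the
        # post's "malicious polymorphism" smell.
        if len(seen) >= 2 and len(checksums) == len(seen):
            signals.add("polymorphic_downloads")
        score = sum(SITE_SIGNAL_WEIGHTS[s] for s in signals)
        verdict = classify(score)
        commands = []
        if verdict == "bad":   # block the files *and* access to the site
            commands = [f"block_file:{h}" for h in sorted(checksums)]
            commands.append(f"block_url:{url}")
        return verdict, score, commands


def demo():
    """Both scenarios from the post, on constructed data."""
    cloud = ReputationCloud()
    h = "cafe" * 16                                    # constructed sha256
    first = cloud.lookup(h)                            # None: no data yet
    cloud.report_file("pc-1", h, ["registry_autorun"])
    one_report = cloud.file_verdict(h)                 # score 3 -> "not sure"
    cloud.report_file("pc-2", h, ["suspicious_connection", "double_extension"])
    two_reports = cloud.file_verdict(h)                # score 8 -> "bad"

    url = "http://dl.example.invalid/setup.exe"        # constructed link
    for i, pc in enumerate(["pc-1", "pc-2", "pc-3"]):
        cloud.report_download(pc, url, f"{i:064x}")    # new checksum each time
    site = cloud.site_verdict(url, ["domain_registered_days_ago_lt_7", "hidden_iframe"])
    return first, one_report, two_reports, site


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the file prints the four results of `demo()`. The point worth noticing is in the second scenario: two users receiving the same checksum from one link is not suspicious at all, while three users each receiving a different checksum is the single strongest signal in the table, and on its own is enough to push an otherwise unknown site into “not sure” territory before any registration or iframe facts are added.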

But our auto-woodpeckers don’t stop there. Another system pumps from the network the most suspicious files and hands them over for analysis to an automatic handler.

There’s an array of all sorts of patented and yet-to-be patented technologies related to all this, so I won’t dig deeper here – I’ll save that for another day. For now just let me say that this handler develops and tests the familiar-to-everyone updates and sends them to the server so that all of us can download them and stay optimally protected.

I remember eight years ago how competitors enviously admired how we had the knack of doing things right and getting results with the few resources we had to conduct such a huge amount of work. The answer: automation! But only competent automation is able to cope with today’s crazy flow of malware! And btw, though the “battlefront” in anti-malware work is constantly expanding, for a year now we have not increased the number of employees in the anti-virus lab.

So how do small anti-virus companies survive, you may ask. For example how can an AV company with as few as just two virus analysts – there is such a company! – handle this avalanche of new malware?

It’s taken as read that to run a good anti-virus lab you need not only money but also brains. So how do they find the resources to keep afloat, while spending little on R&D?

This is a big topic.

For several years in the anti-virus industry “detection adoption” has been flourishing. Instead of analyzing malware, developing home-grown expertise and nourishing new technologies, some (that is, around ten) companies simply peep at the results of the hard work of others and blindly add to their databases detections based on infected files’ checksums.

And they are helped along by incompetent tests that don’t reflect protection levels in real-world conditions. As a result, coming out top of the class is not the very best software, though the quantity of its installations increases as a result of the bogus gold medals, and the overall global level of protection falls. Honest companies dedicated to genuine, painstaking anti-malware research may lose motivation to conduct research as the effectiveness of investment in R&D falls, but sales of the copy-cats’ products rise, and cybercriminals rejoice.

But this is a topic for another post…

Despite this gloomy picture we still continue our work and keep investing in anti-malware R&D. And we’re planning a lot of new technologies in next year’s releases. At the same time, I’ve no idea at the moment how to protect our investments and avoid detection adoption, which naturally thwarts the fight against cybercrime.

To finish on a merrier note, here are some pics of what some of our woodpeckers look like (some of them are still available in our merchandizing store!):

And even a #kozmo woodpecker:

BTW, if anyone has more KL branded woodpeckers I missed here, please send me links below in the comments or use the contact form. I will be regularly updating my collection, available here.

Do svidaniya, comrades! Have a nice weekend!

17 Responses to “Number of the Month: 70K per Day.”

  1. 70,000 viruses a day isn’t as big as I thought the number would be. Are all of these new numbers? Are you counting derivatives of existing viruses? I apologize that I don’t know the correct word, but viruses that are, oh, so similar to 1000 other viruses, but are just tweaked a little, so they’re given a new number like exampletrojanname33333333.trojan. Do you report your polymorphism findings on websites to search engines so the sites can be de-indexed? I’d appreciate a reply, because my site is going to write an article on this, so specifics are very important.

  2. Nice. Keep up the good work.

  3. I actually think about how come you named this particular posting, “Number of the Month: 70K per Day. | Nota Bene”. In any case I personally loved the blog!
    Thanks for your time – Garfield

Trackbacks/Pingbacks

  1. Features You’d Normally Never Hear About – Part Three. | Nota Bene - December 8, 2011

    […] pattern method means that we need to know about all the baddies. But these days we detect around 70,000 malware samples every day, and what it’s going to be like in years to come is anyone’s guess; but one thing’s […]

  2. SecureConnect Blog - July 16, 2012

    […] step to protect your computer data against the inevitable growth of new malware.  According to a blog written by Eugene Kaspersky, a specialist in the information security field, the estimated number of new malware per day is at […]

  3. Kaspersky internet security 2012 cause multiple BSOD on windows 7 - August 12, 2012

    […]       1 Minute Ago This thread is over 6 months old. No A/V is perfect and some will work better for one individual than they do for others. However, not worrying at all about security is naive and in this day and age to run with no A/V at all is irresponsible. As of last October Kaspersky calculated there are 70,000 new viruses every day. SOURCE […]

  4. Crowdsourcing in Security. | Nota Bene - September 18, 2012

    […] to be found in the way we (KL) successfully process 125,000 samples of malware every day (up from 70,000 late last year). Of course, robots and other technologies of automation and data-flow analysis […]

  5. Crowdsourcing in Security. | Eugene Kaspersky - November 6, 2012

    […] to be found in the way we (KL) successfully process 125,000 samples of malware every day (up from 70,000 late last year). Of course, robots and other technologies of automation and data-flow analysis […]

  6. Additional Features of Kaspersky Lab's Whitelist Program | Eugene Kaspersky - November 7, 2012

    […] pattern method means that we need to know about all the baddies. But these days we detect around 70,000 malware samples every day, and what it’s going to be like in years to come is anyone’s guess; but one thing’s […]

  7. Woodpecker Summit 2012 - Kaspersky Lab Analyst Summit | Eugene Kaspersky - November 8, 2012

    […] KL’s most distinguished virus analysts (woodpeckers; why woodpeckers? – see the full story here) and invited external security experts, who come together to boast about their achievements; […]

  8. Finding the Needle in the Haystack. Introducing: Astraea. | Nota Bene - November 15, 2012

    […] because of how incredibly fast it grows. Indeed, its growth amazed even me: a year ago it was 70,000 samples of malware – remember, per day; in May 2012 it was 125,000 per day; and now – by […]

  9. Trouver l’aiguille dans la botte de foin. Découvrez Astraea | Nota Bene - November 15, 2012

    […] the speed at which it grows. I am impressed myself: a year ago, 70,000 viruses appeared per day; in May 2012, 125,000; and today (bombshell) we […]

  10. Encontrar una aguja en un pajar. Presentamos: Astraea | Nota Bene - November 15, 2012

    […] its incredible growth. In fact, this figure surprises even me. A year ago there were 70,000 malware samples… per day! In May 2012 there were 125,000, and today (for all the […]

  11. Cercare l’ago nel pagliaio. Introduzione a Astraea | Nota Bene - November 15, 2012

    […] how it changes. In fact its growth surprises even me: a year ago there were 70,000 malware samples – mind you, per day! In May 2012 there were 125,000, and today as many as 200,000, […]

  12. Die Nadel im Heuhaufen finden. Astraea stellt sich vor. | Nota Bene - November 15, 2012

    […] it grows at breakneck speed every day. The growth impresses even me: a year ago it was 70,000 malware samples – remember: per day; in May 2012 it was 125,000 per day; and now – […]

  13. Finding the Needle in the Haystack. Introducing: Astraea. | Nota Bene Eugene Kaspersky's Official Blog - November 16, 2012

    […] because of how incredibly fast it grows. Indeed, its growth amazed even me: a year ago it was 70,000 samples of malware – remember, per day; in May 2012 it was 125,000 per day; and now – by […]

  14. All Mouth, No Trouser. | Nota Bene - January 24, 2013

    […] Plain cheating. There are masses of possibilities here. The most widespread is stealing detection and fine-tuning products for specific tests (and onwards as per the above scenarios). In AV […]
