
[News] F-Secure labs receive an average of 25,000 virus samples per day; if the trend continues, the total is expected to exceed one million by year end

This thread was moved by ㄚ一 on 2008-4-3 17:57


F-Secure labs receive an average of 25,000 virus samples per day; if the trend continues, the total is expected to exceed one million by the end of 2008.

F-Secure predicts million viruses by end of 2008
The company received an average of 25,000 malware samples every day, seven days a week

Tuesday, April 01, 2008

BANGALORE, INDIA: The amount of new malware has never been higher. Our labs are receiving an average of 25,000 malware samples every day, seven days a week. If this trend continues, the total number of viruses and Trojans will pass the one million mark by the end of 2008.

While there are more viruses being created than ever before, people often actually report seeing fewer of them. One reason behind this illusion is that malware authors are once again changing their tactics in how to infect our computers. A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov.

Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic. The criminals' new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP.

Drive-by downloads

Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware.

There are several methods criminals use to gather traffic to these websites. A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link. Messages like "There is a video of you on YouTube", or "You have received a greeting card", or "Thank you for your order" have been popular baits.

Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous like "knitting mittens" (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen.

The third method of distributing malware involves the criminals hacking into existing high-profile, high-traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today's criminal hackers don't change the front page at all. They simply insert a line of JavaScript on the front page which uses an exploit to infect your machine when you go there. Everything works and looks as normal.

This has happened to the web sites of some popular magazines which can have a million users every single day. People trust sites that are part of their daily routine, and they couldn't suspect that anything bad could happen when they go there.

Another vector for drive-by downloads are infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don't have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites. Examples of where this has happened include TV4.se, Expedia, NHL, and MLB.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't.

Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links.

Advanced rootkit emerges

An MBR rootkit – known as Mebroot – is probably the stealthiest recent malware we have observed, and has so far been distributed by drive-by downloads.

Mebroot replaces the infected system's Master Boot Record (MBR), which is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.

MBR viruses used to be the most common form of viruses at the time of the DOS operating system about 15 years ago. Recently there were academic papers published in conferences discussing whether this kind of MBR stealth could ever happen in the age of Windows. We have been very surprised to see it happening for real now in 2008.

This means that the criminals have both the funds and the high level expertise to develop such complex attacks. They have succeeded in developing code that loads from the boot sector of the hard drive, stays alive while Windows boots up, then loads parts of itself and injects to the operating system when Windows is up and running, and manages to hide all this very effectively.

We are likely to see this technique being used by quite a variety of malware. These first MBR rootkits are banking Trojans targeting several online banks, where the criminals are clearly seeing an opportunity to make a return on their investment.

First mobile ransom Trojan

Making money is what today's malware is all about and the first ransom Trojans for smartphones have been found in China. We have already seen similar Trojans on the PC side before which infect your computer, take your data 'hostage' or somehow disrupt your computer's capabilities, and then offer to restore everything back to normal if you pay out the ransom money. Typically, the ransom Trojan first encrypts your hard drive and then sends you a password after you have sent money to the criminals via an online money transfer system.

In the case of Kiazha, the first smartphone ransom Trojan, you get infected by downloading a shareware lookalike program on your phone, which then drops several known older viruses on your phone. Next it sends a message explaining that you can only get the phone fixed by transferring the equivalent of seven dollars to the attackers through an online payment system. Today's smartphones are so important to many people that they are prepared to pay a ransom to get back their phonebook, calendar and mobile emails, so we might well be seeing much more of this type of malware in the future.

More mobile trouble

The Beselo worms spread via MMS and Bluetooth by using a novel form of social engineering to trick users into installing an incoming SIS application installation file. What makes Beselo interesting is that instead of a standard SIS extension, the Beselo family uses common media file extensions. This leads the recipient to believe that he or she is receiving a picture or sound file instead of a Symbian application. The recipient is then far more likely to answer "yes" to any questions the phone prompts after clicking on such an incoming file.

The filenames used by Beselo are beauty.jpg, sex.mp3, and love.rm. So if you have a Symbian S60 phone and receive a media file, answer "no" to any installation prompt that appears when trying to open the file. There is no reason for any image file to ask installation questions on the Symbian platform, so any image or sound file that does something else than play immediately is definitely not what it claims to be. Beselo worms are compiled for S60 2nd Edition phones. Attempting to open the file on a 3rd Edition phone will probably cause an error message rather than an installation prompt.

HatiHati.A is another troublemaker, a worm-like application that spreads via MMC cards. Once the worm has copied itself to a new device, it starts sending SMS messages to a predefined number which can prove very expensive.

For a video about mobile threats, please go to our video channel at http://www.f-secure.com/video-channel/
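The Beselo trick described above (an installer named like a picture or sound file) can be caught on a gateway or in a sample triage script by comparing a file's leading bytes with what its extension promises. The following is an added example, not code from F-Secure or the article; the JPEG/MP3/RM magic bytes are standard, and the two Symbian SIS header UIDs are quoted from memory of the format and should be treated as an assumption of this example.

```python
# Added example (not from the article): flag files whose content does not
# match the media extension they claim, the trick the Beselo family used
# (installer files named beauty.jpg, sex.mp3, love.rm).
import os
import struct

# Leading bytes that genuine files of each type start with.
# MP3 may begin with an ID3v2 tag or directly with an MPEG frame sync.
MEDIA_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".rm": [b".RMF"],
}

# Legacy (pre-Symbian 9) SIS packages carry UID3 0x10000419 at offset 8;
# Symbian 9 SIS files start with UID1 0x10201A7A. Both are stored little-endian.
# These values are an assumption of this example (from memory of the format).
SIS_UID3_LEGACY = struct.pack("<I", 0x10000419)
SIS_UID1_V9 = struct.pack("<I", 0x10201A7A)


def looks_like_sis(data: bytes) -> bool:
    """True if the bytes carry either SIS header marker."""
    return data[8:12] == SIS_UID3_LEGACY or data[:4] == SIS_UID1_V9


def classify(filename: str, data: bytes) -> str:
    """Return 'ok', 'mismatch', 'sis-as-media' or 'unknown-extension'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MEDIA_MAGIC:
        return "unknown-extension"
    if any(data.startswith(m) for m in MEDIA_MAGIC[ext]):
        return "ok"
    if looks_like_sis(data):
        return "sis-as-media"  # an installer posing as a media file
    return "mismatch"


# Constructed sample inputs, not real captures.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "song.mp3": b"ID3" + b"\x00" * 20,
    "beauty.jpg": b"\x00" * 8 + SIS_UID3_LEGACY + b"\x00" * 12,
    "love.rm": b"not a real media file at all",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Classify every sample; verdicts keyed by filename."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```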


2 April 2008, 10:45
F-Secure expecting a million viruses this year
Finnish antivirus software vendor F-Secure has published its statistics for the first quarter of 2008. The company estimates that a total of a million new viruses will be born this year – 25,000 malicious programs per day have made their way onto the firm's servers.

This number agrees with other research. Service provider AV-Test last year had already registered viruses at the same daily rate, but from all antivirus vendors and other sources such as honeypots combined. According to AV-Test general manager Andreas Marx, in the 13 hours to one o'clock on Tuesday 21,439 unique samples – viruses with a unique MD5 "fingerprint" – had already made their way onto the company's servers. While Marx originally expected his complete virus archive to contain a total of 7 million samples by the end of 2007, by mid-April the total is now anticipated to exceed 10 million.

As F-Secure gathers around 25,000 samples per day including MD5 non-uniques, the over 20,000 unique samples accumulated by Marx in 13 hours suggests that individual antivirus vendors each acquire only a fraction of the total number of viruses in circulation.

F-Secure's analysis also suggests a significant shift in the ways in which viruses are spread. Trojans in e-mail attachments are becoming less common, while attacks on the web using drive-by downloads are increasing. The use of rootkit techniques to hide viruses is becoming more prevalent. According to F-Secure, the MBR rootkit, discovered earlier this year, is spread by drive-by downloads.

The Finnish security company also develops antivirus software for smartphones. In view of that, it's no surprise that F-Secure has also discovered new threats to these mobile devices. For example, a virus has cropped up that, like the Zippo trojan, blackmails its victims by encrypting files and providing the password only once a ransom is paid. Furthermore, criminals are increasingly using social engineering tactics to encourage smartphone users to install files, using file names like beauty.jpg, sex.mp3 and love.rm, as Beselo.A did.


I like using this antivirus software and have used several versions of it. It is stable and easy to control, and I find its menu interface easier to operate than Kaspersky's. It has a memory consumption problem, but the new version has improved that a lot! If the virus database keeps getting more samples, I believe its scanning ability will one day surpass KAV. (It does use one of KAV's engines, but the student can surpass the master, can't it?)


No wonder replies after reporting samples to Panda have been getting slower and slower... Viruses keep appearing at an extremely fast pace; without a good detection method, relying on signatures alone won't work..


25k per day would be really impressive if none of them were duplicates

Are there really that many viruses?


Part of the virus database is the same as Kaspersky's
But personally I feel F-Secure's protection is a cut above
Looking forward to F-Secure performing well


Receiving samples isn't what matters; what matters most is whether the reported samples can be handled
Otherwise it doesn't help detection much


Quote:
Originally posted by shisin on 2008-4-3 11:26
No wonder replies after reporting samples to Panda have been getting slower and slower... Viruses keep appearing at an extremely fast pace; without a good detection method, relying on signatures alone won't work..
TruPrevent, TruPrevent, TruPrevent, TruPrevent, TruPrevent, TruPrevent.


Reading the reply in post #8, I really want to laugh


Sigh.... I've never understood what use there is in caring about how many virus samples a vendor receives, or how many signatures it officially announces

Rather than caring about that, care about the detection rate.....

The number of samples received does not indicate an antivirus product's detection ability
1. Does anyone know how many viruses are produced per day on average?
   Without a baseline, how can you judge whether 25,000 samples is a lot?
2. What if some of them are clearly the same virus, just with an unpackable packer added?

The officially announced virus database size cannot indicate detection ability either
1. The actual number of viruses does not equal the number of virus definitions
2. Each engine is different, and virus definitions are encoded differently

On forums I see many people who love to say that XXX antivirus's database has passed yet another milestone.... but that cannot represent an antivirus product's detection ability either..
I remember ㄚ一 mentioned long ago that every vendor's database encoding and engine are different; one vendor may have a single definition that catches dozens of viruses, while others cannot do that
Look at how huge Panda's NanoScan database is, yet its known detection rate is about the same as Panda's consumer version
I wonder whether Panda makes the numbers so big so that uninformed users think it is strong?!




If anything above is wrong, please correct me


Actually, apart from the self-promotion, the trends shown by the reported samples are what deserve attention, such as the sections of the article on the growth of rootkit use and the wave of mobile viruses.

Mobile viruses combine easily with illicit operators, profiting directly by dialling premium-rate numbers, so they have become mainstream in Europe; you can tell from the fact that most of those operators offer mobile antivirus. Moreover, mobile antivirus has many limitations, and collecting samples is hard. F-Secure has a basement surrounded by something like an electronic-warfare-proof wire mesh, and a few years ago that is where they handled mobile samples (so the phone signals could not get out); otherwise, the moment you switched on an infected phone, every employee's phone in the company would be in for it......

Japan, Taiwan and the US seem to have fewer problems in this area because of various operator and system factors. Trend Micro once proposed the ambitious mobile-antivirus goal of "starting from the base station", but later probably decided it was more practical to get PC-cillin right first and earn from the PC market......


F-Secure's processing capacity is also quite astonishing, heh
