You may be aware that in addition to our semi-annual global threat trends reports, we also do a monthly report. Much of this report is trend analysis based on data from our ThreatSense.Net threat tracking system. ThreatSense.Net® is an advanced threat tracking system which reports detection statistics from tens of millions of client computers around the world. This (anonymised) statistical information is collected from those users of ESET security software who choose to enable the reporting service in the product, and it gives a more comprehensive view of the behavior and spread of malware in the real world. While it’s sometimes difficult to extract solid trend data over a few weeks, we often find that even a month-to-month tracking snapshot can suggest some interesting fluctuations in the threatscape, especially when checked against the figures going back over several months. And so it turns out with the November figures, which I’ve been looking at this weekend.
ESET’s "top ten" results don’t look exactly like anyone else’s. That’s not about whose product is better at detection: it’s simply about the very different approaches to detection algorithms that different products use. In our case, because we make heavy use of advanced heuristics, our results may look very different to, for instance, a product that’s heavily reliant on signature detection. Perhaps I should define again what the mainstream approaches to detection are (this is a somewhat simplified model):
Products that are still heavily into malware-specific signature scanning will tend to use names that look something like W32/UnpleasantBot.AKA, where the suffix identifies a variant. (A malware-specific signature can be considerably more complex than that, depending on the type of malware, though.) The more a product’s detection lies at the behavior analysis end of the spectrum, though, the more variation in naming there is. That’s because the name is likelier to reflect the heuristic algorithm used, not the "true name" of the malware.
In fact, the idea that each malicious program should have its own unique identifier is unrealistic in the current glut-ridden threatscape, as Pierre-Marc Bureau and I discussed in our paper "The Name of the Dose" at this year’s Virus Bulletin. This is particularly so for ESET because of the sophistication of our heuristics.
So after that long preamble, what trends have we actually noticed this time?
Author David Harley, We Live Security