ThreatSense.Net: Fear and Loathing in the UK

I was asked about malware infection in the UK (especially with reference to Conficker), and(a) if the situation is really as bad as we, the AV vendors make out, and what the real infection rate is; and (b) whether government and ISPs etc could do more to help. You can now find a link here (http://www.guardian.co.uk/technology/2009/nov/04/malware-pc-security-antivirus) to the piece that Jack Schofield (of the Guardian newspaper) was writing on the topic. However, I thought you might be interested in my original answer on that point, at any rate if you're in the UK.

ESET normally avoids giving out absolute numbers as they're too prone to be misleading or misinterpreted, since we can't say how they compare to the entire population of the Internet. (Not that it stops other companies giving "authoritative" statistics!)  I can say that our lab gets over 100,000 unique malicious binaries a day from Threatsense.Net®, a mechanism for sending in samples from machines running ESET products that detect malware. Obviously that's a global figure, not the UK: I don't have a figure for that.

However, we can give percentage figures that give an idea of which malware (and other suckware) is scoring highly regionally. If you want to compare these figures with the results we got globally in October, they're at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_October_2009.pdf, Note, however, that this is a slightly "apples and oranges" comparison: for a number of reasons, we don't list the global top ten in the monthly report in quite the same way. For instance, nuisance applications that aren't necessarily technically malicious are filtered and some closely related detection statistics are consolidated to show the underlying trend more clearly.

  •  In October in the UK, the top scorer was actually a "possibly unwanted application " (PUA), with 4.02% of detections.  
  • Conficker variants were 2nd (2.68%) and 9th (2.14%) (this is an example where we conflate the figures in the report, to make the trend clearer).
  • Malware that exploits the Autorun vulnerability took positions 3 (2.66) and 5 (2.36%).
  • Number 4 was another type of adware  (2.47%) – note that some types of adware have serious Trojan functionality (Virtumonde, for example), they're not just a nuisance.
  • Position 6 was a fake anti-malware program (2.31%) – that's a higher score than we usually get globally for a specific rogue AV variant, which is interesting. It doesn't mean that the UK is more prone to attacks by rogue AV than the rest of the world, though: it's just that there are a lot of different detections for these things. The situation is analogous to bots: while the total number of infections is very high, it doesn't show up clearly in the statistics because there are so many families and variants.
  • Number 7 was an advanced heuristic that picks up an even wider range of malware than INF/Autorun.
  • Number 8 was malware targeting online gamers (2.16%).
  • Number 10 was a highly generic detection for a range of bots and similar malware.

I don't think there's much that governments can do on a legal/governance level (some have some catching up to do, though). The vendor research community does work with law enforcement and even intelligence services to a greater extent than you might suspect, and I wouldn't want to play down the importance of that co-operation. Some ISPs do make a serious effort to block malicious URLs, which are a -major- cause of infection, but they come and go hydra-like. It does help that AV vendors recognize a high percentage of malicious binaries once they're downloaded to a protected system (whereas detection on the site or during download tends to be highly resource intensive). However, I  don't think there's a single, easy solution: anti-malware is only one layer of remediation.

Just to give a little global perspective, the data I drew on here suggest that the threats detected by ESET-protected machines in the UK over October represented about 0.44% of the binaries submitted by all the protected machines in the world, and 1.61% of them were unique to the UK.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Author David Harley, ESET

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

2 articles related to:
Hot Topic
10 Nov 2009
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.