Security Basics mailing list archives

FW: Trojans Outpace Viruses As Threats - free article peer review.


From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 24 Feb 2006 12:32:43 +1100


Hello,
Today we have to have a lesson in statistics.

A previous "article" by Darrin included:
"According to leaders in the Anti-Virus industry, viruses are becoming
less of a threat if you compare the numbers of virus infections to the
number of Trojan Horse infections. In fact less than 1% of the new
threats in 2005 were classified as viruses. Trojan Horses, typically
distributed for profit in a malicious fashion, are gaining tremendous
speed.
Threat          2004    2005
Trojan Horses   38%     42%
Bots            25%     26%
Backdoors        7%     11%
Dialers          9%      8%
Worms            6%      6%
Adware/Spyware   3%      2%
Viruses          2%      1% "

The assertion is made that, as Trojans grew relatively from 38% to 42% and
new viruses fell from a 2% to a 1% growth rate, the 6% growth in the
number of Trojans being produced makes them a greater threat than the 1%
fall in new virus code.

So how do we assess this? How about we look at the REAL threats from a
factual perspective. Let's start with a single month. The numbers
according to CERT are (for Jan 2006 and excluding variants):
        19 new email-borne significant virus attacks, of which
                8 (42%) were graded "Low Risk",
                7 (37%) "Medium Risk" and
                4 (21%) "High Risk".

For the same period (see F-Secure) there were 4 new Trojans reported.
None of these was considered high risk. In fact, however, some of these
"Trojans" were worms, and the term is another that is misused. Further,
the statistics can be played with, as some virus code is also a Trojan,
some worms are also Trojans, and there is a lot of crossover.

So we cannot look at volume. Maybe someone on the list would like to
explain this in real numbers? It is a common marketing trick to use
ratios to confuse data.

Computer virus definitions range (based on the definition of an
individual variant) from estimates of between 5,000 and 40,000
individual virus codes. The difficulty lies in the taxonomy of
polymorphic code variants and the associated determination. The National
Computer Security Association has estimated that there are 110 new
viruses a month at the moment.

The estimated number of Trojans (which does include some worm and virus
code) lies between 500 and 2,500 on the same sourcing. These are growing,
but the actual figures are:
        New virus code per month        110 +/- 15 at 95% confidence
        New Trojan code per month        55 +/- 15 at 95% confidence
So by volume we cannot state that Trojans are worse. In fact they may
be growing at a rate faster than virus code, but they are yet to come
close to catching up. This is a call to watch the events - but not a
risk or threat indicator in itself.

Fred Cohen required only "8 hours of expert work" to build a virus
that could penetrate a UNIX system. How is this less of a risk?

The threat needs to be assessed based on the impact. Instead of FUD
peddling stating that all these new Trojans are coming, how about
assessing the vulnerability and impact on a quantitative basis? This
means with fact, not FUD designed to push software sales. It is
interesting how the article seems to link straight into software sales.

Where is the threat analysis in these figures? What is the impact? How
can any reasonable security professional just look at ratios and
categorically state that "viruses are becoming less of a threat"?

Any threat analysis worth looking at needs to actually analyse the data.
Look at the impact and assign a value. This must be done from a
scientific process. This means a methodology that is replicable.

If you want to actually research the relative threats from viruses and
Trojans over time and how this varies, a time-series analysis of the
impact is necessary. I was looking at conducting a time-series analysis
project, so Darrin, I think that your article may have some eventual
good after all, as I will now likely do a real paper on the topic.

Regards
Craig S Wright

See:
CERT, http://www.cert.org/
Cohen, Fred (1984), "Experiments with Computer Viruses",
http://www.all.net/books/virus/part5.html
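The two points argued in the post (that percentage shares say nothing about absolute volume, and that the 110 +/- 15 versus 55 +/- 15 monthly figures do not overlap at 95% confidence) worked through in code. This is an added example, not part of the original message; the category shares are the ones quoted from Darrin's table, while the yearly totals are assumed for illustration, since the article gives none.

```python
"""Ratios vs. absolute counts: a constructed worked example."""

# Share of new threats by category, (2004, 2005), as quoted in the post.
SHARES = {
    "Trojan Horses": (38, 42),
    "Bots": (25, 26),
    "Backdoors": (7, 11),
    "Dialers": (9, 8),
    "Worms": (6, 6),
    "Adware/Spyware": (3, 2),
    "Viruses": (2, 1),
}

# ASSUMED yearly totals of new threats; the article never states them.
ASSUMED_TOTALS = (5_000, 12_000)


def shares_to_counts(shares, totals):
    """Turn (share_2004, share_2005) percentages into absolute counts."""
    t04, t05 = totals
    return {name: (round(s04 * t04 / 100), round(s05 * t05 / 100))
            for name, (s04, s05) in shares.items()}


def share_fell_but_count_rose(shares, totals):
    """Categories whose share fell while their absolute count grew."""
    counts = shares_to_counts(shares, totals)
    return sorted(name for name, (s04, s05) in shares.items()
                  if s05 < s04 and counts[name][1] > counts[name][0])


def interval(estimate, margin):
    """Confidence interval as (low, high) from 'estimate +/- margin'."""
    return (estimate - margin, estimate + margin)


def intervals_overlap(a, b):
    """True when two (low, high) intervals share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def volume_claim_holds(virus=(110, 15), trojan=(55, 15)):
    """True if the virus interval lies wholly above the Trojan interval."""
    v, t = interval(*virus), interval(*trojan)
    return not intervals_overlap(v, t) and v[0] > t[1]


if __name__ == "__main__":
    print(shares_to_counts(SHARES, ASSUMED_TOTALS))
    print(share_fell_but_count_rose(SHARES, ASSUMED_TOTALS))
    print(volume_claim_holds())
```

With the assumed totals, viruses fall from 2% to 1% of new threats while their absolute count rises from 100 to 120, which is exactly the ratio trick the post describes.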
