Security Basics mailing list archives
FW: Trojans Outpace Viruses As Threats - free article peer review.
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 24 Feb 2006 12:32:43 +1100
Hello,

Today we have to have a lesson in statistics. A previous "article" by Darrin included:

"According to leaders in the Anti-Virus industry, viruses are becoming less of a threat if you compare the numbers of virus infections to the number of Trojan Horse infections. In fact less than 1% of the new threats in 2005 were classified as viruses. Trojan Horses, typically distributed for profit in a malicious fashion, are gaining tremendous speed.

    Threat            2004    2005
    Trojan Horses     38%     42%
    Bots              25%     26%
    Backdoors         7%      11%
    Dialers           9%      8%
    Worms             6%      6%
    Adware/Spyware    3%      2%
    Viruses           2%      1%
"

The assertion is made that as Trojans grew relatively from 38-42% and that new Viruses fell from 2% to 1% growth rate that the 6% growth in the number of Trojans being produced makes them a greater threat than the 1% fall in new virus code.

So how do we assess this? How about we look at the REAL threats from a factual perspective. Let's start with a single month. The numbers according to CERT are (for Jan 2006 and excluding variants): 19 new email-borne significant virus attacks, 8 (42%) were graded "low Risk", 7 (37%) "Medium Risk" and 4 (21%) were high risk.

For the same period (see F-Secure) there were 4 new Trojans reported. None of these was considered high risk. In fact, however, some of these "Trojans" were worms and the term is another that is misused. Further, the statistics can be played with as some Virus code is also a Trojan, some worms are also Trojans and there is a lot of crossover. So we cannot look at volume.

Maybe someone on the list would like to explain this in real numbers? It is a common marketing trick to use ratios to confuse data.

Computer virus definitions range (based on the definition of an individual variant) from estimates of between 5,000 and 40,000 individual virus codes. The difficulty being in taxonomy of polymorphic code variants and the associated determination.
The National Computer Security Association has estimated that there are 110 new viruses a month at the moment. The estimated number of Trojans (which does include some worm and virus code) lies between 500 - 2,500 on the same sourcing. These are growing but the actual figures are:

    New Virus code per month    110 +/- 15 at 95% Confidence
    New Trojan Code             55 +/- 15 at 95% Confidence

So by volume we cannot state that Trojans are worse. In fact they may be growing at a rate faster than virus code, but they are yet to come close to catching up. This is a call to watch the events - but not a risk or threat indicator in itself.

Fred Cohen required only "8 hours of expert work" to build a virus that could penetrate a UNIX system. How is this less of a risk?

The threat needs to be assessed based on the impact. Instead of FUD peddling stating that all these new Trojans are coming, how about looking to assessing the vulnerability and impact from a quantitative basis. This means with fact not FUD as designed to push software sales. It is interesting how the article seems to link straight into software sales.

Where is the threat analysis in these figures? What is the impact? How can any reasonable security professional just look at ratios and categorically state that "viruses are becoming less of a threat"?

Any threat analysis worth looking at needs to actually analyse the data. Look at the impact and assign a value. This must be done from a scientific process. This means a methodology that is replicable. If you want to actually research the relative threats from viruses and Trojans over time and how this is in variation, a time series analysis of the impact is necessary.

I was looking at conducting a time-series analysis project, so Darrin, I think that your article may have some eventual good after all as I will now likely do a real paper on the topic.
Regards
Craig S Wright

see CERT, http://www.cert.org/
Cohen, Fred (1984) "Experiments with Computer Viruses" http://www.all.net/books/virus/part5.html