Useful and useless statistics about
viruses and anti-virus programs
Dipl.-Ing. Maik Morgenstern and Hendrik Pilz
AV-Test GmbH, Magdeburg, Germany
Presented at CARO 2010 Helsinki
http://www.av-test.org
Agenda
• Disclaimer
• The average anti-malware product
• The average malware
• The typical day in anti-malware industry
• Serious and not so serious implications
• Conclusions
• Q&A
Disclaimer
• Not necessarily a scientific presentation
• Based on data from AV-Test only
• May not be representative
• We are just talking about numbers
• We are not claiming anything and we could
be wrong with what we say
• Still, some numbers could make you think
The average anti-malware product
• Based on data from about 30 products (2010)
– Installer Size: 69,6 MB
– Size on Disk: 265,5 MB
– Number of Signatures: 3.666.872
– Size of Signatures: 84,4 MB
– Price: 32 €
– Updates per Day: 6
– WildList Detection: (virtually) 100%
– Zoo Detection: 91,59%
– False Positives: 0,00157%
The average anti-malware product
• Based on data from about 20 products (2005)
– Installer Size: 12,6 MB
– Size on Disk: 87,9 MB
– Number of Signatures: 104.509
– Size of Signatures: 7,7 MB
– Price: 45 €
– Updates per Day: 2
– WildList Detection: (virtually) 100%
– Zoo Detection: 96,04%
– False Positives: 0,03%
The average anti-malware product
• Comparison
– TBD
The average malware
• In the year 2010
– About 486,87 KB in size
– Most likely a PE File
• If not, then maybe HTML/PHP/JavaScript, PDF, some Image or Flash …
– Probably a Trojan (52%), maybe a Worm (11%), a Backdoor (8%), Downloader (8%) or a Rogue application (6%)
– Packed, probably by a custom packer (35%)
• If not, then most likely UPX (29%), AsPack (11%), NullSoft (5%), PE Compact (3%), Themida (2%)
– Detected under 6-7 different names
– Usually detected after 2-4 hours
The average malware
• In the year 2005
– About 180,01 KB in size
– Most likely a PE File
• If not, then maybe HTML/PHP/JavaScript, Batch File or Script
– Probably a Trojan (35%) or a Backdoor (28%), maybe a
Virus (18%) or a Worm (14%)
– Packed, probably by one of the famous packers:
• UPX (31%), FSG (14%), PE Compact (10%), Morphine (6%),
AsPack (5%), NsPack (4%), uPack (4%)
– Detected as the same family by all products
– Usually detected after 10-12 hours
The average malware
• Comparison
– TBD
The typical day in anti-malware industry
• In 2010
– 574 Signature- and Program-Updates released per day
• That's over 17.000 per month and over 200.000 in a year
– 17 GB of Updates downloaded by AV-Test per day
• That's over 510 GB per month and over 6120 GB in a year
– Over 50.000 new unique samples received
• That's over 1.500.000 per month and nearly 20.000.000 in a year
The typical day in anti-malware industry
• In 2005
– 114 Signature- and Program-Updates released per day
• That's over 3.400 per month and over 40.000 in a year
– 1,2 GB of Updates downloaded by AV-Test per day
• That's 36 GB per month and about 400 GB in a year
– Over 360 new unique samples received
• That's over 10.000 per month and nearly 130.000 in a year
The typical day in anti-malware industry
[Chart: New Unique Samples Added to AV-Test.org's Malware Collection. X-axis: months 2007-01 to 2009-11. Y-axis: Unique Samples Added (0 to 1.800.000). Series: Growth, 3 Month Median, Forecast.]
The typical day in anti-malware industry
[Chart: Total Number of Unique Samples in AV-Test.org's Malware Collection. X-axis: months 2007-01 to 2009-11. Y-axis: Unique Samples in Collection (0 to 32.000.000). Series: Actual balance, Forecast.]
The typical day in anti-malware industry
• Comparison
– TBD
Serious and not so serious implications
• TBD
Conclusions
• There are a lot of numbers and statistics to measure and to come up with
• Not all of them are useful
– No product is like the average
• Those that are useful may only be useful in a limited time frame
– Detection rates change, depending on sample set, signature database, …
• Some developments and growth rates can be estimated, many can’t
– It is nothing more than an estimation
Q&A
Thank you very much for your attention!
Questions?