Wednesday, October 05, 2011

Malware prevalence != Infection rates

There have been a number of presentations of late that have tried to document how end-users get infected with malware.

Both Google's malware report and a recent report from CSIS purport to tell us how people get malware, based on which malware they detect most frequently online and which exploits it uses to get onto a client machine.

Google goes so far as to say:
Social engineering has increased in frequency significantly and is still rising. However, it’s important to keep this growth in perspective — sites that rely on social engineering comprise only 2% of all sites that distribute malware.
Google may well be right in the numbers they are reporting (I don't doubt their analysis) but this number tells us nothing about the frequency with which users encounter those malicious sites that employ social engineering to infect users.

The percentage of sites on the internet is not directly correlated with a site's popularity. As a quick thought experiment, imagine that facebook.com or twitter.com or even google.com were distributing social-engineering malware. They would represent a very small percentage of total websites, and yet reach a tremendously large number of users.

My hope is that companies such as FireEye can provide the world some details on exactly which exploits they are seeing, and with what frequency (have they already done that?). Even there, though, the numbers from a corporate environment may not align well with what a home user sees, since many companies that deploy FireEye also do web filtering that prevents users from ever visiting certain types of sites.

The bottom line is that right now we can approximate what causes infections by looking at what the attackers are doing, but we don't truly know which of those attacks are succeeding, or how often.
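To make the thought experiment above and the "what succeeds, and how often" gap concrete, here is an added example (not code from the post, Google or CSIS) that computes the same vector breakdown three ways from one constructed dataset: by site count, by user exposure (visits), and by resulting infections. The vector labels, visit counts and per-visit success rates are all assumed, illustrative values.

```python
from collections import defaultdict

# Constructed sample (not data from the post or from Google/CSIS): each entry is
# (infection vector, daily visits, fraction of visits that end in an infection).
# 98 low-traffic drive-by sites versus 2 very popular social-engineering sites.
SAMPLE_SITES = (
    [("exploit-kit", 100, 0.05)] * 98
    + [("social-engineering", 50_000, 0.02)] * 2
)


def _normalise(totals):
    """Turn per-vector totals into fractions of the grand total."""
    grand = sum(totals.values())
    return {vector: value / grand for vector, value in totals.items()}


def share_by_site_count(sites):
    """Fraction of malicious *sites* per vector (what a '2% of sites' figure measures)."""
    totals = defaultdict(float)
    for vector, _visits, _rate in sites:
        totals[vector] += 1
    return _normalise(totals)


def share_by_exposure(sites):
    """Fraction of *user visits* to malicious sites per vector (encounter rate)."""
    totals = defaultdict(float)
    for vector, visits, _rate in sites:
        totals[vector] += visits
    return _normalise(totals)


def share_by_infections(sites):
    """Fraction of resulting *infections* per vector; needs a success rate per site,
    which is exactly the measurement the post says we do not yet have."""
    totals = defaultdict(float)
    for vector, visits, rate in sites:
        totals[vector] += visits * rate
    return _normalise(totals)


if __name__ == "__main__":
    for label, metric in [
        ("by site count", share_by_site_count),
        ("by exposure  ", share_by_exposure),
        ("by infections", share_by_infections),
    ]:
        shares = metric(SAMPLE_SITES)
        print(label, {v: f"{s:.1%}" for v, s in shares.items()})
```

With these assumed numbers, social engineering is 2% of malicious sites but about 91% of user exposure and about 80% of infections; the ranking of vectors flips depending on which denominator you choose, which is why a site-count percentage alone says nothing about infection rates.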

If someone has more data to provide on that, I'm all ears...


2 comments:

Dan Guido said...

Hey Andy,

I just wanted to sum up the comments I made on twitter.

Google, CSIS, and myself all have statistics for which exploits are launched at potential victims. Any of these exploits will work if the victim isn't patched and you need to defend against all of them for any defense to be effective. Defensive strategies that only protect against a subset of exploits launched will fail. Information that indicates which exploits were ultimately successful at infecting a victim is therefore a distraction.

Rather than use this data to say that app X needs to be patched more than app Y, we should try to come up with effective defenses that more broadly affect the entire data set. I analyzed trends in this data set in slides 54-56 of my SOURCE Boston presentation to come up with a minimum set of defenses that works without patching and defends against every launched exploit.

http://cryptocity.net/files/presentations/EIP-1.1.pdf

--
Dan Guido

Anonymous said...
This comment has been removed by a blog administrator.