“In the last two years, we have seen a growing number of new viruses…” Panda’s Luis Corrons explains
Differentiating between one type of malware and another is neither easy nor, ultimately, particularly useful. Nevertheless, there is a temptation to say that the purpose of a virus is to attack and probably harm the target, while the purpose of a Trojan is to steal from the target. In other words, a virus is a weapon and a Trojan is a tool.
The very nature of cybercrime is changing: it is evolving from the indiscriminate carnage wreaked by earlier viruses into an organised criminal business. It is little wonder, then, that by 2005 the number of new viruses (weapons) was being dwarfed by the number of new Trojans (business tools). Figures from Panda’s new report, The Cyber-Crime Black Market: Uncovered (of which more in a later post) show that the generation of new viruses was so small that it had to be included in the ‘other malware’ category. Trojans, however, accounted for nearly half (49%) of all new malware.
Luis Corrons, PandaLabs’ technical director, told me that the latest figures show an even greater dominance of new Trojans, so that by 2010 Trojans accounted for just about 56% of all new malware. Again, this is not surprising. Trojans are the tool by which cybercriminals extort, steal and fraudulently obtain their income. The surprise, however, is that the virus is showing signs of a recovery: no longer lost within the 10% of other malware, during 2010 it accounted for more than 22% of all new malware.
Why? Why should an uneconomic attack weapon resurface when logic would suggest it should continue to decline? I asked Luis Corrons to explain.
“We used to get a lot of viruses in the past; and then everything became Trojans and worms, and there were only a few new viruses,” he said. “But in the last 2 years we have seen a growing number of new viruses appearing; not necessarily many different ones, but many new variants of the same ones.”
The cause remains a mystery. “We often ask ourselves, why should this happen?” His answer is a bit surprising. “The virus is, for us, a really painful process; even though as an industry it’s where we come from. A virus is far more complex to detect than any other threat, such as a Trojan or a worm. In the final analysis,” he continued, “with a Trojan or a worm, the whole file is malicious.”
Viruses are different. “The virus embeds itself into good files, making detection considerably more tricky. But the bottom line for us isn’t just detection; it’s disinfection. And we have to remove every trace of the virus from the file, returning it to a clean state similar to its condition before the infection. This takes a lot of time and is something that we cannot completely automate. So it involves high level engineers spending a lot of time on the problem.”
In short, Corrons is explaining that a disproportionate amount of time and expertise has to be spent on anti-virus rather than anti-Trojan activities. But here’s the anomaly. “Some of the new viruses we are seeing these days are really, really complex and could only be written by very skilled people. But most of these viruses don’t have any Trojan content, so financial gain is not a motivation.”
So, what is the motivation?
“Our guess,” he suggests, “although we don’t have any hard proof of this, is that the Trojan criminals are also engaged in the creation of these high level computer viruses so that it takes a lot of our time and resources to prevent us focusing on their real business: Trojans and financial theft. We’ve tried to find a better explanation, but we really cannot.”
And that’s a bit worrying. It suggests that the criminal gangs are more organised, better resourced, and more determined than I for one had realised.