SophosLabs has discovered a technique in anti-virus marketing, which we detect as Spin/BigNumber-P. Typical behaviour involves phrases such as “Product detects X viruses!”, where X is a large, rather exact-sounding number. Some variants involve high-tech numerical displays updated in real-time with ever growing numbers. This technique has been spotted in the wild.
Never one to be left out, SophosLabs would now like to publish the number of malicious files we detect:
Yes, that’s right: We currently detect an infinite number of malicious files. While that shouldn’t surprise those familiar with SophosLabs, let me explain.
Talking about a specific number in relation to total malicious file detections reveals a misunderstanding of how malware and malware detection operate. The vast majority of threats we see are polymorphic: each threat turns up as many variants rather than as one fixed file. Some are modified by the malware authors, others are generated by server-side programs (server-side polymorphism), and others modify themselves as they spread. And then there are file-infecting viruses, which can potentially turn any clean file on a system into a malicious one. An infinite number of threats.
When a quick response is required, our analysts and automated systems can block a specific file. But the bulk of our protection comes from generic detection which looks for characteristics of known malware, rather than an exact match. Just one such identity might detect hundreds, thousands, or an infinite number of variants.
Let me be clear: There are no practical limits on the number of different files we can detect, nor on the number of identities our product can handle. If we were relying solely on exact file matches using checksums, we might quickly run into performance issues and memory limits, or have to restrict detection to only the most active threats (a practice followed by some other vendors). Instead, we maintain a multi-layered detection framework based on static characteristics and/or run-time behaviours.
Even with such an impressive detection number, we’re not about to rest on our laurels. In fact, by tomorrow, our detection number will be an even larger infinity. If that seems paradoxical to you, you probably didn’t take Pure Mathematics in University. But I did, so let me offer an example: The set containing all positive, even numbers (2, 4, 6…) is infinite, and so is the set of all positive whole numbers (1, 2, 3, 4, 5, 6…). Counter-intuitively, those two are the same size, because they pair off exactly (1 with 2, 2 with 4, 3 with 6, and so on). To get a strictly larger infinity you need something like the set of all real numbers between 0 and 1: Cantor showed that no such pairing with the whole numbers is possible, so that set is bigger than either of the first two.
Too theoretical? Consider Troj/VB-EUH which, when run, creates about 100 variations of itself on the host system. Running any of these variants on a new system will create 100 more variations. It’s easy to see that an automated system left running could quickly create hundreds of thousands of new, malicious files, all of which would be detected as Troj/VB-EUH.
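As an added example (not code from the original post or from SophosLabs), the following Python simulation puts the last few paragraphs into working form: a constructed toy family in which every variant carries the same small XOR-decoder stub with a fresh key byte and fresh junk bytes on either side, spawned 100 at a time like the trojan above. An exact-match checksum database holding the one file the lab has seen catches none of the new variants, while a single characteristic-based identity (the stub with a wildcard for the key) catches all of them and ignores a constructed clean file. The byte patterns, the `GENERIC_SIG` identity and all function names are invented for the illustration.

```python
import hashlib
import random
import re

# Constructed toy "family": every variant carries the same small XOR-decoder
# stub (the characteristic a generic identity keys on), a per-variant key
# byte, the payload encrypted under that key, and random junk either side.
# These bytes are invented for the example, not taken from any real sample.
STUB_HEAD = b"\xb9\x10\x00\x00\x00"       # mov ecx, 16   (loop counter)
STUB_KEY = b"\xb0"                        # mov al, <key> (key byte follows)
STUB_TAIL = b"\x30\x04\x0e\x49\x75\xfa"   # xor [esi+ecx], al ; dec ecx ; jnz
PAYLOAD = b"constructed malicious payload"

# One "identity" for the whole family: the stub with a wildcard for the key.
# re.DOTALL makes '.' match any byte value, including 0x0a.
GENERIC_SIG = re.compile(
    re.escape(STUB_HEAD) + re.escape(STUB_KEY) + b"." + re.escape(STUB_TAIL),
    re.DOTALL,
)


def random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_variant(rng: random.Random) -> bytes:
    """Build one new variant: fresh key, fresh junk, same decoder stub."""
    key = rng.getrandbits(8)
    encrypted = bytes(b ^ key for b in PAYLOAD)
    return (random_bytes(rng, rng.randint(1, 32))
            + STUB_HEAD + STUB_KEY + bytes([key]) + STUB_TAIL
            + encrypted
            + random_bytes(rng, rng.randint(1, 32)))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_detects(sample: bytes, hash_db: set) -> bool:
    """Exact-match detection: the file must already be in the database."""
    return sha256(sample) in hash_db


def generic_detects(sample: bytes) -> bool:
    """Characteristic-based detection: match the decoder stub, any key."""
    return GENERIC_SIG.search(sample) is not None


def run_simulation(generations: int = 3, per_generation: int = 100,
                   seed: int = 1) -> dict:
    """Seed the lab with one sample, let the family spawn per_generation
    variants per run (like the 100-variant trojan), and score both schemes
    on every variant that appears after the first one."""
    rng = random.Random(seed)
    first_seen = make_variant(rng)
    hash_db = {sha256(first_seen)}       # the one file the lab has blocked
    hash_hits = generic_hits = total = 0
    for _ in range(generations):
        for _ in range(per_generation):
            sample = make_variant(rng)
            total += 1
            if hash_detects(sample, hash_db):
                hash_hits += 1
            if generic_detects(sample):
                generic_hits += 1
    return {
        "new_variants": total,
        "hash_signatures_held": len(hash_db),   # would need +1 per variant
        "hash_hits": hash_hits,
        "generic_identities_held": 1,           # one identity, whole family
        "generic_hits": generic_hits,
    }


def clean_file_is_ignored(seed: int = 7) -> bool:
    """A constructed clean file (random bytes, no stub) must not fire."""
    rng = random.Random(seed)
    return not generic_detects(random_bytes(rng, 4096))


if __name__ == "__main__":
    print(run_simulation())
    print("clean file ignored:", clean_file_is_ignored())
```

The checksum database would have to grow by one entry for every variant the family emits, which is the "no upper bound" problem the post describes; the generic identity stays at one entry no matter how many generations run. Real generic identities are of course far richer than a single byte pattern with a wildcard, but the shape of the trade-off is the same.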
Hmmm, maybe it is time to get our own real-time counter.
View full post on SophosLabs blog