Malware threat reports fail to add up

For example, in its malware report for last month, Fortinet said that W32/PackBredolab.C!tr topped the charts of malware variants detected in December, accounting for two-thirds of malware activity in December. It was a new entry to the malware table, the company said.

Kaspersky highlighted three versions of the Kido worm, known more popularly as Conficker, in the top three slots of its own malware threat report for December. Sunbelt listed Trojan.Win32.Generic!BT in the top malware slot as part of its own report, with almost 20% of the activity for December. A quick scan of the other top 10 malware entries for each company reveals few if any matches.

"Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges," said Tom Kelchner, Sunbelt Research Center manager. "What one company detects and identifies as a specific, named piece of malcode, another may detect generically."

He argued that antivirus companies have tried to use common names for malware that they find, but that the complex nature of antivirus analysis, combined with the speed of the process, has made it almost impossible to work together.

"Naming convention is one thing. But I think the main problem these days is the way in which detection techniques have shifted," said Roel Schouwenberg, senior antivirus researcher, Kaspersky Lab.
"The shift in detection techniques make naming harder and grouping of malware completely different."

Axelle Apvrille, senior mobile AV analyst and researcher in the Fortinet EMEA threat response team, said that the time window for detections is another reason for the disparity in results. "Even if, globally, Sunbelt, Kaspersky and us encounter the same threats, this may not be true when we consider short time frames (such as a month)," he said.

"It's hard for users, not being able to find information on something under one name," noted Joe Stewart, director of malware research at managed security company SecureWorks. Because anti-malware vendors are also competitors, they have little incentive to work together on normalizing names and detection techniques, he pointed out. "I don't think that there's any solution in sight, because there are so many factors that play into it. Because of the way that the industry works, you can't work around them too well."

In short: is there a problem with the user confusion over threat tables like these? Most definitely. Can we solve it? Apparently not. 

What’s Hot on Infosecurity Magazine?