
Simple Security – Threats "In the Wild", ascertaining your true risk

Tuesday, May 15, 2007 at 4:16am by Allysa Myers

Once upon a time, back when viruses were primarily created for reasons other than financial ones, there were quite a number of viruses which existed solely in the confines of virus research labs. That is to say, they had never infected a “real person’s” computer. Perhaps they were sent directly to the research labs by the virus authors or by non-researchers who’d infiltrated the virus writers’ bulletin boards (or later, the virus authors’ websites). So AV products contained a lot of detection for things which would never end up affecting the general population.

These lab-bound threats were referred to as “In the Zoo”, as they are captive and not a threat to the general populace. Viruses which had been found to have infected users’ machines were said to be “In the Wild”, not under lock and key and therefore a potential threat to the public.

AV vendors (among others, inevitably) had to deal with a heck of a lot of questions about these lab-bound viruses, as one entity or another would raise a stink about some novel new Zoo virus. In order to clarify this matter with clear statistics, in 1993 Joe Wells created the Wildlist. This list was a terribly useful thing for a couple of reasons: dispelling FUD and independent virus-detection testing.

For the purposes of dispelling FUD, this list was something akin to crime statistics: The possibility of being gored by a rhino while waiting for the bus is truly a frightening one. But then, if no one has ever actually had this happen to them, one can reasonably quit worrying about it. And because this list contains all the viruses people have reported being infected with in any given month, this makes it an excellent test set for putting AV products up against the exact viruses which are likely to be found on a real user’s machine. There are in fact several third-party testing organizations which use it for exactly that purpose.

Now, let us fast-forward back to the financially-motivated present – what does this list mean to you now?

In February 2007 there were 761 viruses reported by 2 or more vendors and 1211 reported by only 1 vendor. How does this compare to just a few years ago, before the rise of the bot? In February 2004, there were 269 reported by 2 or more vendors, and 423 reported by 1 vendor. These numbers are not exactly cumulative; they’re only what are currently circulating. If something has not been reported for 12 months, it falls off the list.
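As an added illustration (not code from the original post), this Python sketch shows how the two figures above can be derived from vendor reports: a sample appears once any vendor reports it, is counted as corroborated when two or more vendors report it, and ages off after 12 months without a report. The vendor names and the sample list are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: (sample name, reporting vendor, year, month).
REPORTS = [
    ("W32/Netsky.P", "VendorA", 2007, 1),
    ("W32/Netsky.P", "VendorB", 2007, 2),
    ("W32/Mytob.gen", "VendorA", 2007, 2),
    ("W32/Stration.A", "VendorA", 2006, 12),
    ("W32/Stration.A", "VendorC", 2006, 12),
    ("W32/Sober.X", "VendorB", 2006, 1),   # last seen 13 months before Feb 2007
    ("W32/Bagle.AB", "VendorC", 2006, 3),  # last seen 11 months before Feb 2007
]

WINDOW_MONTHS = 12  # assumption: "not reported for 12 months" means age >= 12


def _month_index(year, month):
    """Flatten a (year, month) pair so month differences are plain subtraction."""
    return year * 12 + month


def _vendors_within_window(reports, as_of):
    """Map each sample name to the set of vendors that reported it recently enough."""
    now = _month_index(*as_of)
    vendors = defaultdict(set)
    for name, vendor, year, month in reports:
        age = now - _month_index(year, month)
        if 0 <= age < WINDOW_MONTHS:
            vendors[name].add(vendor)
    return vendors


def wildlist_counts(reports, as_of):
    """Return (samples reported by 2+ vendors, samples reported by exactly 1 vendor)
    for the month given as (year, month), ignoring reports older than the window."""
    vendors = _vendors_within_window(reports, as_of)
    two_plus = sum(1 for v in vendors.values() if len(v) >= 2)
    single = sum(1 for v in vendors.values() if len(v) == 1)
    return two_plus, single


def aged_out(reports, as_of):
    """Names that have been reported at some point but not within the window."""
    ever = {name for name, _, _, _ in reports}
    return ever - set(_vendors_within_window(reports, as_of))


if __name__ == "__main__":
    print(wildlist_counts(REPORTS, (2007, 2)), aged_out(REPORTS, (2007, 2)))
```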

These numbers by themselves are pretty staggering. But wait, there’s more!

This list doesn’t include trojans or adware. Regardless of whose numbers you view, both trojans and adware make up a significant portion of the total numbers of nasty things on the internet now. Inclusion of these categories would inevitably increase the numbers very considerably.

For better or worse, at this point Zoo malware is something of a rarity. Why create malware for the hope of a little notoriety when you can make a few thousand bucks by infecting people with bots instead? About the only Zoo malware seen these days are “proof of concept” samples, showing that it’s possible to infect certain new OSes or file types, and many of these are only marginally functional, if they work at all.

With the current modus operandi of malware authors being to use malware created to target specific organizations, or to send as many unique threats as possible in order to stay under the radar, many things that infect real users’ machines may never make it to the Wildlist. Consequently, it’s better to cover your bases as broadly as possible: worry less about the specific malware and more about how to protect yourself in general. Think about how you use your computers and what data goes in and out (e.g. Do you use your machine to swap Office files? Surf the internet?) and focus on how you can organize your machine to deal with those particular activities safely.

Next on Simple Security: Infection in action – Watch how common security applications (such as a firewall and IPS) deal with an unknown infection.
