Bit9


Enterprise Application Whitelisting


Looking closer at the malware statistics

Posted by Mario Vuksan on Thu, Jul 03, 2008

Ever since Symantec CEO John Thompson's keynote at the RSA Conference this past April, there have been several stories that quote statistics claiming that there is more malware produced than bona fide good code. At first it sounds quite alarming: have the bad guys won? Do bad citizens outnumber the good ones? As most of us do not believe such alarmist hoopla, these claims merit some looking into. There may be more and more criminals focusing on Internet theft out there, as the population grows and the opportunities for cyber crime increase. However, it is questionable whether there is actually more malware produced than good software.

The Bit9 Global Software Registry database grew 300% in 2007. What we have seen, by collecting the world's software in this database and cataloguing it, is that the amount of malware has only doubled in the same period, based on the most aggressive of reports. This leads me to believe that there is not more bad software out there than good software.

Yet the story of faulty statistics keeps being retold. In InfoWorld, the reporter quoted Thompson as saying there was more malware than good software. In ComputerWorld it was written that in just one month more than 54,000 new applications were discovered (BTW, Bit9 discovered more applications in a single day). The story said the majority of them were malicious, and it attributed the data to Symantec's Community Watch. What we are not told in this story is that this system looks only at new and suspicious applications among Symantec Enterprise customers, and it ignores all other uninteresting but good applications. Think of suspicious apps as something a HIPS or a behavioral engine would detect. Does this mean that Symantec's Community Watch approach to discovering malware yields as much as 50% false positives?

What is clear is that there is significant growth in the quantity of malicious software, as all anti-virus vendors and analysts have noted. In fact, Gartner analyst Peter Firstbrook recently called it the "explosion of the malware universe" at the Gartner IT Security Summit Conference in Washington, DC. The most important takeaway here is that a new set of tools is required to keep up with this flood of malware. Existing products will not suffice for much longer, as the industry and analysts are painfully aware, and as such there will be more and more stories and technologies exploring approaches, including whitelisting.
