Saturday, September 4, 2010

Infinite Malware & Infinite Protection?

Infinite detection of malware? In Sophos' blog entry "To infinity and beyond" it's pointed out that there's an infinite number of malware threats (and that there'll be more tomorrow). It's also implied that customers are protected against these infinite threats by infinite detection capabilities - which is obviously taking the theme into some far-flung infinite parallel universe with infinitely better anti-virus solutions than we have in our particular reality.

Nevertheless, their perspective of infinite malware is quite correct. Given that malware can be dynamically generated (check out the paper on x-morphic attack engines), exhibits polymorphic capabilities and is generally created faster than it can be counted, captured and cataloged, then for all intents and purposes it is infinite.

Which means I have to chuckle when I hear or read any media coverage about the number of malware samples a particular vendor has captured and written detection signatures for. It's like saying "look, I tripped over 2,543,234 pieces of malware around the world last year and developed protection for each of them". Then, with my mathematician's hat on... infinite threats minus 2,543,234 discovered threats still leaves an infinite number of threats. Or, expressing detection coverage as a percentage of the scale of the threat: zero percent.

Obviously that's not precisely true. Anti-virus technologies are generally OK at detecting the stuff they've seen before, and with generic catch-all signatures they can often capture or label related families of malware as being malicious - or at the very least "suspicious". The problem tends to grow into frustration when practically every binary file downloaded from the Internet gets marked as "suspicious" - and hence the label becomes meaningless.

Despite all this, Sophos is spot on - there's an infinite number of malware out there, and there'll be more tomorrow. Welcome to the day after yesterday.

1 comment:

  1. so here's where the infinity argument breaks down.

    there are only a finite number of possible 1 byte files (256 of them, to be precise). the number of possible files up to and including 2 bytes in length is 256^2 + 256. for 3 bytes it would be 256^3 + 256^2 + 256. for 4 bytes ... well you get the idea. by induction, the number of possible files up to and including any finite length is itself a finite number.

    since we don't have computers that can hold infinitely large malicious files, therefore there cannot be infinitely many malicious files.

    and frankly, the idea that people would start thinking about infinite detection/protection/whatever is just downright scary. most would confuse it with perfect protection in spite of the fact that it means much, much less than that. i could write detection for any file that begins with a particular well known 68 byte string - it would have the potential to alert on an infinite number of files, but it only actually detects 1 (pseudo)threat.
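As an added worked derivation (not part of the original post or the comment), the counting argument above carried through in closed form. Assumed notation: $L$ is the largest file length in bytes a machine can hold, and $s$ is the length in bytes of a fixed prefix signature.

There are $256^k$ distinct files of exactly $k$ bytes, so the number of distinct files of length $1$ to $L$ is a finite geometric sum:

$$N(L) = \sum_{k=1}^{L} 256^k = \frac{256^{L+1} - 256}{255},$$

which reproduces the comment's values ($N(1) = 256$, $N(2) = 256^2 + 256 = 65792$). The induction step is $N(L+1) = N(L) + 256^{L+1}$: a finite number plus a finite number stays finite, so for any finite $L$ the set of possible files, and hence of possible malicious files, is finite.

A detection that fires on every file beginning with a fixed $s$-byte string matches $256^{n-s}$ of the $256^n$ files of length $n \ge s$, i.e. a fraction $256^{-s}$ of them (for $s = 68$, one in $2^{544}$). Summed over lengths up to $L$, the number of files it flags is

$$M(L) = \sum_{n=s}^{L} 256^{n-s} = \frac{256^{L-s+1} - 1}{255},$$

which is $1$ when $L = s$ and grows without bound as $L \to \infty$. So the count of files a signature can alert on says nothing about how many threats it detects: here it is one, exactly as the comment states.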