You might find it hard to believe, but that’s the number of new unique malware samples we detect on average every day in the wild. During the second half of 2008 our products detected a total of nearly 95 million unique malicious files. The total number of distinct malware files we detect every day in the wild is even higher: 841 thousand unique files (that’s the daily average over 2H08) however malware is often detected during consecutive days or even longer. Half a million is the daily average of new unique samples detected every day during 2H08.
These numbers are huge. However we need to remember that there are a couple of reasons that contribute to this huge malware proliferation. Here are some of them:
- Virus infections - One virus can infect many different files, each one of them can then infect more files. While they all stem from the same virus, hash-wise all these infected files are different.
- Polymorphism – There are several scenarios here. For example in server side polymorphism, the server provides a slightly modified copy of the malware each time. Therefore when a thousand users connect to that server, they’ll likely get a thousand different copies of the malware, but all these copies basically share the same functionality. Another scenario is polymorphism that happens during malware replication: when malware spawns a new copy, that new copy might be a slight modification of the original one, yielding a high number of unique copies. Often many of these replicated samples are corrupted and cannot execute at all. But note that in all the statistics here, we did not include counts of known damaged files.
The Microsoft Security Intelligence Report (SIR) Volume 6, which we released this month, includes more details. For example, here is the total number of unique samples we detected during the second half of 2008 broken by the category:
Quite expectedly, the most common malware samples are files that got infected by viruses for the reason explained above. Yet, the numbers for the other categories are high as well. Over 16 million unique trojans, 5.5 million malicious downloaders and droppers, and nearly a million unique exploit files were detected. Here’s the monthly trend:
Many of the trojans are used as part of rogue security software. In particular, we started removing the trojans with the MSRT in December in addition to blocking them with our other products. These trojans use server-side polymorphism and that explains the spike we see in the number of trojan samples in December. During that month, we detected nearly a million new unique samples of the Win32/FakeXPA trojans. In contrast to malware, spyware and Potentially Unwanted Software usually do not use these tricks to evade detection and their number of samples is comparatively low. Yet they still affect large number of users. See the SIR and the following blog post for details.
Here are the malware families that had the highest number of samples in 2H08. First, two families of viruses show:
And then other malware families follow (some of them are viruses as well).
Overall, these numbers show that any attempt to block malware by maintaining lists of bad hashes is doomed to fail. Security vendors should focus on generic and heuristic signatures to maintain effective protection against malware proliferation.
For more information, please see the “Trends in Sample Proliferation” section in the most recent SIR.
Joe Faulhaber & Ziv Mador
Microsoft Malware Protection Center