The malware numbers game: how many viruses are out there?


Summary: How many distinct strains of malware are in circulation today? If you said hundreds of thousands or millions, you're way off. A close look at numbers from one leading security company helps explain why some big numbers don't tell the whole story.


How many strains of malware are in circulation right now, for Windows PCs, Android devices, and Macs?

That seems like a straightforward question, but the answer is far from simple. And the number might be a lot lower than you think.

If you check with the leading security companies, you might be tempted to pick an answer in the millions. After all, that’s how many listings you’ll find in the definition files for common antivirus programs. At day’s end on April 12, for example, Symantec published the summary shown below, noting that its latest Virus Definitions file contained 17,702,868 separate signatures.

Oh my. 17.7 million? That certainly sounds like a very big number. But before you get swept away, it’s worth taking a closer look at what it really represents.

Eight days earlier, on April 4, that same Norton/Symantec definition file contained 17,595,922 separate detections. With 106,946 additional definitions in a mere eight days, you’d probably conclude that malware is out of control.

Because the Norton brand name is primarily associated with Windows PCs, you’d probably also assume that all of that activity was aimed at the Windows platform.

And you’d be wrong in both cases.

Definition files are a great way of assessing the degree of activity at a computer security company. They vaguely measure the current intensity level of the cat-and-mouse game between malware authors and security companies. But counting signatures says nothing about what’s new.

I took a closer look at the Symantec definitions for that week and found a very interesting story.

Symantec, to its credit, publishes detailed information about what’s in each new definition file, including what’s new. On any given day, it displays the total number of new and revised detections, followed by their details, like this:

In the eight days between April 5 and April 12, only 12 new detections were added to Symantec’s certified definition file, with six of them added on a single day, April 10. Here’s a breakdown:

  • Three were generic detections for malicious packages (Packed.Generic.360 through .362). These aren’t really new strains of malware, only new forms of packaging. The accompanying writeup calls each one a “heuristic detection for files that may have been obfuscated or encrypted in order to conceal themselves from antivirus software.”
  • Four are generic detections for existing fake antivirus packages (Trojan.FakeAV!gen90 and gen91, SmartAVFraud!gen2, and SecShieldFraud!gen5). These are also heuristic detections, designed to identify rogue anti-malware programs by their behavior rather than by their ever-shifting content.
  • Two were aimed at Android-powered devices: Android.Tigerbot and Android.Gonfu.D are both backdoors found in malicious Android apps.
  • One new entry is simply called Adware.SafeTerra, with no associated description.
  • One new entry is for something called Trojan.Darkshell, which has only a vague description (“may perform distributed denial of service attacks”).
  • One is the infamous Flashback, for Macs, formally known as OSX.Flashback.K.

The total number of named entries listed in the summary of those definition files during that period was 303—12 new and 291 revised. So where does the 100,000+ number come from? It appears to be a count of individual pieces of identifying data—signatures—associated with those named entries. Counting every signature is an easy way to get to an impressively large number, but it isn’t an accurate way to assess the current threat landscape.

That list includes a lot more than malicious software, too. Categories include Adware, Hack Tool (many of which are legitimate), Joke, Misleading Application, Potentially Unwanted App, and Security Assessment Tool. When I excluded those categories, I ended up with only 213 named entries in the Trojan, Worm, and Virus categories.

I was surprised to find that many of the definitions on this list are for very old pieces of code. During this one-week period in April 2012, Symantec updated its definitions for the following pieces of ancient malware and bumped up the counter in its definition files accordingly:

  • The SubSeven Trojan, which was a big deal in the late 1990s but was officially shut down in 2003
  • W32.Chir.B@mm, a mass-mailing worm from 2002 that targets Internet Explorer versions 4 through 5.5
  • Spybot, a family of worms that spread using the Kazaa file-sharing network and a variety of Windows 2000/XP flaws that were patched in 2003
  • Netsky, a 2004-vintage mass-mailing worm
  • Mydoom, another mass-mailing worm that spawned one of the first botnets; it was programmed to do most of its damage in February 2004 and fizzled out within a few years

In addition, these April 2012 definition files include multiple revised detections for Waledac and Rustock, the Trojans responsible for two prolific spam botnets that were decisively shut down in February 2010 and March 2011, respectively.

For each named entry, Symantec includes the date when that entry was first added to its definitions list. Out of the total of 213 new named entries on the list, more than 85% were from 2010 or earlier. Only 31 entries were discovered in 2011 or 2012. And one-third of those were from non-Windows platforms.

Two of the recent samples were for OS X—the original OSX.Flashback, from last fall, and the newer OSX.Flashback.K, which wreaked havoc on Mac owners over the past month.

Most interestingly, eight entries on the list—more than 25%—were for Android-related malware. Given the size of the Android installed base and the lack of any central control over Android app markets, that shouldn’t be surprising. On its Latest Threats and Risks list, Symantec includes writeups for more than 80 Android-related programs, most classified as Trojans or Spyware. That's 11% of the total of 720 items on the list.

To make sure those numbers were representative, I looked at the Symantec definitions database for the entire month of March. In all, 66 new named entries were added to the list, or about two per day. Of that total, 36 represented new, named Trojans, viruses, and worms. Five of them were aimed at Android devices, one targeted OS X (no, it wasn’t a Flashback variant), and there was one new entry each for Symbian OS, Linux, and an Adobe Flash Player exploit.

In its 2011 Security Intelligence report, released earlier this year, Microsoft security researchers noted the problem with trying to measure the threat landscape by counting unique malware samples:

Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question “How many threat variants are there?” Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware’s ability to generate new variations of itself.

If you look carefully at the Windows malware landscape over the last 10 years, it’s apparent that a relatively small number of families are responsible for almost all the damage we’ve seen. I’ll look more closely at those families, and the evolution of Windows malware, in a follow-up to this post.

Topics: Security, Android, Google, Malware

  • Great Piece!

    Sure makes it seem like we STILL need to be vigilant, but that keeping up the pressure on malware types -- especially, denying them payments for scareware, and tracking ownership of accounts that use stolen numbers, is making it relatively unprofitable for new forms of mischief, and ergo, nothing like the catastrophe that we had in the XP days when almost EVERY PC that wasn't behind a solid corporate firewall was at risk.
    • Agreed.

      But it really doesn't take much these days to protect yourself:

      1) Accept all Windows security defaults (Firewall, UAC, AV, Windows Defender, Updates)
      2) Do not open e-mail attachments from unknown sources
      3) At home, put a router between your computer and your Internet connection
      4) At home, protect your wireless connection with WPA2 Personal security
      5) Do not follow links from unsolicited e-mail
      6) Do not transact business with unknown web sites
      7) Process all Windows and AV updates as soon as possible

      Follow these guidelines and it is unlikely that your computer will be compromised.
      M Wagner
      • There is a much simpler choice:

        Don't use Windows at all. Move to Linux and open source software.
  • And, by extension, the safest platforms for consumers are

    1. RIM QNX
    2. desktop BSD (take your pick)
    3. desktop GNU/Linux (take your pick)
    4. Windows Phone 7
    5. Blackberry OS
    6. Apple iOS

    Why? Apparently, there's not enough malware to bother reporting on any of them.
    Rabid Howler Monkey
    • I'd quibble with 2 & 3 (remember that MacOSX is a BSD variant) ...

      ... but the real point of your post is that those systems that are most vulnerable are also the systems used by the most consumers. The bigger the target, the more likely that you will be attacked. Simple measures dramatically reduce the likelihood of a successful attack though.
      M Wagner
      • RE: I'd quibble with 2 & 3 (remember that MacOSX is a BSD variant)

        "the real point of your post is that those systems that are most vulnerable are also the systems used by the most consumers."

        OS usage is a factor, but not the whole story. Apple's iOS usage, through the iPhone, iPad and iPod Touch, has pretty much caught up with OS X usage. Significantly, neither Oracle's Java (or OpenJDK) nor Adobe's Flash Player, two web browser plug-ins with long histories of vulnerabilities, are permitted on iOS. Thus, Apple's tardiness patching Java did not impact iOS users. In addition, sandboxing was implemented from the beginning on iOS, whereas it's still a work in progress on OS X. Finally, the walled garden known as the iOS App Store also offers considerable security advantages over OS X (this will be changing with Mountain Lion).

        With regard to the BSDs, they, including FreeBSD, do a much better job of patching than does Apple. Mach (from Carnegie Mellon) is as important as FreeBSD in the OS X kernel. Also regarding the OS X kernel, I don't believe that the I/O kit for device drivers traces back to BSD. And Carbon (slowly diminishing), Java (completely removed in OS X Lion) and Cocoa are not application platforms in FreeBSD as they are in OS X. While there is much FreeBSD in OS X, calling OS X a BSD variant seems a bit strong today. The BSDs, generally, haven't made any compromises wrt security vs. convenience. OS X, however, like Windows, has tended to favor convenience over security.

        As for GNU/Linux, what does it have to do with either FreeBSD or OS X (aside from the experimental Debian kfreebsd project which uses the FreeBSD kernel in place of the Linux kernel).
        Rabid Howler Monkey
  • Why not start with MS.

    I'm sorry Ed, but once again, you are showing your true colours -- A MS Fanboy Evangelist.

    Quick grade school math question here.

    "In the month of March, 36 new named pieces of malware were listed by a major security company.

    Five targeted the Android OS. One Targeted Mac OS X, and one each targeted Symbian, Linux and Flash.

    How many Windows Viruses, Trojans and Worms will Ed Bott ignore and downplay in order to once again make his story more sensational and headline grabbing, even at the extent of accuracy?"

    Don't worry... I'll show my working here.

    Let's see. 5+1+1+1+1=9.

    36-9 = 27... Yup 27 new exploited windows vulnerabilities (I will assume they are windows exploits, since you took such great care to name all of the other pieces of software targeted).

    For those of you looking for extra credit, that's 27/36, or 3/4, or 75% of all the malware in March targeting Windows machines, and you choose, once again, to dedicate 100% of your lead article to the other 25%.

    And that's only half of it. You mentioned 66 named entries. That's an additional 30 older viruses, trojans or other nasties, all of which (again I assume, though feel free to correct me if I'm wrong) targeted Windows.

    Now, you will be quick to point out, they are updates to older malware definitions, from 2010 or earlier. Indeed, be that as it may, the more-than-decade-old Windows XP still commanded a 47-percent market share as of today, in 2012. So you will forgive me for not wanting to simply write these off as non-issues as you seem to have done.

    With those figures added into the mix, in March 2012 58 of the 66 updates from the aforementioned vendor were Windows related (including the one flash vulnerability, which targets windows machines), or nearly 88%.

    And yet you choose to go with another "Windows is safer than you think, and all other OS's are much, much worse" piece.

    Nice going Ed.
    • Uh, no

      Please show me where I said or even implied anything close to "Windows is safer than you think, and all other OS's are much, much worse."

      This post is about numbers and families of malware. Your first hint should be the headline, which uses the word "numbers," not "safety." Nothing in this post said "Windows is safer than you think." In fact, I do not use any form of the word "safe" in this post. You're attacking a straw man.

      And you are welcome to go back to the original source material and prove yourself wrong. I've provided all the links so you can do just that.

      Hint 1: A virus/worm/Trojan that is not in circulation cannot infect a PC, regardless of what OS that PC is running.

      Hint 2: A newly named family of malware is not a "new exploited Windows vulnerability."
      Ed Bott
      • Don't mind the so called "we know better than you do"

        As long as you keep replying to them they will keep on showing off that they are better than you and that you are someone whom they don't respect.

        I don't even know why they still read your articles if they keep on bashing you. :| Like seriously, if they wanted to show off what they know why won't they start their own blog or something. Just start ignoring them and don't mind them. If you continue to reply to them, no matter how tempted you are because of their taunting, they will continue with their smug attitude.
      • Ed, you're so pathetic and not even funny at all

        Why not admit that there are hundreds of millions of malwares for your sugar daddy Windows? And things are getting worse every minute from now on.
  • By Another Measurement

    But if you were to quantify by the severity of infection per machine, by amount of damage, and/or by downtime, not just viral populations, it would be quite obvious that Linux and its derivatives are much safer systems than Windows.

    Of course, one has to take into account the architecture of each operating system and how the viruses propagate and affect the environment for which they were designed. Numbers tell only one part of the story.

    Don't be surprised if you start to see many municipalities follow Munich's lead.
  • The malware numbers game

    Nice article. It's always good to get some useful information. It's as I have suspected for some time; but being a layman couldn't back up my assumption. A few viruses; plus lots of different variants and packaging.
  • Interesting read

    However, I'm not sure what this was supposed to accomplish. Sure, some people are authoring malware for non-Windows platforms on a regular basis. We know that already. But what makes any singular piece of Windows malware a far bigger threat than the rest aimed at alternatives is the relentless efforts made to distribute the malware to users of Windows. For instance, you could have 10 new bits of malware for Windows and 10 new bits of malware for alternatives created in a given period of time, but those 10 bits of Windows malware are always going to get much wider distribution than any other, making the Windows user significantly more likely to encounter malware in a given period of time.

    I also don't know how anyone could be so dismissive of the old Windows malware signatures. The reason old malware is not being widely used anymore is because the antivirus software vendors continue to maintain the signatures in their databases even today, making continued distribution efforts unprofitable. If antivirus vendors ever stopped doing this, many of those old Windows malware variants will simply return in droves. The web isn't the only source of malware threats. Every other Windows user you share data with is a threat to your Windows PC. For instance, I've seen old malware on archived document files burned to disc years ago. And earlier this year, I saw older malware from three years ago being used to further infect one of my dad's accounting machines after it had already been compromised by newer malware and had eliminated the antivirus software. The infection, which included a rootkit, came from a file originating from one of his clients.
    • I'm not dismissing old malware signatures

      I'm pointing out that there is little need to update those signatures daily for a threat that doesn't exist anymore. Some families of malware that were around three years ago are still in circulation today. But Symantec's definition files included daily updates to strains of malware that literally have not circulated in 9 years. The point is not to remove those from the definition file, it's to avoid counting what is obviously not an indication of current activity.
      Ed Bott
      • Can't agree with that

        Sorry, but your claim that old malware is no longer a threat doesn't really hold water. That's merely an assumption on your part, since you're not the one sampling malware submissions every day and determining the nature of and response to the threats. If Symantec is updating definition files for old viruses, it's because they are aware of something that you are not. For instance, I did a little bit of googling and found that people are still complaining about that Subseven trojan as recently as this year, 2012. So much for dead viruses. I even found the results of a virus submission that indicated an infection with the Subseven trojan. That submission was made on February 18 2012, which proves that your assertion that the virus is no longer infecting machines is nothing more than wishful thinking.
      • @eMJayy

        He didn't say old malware is no longer a threat; he said that it is not necessary or accurate to count them again just because they are listed in the update files.

        What is unhelpful is that you have dispelled the myth that there are 17 million new variants of malware but you haven't done much to provide a real picture of the malware landscape. You tell us it's not as bad as it sounds but you neglect to tell us how bad it is.

        FYI... some people for one reason or another are running unpatched machines but counting on those malware definition files to protect them from that old malware just in case it is still floating around. Not exactly the best idea from a security standpoint but in some cases necessary.
      • @techadmin

        As I said in the last paragraph of this post, I am planning a follow-up post on exactly that subject. Stay tuned.
        Ed Bott
      • @Ed

        Sorry I missed (or forgot) the paragraph regarding a follow up. A definite must read. BTW, just read and researched about a Linux virus that was still active in the wild (and may still be) after 8 years. It occurred to me, after doing a little research, that some malware can't be patched at the OS level. It all depends on the transmission vector. Viruses like the Linux/RST-B virus depend on users giving permission and running code on a system and no OS patch can stop a user from running malicious code. Outside of clean room implementations, only detection/removal can rid systems of such threats.
  • I can't believe this flame war

    Malware ISN'T a Windows/Microsoft only issue. It's a greater issue, and it doesn't matter what platform you use, security is an issue YOU need to be aware of. It's YOUR issue, not Apple's not Microsoft's, or Google's. YOURS. It is up to YOU to make sure your machines/devices are up to date on security patches whether you use Windows, OS X, iOS, or Android. If you want to be mad, go yell at Apple for sitting on the Java patch for so long while they let their users out to dry.

    Claiming ignorance ("Windows, waaaa!", "OS X doesn't need that", or "Linux doesn't need this!") makes you part of the problem. Wake up and smell the coffee people.

    And before I leave, I should ask this: The White Star Line once claimed Titanic was unsinkable, and people bought it, and look what happened. Apple claimed the same thing, and people bought it. Are you going to let history repeat itself? Or are you going to take action to prevent yourself from sinking. It's up to you to decide.
    The one and only, Cylon Centurion
    • They will not wake up. They flatly refuse as it's not needed in their world

      A long long time ago they could have woken up. But they refused then under the ideology that while Macs were not perfect, Macs were not impervious, but that the long and short of it was that Macs had never been compromised in any significant way and there was nothing in evidence to believe they would be at any time in the near future.

      Numerous arguments were made to them OVER AND OVER AND OVER again but to absolutely no avail. It didn't matter who said what and what expertise they came with, every argument that Macs had vulnerabilities too, were met with "prove it, and if you try I will deny and refute it, no matter what you say". And to that they remained true.

      The Mac/Apple Guy commercials only encouraged this behavior and many Mac users, for reasons really unknown, that is outside of psychology journals, became totally immersed in the "Macthink" that Macs were not simply avoiding attack by way of security by obscurity, but in fact were simply a target so naturally hardened against attack due to the sheer genius and care that went into the design of OSX that there was not really any need for security concerns.

      This is by far not the first time it's happened. Some may remember the David Maynor Mac Airport card scandal that Apple responded to with carefully parsed press releases to avoid dealing with the issue head on and the Mac Mad fell right into that although any careful internet search on the matter will reveal what the facts were. Many websites actually apologized for jumping to conclusions that crucified Maynor for claiming an exploit at the time.

      Don't bother to try and unravel the thinking of the truly Mac converted. There is no simple cure. Why it's so important to them to avoid confronting the security issue that exists in Macs is bewildering but unsolvable by simply explaining the obvious. What was once unacceptable in terms of a Windows OS is now understandable for OSX. What was once a terrible fate only endured by the lowly misinformed users of Windows machines is now the unworrysome non-issue Mac users face.

      Let them wallow in their fantasy land and befall whatever comes their way. Let them learn the hard way.