Posted by: David Harley | November 6, 2015

Counting malware: samples, families, and PUPs

Thomas Reed of Malwarebytes responded on Twitter to my article yesterday on OS X Malware: an Attack of Nostalgia:

I read that report, sounds like a lot of what they saw was adware, not true malware. More details:

He’s referring, of course, to Bit9’s report 2015 – The Most Prolific Year in History for OS X Malware. And since I still haven’t read that report, I’m happy to take his word for it. But as he says in his own article:

It turns out that the findings are completely true, but depend entirely on your definition of the word “malware.”

Which is fair enough. I feel obliged to make two points, however:

  • As I understand it, Bit9 is referring to samples, whereas Thomas alludes to malware families (six in 2014, three in 2015). So, for instance, he refers to XcodeGhost as one threat, rather than counting all the iOS apps that were compromised by exposure to malicious code as separate instances. That’s a perfectly fair way of looking at it, and certainly less unnecessarily scary for the end user, but it’s not comparing like to like. Some may be reminded of the fuss in the 1990s when a vendor artificially increased the number of viruses it claimed to detect by classifying each sample of a polymorphic virus as a separate threat. I still regard that as inappropriate, and it does illustrate a problem with counting samples. (I’m sure Android would agree.) However, with XcodeGhost, we’re talking about a number of individual programs which may be detected as such, rather than generically, so it’s not the same thing. IMHO…
  • Thomas is basically defining ‘possibly unwanted’ software – and certainly adware – as a nuisance rather than malicious. Which, again, he’s entitled to do, but I don’t agree – a great deal of trouble has been caused by programs that can certainly be described as adware, but also meet the definition of a trojan. Again, it’s a matter of definition, I guess, and without analysis of the individual samples cited by Bit9, I can’t say how many of its samples are adware, or another breed of PUP/PUA/PUS (Possibly Unwanted Programs/Applications/Software), or even ‘possibly unsafe’ (a classification used in the security industry for URLs and applications that may be legitimate, but prone to being misused).

Unfortunately, Thomas has highlighted one of the security industry’s weak spots. Some programs are regarded with extreme disfavour by many in the security industry, but are not flagged as malicious for sternly practical reasons. Instead, they’re lumped in with other ‘possibly unwanted’ programs, and it’s usually up to the AV user to decide whether or not to activate detection of programs so categorized. So it may well be that some or even many of the samples flagged by Bit9 and Carbon Black won’t be flagged as malicious by security products by default. 😦

David Harley
