[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] windows future



On Fri, 04 Sep 2009 15:46:19 BST, lsi said:

> - approximate date when number of NEW threats reached 1 Million: 2008
> 
> - approximate date when number of NEW threats will reach 1 Billion: 2015
> 
> - approximate date when number of NEW threats will reach 2 Billion: 2016

This is assuming an exponential growth model, when there's no realistic
reason to believe it to be so.  There are however good reasons to expect
that the correct model is the "logistics curve" (slow growth at first,
a steep middle section, then flattening out asymptotic to a horizontal line).

For starters, new threats have to come from *somewhere*, and there's only
a limited supply of dark-side code hackers, and a limited supply of people
worth fleecing (sure, OLPC may distribute 100M laptops - but those are going to
people who can't be monetized easily).  From whence will the 1 billion
new threats in the 2015-16 span come from? Who will create these, and who will
make money from them?  At what point will some of the marginal players leave
the game and find other avenues of making money?  Remember - if the threat
pool is 100,000, and you have 1,000 threats, you have 1% of the market, and
can probably live well off that 1% if monetized.  But if you have 1,000 threats
in a pool of a billion, you're a marginal player and not likely to get rich
fast doing that.

> - charts showing this: 
> http://www.cyberdelix.net/files/malware_mutation_projection.pdf
> 
> - will the AV companies be able to classify 1 billion new threats per 
> year? that is 2.739 MILLION new threats per DAY (over 1900 new 
> threats per minute).
> 
> - will your computer cope with scanning every EXE, DLL, PIF etc 1 
> billion times, every time you use them?

You don't have to scan it a billion times. You need to scan it *once* for
one billion attacks.  And proper pattern-matching should help a lot here - quite
often, you'll have 2,934 exploit codes in the wild, all using the same attack
code lifted from Metasploit or milw0rm or whatever.  So only one check is
needed.  A bigger danger here is if we start seeing *single* threats that
include a really good real-time polymorphism/obfuscator - *that* could really
suck.

> - aside from the theoretical limits imposed by hardware and software, 
> there is one extra limit, imposed by users.  Users will not tolerate 
> machines operating slowly, and will seek alternative platforms well 
> before 100% CPU utilisation (either as a direct result of the size of 
> the blacklist, or indirectly caused by swapping due to low RAM).  
> This user limit might be lower than 20% CPU utilisation.  If users 
> figure out that 20% of their time is being wasted, and rising fast, 
> they will run for the exit.

Interesting statistic - year before last, around 10% of all new computer
purchases were replacements for malware-infested boxes.  Just buying a new
one was easier/cheaper than trying to fix the old one for a lot of people.

Second interesting statistic - the vast majority of that 10% ended up using
the exact same operating system.

So even when it's well past the 20% mark and the box is basically unusable,
they *still* don't run for the exit.

Attachment: pgpLv_wK95mxv.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/