Whilst listening to Stefano Zanero's talk at FIRST, I heard him use the phrase "zoo viruses" in passing. A quick search for the term turns up the following definition from Escorcher.
These are viruses that luckily did not succeed in spreading. They are kept guarded in the database of AntiVirus developers (analogy: Animals are guarded in the zoo - that's where the name "Zoo Virus" originated). There is however another category of zoo viruses - outdated viruses. For example the viruses written for old operating systems, that nobody uses anymore, or old diskettes etc.
Some kudos seems to attach to a virus scanner that can detect more viruses than any other, but is that really a good metric? If you have ever run a complete virus scan of your system, you will have noticed that the scanning time depends on the following factors:
1. Number of viruses your virus scanner can scan for (i.e. the size of its signature set)
2. Number of files on your hard disk
3. Hardware capacity (i.e. CPU speed, amount of memory, speed of hard disk, etc.)
You can see that the only two things under your control in a full virus scan are points (2) and (3).
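To make the first factor concrete, here is an added example (it is not from the original post and uses no real anti-virus data): a toy scanner that runs constructed signature strings over constructed files two ways. The naive design checks every signature against every file, so its work grows with signatures times bytes; the Aho-Corasick design compiles all signatures into one automaton and walks each file once, so per-file work stays flat as zoo signatures are added and the cost moves into automaton build time and memory. The "work" counters are bytes examined, not wall-clock time, so the result is reproducible on any hardware.

```python
"""Added example: how signature count drives scan cost under two matching designs."""
from collections import deque

# Constructed signatures (hypothetical names and byte patterns, not real AV data).
SIGNATURES = {
    "Zoo.Sample.A": b"ZOO-A-PAYLOAD",
    "Zoo.Sample.B": b"ZOO-B-PAYLOAD",
    "Old.Boot.C": b"OLDBOOT-SECTOR",
    "Test.Marker.D": b"TEST-FILE-MARKER",
}

# Constructed "hard disk": file name -> content bytes.
FILES = {
    "report.doc": b"quarterly numbers " * 50,
    "setup.exe": b"MZ" + b"\x00" * 100 + b"ZOO-B-PAYLOAD" + b"\x00" * 100,
    "notes.txt": b"nothing to see here",
}


def naive_scan(data, sigs):
    """Check each signature against the file independently.
    Returns (matched names, bytes examined); work = len(sigs) * len(data)."""
    hits, work = set(), 0
    for name, pat in sigs.items():
        work += len(data)          # every signature walks the whole file
        if pat in data:
            hits.add(name)
    return hits, work


class AhoCorasick:
    """Multi-pattern automaton: one pass over the file whatever the signature count."""

    def __init__(self, sigs):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for name, pat in sigs.items():      # build the trie of all patterns
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                node = self.goto[node][b]
            self.out[node].add(name)
        queue = deque(self.goto[0].values())  # BFS to compute failure links
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit suffix matches

    def scan(self, data):
        """Returns (matched names, bytes examined); work = len(data)."""
        hits, node = set(), 0
        for b in data:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return hits, len(data)


def compare(files, sigs):
    """Scan every file both ways; return total work per design and the union of hits."""
    automaton = AhoCorasick(sigs)
    naive_work = ac_work = 0
    naive_hits, ac_hits = set(), set()
    for data in files.values():
        h, w = naive_scan(data, sigs)
        naive_hits |= h
        naive_work += w
        h, w = automaton.scan(data)
        ac_hits |= h
        ac_work += w
    assert naive_hits == ac_hits   # both designs must agree on what they detect
    return {"hits": naive_hits, "naive_work": naive_work, "ac_work": ac_work}


if __name__ == "__main__":
    print(compare(FILES, SIGNATURES))
    # Add zoo signatures that never match anything on this disk and compare again.
    bloated = dict(SIGNATURES, **{f"Zoo.Extinct.{i}": b"EXTINCT-%d" % i for i in range(96)})
    print(compare(FILES, bloated))
```

Run it as a script: the naive work figure grows 25-fold when the 96 extinct signatures are added, while the automaton's work is unchanged and only its node count rises, which is the trade-off a vendor makes when it keeps zoo signatures.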
My first question is: are there really 125,000-plus viruses out there in the wild that could actually attack my system? (ClamAV claims 128,000 virus signatures in its anti-virus software as of 15 June 2007.)
My second question is: if there aren't, why do some anti-virus vendors still include signatures for zoo or old viruses in their software?