The growth of malware

Interesting data from Andreas Marx at AV-Test.org. This chart shows the growth of unique samples (by MD5) per year.

Malwaremd5charts

(Data below):

Year # of unique samples (MD5)

1985 564

1986 910

1987 389

1988 1,738

1989 2,604

1990 9,044

1991 18,384

1992 36,822

1993 12,287

1994 28,613

1995 15,988

1996 36,816

1997 137,716

1998 177,615

1999 98,428

2000 176,329

2001 155,528

2002 199,049

2003 178,825

2004 142,321

2005 333,425

2006 972,606

2007 5,490,960

It's worth noting that these numbers are also increasing because of variants -- i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners.

So it's not like there's over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.

Nevertheless, this is a good representation of the staggering load of malware that anti-malware folks are under.

Like most companies, we’re processing gigabytes of malware daily. Our automated systems like our Sandbox help; but in the end, manpower plays a key role in being ahead of the game.

There’s the HUMINT aspect, like hunting down new malware and tracking IPs and locations of the bad guys; but also reverse engineering and specialized code and signatures created for difficult malware. And, there's difficult coding needed to deal with rootkits and the like.

It’s why being a security company (especially in AV or antispyware) these days is a whole new game. No longer can a company compete with a few folks in the lab and a group of good programmers.

They're out there: Little companies with small teams working an antispyware or antivirus product, but it’s hopeless. A small platoon won’t win this war. You need a brigade.