5

I am actually working on a school presentation about Careto malware. I was really impressed by the time it took to discover it (at least 6 years, according to some compilation stamps), so to improve my presentation I am looking for statistics about the average time before a malware gets detected (i.e. the time between its creation/diffusion and its discovery by someone), to compare Careto to the average malware.

I have searched on Google but couldn't find anything interesting (because "the time to detect a malware" can also be interpreted as "the time to detect a malware on your computer").

  • 1
    Some of the major antivirus vendors make estimates based on code samples within viruses - I'd suggest reading some of the McAfee or Symantec reports. – Rory Alsop May 13 '14 at 22:08
  • Have you tried constraining your Google search to academic articles? http://scholar.google.ca/ You might also need to narrow your search to the average time it takes to discover a virus based on discovery method (signature, heuristics, etc.) – schroeder May 14 '14 at 15:45

2 Answers

1

Statistics of this kind would be very difficult to gather unless there was clear and verifiable evidence of a creation date within the sample itself. That is unlikely for a variety of reasons, such as the fact that the vast majority of malware is a minor variation of a similar group or family. The only other way I can think of to "start the clock" would be to have a backdoor into the creation process of the malware, which for operational security purposes is not available.

If you absolutely need these statistics then my advice would be to see if you can buy them from your local mom and pop exploit development shop, assuming they keep track of when their code is first detected by an anti-malware engine.

chiltron
  • Couldn't you try to guess based on the time it takes to get a second sample of the same virus? I am sure this particular idea is broken but there must be some research and clever ideas out there. – Relaxed May 14 '14 at 10:25
  • Ok I understand that the malware population is way too messy and heterogeneous to get a relevant stat. In fact I'm pretty new to security, and I was interested in that info for a school presentation about "The Mask" or "Careto", which took place this afternoon, so I don't need it anymore. As Kaspersky found a sample of the malware with a compilation stamp going back to 2007, I thought that it was common to retrieve such info. But I think Kaspersky got that code sample from a copy of a C&C server, and C&C server hacking may be quite uncommon. – Elouan Keryell-Even May 14 '14 at 23:56
1

First, it is important to realize that when using the term "virus" you are speaking about a specific family of malware.

Symantec defines a virus as

Virus is a program written to enter to your computer and damage/alter your files/data... Viruses can also replicate themselves

Viruses also have several subgroups, such as a file virus, boot sector virus, etc... which are usually related to the purpose and route of infection. Because of this, detection can also vary greatly.

Well-funded targeted viruses may exist a long time before being "discovered". This could be attributed to factors such as the quality of work involved, the target, and the attack methods (e.g. rootkit). A potential example is the Stuxnet virus (actually a worm): http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

To put it simply, it is impossible to generalize this topic to the point where you can say viruses on average take X amount of time before being discovered. There are just too many factors involved. My suggestion to you would be that you should redefine your question with specific constraints on the details of the virus (or other types of malware).

Jordan Hanna
  • My bad for the little confusion between "malware" and "virus". Anyway I understand that it is impossible to obtain a general statistic of that kind. In fact I was looking for that information in order to add it to a school presentation that was taking place this afternoon, so I no longer need it now. But what I should have done would have been to compute a more specific stat, on a sample of malware chosen on my own, just to give an idea. – Elouan Keryell-Even May 14 '14 at 23:41
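
The compilation stamps discussed in this thread are the TimeDateStamp field of a Windows PE file's COFF header. As an added example (not code from any poster here), the sketch below reads that field and computes a median gap between claimed build time and first sighting over a hand-picked set. The function names, the `fake_pe` helper and all dates are constructed for illustration, and because the stamp is written by the linker and can be changed by whoever builds the file, zeroed or post-dated values are discarded and the rest is only a hint.

```python
import struct
from datetime import datetime, timezone
from statistics import median

def pe_compile_time(data: bytes):
    """COFF TimeDateStamp of a PE image as a UTC datetime, or None if unusable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc) if stamp else None

def gap_days(data: bytes, first_seen: datetime):
    """Days from claimed build time to first sighting; None if the stamp is implausible."""
    built = pe_compile_time(data)
    if built is None or built > first_seen:  # zeroed or post-dated stamp: discard
        return None
    return (first_seen - built).days

def median_gap_days(samples):
    gaps = [g for g in (gap_days(d, seen) for d, seen in samples) if g is not None]
    return median(gaps) if gaps else None

def fake_pe(built: datetime) -> bytes:
    """Constructed input: a bare DOS + PE/COFF header, not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHI", 0x14C, 1, int(built.timestamp())) + b"\0" * 12
    return dos + b"PE\0\0" + coff

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed (build date, first-seen date) pairs, for illustration only.
SAMPLES = [
    (fake_pe(utc(2013, 1, 1)), utc(2013, 1, 11)),
    (fake_pe(utc(2012, 1, 1)), utc(2013, 1, 1)),
    (fake_pe(utc(2010, 6, 1)), utc(2010, 7, 1)),
    (fake_pe(utc(2015, 1, 1)), utc(2014, 1, 1)),   # stamp later than sighting
    (fake_pe(utc(1970, 1, 1)), utc(2014, 1, 1)),   # zeroed stamp
]

if __name__ == "__main__":
    print("median gap in days:", median_gap_days(SAMPLES))
```

A figure computed this way describes only the chosen samples and their claimed build times, not malware in general.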