
Interesting data from Andreas Marx at AV-Test.org. This chart shows the growth of unique samples (by MD5) per year.

[Chart: unique malware samples (by MD5) per year]

(Data below):

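| Year | # of unique samples (MD5) |
|------|---------------------------|
| 1985 | 564 |
| 1986 | 910 |
| 1987 | 389 |
| 1988 | 1,738 |
| 1989 | 2,604 |
| 1990 | 9,044 |
| 1991 | 18,384 |
| 1992 | 36,822 |
| 1993 | 12,287 |
| 1994 | 28,613 |
| 1995 | 15,988 |
| 1996 | 36,816 |
| 1997 | 137,716 |
| 1998 | 177,615 |
| 1999 | 98,428 |
| 2000 | 176,329 |
| 2001 | 155,528 |
| 2002 | 199,049 |
| 2003 | 178,825 |
| 2004 | 142,321 |
| 2005 | 333,425 |
| 2006 | 972,606 |
| 2007 | 5,490,960 |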

It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.

Nevertheless, this is a good representation of the staggering load of malware that anti-malware folks are under. Like most companies, we’re processing gigabytes of malware daily. Our automated systems like our Sandbox help; but in the end, manpower plays a key role in being ahead of the game. There’s the HUMINT aspect, like hunting down new malware and tracking IPs and locations of the bad guys; but also reverse engineering and specialized code and signatures created for difficult malware. And, there’s difficult coding needed to deal with rootkits and the like.

It’s why being a security company (especially in AV or antispyware) these days is a whole new game. No longer can a company compete with a few folks in the lab and a group of good programmers. They’re out there: little companies with small teams working on an antispyware or antivirus product, but it’s hopeless. A small platoon won’t win this war. You need a brigade.

Alex Eckelberry

Update: Just to make sure everyone understands, these numbers are not cumulative.