Virus Prevalence Survey 2001: ICSA Labs. (Security).

ICSA Labs' 7th Annual Virus Prevalence Survey describes the existing computer virus problem in desktop computers and computer networks. The survey was organized by ICSA Content Security Labs' sponsors of the survey. Trained interviewers located a random sample and gathered responses from 300 qualified respondents who worked for companies and government agencies with more than 500 PCs, two or more LANs, and at least two remote connections to the site.

The publication covers many aspects of the virus situation in 2001 in some 66 pages. The following abstracts indicate the general conclusions of the survey. Since it contains some 29 illustrations, readers are strongly recommended to obtain a copy from ICSA to obtain full value from the survey. ... Editor

What does the survey say?

The virus problem facing corporations continues to worsen. Regardless of other items that may be garnered from this survey, the clearest message is that companies continue to experience an increasing number of virus incidents with higher virus incident costs each year. The likelihood of a company experiencing a computer virus or worm has approximately doubled for each of the past survey years through 1999 and has continued to grow approximately 15 percent per year for the two years since 1999. This holds for both infection rates and costs, whether one considers only the data within this survey period or compares this year's data with data from previous surveys. Consequently, the virus (malicious code) risk is growing significantly notwithstanding persistent corporate efforts and in spite of increased protective expenditures each year.

How common are virus infections?

The group of 300 organizations had 1,182,634 encounters on 666,327 machines during the 20 months of the survey period from January 2000 through August 2001. This translates to 113 encounters per 1,000 machines per month over the entire survey period.

Is the virus problem getting worse?

The data showed worsening of the computer virus problem in the period of January 2000 through August 2001. In addition, global infection rates calculated from the surveys of 1996 through 2001 continued a significant annual growth rate of approximately 20 encounters per month per 1,000 PCs for each year in that period.

What are the characteristics of virus disasters?

This year's survey shows a decrease in the number of reported disasters.
Only 28 percent of the respondents had experienced a virus disaster (25 or more PCs or servers infected at the same time), in comparison with 51 percent in last year's survey and 43 percent in the 1999 survey. It should be noted, however, that a major virus incident originated after this year's survey commenced. The Nimda event of September did not get complete coverage as a significant number of respondents had already been surveyed. It is quite possible, if not probable, that the disaster numbers would have risen significantly had all data been gathered after the event.

What are the effects of virus disasters?

In 2000, 36 percent of those reporting disasters estimated that servers were down one hour or less. By contrast, 65 percent of this year's respondents reported downtime of one hour or less, with 53 percent claiming no server downtime at all. The average server downtime was 14 hours, while the median downtime was reported as zero hours. It is obvious from those skewed numbers that several respondents had disaster experiences requiring much longer recovery time. More than 80 percent of those reporting a disaster required 20 person-days or less to recover from their virus disasters. The median response was four person-days for recovery. On average, this cost between $5,500 (median) and $69,000 (average) in estimated direct costs.
Based on in-depth analysis of previous years' studies, respondents tend to underestimate these costs. When one compares in-depth studies that include cost modeling and productivity analysis to these numbers, one finds an approximate seven to eight-fold underestimation. With that proportional underestimation in mind, one could extrapolate that the average company might find costs between $50,000 and $500,000 in total ramifications (both soft and hard costs) per year for virus disasters.

How are anti-virus products applied?

More than 95 percent of the respondents reported protection for 90 percent or more of their PCs with anti-virus products. About 90 percent stated that 100 percent of their PCs were protected. Most PCs (71 percent) were reported to be protected by full-time automatic anti-virus protection. Between them, Network Associates and Symantec Corporation products were reported to be installed on 94 percent of the PCs in this sample.

Last year, almost all respondents used either no protection or incomplete protection on network services such as firewalls, proxy servers, and e-mail servers. This year's study shows a major change: 84 percent of respondents say that all of their e-mail servers are protected by anti-virus software, 51 percent cover all of their firewalls, and 45 percent say all of their proxy servers have anti-virus software installed.
This year's survey checked not only whether companies were using anti-virus software at the perimeter, but also how many companies were blocking, quarantining, or filtering files or objects as well. The study shows that 69 percent block, quarantine, or filter at the e-mail gateway, while only 40 percent do so at the proxy server and only 41 percent at the firewall.

How do respondents perceive the evolution of the virus problem?

More than three-quarters of the respondents surveyed feel that the overall virus problem is either somewhat worse or much worse than last year. Without doubt this is due to the continued increase in Internet-enabled viruses, especially those that employ a mass mail payload.

Scope of Survey

The objectives of the survey were to describe the computer virus problem in computer networks, including desktop computers; application and file servers; and perimeter devices such as firewalls, gateways, and proxy servers. The scope of the survey includes:

* Intel-based or Intel-compatible PCs
* Only sites with more than 500 PCs, two or more LANs, and two or more remote connections
* Commercial, Government, and Industrial business sectors only

Research Methodology

To meet the objectives of the survey, telephone interviews were conducted by trained interviewers who gathered 300 completed surveys of corporate end-users.
This sample size provides an accuracy rate of +/-5.5 percent with a confidence limit of 95 percent for questions that relate to the entire data sample. Internal consistency checking suggests that the reliability of data may be a great deal lower in areas, perhaps as much as 45 percent, where similar data was arrived at by different means and/or by different questions.

Selection

Respondents for the survey were randomly selected from a qualified list of sites with 500 or more PCs, two or more LANs, and two or more remote connections at that site. The qualified list was procured from Harte-Hanks, Inc. The sample population included all service and Standard Industry Code (SIC) codes, as well as federal, state, and local governments, and explicitly excluded home, SOHO, and educational sectors.

Survey Findings 2001

Demographics

The 2001 survey represents a total of 666,327 PCs and 26,492 file and application servers. The average site in the survey had 2,221 PCs (the median was 1,000) and 90 file and application servers (median was 30).

Frequency of Virus Infections

All of the companies responding to the survey experienced at least one virus encounter during the survey period.
The group of 300 organizations had 1,182,634 encounters on 666,327 machines during the 20 months in question (the year 2000 and January through August of 2001). This translates to 113 encounters per 1,000 machines per month over the survey period with a rate of 103 infections per site per month by the end of the survey period. This rate represents the sixth consecutive year of increase.

Table 1 is a comparison of the 1996 - 2001 survey data for the months of January and February. As it shows, virus encounters, in general, have been increasing steadily. These data were arrived at by determining the average of the infection rates reported for the two months prior to the survey. The two months prior (July and August) were selected for comparison because they historically produce the greatest accuracy in respondent estimates due to proximity in time. These figures show an increased infection rate of 12 infections per 1,000 machines per month each year through 1998 and again from 1999 - 2001.

In 1999, there was a surge in the encounter rate. This increase was no doubt the result of the "mass mail" payload of macro viruses, Internet worms, and the scripting viruses that followed.
A linear regression analysis of global figures showed an annual growth of 20 encounters per month per 1,000 PCs for each year over the study period with a confidence level of 94 percent. Another way to look at this data is that the number of incidents per site per month about doubled each year through 1999. In the years since 1999, the rate has grown at a compound rate of about 15 percent per year.

Top Reported Viruses

It is obvious that particular viruses are more likely to occur and spread than others. Again, viruses of a certain type, ones that use various infection vectors, or those with a particular payload are increasing in prevalence while others are in decline.

Respondents were asked which viruses affected their group during the period of January 2001 through August of 2001. This period was divided into three segments: August 2001, July 2001, and January - June 2001. Respondents were asked, "Which viruses have affected your group's PCs during [a specified period]?" and then they were asked, "How many times [were you affected]?"

Due to the large number of viruses and their many variants (approximately 60,000+ known viruses and variants); the often cryptic naming convention in the anti-virus industry; and possibly poor record keeping, respondents were not always able to accurately identify particular viruses. In all instances, every effort was made to identify individual responses at least to the virus family name. In instances where exact names were not known, partial names were given, or virus types were given and the data was pooled as [Type], unspecified.

The prevalence data for the most common viruses encountered in the survey are shown as encounters per month per 1,000 PCs for each of the survey periods in Table 2 below. These data were sorted and ranked by summing the encounter rate per 1,000 PCs for the three survey periods in 2001. Only those viruses that had a composite encounter rate of at least one per 1,000 PCs were considered for this listing. A complete listing of reported viruses can be found in Appendix B along with a chart showing encounter rates.

How Prevalence is Changing?

While macro viruses continue to be prevalent, they are fast being outstripped by viruses with a "mass mailing" payload; Win 32 viruses, Visual Basic Script, and Java Script viruses. Additionally, responses identified three "old friends" - AntiExe, Monkey.B, and Stealth - no Boot Sector or infectors were found in the most common viruses. In order to achieve a more detailed picture of the changes in prevalence, the reported viruses were classified by type. Table 3 shows the total number of encounters.

Virus Disasters

Respondents were asked, "Has your group had a virus disaster (25 or more PCs/Servers infected at once) anytime since January 2001?" Table 5 shows that 28 percent did experience such an event.

Date of last virus disaster

Respondents were asked the month and year of their latest virus disaster. Table 6 presents these as a frequency distribution. 88 percent of the respondents professing disaster incidents reported those disasters in the calendar year 2001. 37 percent reported them in September, the month of the interviews. Of the respondents reporting disasters in September (31 participants), 26 were victims of the Nimda virus. Nimda was discovered during the second week of interviews and is probably underrepresented in this survey. The frequency distribution of responses shows a strong increase beginning with July.
This rapid increase is probably due to three viruses: Sircam, first discovered in July; CodeRed II, discovered in August; and Nimda, discovered in September.

Participants were asked to identify the virus responsible for their most recent disaster. Table 7 lists these viruses, their frequency, and number of PCs involved.

The Survey was sponsored by Gantz-Wiley Research, Network Associates Inc., Panda Software, and Symantec Corp. Copies from ICSA Labs, 1100 Bentcreek Boulevard, Suite 200, Mechanicsburg, PA 17050.

Table 1
Monthly rate of infection per 1,000 PCs over the two months prior to each survey, 2001

Survey Year   Jul-Aug
1996               10
1997               21
1998               32
1999               80
2000               91
2001              103
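
The growth figures quoted in the text can be checked against Table 1. The block below is an added example, not part of the survey or of the original article: it fits an ordinary least-squares line to the Table 1 rates and computes the year-on-year steps and the compound growth since 1999. It assumes Table 1 stands in for the survey's own "global figures", which are not reproduced on this page; the function names are illustrative.

```python
# Added example: trend analysis over Table 1 (rates copied from the table above).
# Assumption: Table 1 is used as a stand-in for the survey's regression input.

TABLE_1 = {1996: 10, 1997: 21, 1998: 32, 1999: 80, 2000: 91, 2001: 103}


def linear_trend(series):
    """Ordinary least-squares fit rate = slope * year + intercept.

    Returns (slope, intercept, r_squared). The slope is the annual growth
    in encounters per month per 1,000 PCs.
    """
    years = sorted(series)
    rates = [series[y] for y in years]
    n = len(years)
    mean_x = sum(years) / n
    mean_y = sum(rates) / n
    sxx = sum((x - mean_x) ** 2 for x in years)
    syy = sum((y - mean_y) ** 2 for y in rates)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(years, rates))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    r_squared = (sxy * sxy) / (sxx * syy)
    return slope, intercept, r_squared


def yearly_steps(series):
    """Absolute change in the rate from each survey year to the next."""
    return {y: series[y] - series[y - 1] for y in sorted(series) if y - 1 in series}


def compound_growth(series, start, end):
    """Compound annual growth rate of the series between two survey years."""
    return (series[end] / series[start]) ** (1 / (end - start)) - 1


def surge_year(series):
    """Year with the largest single-year jump (where a straight line fits worst)."""
    steps = yearly_steps(series)
    return max(steps, key=steps.get)


if __name__ == "__main__":
    slope, intercept, r2 = linear_trend(TABLE_1)
    print(f"annual growth (slope): {slope:.2f} per 1,000 PCs per month")
    print(f"R^2 of the linear fit: {r2:.2f}")
    print(f"year-on-year steps:    {yearly_steps(TABLE_1)}")
    print(f"largest jump in:       {surge_year(TABLE_1)}")
    print(f"compound growth 1999-2001: {compound_growth(TABLE_1, 1999, 2001):.1%}")
```

On the Table 1 rates the fitted slope is about 20.7 per year with an R² of about 0.94; the year-on-year steps are 11 or 12 in every year except 1999, where the step is 48.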

Table 2
Top viruses for 2001, encounters per month per 1,000 PCs

2001 Rank  Virus Name          August 2001  July 2001  Jan - June 2001
 1         Sircam                    39.60     37.163            3.513
 2         LoveLetter               29.167     23.558            8.242
 3         Homepage                 21.378      1.785            0.017
 4         Funlove                   5.589      5.577            0.914
 5         Anna Kournikova           7.677      0.060            0.901
 6         Macro-Unspecified         6.485      1.531            0.223
 7         Magistr                   2.277      3.716            1.743
 8         Hybris                    0.408      1.325            2.766
 9         Melissa                   0.068      1.266            2.706
10         CodeRed                   3.351      0.254            0.389
11         Class                     1.384      2.191            0.006
12         Story                     1.425      1.650            0.053
13         Worm-Unspecified          2.652      0.011            0.014
14         VBS.SST                   0.000      2.364            0.001
15         Kak                       0.932      0.855            0.302
16         Divi                      0.008      1.628            0.003

Table 3
Total encounters reported by types

Virus Type      August 2001  July 2001  Jan-Jun 2001
File                 15,347      8,655        10,251
Macro                14,125      5,961        12,163
VBScript Worm        10,656        911           953
Internet Worm         2,374        318         3,426
Jscript Worm            383        168           286
Boot                      5         45            70
Trojan                    5         25            51
Joke                      0          0            13

Table 5
Percentage of respondents experiencing virus disaster

Answer       Frequency     %
Yes                 84   28%
No                 211   70%
Don't know           0    0%
Refused              5    2%
Total              300  100%

Table 6
Date of most recent disaster

Date             Frequency     %
September 2001          31   37%
August 2001             16   19%
July 2001                8   10%
June 2001                1    1%
May 2001                 3    4%
April 2001               1    1%
March 2001               7    8%
February 2001            6    7%
January 2001             1    1%
Don't Know              10   12%
Total                   84  100%

Table 7
Virus causing most recent disaster

Virus Name        Frequency  PCs Involved
Nimda                    28       138,650
LoveLetter               12        15,050
Sircam                   11        15,232
Don't Know                9        40,200
Anna Kournikova           6        21,550
CodeRed                   4        15,900
Funlove                   4        40,800
Apost                     3         5,500
Homepage                  3         4,200
Melissa                   3         5,280
MTX                       1           450
Total                    84       302,812

Figure 6
Frequency distribution of dates of last virus disasters
Date of Most Recent Disaster

Month        Frequency
Sep-01              31
Aug-01              16
Jul-01               8
Jun-01               1
May-01               3
Apr-01               1
Mar-01               7
Feb-01               6
Jan-01               1
Don't Know          10

Note: Table made from line graph