2.2- Observations of Computer Virus PrevalenceAs shown in Figure 2, there are thousands of DOS viruses today. During the past several years, the rate at which they have appeared worldwide has crept upwards to its present value of 3-4 new viruses a day on average (see Fig. 3).
Figure 2: Cumulative number of viruses for which signatures have been obtained by IBM's High Integrity Computing Laboratory vs. time. There are thousands of viruses, but only a few have been seen in real incidents.
Figure 3: The number of new viruses appearing worldwide per day has been increasing steadily.
Note that the number of new viruses is not ``increasing exponentially'', as is often claimed [11, 3]. The rate of appearance of new viruses in the collections of anti-virus workers has been increasing gradually for several years, at roughly a linear rate. Thus the number of known viruses is growing quadratically at worst. In fact, almost nothing at all about viruses is ``increasing exponentially''. The problem is significant, and it is growing somewhat worse, but prophets of doom in this field have poor track records. While there are thousands of DOS viruses, less than 10% of them have been seen in actual virus incidents within the population that we monitor. These are the viruses that actually constitute a problem for the general population of PC users. It is very important that anti-virus software detect viruses that have been observed ``in the wild''. The remainder are rarely seen outside of the collections of anti-virus groups like ours. Although many of them might never spread significantly, viruses that are not prevalent remain of interest to the anti-virus community. We must always be prepared for the possibility that a low-profile virus will start to become prevalent. This requires us to be familiar with all viruses, prevalent or not, and to incorporate a knowledge of as many of them as possible into anti-virus software. We continue to monitor the prevalence of all viruses, regardless of how prevalent they are at present. Out of the several hundred viruses that have ever been observed in actual incidents, a mere handful account for most of the problem. Figure 4 shows the relative fraction of incidents caused by the ten most prevalent viruses in the world in the past year. These ten account for over two thirds of all incidents. The one hundred other viruses that have been seen in incidents in the past year account for less than a third of the incidents. Most of these were seen in just a single incident.
Figure 4: The top ten viruses account for two thirds of all incidents. All of them are boot-sector infectors.
Curiously, the ten most prevalent viruses are all boot viruses. Boot viruses infect boot sectors of diskettes and hard disks. When a system is booted from an infected diskette, its hard disk becomes infected. Typically, any non-write-protected diskette that is used in the system thereafter also becomes infected, spreading the virus. The dominance of boot viruses is especially striking when one takes into account the fact that, of the thousands of known DOS viruses, only about 10% are boot sector infectors. Boot viruses have not always been dominant. Three years ago, the second and third most prevalent viruses were file infectors, as were 4 of the top 10. The total incident rates for boot infectors and file infectors were roughly equal. Figure 5 provides another view of what has happened to the relative prevalence of these two types of viruses over time. Beginning in 1992, the incident rate for boot sector infectors continued to rise, while the incident rate for file infectors began to fall dramatically. We will attempt to explain this phenomenon in a subsequent section.
Figure 5: Boot viruses have continued to rise in prevalence, while file viruses have declined.
It is interesting to break up our incident statistics even further into trends for individual viruses. Figure 6 shows the incident rate for selected viruses. Note that some viruses have increased in prevalence, while others have declined.
Figure 6: Some viruses have increased in prevalence, while others have declined.
Figures 2-6 raise several important questions:
To begin to address these questions, we now review some of our previous theoretical work on virus epidemiology.
|