How Virus Hunters catch the Bad Guys (Part 2)

The volume of viruses, Trojans and other malware running loose on the Internet has mushroomed in recent years. In one day alone, our Avira Protection Lab honeypots will receive more than 130,000 new malware samples to analyze, and we’ll receive reports of 20,000 malicious websites to evaluate.

A 3D illustration of Avira’s statistical analysis of malware. To detect zero-day threats, Avira uses big data analysis to automatically determine if a newly discovered sample belongs to a known family of malware.

Analyse, identify and neutralize a virus in seconds

Many of these hack attempts are merely variants of malware we’ve seen before, so we can quickly handle them. But the exploits known as “zero-day” attacks are much more complicated to handle since they exploit unknown security holes in browsers, Java, Adobe Flash and other common software to infect the victim’s computer. How does one analyze massive data streams, identify unknown malicious files, and reverse-engineer them to code an antidote in seconds?

We’ve written some very clever code to help us 😉

We use various types of ‘big data’ analyses coupled with some proprietary multivariate statistics and clustering (and you thought you’d never use statistics after college!) to predict which samples are likely to be malware. We make those predictions based upon our automated analyses of each sample’s characteristics, and on statistical comparisons of those characteristics with other ‘families’ or clusters of malware that share similar characteristics. The picture above is a 3D illustration of what these families look like when we plot all the defining characteristics onto an XYZ graph.

When we encounter a potential ‘zero-day’ threat, we can quickly plot its key characteristics in the graph and see whether it is similar to a known family of malware, and hence to a known set of countermeasures that stop it. Keep in mind that the bad guys use many tricks to obfuscate their executables in order to evade our automated detection systems: they use clever algorithms to slightly alter key elements of their executable payloads so that each copy ‘looks’ different. Fortunately, our predictive analytics can update our scanning engines fast enough to stay one step ahead.
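As an added illustration of the family-matching step described above (this is not Avira’s code; the feature names, the sample vectors and the distance threshold are constructed assumptions), the snippet below builds a centroid for each known family from labelled feature vectors, standardizes each feature so that large counts do not swamp small ones, and then assigns a new sample to the nearest family or flags it as ‘unknown’ when it is far from every cluster:

```python
# Added example, not Avira's code. Feature names, sample vectors and the
# threshold below are constructed for illustration, not real malware data.
from math import sqrt

FEATURES = ["section_count", "code_entropy", "import_count", "url_strings"]

# Constructed training set: feature vectors of samples with a known family label.
KNOWN_SAMPLES = [
    ("FamilyA", [4, 7.2, 12, 3]),
    ("FamilyA", [5, 7.0, 15, 2]),
    ("FamilyA", [4, 7.4, 10, 4]),
    ("FamilyB", [8, 5.1, 120, 0]),
    ("FamilyB", [9, 5.3, 110, 1]),
    ("FamilyB", [7, 4.9, 130, 0]),
]


def family_centroids(samples):
    """Mean feature vector per family: the centre of each cluster in the plot."""
    groups = {}
    for label, vec in samples:
        groups.setdefault(label, []).append(vec)
    return {label: [sum(col) / len(vecs) for col in zip(*vecs)]
            for label, vecs in groups.items()}


def feature_scales(samples):
    """Per-feature standard deviation, so import_count (tens) doesn't drown entropy (units)."""
    scales = []
    for col in zip(*(vec for _, vec in samples)):
        mean = sum(col) / len(col)
        sd = sqrt(sum((x - mean) ** 2 for x in col) / len(col))
        scales.append(sd or 1.0)  # constant feature: avoid division by zero
    return scales


def scaled_distance(a, b, scales):
    """Euclidean distance after dividing each feature by its spread."""
    return sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, scales)))


def nearest_family(sample, centroids, scales, max_distance=2.0):
    """Return (family, distance). A sample far from every cluster is 'unknown':
    that is the case to hand to an analyst instead of reusing a family's countermeasures."""
    dist, label = min((scaled_distance(sample, c, scales), label)
                      for label, c in centroids.items())
    return (label if dist <= max_distance else "unknown", dist)
```

A real pipeline would extract the feature vector automatically from the sample (section layout, entropy, imports, embedded strings) and use far more features; the matching logic stays the same.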

From there, Avira’s Cloud Protection can automatically program an anti-virus countermeasure to thwart the malware or phishing website and immediately start protecting every Avira customer. Our machines are so fast that we do all of this analysis in seconds, repeatedly, 24×7. In fact, at any given minute, we are processing 1.3 million malware updates on our servers worldwide.

Obviously we can’t tell you exactly how everything works (because the bad guys read this blog, too), but the big data and statistics tricks described here make sure that Avira stays ahead of the bad guys and keeps you, our customer, safe.

In Part 3 of this ‘How Virus Hunters Catch The Bad Guys’ series, we’ll explain how Avira protects your computer and mobile devices before they get infected.


Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.