Malware samples doubled in one year, F-Secure says

So far this year, it's collected 250,000 examples of malicious software
- Finnish security vendor F-Secure has collected twice as many malicious software samples this year as it has over the last 20 years, a trend that highlights the growing danger of malicious software on the Internet.

Through the end of 2006 and 20 years prior, F-Secure counted a total of 250,000 samples, said Mikko Hypponen, F-Secure's chief research officer. This year alone, 250,000 samples have been counted, he said.

Statistics on malware from antivirus companies can vary since the data is often derived from what their customers experience while using their software, and it depends on how widely that software is used.

But other security vendors have also noted the flood of new malware on the Internet over the last few years. Symantec said earlier this year that it detected 212,101 new malicious code threats between January and June, an increase of 185% over the same period a year prior.

The astounding increase shows that hackers "are generating large number of different [malware] variants on purpose to make the lives of antivirus vendors more difficult," Hypponen said.

A variant is a piece of malware that has a unique look but belongs to a known family of malware, sharing common code and functions. Hackers use techniques such as obfuscation, which jumbles up code and makes it hard to determine what the program is, and encryption, to trick security programs.

"Genuine innovation appears to be on the decline and is currently being replaced with volume and mass-produced kit malware," according to F-Secure's report, which focuses on the second half of 2007.

Higher numbers of malware samples put more pressure on vendors to ensure they have fine-tuned products. To handle the surge, F-Secure has hired more security analysts and is continuing to develop automated tools to evaluate malicious software, Hypponen said.

Any new malware must first undergo an analysis. Then most security software vendors create a signature, or an indicator, that allows its software to detect the malware.

Automation makes the task of analyzing malware somewhat easier, but "in the end, a human makes the decision where we add detection [signatures]," Hypponen said.

Users, Web developers vent over IE7

Microsoft blog about the browser's success draws scores of complaints

- Users of Internet Explorer 7 (IE7) turned a blog post by a Microsoft Corp. program manager into a complaint free-for-all that took the company to task for not following through on browser upgrade promises and alienating Web developers.

In the posting to the IE team's blog, Tony Chor, the group program manager, used the passing of IE7's first year to tick off several milestones for the browser, including a claim that its user base recently reached 300 million. "This makes IE7 the second most popular browser after IE6," Chor said in the post. "IE 7 is already No. 1 in the U.S. and U.K., and we expect IE7 to surpass IE6 worldwide shortly."

Chor also said that IE7's integrated antiphishing filter stops an estimated 900,000 phish attempts each week, and that the support call volume for Microsoft's browser line is down 20% from a year ago. "This is typically a sign that the product is more stable and has fewer issues than the previous release," Chor said.

But while Chor was loquacious about IE7, he gave short shrift to news about the next edition. "While we're happy with how well IE7 is doing, as always, we continue to listen to our customers and find ways to further improve Internet Explorer. Look for more news on this front in the coming weeks."

That drove some users to question Microsoft's commitment to a statement made by Bill Gates last year that the company would upgrade Internet Explorer more frequently. In March 2006, Gates acknowledged that the six years between the release of IE6 and IE7 was too long an interval, then said Microsoft would crank out a new edition of Internet Explorer every nine to 12 months.

"Congratulations. In the same time frame [since IE 7's debut], Firefox went 2.0 and launched 3.0 beta, Safari has gone to 3.0, including a version for Windows," said someone identified as Paul. "Let's see ... six years for IE7, so you guys are on track to have IE8 by what, 2012? Your problem is you think in terms of years."

Others took exception to Chor's statistics on IE7's uptake and the number of security issues found in it during the last year. But it was developers who seemed to bash Microsoft the hardest. "Instead of wasting our time with crazy back-patting uselessness, will Microsoft please just admit defeat and close up development of IE and hand [it] over to people who care about the Web and handle it properly?" said Ryan G. "I have wasted so many hours developing sites to work in this browser that work without further modification in every other browser."

"Another post on this blog, and not a single word about being open with the community, IE8, bug fixes, new features, transparency, public bug tracking, etc., except by every developer/manager/tester/designer/user/security expert commenting on this blog," said a user identified as Bradley. "What's the issue here? If [Microsoft] is not going to commit any time, resources, material to any of this, ISSUE A POST indicating such (preferably with a reason)!"

But the most pointed comment came from someone labeled only as dk. "You all continue to underestimate the dramatic spillover effect this poor developer experience has had and will continue to have on your other products and services. Let me drive this point home. I am a front-end programmer and a co-founder of a start-up. I can tell you categorically that my team won't download and play with Silverlight ... won't build a Live widget ... won't consider any Microsoft search or ad products in the future.

"And the reason is because of IE -- because Microsoft disregards its most important relationship with us. Until this relationship is repaired, nothing else stands a chance."