Article by: Peter Morley, Network Associates Inc., UK
Courtesy of Virus Bulletin
Since we receive virus swaps each month, McAfee’s Virus Lab at Aylesbury provides an interesting perspective, not only of what AV vendors are doing, but also of where the computer industry is going. This article is an attempt to forecast the future, based on recent history. My previous attempts at doing this have, in general, been factually good, although estimating the timing of events has proved more difficult. You may be in for some surprises, even if you’re an industry guru!
Recent AV History and Projection
2000 was what I would class as a ‘normal’ year in the anti-virus community. Despite various outrageous predictions (not mine!), it was a busy year, with the usual annual ‘quiet patch’ in late summer to early autumn – the period leading up to the Virus Bulletin conference.
2001 was a quieter year, and the annual quiet patch was very quiet. Over the course of the year, the lab processed an average of just over 200 viruses and Trojans per month. Even the number of Trojans fell off slightly, despite the fact that most of the AV vendors are taking them seriously now, and despite the fact that there were a number of major outbreaks, such as CodeRed, and Nimda.
I am writing this mid-March 2002, and the March inputs which in a normal year would be up to speed, are rather low. Since previous years have shown a late-summer slowdown, I anticipate that the same will happen this year. So, I predict that 2002 will be a very quiet year, with a nearly dead patch late summer to early autumn. I believe that we will be down to an average of about 150 viruses and Trojans per month by the end of the year.
I can see no reason why 2003 should be any more active than 2002. In fact, it may be quieter still.
There’s no need to panic yet! While, for many industries, dramatic reduction of input material may be a disaster, leading to industry trauma, business failure, and consolidating takeovers, the same does not apply to the AV industry, because customers still need protection even if there are fewer new hazards.
The Linux Phenomenon
You may have noticed some recent discussion about the rise of Linux, which is an operating system alternative to Windows. Microsoft has certainly noticed it and has introduced Windows XP, bringing together the various previous Windows versions, as well as moving, hell for leather, into the computer games market segment.
Linux is based on the Open Source philosophy, so if you feel the need for a modification, you can make it, or get someone to make it for you. I am unclear as to how this will affect its acceptance in the home computing market.
The spread of Linux is seriously hampered by two things:
- There are many sources, and if you get involved with several of them, chaos can result.
- Linux marketing does not appear to be as effective as it could be.
Despite these setbacks, Linux is coming. I have nine pieces of evidence pointing this way, some of which I shall outline here.
The original statement by IBM of their intention to invest a large sum of money in pushing Linux pointed to the fact that Linux is suitable for large mainframes as well as for PCs and servers, and that it closes the gap between them, working downwards. Three conclusions can be drawn from this:
1. Linux is coming from the top (mainframes) downwards, as well as from the bottom upwards.
2. When, in the 1980s, the computer industry split into PCs and traditional, we thought the split was permanent. It isn’t. Linux can provide the means for the industry to integrate once more, but the process of integration requires takeovers and reorganization.
3. For big customers this is good, because within their own organizations, they can centralize control to a single group, and run the business as an entity.
More recently an IBM statement declared that, by mid-2004, there will be more Linux workstations than Windows workstations. This says ‘We’re winning!’. I am aware of the amount of internal work and approval required before such a comment can be made – it is considerable.
Recently, I discussed some of these topics with Alan Solomon, and discovered that all but two of his 28 machines are running Linux.
The recent discussions about AOL considering going Linux indicate that Internet use is no reason not to change operating systems, and that there may be some advantages. One of those advantages is that there are not nearly as many virus and Trojan hazards if you use Linux.
Articles have started to appear in publications (including Virus Bulletin) about the weak points of Linux, which could provide opportunities for the ‘baddies’.
Sixty-four Bit Processing
PC processor chips using 64-bit processing are coming, in the initial guise of Intel’s Itanium, and AMD’s Hammer. Both are some two years late, and I predict both will be available by the second quarter of 2003, if not sooner.
The effect will be (gradually) to provide much more powerful servers, and to close the gap further between servers and mainframes, working upwards, and making things easier for the use of Linux. The take-up will be gradual.
Linux viruses are the key question. Let’s take another look back at history:
- Back in 1987, when I retired from IBM, the number of DOS viruses was less than 10.
- In mid-1990, when I joined Alan Solomon, the number of DOS viruses was about 220.
- At the end of 1993, when I moved into the Virus lab, it was 3,500, and rising fast.
- Now, in March 2002, there are 60,000-70,000 viruses/Trojans, of which 30,000 (legacy DOS file viruses) are of no interest to anyone except reviewers, and people who keep collections.
- Now, in March 2002, there are 130 Linux viruses/Trojans, and the figure is rising slowly.
It may be tempting to conclude that the 130 will rise over the next four years to 3000 or so. However, I cannot draw this conclusion.
Between mid-1990 and the end of 1993, several virus construction kits were developed in the USA (MPC, VCL and IVP). These kits made it easy for authors with DOS machines, to write many hundreds of simple viruses. These viruses helped the AV industry become established.
Even if several Linux virus construction kits become available now, there are not enough potential Linux virus authors waiting to take advantage of them. And they won’t exist until the Linux explosion starts in the home as well as in business.
Even if the Linux explosion does happen in the home market, potential virus authors will be discouraged by the fact that we now know how to write generics, to detect and repair new viruses before they’re even written.
So, I have to conclude that Linux viruses are not really a hazard.
Sadly, I think that this is the real danger area. I believe that Linux Trojans will come at us in increasing volumes, just as Windows Trojans did. You can expect Backdoors, Password Stealers, Mass Mailers, QZaps, sly Deletions, Illegitimate Accesses, and all the other hazards we know and love.
But, I’m afraid I can neither say when, nor how fast. My best estimate is starting at the end of 2003, and growing to 30-60 per week. The one consolation is that if they are produced using packages, they will quickly be brought under control.
Summary and Consequences
The AV industry is safe, as long as new viruses and Trojans keep coming, because users still need to update their protection.
There are millions of machines which will continue to use Windows over the next five years, and they too, will need to update as long as Windows viruses and Trojans keep coming. If experience is relevant, they will keep coming for five years, and I shan’t attempt to forecast further than that.
The AV industry is in pretty good shape to handle whatever Linux malware comes along.
The slowdown in the appearance of new viruses has a major consequence for me in that I can ease back on removing detection of legacy viruses from AV software. I could even stop for a year or so, without doing much harm. However, I still believe that reviewers and customers should separate legacy DOS file viruses from their virus collections, and stop testing against them! Perhaps I should take out a couple of old rubbish viruses each week, just to keep them awake!
If the computer industry does start to integrate again, it follows that Intel or AMD could become takeover targets. If so, when? My best guess is AMD, at the end of 2004.
Will the use of Linux on mainframes lead to a growth of the anti-virus market? I don’t think it will, but it may lead to the introduction of specific product categories for use on mainframes. Time will tell.
What is the future of Microsoft? Is XP the last, (or next to last) Windows manifestation? I think it probably is. If I’m right, the world will breathe a sigh of relief.
But there is a rider to this one. Recently Bill Gates initiated a campaign to improve the security of all Microsoft products. This could lead to a new XP version. It will certainly lead to multiple patches. And it may even affect the AV industry. As for the future of Microsoft, watch this space.
Will the AV companies become takeover targets for the big mainframe companies? Experience suggests they won’t, because previous attempts to handle viruses in such organizations have been dubious. But it will depend on volumes, and on whether completely new problem categories appear. Wait and see.
Have your say
VB would like to hear your views – do you agree with Peter Morley’s sentiments or do you think his predictions are way off the mark? Send us your thoughts: firstname.lastname@example.org.
Article Copyright 2002 Virus Bulletin Ltd (www.virusbtn.com). Permission is granted to Help Net Security to re-print the article.