Malware has become too sophisticated.
In 2005, Panda Software reported that a new strain of malware was discovered every 12 minutes. In 2016, the cybersecurity company McAfee says it found four every second.
And those were just the strains the companies could detect. For malware—the umbrella term for parasitic software like viruses, worms, and Trojans that infiltrate and interfere with computer functions—hasn’t only proliferated: It’s evolved to better evade detection.
Faced with this tsunami of sophisticated malware, antivirus software like McAfee, once practically synonymous with personal cybersecurity, has struggled to keep pace. In 2014, a senior vice president at Symantec (the company that created McAfee competitor Norton Antivirus) went so far as to publicly say he thought that antivirus software was “dead.” At the time, he estimated that the technology only caught about 45 percent of cyberattacks.
Antivirus software is struggling to keep up because the primary strategy on which it relies—signature detection—is based on the outdated assumption that the malware you saw yesterday will look the same today. Generally speaking, when a cybersecurity company sees a new type of malware, it will analyze and create a detection signature for that specific strain. Like the immune system recognizing a pathogen it has seen before, antivirus software uses these signatures to scan files for known threats. This strategy worked reasonably well when viruses were mostly made by amateur hackers. But in 2003, according to McAfee, we saw the first real for-profit malware and since then, the growth of organized cybercrime has brought forth a series of innovations that allow malware to rapidly change its appearance. If the viruses of the early 2000s were the common cold, sophisticated malware of today is like HIV, able to change its protein coatings to avoid detection.
One of these innovations is a process called “crypting,” which allows a developer to transform the appearance of a piece of malicious code using encryption tools and test it against antivirus software until it is undetectable. Similarly, developers can also use polymorphic code to turn malware into a chameleon, capable of changing its appearance every time it runs. One 2013 analysis found that 82 percent of malware disappears after an hour, and 70 percent of malware only exists once. This short lifespan means just a small percentage of antivirus detection signatures—0.34 percent in one analysis—catch active threats. The rest just hunt ghosts. Though some companies have introduced new strategies to combat these adaptations, they haven’t been enough to fully keep up with fast-moving threats.
Despite its diminishing effectiveness, a startling number of users still use antivirus software as their first, or only, line of defense. According to a 2015 Google study comparing digital practices of security experts and nonexperts, 42 percent of nonexperts said antivirus software was among the most important steps they took protect themselves online. The response topped the list of measures taken by nonexperts, even ahead of “using strong passwords.” But, tellingly, it didn’t even crack the top five among those who work in the cybersecurity field.
This knowledge gap is significant and worrying, because modern malware attacks can be devastating. One type of attack that has grown dramatically in recent years is ransomware, which encrypts one’s files and holds them for ransom. In 2016 alone there were 4,000 ransomware attacks a day, according to IBM. As we store more and more personal information on our computers—home videos, photos, financial information—the cost of infection only grows. So how can the typical user keep up their cyberhealth in a post-antivirus age?