Symantec Global Internet Security Threat Report
Appendix D—Malicious Code Trends Methodologies
Malicious code trends are based on statistics from malicious code samples reported to Symantec for analysis. The data is gathered from over 130 million client, server, and gateway systems that have deployed Symantec’s antivirus products in both consumer and corporate environments. The Symantec Digital Immune System and Scan and Deliver technologies allow customers to automate this reporting process. Observations in this section are based on empirical data and expert analysis of this data. The data and analysis draw primarily from the two databases described below.
The Symantec AntiVirus Research Automation (SARA) technology helps detect and eradicate computer viruses. It is used to analyze, replicate, and define a large subset of the most common computer viruses that are quarantined by Symantec AntiVirus customers.
On average, SARA receives hundreds of thousands of suspect files daily from both enterprise and individual consumers located throughout the world. Symantec then analyzes these suspect files, matching them against virus definitions. An analysis of this aggregate data set provides statistics on infection rates for different types of malicious code.
Malicious code database
In addition to infection data, Symantec Security Response analyzes and documents attributes for each new form of malicious code that emerges both in the wild and in a “zoo” (or controlled laboratory) environment. Descriptive records of new forms of malicious code are then entered into a database for future reference. For this report, a historical trend analysis was performed on this database to identify, assess, and discuss any possible trends, such as the use of different infection vectors and the frequency of various types of payloads. In some cases, Symantec antivirus products may initially detect new malicious code heuristically or by generic signatures. These may later be reclassified and given unique detections. Because of this, there may be slight variance in the presentation of the same data set from one volume of the Symantec Global Internet Security Threat Report to the next.
Geographic location of malicious code instances
Several third-party subscription-based databases that link the geographic locations of systems to IP addresses are used along with proprietary Symantec technology to determine the location of computers reporting malicious code instances. While these databases are generally reliable, there is a small margin of error. The data produced is then used to determine the global distribution of malicious code instances.
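The lookup described above, reduced to its core, is a longest-prefix match of a reporting system's IP address against a table of network prefixes annotated with a location, followed by aggregation into a per-country distribution. The following is an added example, not Symantec's code or any of the third-party databases it references; the prefix table and the list of reporting addresses are constructed for illustration, and addresses that fall outside every known prefix are counted as "unknown" to make the margin-of-error case explicit rather than silently attributing them to a country.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-country table (hypothetical; documentation ranges only).
# A more specific prefix must win over a broader one that also contains the address.
GEO_TABLE = [
    ("203.0.113.0/24", "US"),
    ("203.0.113.128/25", "CA"),   # overrides the /24 above for its half of the range
    ("198.51.100.0/24", "DE"),
    ("2001:db8::/32", "JP"),
]


def build_table(rows):
    """Parse prefixes and sort by prefix length, longest first,
    so a linear scan returns the most specific match."""
    nets = [(ipaddress.ip_network(prefix), country) for prefix, country in rows]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)


def locate(ip, table):
    """Return the country for ip, or None when no prefix covers it
    (the case the text describes as the database's margin of error).
    Malformed addresses also return None rather than raising."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, country in table:
        if addr.version == net.version and addr in net:
            return country
    return None


def distribution(ips, table):
    """Aggregate reporting addresses into {country: (count, percent)},
    keeping unlocatable addresses visible under 'unknown'."""
    counts = Counter(locate(ip, table) or "unknown" for ip in ips)
    total = sum(counts.values())
    return {c: (n, round(100.0 * n / total, 1)) for c, n in counts.items()}


# Constructed sample of reporting addresses, not real telemetry.
SAMPLE_REPORTS = [
    "203.0.113.5",      # US via the /24
    "203.0.113.200",    # CA via the more specific /25
    "198.51.100.7",     # DE
    "192.0.2.1",        # not in any prefix -> unknown
    "2001:db8::1",      # JP (IPv6)
]

if __name__ == "__main__":
    table = build_table(GEO_TABLE)
    for country, (count, pct) in sorted(distribution(SAMPLE_REPORTS, table).items()):
        print(f"{country}: {count} ({pct}%)")
```

Sorting by prefix length before scanning is what makes the /25 beat the enclosing /24; a table scanned in insertion order would mis-attribute half of that range. Real geolocation databases are far larger and are keyed by ranges or radix trees rather than a sorted list, but the attribution rule and the need to carry "unknown" through to the final distribution are the same.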
Malicious code that exploits vulnerabilities
Symantec maintains a malicious code database to analyze and document individual instances of malicious code dating back to 1998. The database includes metadata for classifying malicious code by type, discovery date, and threat profile, in addition to providing mitigating factors and manual removal steps. Where applicable, this database includes correlations between malicious code instances and vulnerabilities from the Symantec vulnerability database. This capability was used as the basis for the data in this metric. Symantec examined the means by which each instance of malicious code propagated and counted those that propagate by exploiting vulnerabilities.