Defining success in your own life can be fairly straightforward: Figure out what goals matter to you and achieve them. However, for the competitive set–you know, the ones who ask all the milestone questions at high-school reunions–comparing your level of success with others is very difficult: Do my eight kids trump my boss’s vice president position? Does my house in the country beat their apartment in the city?
The difficulty in comparing different measures of success holds true in the world of malicious code as well: If worms had high-school reunions, what would they brag about?
This question–about worms, not high-school reunions–came up during an interview I was doing with some antivirus researchers. We were hashing out how to define a successful worm, primarily because the old measure–how widely a worm has spread–isn’t necessarily the most relevant one.
Online attackers looking to turn an exploitable vulnerability into a profit are no longer cranking out worms that spread widely. Compromising less than 10,000 machines can be very lucrative and drastically lowers the chance of detection. The same theory is behind the targeted Trojan horse attacks that aim to infect a single machine in a corporation or government agency; the turned system then allows attackers to quietly do reconnaissance on the network and eventually stage a smash and grab, stealing important data.
The old measure–how widely a program has spread–would likely make a 2-year-old virus, one of the Netsky variants, the most successful piece of malicious code in circulation today. However, that ignores the cumulative population of common code families of bot net software, such as Agobot and SDBot, which have thousands of variants but in aggregate have infected millions of machines. It also ignores Microsoft’s data that shows that 61 percent of all PCs (the largest fraction by far) cleaned by its malicious software removal tool had been compromised by a Trojan horse.
Other measures are equally poor. Damage numbers are perhaps the worst measure, since quantifying damage is so difficult. Articles that rely on such numbers should make clear that these figures generally amount to a guess. For instance, a recent article that trumpeted The 10 Most Destructive PC Viruses of All Times put ILOVEYOU in the top position, claiming–without mentioning the source–that the virus caused between $10 billion and $15 billion in damage. Most likely, the figures came from Computer Economics, a market research firm that has put damage guesstimates on virus outbreaks.
The amount of money illicitly transferred using malicious software as a key part of the scam could be another measure of success. However, that data is even harder to estimate. I’ve done a considerable amount of research into the methods behind various numbers–especially the untrue claims that cybercrime profits exceed those from drug trafficking–and concluded that most cybercrime numbers amount to back-of-the-napkin guesstimates. I talked with Thomas X. Grasso of the FBI at DEFCON this year and he could not name any reliable numbers collected by the FBI on cybercrime profits or damages either.
Perhaps taking a page from the self-help genre is the best bet. Just as people may have a purpose-driven life, perhaps the best way to look at malicious code is to focus on its purpose. Worms and viruses of the past focused on self-propagation and were counted successful if they spread widely; rootkits focused on evading detection; bot software on effectively controlling a network of compromised machines; Trojan horses on social engineering the user; and crimeware on turning vulnerabilities into illicit gain. In some ways, this becomes just another version of the classification problem that many researchers are working on.
Of course, this approach still leaves problems to be solved. Many programs combine facets of all of the different purpose-driven components. The measure also still leaves the issue of how to collect specific kinds of data, such as cybercrime profits.
Yet, focusing on purpose does have the benefit of highlighting what matters when measuring success–as any self-help book will tell you.