Reading the Symantec exploit numbers

  • Thread starter: Fenton

Fenton

I'll start by example: Please take a look at
http://www.symantec.com/avcenter/global/index.html
and click any of the threats in the left column.

All the exploits I clicked have the same numbers, 0-49 infections and 0-2
sites.

Clicking the 'infections' brings up a glossary that says,

Number of infections: Measures the number of computers known to be infected.
Number of sites: Measures the number of locations with infected computers.
This normally refers to organizations, such as companies, government offices,
and so on.

Okay, so it seems clearly defined, yet the numbers for the infections seem
awfully low and it's odd they are the same. Is Symantec *really* saying, "we
know of somewhere between 0 and 49 computers out there that have this
threat"? This would make Symantec's feedback or knowledge of the wild
rather limited.

Or maybe it is, "we think between none and 49 per cent of all Windows
computers have this." This is a pretty darned broad range, with zero being
way too low and 49 too high.

Is there some hidden legend to these numbers?
 
Fenton said:
http://www.symantec.com/avcenter/global/index.html
click any of the threats in the left column.

All the exploits I clicked have the same numbers, 0-49
infections and 0-2 sites.

the numbers for the infections seem awfully low and it's
odd they are the same.

First thing, you won't get many replies to this because it involves
Symantec (which many people here discount as a respected piece of AV
software - or at least which many here do not use). Second, few
people know the internal workings of Symantec enough to be able to
speculate as to how Symantec knows the world-wide distribution and
time-line of infection of various agents.

I doubt that Symantec has any coherent world-wide ability to "sense"
the number of agents that are infecting systems in a real-time manner.

I think the numbers you are seeing have no basis in fact and are
simply there as a legacy display that might have been, at one time,
the result of some real human effort on their part. Since the
explosion of new agents in the past few years, I think they've given
up on updating that display of infection stats. But it's still there
- perhaps they want you to think that they have this all-knowing,
all-seeing knowledge of world-wide viral distribution. At least it
makes them look authoritative on the matter.
 
I'll start by example: Please take a look at
http://www.symantec.com/avcenter/global/index.html
and click any of the threats in the left column.

All the exploits I clicked have the same numbers, 0-49 infections and 0-2
sites.

Clicking the 'infections' brings up a glossary that says,

Number of infections: Measures the number of computers known to be infected.
Number of sites: Measures the number of locations with infected computers.
This normally refers to organizations, such as companies, government offices,
and so on.

Okay, so it seems clearly defined, yet the numbers for the infections seem
awfully low and it's odd they are the same. Is Symantec *really* saying, "we
know of somewhere between 0 and 49 computers out there that have this
threat"? This would make Symantec's feedback or knowledge of the wild
rather limited.

Or maybe it is, "we think between none and 49 per cent of all Windows
computers have this." This is a pretty darned broad range, with zero being
way too low and 49 too high.

Is there some hidden legend to these numbers?

The fact that they include zero instead of one in the ranges, suggests
to me that they may actually be counting only official ITW (In The
Wild) spotters. These official spotters are separated geographically.
Thus, with zero included, you could have a situation where no official
spotters have reported the malware ... zero official reports and zero
official incidents. Yet they know the malware is ITW because
unofficial spotters have sent them (or other av vendors) samples.

Another situation might be two official spotters where one reports
five incidents (in a government or industrial site) and another
reports ten incidents in such sites. Then the numbers would be
two and fifteen.

Just my guess and speculation.

Art

http://home.epix.net/~artnpeg
 
Fenton said:
Okay, where, then, would I go to find decent infection statistics?

Suggest you enter that very term "computer virus infection stats" into
google.

Also search for the term "honey pot".

The "Internet Storm Center" also comes to mind, as well as "The
Register" http://www.theregister.co.uk

Here's a few nuggets I found:

http://beaune.acs.ucalgary.ca/~itstatus/Virus/

http://beaune.acs.ucalgary.ca/~itstatus/Virus/lastmonth.html

http://www.securitystats.com/virusstats.html

http://www.microtech.doe.gov/assist/

There's a difference between infection attempts and infection
successes. It's easier to measure the attempts with honey-pots, but
hard to know the infection rate of a given agent.
 