Oliver Auerbach, Cosmin Ancuta and Robert Harja, Avira
In January 2008 Av-Test.org published statistics about the rapid increase in the volume of new malware. In particular, the report states that more than 10,000 different malware files appeared every day in the previous year and the outlook for the current year does not look any better. Avira's own statistics don't look any different from this, apart from the fact that many of the files belong to the same family and do not differ significantly from a functionality point of view.
Malware analysts have started to add to their products sophisticated detection for whole malware families instead of individual variants, in order to increase proactive detection and make it harder for the bad guys to release new, not-yet-detected variants. As a result of these generic detection routines the number of individual samples that need to be analysed is much lower, and the side effect is a reduced workload.
The addition of generic detection routines does not in itself reduce the number of file submissions or other malware-relevant support incidents. In fact, the use of malware to steal money and the growing number of inexperienced computer users have led to an explosion of malware-related customer incidents. Processing large numbers of requests with labs in different time zones and countries, serving customers all around the world who all expect an answer immediately, is proving to be a significant challenge. On top of this, prioritization, de-duplication, and outbreak detection and handling must all be taken into consideration.
This paper describes how to handle the never-ending flood of requests appropriately using an internally developed tool called VCC - Virus Control Center. The application is far more than a customized helpdesk application mediating between customers and researchers. The main purpose of the VCC is to handle de-duplication and the assignment of jobs to analysts according to their priority and relevance, without losing related information and files on the way. In simple terms, it is the virus lab's heart in terms of daily sample processing and customer interaction.
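To make the three duties named above concrete (de-duplication, priority-based assignment, and keeping every related ticket attached to its sample), here is an added illustrative model of a sample intake queue. It is not VCC's code and does not reflect Avira's actual design; the source weights, the `OUTBREAK_THRESHOLD`, the ticket identifiers and the sample bytes are all constructed for the example. Identical file content is recognised by its SHA-256 digest and merged into one job, repeated reports raise that job's priority instead of queueing a second copy, and an analyst always receives the highest-priority unassigned job.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical priority weights per submission source (not Avira's scheme).
SOURCE_PRIORITY = {"partner": 3, "customer": 2, "honeypot": 1}
# Hypothetical number of independent reports of one file at which it is
# flagged as a possible outbreak.
OUTBREAK_THRESHOLD = 3


@dataclass
class Job:
    sha256: str
    sample: bytes
    priority: int
    seq: int                              # arrival order, breaks priority ties
    tickets: List[str] = field(default_factory=list)
    outbreak: bool = False
    assigned_to: Optional[str] = None


class SampleQueue:
    """Intake queue: one job per distinct file, ordered by priority."""

    def __init__(self) -> None:
        self.jobs: Dict[str, Job] = {}    # sha256 -> Job
        self._seq = 0

    def submit(self, sample: bytes, source: str, ticket: str) -> Job:
        """Register a submitted file; identical content is merged into one job."""
        digest = hashlib.sha256(sample).hexdigest()
        prio = SOURCE_PRIORITY.get(source, 1)
        job = self.jobs.get(digest)
        if job is None:
            self._seq += 1
            job = Job(digest, sample, prio, self._seq, [ticket])
            self.jobs[digest] = job
        else:
            # Duplicate content: keep the new ticket so that customer still
            # gets an answer, and raise the job's priority because repeated
            # reports of one file are a relevance (and outbreak) signal.
            job.tickets.append(ticket)
            job.priority = max(job.priority, prio) + 1
        if len(job.tickets) >= OUTBREAK_THRESHOLD:
            job.outbreak = True
        return job

    def pending(self) -> List[Job]:
        """Unassigned jobs, highest priority first, oldest first within a tie."""
        return sorted(
            (j for j in self.jobs.values() if j.assigned_to is None),
            key=lambda j: (-j.priority, j.seq),
        )

    def assign_next(self, analyst: str) -> Optional[Job]:
        """Hand the most urgent unassigned job to an analyst, or None if idle."""
        queue = self.pending()
        if not queue:
            return None
        job = queue[0]
        job.assigned_to = analyst
        return job


def demo() -> SampleQueue:
    """Constructed submissions: one file reported three times, another once."""
    q = SampleQueue()
    sample_a = b"MZ constructed sample A"   # constructed content, not real malware
    sample_b = b"MZ constructed sample B"
    q.submit(sample_a, "customer", "T-1001")
    q.submit(sample_b, "partner", "T-1002")
    q.submit(sample_a, "customer", "T-1003")   # duplicate of T-1001's file
    q.submit(sample_a, "honeypot", "H-0001")   # third report -> outbreak flag
    return q


if __name__ == "__main__":
    queue = demo()
    for job in queue.pending():
        print(job.sha256[:12], job.priority, job.tickets, "outbreak" if job.outbreak else "")
```

Running the demo produces two jobs, not four: the thrice-reported file sits first with priority 4, all three tickets attached and the outbreak flag set, and the partner submission follows with priority 3. Hashing on content rather than file name is what makes the de-duplication robust to customers renaming attachments; a real system would also need fuzzy or family-level grouping, which the generic detection routines described above provide on the engine side.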