If you've been in the world of information security for a while, you've undoubtedly seen an article or two comparing biological and computer viruses, and proposing ways of mimicking the biological immune system in the world of computers.
Many of these articles view the immune system from a very high-level viewpoint, and the analogy breaks down fairly quickly. A recent talk by Guillaume Lovet and Axelle Apvrille at Black Hat Europe aptly gives a very in-depth view of the human immune system and maps each of its individual components to a different, specific security technology.
In short, the body uses a layered defence strategy (including both blacklisting and whitelisting detection techniques) to protect against a fairly limited number of possible attacks. As the variety of attacks against computers is infinite and malware often employs anti-analysis techniques, it is far more difficult to protect a computer than a human.
On the other hand, biological viruses do not have financial motivation or the threat of prosecution – biological viruses as a class of organisms will continue to reproduce until there are no more creatures left to be hosts.
For both biological and computer viruses, if a sufficient number of people have received vaccinations for a given virus, it can effectively wipe the virus out because it has too few connected hosts to infect. According to Lovet and Apvrille's paper, vaccines are most analogous to anti-virus updates, as they provide protection against a limited number of specific, known threats.
It is generally considered that around 80 per cent vaccination coverage is required for the herd immunity threshold to be met. That is the point at which the whole community gains greater immunity because a sufficient number of individuals are protected.
If you consider only the Windows ecosystem separately, certain locales might qualify as having achieved that level of coverage, but it is likely that the 80 per cent would include people who are not using up-to-date products, or those who regularly disable scanning. That dilutes the ‘vaccination’ effectiveness significantly – this is why you still see ancient malware occasionally making the rounds.
What we would ultimately like is not simply the end of one specific virus, but of all malware. Even if 80 per cent best-use-case coverage were achieved against all known malware, it is unlikely that malware would simply disappear.
The detection rate of anti-virus alone is not high enough to be considered a universal vaccine, and each day the battle begins anew, as more and more malware is created.
Fortunately for us, with malware there is a point of diminishing returns. If we manage to collectively make it too expensive or dangerous for malware authors to get what they are after, they may take their attention to other moneymaking endeavours.
Unfortunately, there is also a point of diminishing returns for individuals and organisations in protecting their systems. How far are these two points from one another? It may be that there is something like a universal herd immunity threshold for malware. In that case, it would likely take the form of deterring a sufficient number of malware writers through the skill or cost required to compromise machines.
What would the threshold point be for computers? Given the increasing number of breaches and malware variants created, clearly very few computers are sufficiently protected even against easy forms of attack. It is unlikely that targeted attacks (especially politically motivated ones) will ever go away, as cost is a much less important concern to those attackers.
If that 80 per cent included people using both blacklisting and whitelisting, and firewalls in addition to advanced anti-virus suites, we might start seeing a decline in malware numbers, or at least a slowing of growth.
It is undeniably a tall order, and I would not advise any of us to hold our breath waiting for that day to come, but if it ever does, it will be interesting to see whether malware writers move to greener pastures.
Lysa Myers is a virus hunter for Intego