Posted by Art on January 7, 2006, 11:05 am
>I'll start by example: Please take a look at
>http://www.symantec.com/avcenter/global/index.html
>and click any of the threats in the left column.
>
>All the exploits I clicked have the same numbers, 0-49 infections and 0-2
>sites.
>
>Clicking the 'infections' brings up a glossary that says,
>
>Number of infections: Measures the number of computers known to be infected.
>Number of sites: Measures the number of locations with infected computers.
>This normally refers to organizations, such as companies, government offices,
>and so on.
>
>Okay, so it seems clearly defined, yet the numbers for the infections seem
>awfully low and it's odd they are the same. Is Symantec *really* saying, "we
>know of somewhere between 0 and 49 computers out there that have this
>threat"? This would make Symantec's feedback or knowledge of the wild
>rather limited.
>
>Or maybe it is, "we think between none and 49 per cent of all Windows
>computers have this." This is a pretty darned broad range, with zero being
>way too low and 49 too high.
>
>Is there some hidden legend to these numbers?
The fact that they include zero instead of one in the ranges, suggests
to me that they may actually be counting only official ITW (In The
Wild) spotters. These official spotters are separated geographically.
Thus, with zero included, you could have a situation where no official
spotters have reported the malware ... zero official reports and zero
official incidents. Yet they know the malware is ITW because
unofficial spotters have sent them (or other av vendors) samples.
Another situation might be two official spotters where one reports
five incidents (in a government or industrial site) and another
reports ten incidents in such sites. Then the numbers would be
two and fifteen.
Just my guess and speculation.
Art
http://home.epix.net/~artnpeg