Thursday, November 12, 2009

The Wildlist vs. Reality

Back in the days of the big virus outbreaks there was a distinction between "in-the-wild" viruses and "zoo" viruses. These terms are not used much anymore, but back then they were pretty important.

The first group, "in-the-wild" viruses, were those that were actively infecting computers. The second group, "zoo" viruses, were those that may have infected computers in the past but were no longer doing so, for various reasons: they could have been written as an intellectual exercise and never actually released, they could have had a very low impact to begin with and seen their infection rate drop to zero, or any other reason for them to be sitting in virus archives gathering dust. This was a sort of virus graveyard, the place where viruses went to die.

Obviously the antivirus industry was very concerned about the first group and not so much about the second, even though it still had to detect them to avoid reinfections from old backups (it had to make sure that none of the animals in the zoo could come back from the dead). Since there was a real need to know which viruses were really "in-the-wild", an independent organization was created for this purpose: enter the WildList.

The idea was very good: a group of knowledgeable people from the security industry would send in samples of viruses they believed to be in-the-wild. Those samples that several researchers agreed on were then published as part of the official "WildList"... simple and effective. Viruses that made it into the list had the dubious honor of being officially "infecting" people. Everybody was protected from them and therefore happy (except the people who got infected, but at least they had been warned who the enemy was!).

Now, back to 2009... the situation today is wildly different (pun intended). Today a normal user gets infected from a malicious web page with a virus, and chances are nobody else in the whole world has seen that exact executable. The bad guys craft them so that each copy is slightly different yet has the same functionality. Is that in-the-wild? It's clearly not in the zoo, but no two users will agree that they have the same exact virus, let alone two virus researchers. Those samples will never end up in that list. Believe it or not, the list is still compiled in exactly the same way as it was in 1999. What is its real use nowadays?
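To make the "slightly different every time" point concrete, here is an added example; it is not code from the original post and it contains no real malware. It simulates a server-side-polymorphic download using a constructed, hypothetical container format (a `TOY1` magic, a length field, a fixed stand-in payload, then a random overlay that changes per download), generates one copy per victim, and counts the result two ways: by whole-file SHA-256, which is the level at which two researchers have to agree they hold the same sample, and by a hash of the payload region only.

```python
"""
Added example (not part of the original post): why per-download variants
break "same exact sample" identity.

Everything here is constructed: the container format, the payload bytes and
the overlay generator are hypothetical stand-ins, not a real file format and
not real malware. The payload is never executed.
"""
import hashlib
import random
import struct

MAGIC = b"TOY1"  # hypothetical 4-byte magic for the toy container

# Constructed stand-in for the functional part of a sample (inert bytes).
PAYLOAD = b"\x90\x90connect(c2.example.invalid:443);download();run()"


def build_variant(rng: random.Random) -> bytes:
    """Emit one per-download copy of PAYLOAD wrapped in the toy container.

    Layout: MAGIC | u32 little-endian payload length | payload | overlay.
    The overlay (random length, random bytes) plays the role of the junk a
    server-side polymorphic packer changes on every download.
    """
    overlay = rng.randbytes(rng.randint(16, 256))
    return MAGIC + struct.pack("<I", len(PAYLOAD)) + PAYLOAD + overlay


def parse_payload(sample: bytes) -> bytes:
    """Parse the toy container and return only the payload region."""
    if len(sample) < 8 or sample[:4] != MAGIC:
        raise ValueError("not a toy container")
    (length,) = struct.unpack("<I", sample[4:8])
    if 8 + length > len(sample):
        raise ValueError("truncated payload")
    return sample[8:8 + length]


def exact_identities(samples):
    """Identity as a sample-exchange list sees it: the whole-file hash."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def payload_identities(samples):
    """Identity after discarding the variable overlay: payload hash only."""
    return {hashlib.sha256(parse_payload(s)).hexdigest() for s in samples}


def compare(n_victims: int = 1000, seed: int = 2009):
    """Simulate n_victims downloads of the same functional sample and return
    (distinct whole-file hashes, distinct payload hashes)."""
    rng = random.Random(seed)
    samples = [build_variant(rng) for _ in range(n_victims)]
    return len(exact_identities(samples)), len(payload_identities(samples))


if __name__ == "__main__":
    exact, functional = compare()
    print(f"1000 victims -> {exact} distinct files by SHA-256, "
          f"{functional} distinct by payload hash")
```

Run stand-alone it reports 1000 distinct files and a single distinct payload. The second count is the one a researcher would have to produce before a list built on agreement between submitted samples could even register such a family, and on real samples getting there takes unpacking or behavioural analysis rather than reading an eight-byte header.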

This topic came up the other day when a customer came to one of our training guys asking why on earth a company claims to receive 2000 samples a day (or was it an hour?) while the WildList only lists around 800 viruses "in-the-wild" per month in the whole world. These numbers have grown apart over the years to the point that the WildList in its current state is helping nobody, and users are starting to wonder why it still exists. The irrelevance of the WildList was already pointed out this week by some companies, and I couldn't agree more with them. Unless there's a big shakeup in the way it's compiled, the WildList is obsolete, pointless, useless, dead. Goodbye, WildList.
