observed.de

Paul Sebastian Ziegler

Some Thoughts on Viral Statistics
2008-01-14 14:40:58
Recently the people over at AV-Test released their annual statistics on viruses.

Various online media have picked up the subject and are now eagerly reporting. Among those is the German newscaster Heise.

However, there is one important sentence to consider.
Laut Andreas Marx von AV-Test haben die Spezialisten sämtliche unterschiedliche Dateien gezählt, bei denen sich der Fingerabdruck (MD5-Hash) von den anderen Funden unterscheidet.

This translates to:

According to Andreas Marx of AV-Test, the specialists counted all infected files with a fingerprint (MD5 hash) that was unique among the other findings.

They go on to say:
Ab 2004 scheint das Wachstum zu explodieren

Starting from 2004 the growth [of the number of viruses] seems to explode.

At first glance this appears to be correct.
However, we need to consider the following. 2004 marks the first large-scale appearance of polymorphic malware, that is, malware that is able to alter its own code in order to stay unrecognized when scanned by fingerprint-based AV scanners.

This means that a single virus is now able to produce massive numbers of different, unique MD5 hashes when analyzed.
Since then the degree of polymorphism and metamorphism has steadily increased.

Of course the real amount of malware in the wild is increasing. Last year we saw the Storm Worm break free, which pushed well past the old limits. There were some new techniques and apparently a huge amount of activity. The next years will be interesting as well. OS X malware has made it into the wild and we'll probably see it spread during '08.

But the vast majority of that growth comes from malware altering its form, and thus its fingerprint, and not from a vastly growing amount of unique malware. The approach to compiling those statistics will have to change. Until then, please keep these thoughts in mind when thinking or reading about malware growth.
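The effect of the counting rule can be reproduced on constructed data; this is an added example, not part of the original post and not AV-Test's method. The byte strings are inert stand-ins for collected files, and the `MARK` delimiter and family names are assumptions made so that the invariant part of each file is trivially recoverable, which is far harder for real samples.

```python
import hashlib
import random

MARK = b"|VARIABLE|"  # constructed delimiter; real samples carry no such marker


def make_corpus(seed=2008):
    """Build constructed, inert byte strings standing in for collected files."""
    rng = random.Random(seed)
    corpus = []
    # Three static families, each collected 10 times: every copy is identical.
    for name in (b"static-a", b"static-b", b"static-c"):
        corpus += [name + b" fixed body"] * 10
    # Two polymorphic families, 500 collected files each: same body,
    # but a 16-byte region that differs in every copy.
    for name in (b"poly-x", b"poly-y"):
        for _ in range(500):
            junk = bytes(rng.getrandbits(8) for _ in range(16))
            corpus.append(name + b" fixed body" + MARK + junk)
    return corpus


def count_by_md5(corpus):
    """The counting rule quoted above: one entry per distinct MD5 fingerprint."""
    return len({hashlib.md5(s).hexdigest() for s in corpus})


def count_by_stable_part(corpus):
    """Count distinct invariant bodies, ignoring the per-copy variable region."""
    return len({hashlib.sha256(s.split(MARK, 1)[0]).hexdigest() for s in corpus})


if __name__ == "__main__":
    c = make_corpus()
    print(len(c), "files collected")
    print(count_by_md5(c), "unique MD5 fingerprints")
    print(count_by_stable_part(c), "distinct families")
```

Deduplicating by MD5 collapses the identical static copies but counts every polymorphic copy separately, so two families account for almost the entire fingerprint total.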

Update:
And if you don't believe me, please read SkyOut's blog. He is among the people who know viruses best.