At Black Hat 2011, during an interview about ESET's recent Global Threat Report, a reporter asked me why we still see very old strains of common, long-detected malware. After all, haven't we been detecting these threats in the wild for years by now? It seems we should have caught them all. Well, really it's a combination of factors.
- Some of the old malware infects operating systems that are no longer supported with security patches from the vendor. After the vendor announces the end of life for that version (or goes out of business), it tends to steer customers toward newer products, and the end of patching is one of the justifications given. Vendors have a fixed development/support/bug-fix budget, and they don't see the payoff in supporting legacy systems, as opposed to spending that budget on new features and bug fixes for more modern products that customers still purchase. This is good for profit, bad for security on legacy systems. Also, some third-party software vendor licensing can change, precluding continued active support.
- People reading the SC Magazine Cybercrime Corner probably have some keen interest in security and probably have some security measures in place on the systems they use. They keep up on technology, try out new features, purchase new hardware and software, and so forth. Because of this, they can stay abreast of more secure options when they purchase or upgrade systems. People with 10-year-old PCs, who treat them as an email and web-browsing appliance, do not. They have set patterns, like eating the same meal at the same restaurant every day at lunch, and they're not going to change until smoke comes out of their computer some morning and they're forced to. When it finally breaks, they'll want a new appliance.
- It's been long enough that malware gangs think they may be "off the radar" and may be able to pick up some low-hanging fruit by doing drive-by attacks on older computers. Sometimes they're right, as some other anti-malware companies remove detection for older malware if it has not been seen in the wild for a while. As a corollary, an older piece of malware may be obtained by a newer, less-skilled criminal gang, who then use it with only minor changes to the command-and-control (C&C) servers or payload.
Bottom line: A proactive approach makes sense, and so does keeping security systems in place for a while after the immediate threat has subsided. Basically, being conservative in your cyber life results in a little peace of mind and might prevent your computer from being infected with some of the old, familiar (if infamous) bad news of yesteryear.