Back to the future - detecting the least polymorphic part
Over the last couple of years the number of malware samples has grown incredibly. At Kaspersky Lab, we've seen over twenty million samples in 2009, which is more than a hundredfold increase compared to ten years ago. The detection of binaries has become a highly automated process, with as much as 85% of the signatures becoming irrelevant almost immediately after release. The AV industry has come up with many new technologies to fight these threats more adequately, such as behaviour blockers and URL blocking. After a long struggle, we're in a position to deploy technologies that can significantly improve protection rates without being punished by outdated tests. What this means in real life is that the big numbers can be made a lot smaller. Rather than focusing all efforts on detecting 100% of the binaries, we can analyse infection chains and look at the least polymorphic part of the chain. The main protection method can then be based on that least polymorphic part. The greatest challenge this approach brings is making sure that already-infected users still get adequate detection rates. A number of solutions to address this problem will be shown, some of which we have successfully implemented at Kaspersky Lab. Additionally, I will show the results of five case studies based on this approach and the hurdles faced.