ESET's senior virus researcher interviewed by hwupgrade.it

Hi guys, in this thread i post the requested english translation from my italian interview: http://www.hwupgrade.it/articoli/software/1366/index.html

I would also like to thank Paolo Monti from Nod32.it for translating my interview into italian and Nigel Cook for correcting some small english spelling mistakes.

Ok, here it is:

 

Re: The requested english translation

Page 1

Internet has become the main vehicle of infection for computers and the major reason of trouble for experienced and non-experienced users who are forced to surf the web under a virtual "sword of Damocles", being careful to avoid every danger. Virus, trojan, worm, spyware, adware, dialer, phishing, are the main risks that increase day by day and users need to protect themselves to avoid troubles for computers and, in some cases, to avoid "wallet troubles" too!

Since 1980, when viruses really started to spread, the amount of malicious software has dramatically increased, showing numbers never seen before. What is the actual situation? What will the future bring? How has malware changed over these years and how it will change in the future?

Hardware Upgrade is pleased to interview Michael St. Neitzel, senior virus researcher for Eset spol. s r.o, the company who developed NOD32 Antivirus, renowned as the fastest antivirus software in the world.

http://home.arcor.de/antivirus/pic.jpg

We asked Michael some questions to have a general view about the actual malware situation and about antivirus, advanced techniques used to fight viruses.

 

Re: The requested english translation

Page 2

1) Old-style viruses - like file infectors, polymorphics, stealth - aren't as big a problem as they were some years ago. Today, we always have to fight against worms, trojans, backdoors and dangerous scripts. How have things changed over the years of dangerous computer viruses?

These days, the classical viruses such as parasitic file infector viruses, don't play such an important role as they did some years ago. However, a few parasitic viruses are still in the wild. For example, the Parite.B, also known as Pate Virus, is still circulating, especially in the file sharing networks. Another one, which is probably also well known, is the Jeefo Virus, aka HiDrag.

Comment (not included in the original text)
If you like to know how Jeefo/HiDrag became this name read my description and comments here:
http://www.nod32.com/pedia/virusy/Win/Win32/jeefoa.htm

Otherwise there are, from time to time, a handful of new parasitic viruses submitted to our lab; none of them were ever seen to spread widely. Most of them are just "Proof of Concept" or Zoo Viruses. These parasitic, old viruses, mainly getting hosted by users without any antivirus protection or with the wrong antivirus protection.

For Instance, Anti-Spyware Programs do not detect and handle these types of viruses in the same way Antivirus Programs do. That said, scanning the machine with only an Anti-Spyware solution, will result in a clean scan report, even if the machine is infected with such a virus type. These days worms are getting more and more the medium for transportation of spyware and trojans. They install Proxies, Downloader and notifying in IRC channels, the infection status of the compromised machine. This, combined with spamming, is the most consistently seen in the last few months.
The best examples are numerous new versions of Mytob worms - the nightmare of every antivirus researcher for the past few months! They give control over the infected system to use it for spamming or advertising and even to host files on this infected machine. Basically, they are "modern" backdoors/trojans which use worm-like features for spreading to other machines. Trojans and Backdoors do not replicate themselves to other machines, therefore the worm only acts as some kind of transportation medium and as a combined dropper and installer. Most of these worm types recently used security vulnerabilities such as PnP or DCom for spreading. This is often also seen in so called IRCBot's. The newest generation of this is known as "Zotob".

 

Re: The requested english translation

Page 3

2) How has the danger of spyware and adware increased? Today they are often a greater risk than viruses and worms. Why has their role changed so quickly?

There's only one correct answer to this question: There's money involved.

People found out that they can make some money with advertising and spamming. This fact doesn't surprise me at all. So called affiliate programs are the very basic roots for this. Before you can successfully advertise something to a user you must know what he likes and dislikes. For this you need to collect information about the user's behavior. For instance, which websites does he often visit? For what does the user search for when using internet search engines? Which gender/sex is the user? What age group does the user belongs to? Basically, you need to collect as much personal information as possible, to perform successful advertising and sales. For instance, it makes almost no sense to advertise to a man, female clothes like skirts or tops. He'll most likely ignore such stuff unless he really cares about his wife/girlfriend. ;-)

However, we should separate between Adware - which is the most harmless form of "malware" (displaying banner ads and the like) and Spyware (which really collects personal information and might share this with 3rd party organizations in order to make successful advertisements) and the rest of "true" malware like viruses, worms, trojans, backdoors, etc.

Recently Spyware has become more and more aggressive. I remember the virus-like behavior of the Bube "Spyware-Downloader". It will patch the existing explorer.exe executable and write its own code into this system file. This is a permanent change, unlike other code injecting technologies. Basically it acts like a downloader, used to download and to install other spyware packages.

There's one really important fact about such spyware/adware: Usually it alternates the system security settings. This means it might set other security restrictions in the browser zones, enabling, disabling or reconfiguring services which makes the whole system more vulnerable for all other types of malware also, such as worms or trojans. In most cases, it's not enough just to delete a binary file. You should also make some research on the internet as to what the spyware/adware alternates. You might have to re-adjust the changed settings (for instance registry changes for browser security) to it's original settings. A good idea is to also reinstall service packs - some spyware does overwrite system components with other versions which results in an unstable operating system.

It is recommended that you use a dedicated Spyware Scanner together with your antivirus program. I recommend for instance Spybot Search & Destroy. It's free for personal use. You can download it here: http://www.spybot.info

Anyway, it’s important to specify that many antivirus vendors are including solutions more and more sophisticated against spyware and adware, updating their AV signatures on a regular basis and calibrating the heuristic engine in order to intercept and clean this type of malware. The Antivirus industry can already count on tests able to “measure” the efficiency of traditional antiviruses in this new security field. The well renowned test center of WestCoast Labs has already prepared several tests conceived to certify antiviruses against the new, growing menace represented by adware and spyware. For further details, you may consult the following address: http://www.westcoastlabs.org/cm-av-list.asp?Cat_ID=8

 

Re: The requested english translation

Page 4

3) During an interview to VNUNet Grisoft, the company which developed AVG antivirus, they warned about the coming era of Linux viruses. In fact Linux, as an operating system, is spreading very quickly, often used by home PC users too. Will there be a real danger of viruses for Linux? With its architecture, will it defend itself from future assaults?

It might increase, but it will not become such a serious problem and grow as fast as with Windows. As long as all Linux stuff keeps Linux stuff and does not try to work like Windows some times. Just take a look at a configured Linux system - usually you work there as a user - not as root, unlike windows where you automatically have administrator rights with pre-installed systems. 95 percent of all home users don't change this; they will always run their Windows machine in administrator mode. The next thing is that you can always run executables within Windows. If you receive an email, you can, in most cases, directly click on the attachment to run it. Under Linux it's way harder... You have to save the executable to disk and then you have to give it executable rights. Before that, nothing happens. It doesn't matter how colorful the email and the attachment appear to be.

Most users who work with Linux, know their system. It's much more difficult to trick someone into executing malware (for instance with social engineering tricks in emails) who knows his system. Of course there exists already Linux malware, Ramen for example, but nothing has been spotted to be a serious problem yet. The strict system security architecture makes it much more difficult for malware to work in this way as opposed to how it could work under Windows.

 

Re: The requested english translation

Page 5

4) We really must talk about mobile phone viruses for SymbianOS, which seems like a whole new era has opened. The most common way to have a mobile phone infected is to always leave Bluetooth connection turned on and in 'discoverable' mode. A lot of users don't like this because of the heavy use of the battery. So will new mobile phone viruses be a real danger for people?

I've run around for 2 years now, with every possible security leak in my PDA (Phone Edition). I took every chance to get infected and never got anything.
They probably don't like me.

More annoying are the short, spam messages that you get regularly. Right now, there is no serious problem with PDA/Phone spreading malware. However, time will tell. So it's a good thing to be prepared for the future. That's why our company, Eset, announced the start of development for such mobile devices last month.

Reference: http://www.eset.sk/company/eset-antivirus-for-mobile-devices

 

Re: The requested english translation

Page 6

5) During these last few days there were new trojans discovered for PlayStation Portable and Nintendo DS; a very interesting thing if you think that devices other than PC's and mobile phones can be "infected". Seems like a partial victory for virus writers, but which is the serious risk?

Well, it's not really "infecting" - it's damaging the device by deleting files based on a known vulnerability with reading TIFF pictures (Remote Buffer Overflow). The user should always be aware that patching the firmware (the trojan was claiming to do this) includes enormous risks. You always have to expect that the device might become unusable when something goes wrong. That applies not only for PSP, but also for all other mobile devices such as mobile phones etc. It's highly recommended to let such things be checked by an authorized dealer otherwise you may lose all warranty cover, regardless if the update was successful or not.

Based on the fact that not everyone (except freaks) will patch their firmware, this trojan was not damaging that many devices. Frankly, you can exploit almost everything. The only question is how "successful" will it be. In this case you damaged your device. But it doesn't replicate itself. So you're basically responsible for yourself - you were well aware that it will alternate system files and you had the time to search for it on the internet

 

Re: The requested english translation

Page 7

6) Techniques used by antivirus software to detect and remove malware are becoming more and more complex every day and effective; heuristics scanning technique has dramatically increased and, today, seems to be the main weapon against 0-day viruses and epidemic situations. In fact, thanks to heuristics, antivirus companies can fill the time gap that's there between a virus identification and signature updates. Will heuristics take the main role in antivirus software instead of signature scanning?

However, you need both. Signature Detection and Heuristics. Only with this combination can you classify variants of already known malware. For heuristics, it's important to have either a good unpacking engine and/or a good code emulator. Most of the new malware is runtime packed to reduce file size and to avoid antivirus detection by simple signature match without the abilities to unpack. Heuristic and Variants detection are especially important in the corporate environment. Once a worm has made its way into the first company email inbox, the chance of employees starting such infected emails is very high. A detection via Heuristics can save the company a lot of money and unnecessary work to clean the company network from malware. NOD32 has proved this many times; that it is not merely a futuristic dream detecting malware with zero delay by Heuristics. Just for one example: Numerous Mytob worms were detected without any virus signature database update - including the brand new ones last weekend.

A question which is often asked: "Why do you later add signatures with the exact names for already detected stuff via Heuristics?" This has basically to do with the web provider side, email scanning. If a worm which was picked up by Heuristics is still circulating a lot, it is better to add an exact name for it. Users can then look up how other vendors are calling this worm, for instance. Another important fact is, that if you add a signature for a runtime compressed worm (for instance UPX packed) it will dramatically speed up the scanning speed, when the email server receives thousands of worm emails. Because there is no need to unpack every single file if you detect it in "Raw" mode. That saves lot's of resources.

In my opinion, with hundreds of different runtime packers and patched malware these days, Heuristics becomes more and more important. It also gives the antivirus company time to analyse malware in a proper way, which is already detected by Heuristics, before they add a new signature with a name. And it's always good to know that if there was something new, that it might be caught by Heuristics, long before other vendors even know that this malware exists.

 

Re: The requested english translation

Page 8

7) Between 1990 and 2000 we saw a big change in the underground world - within virus writers, a reduction in age and skills required. What has changed between "old-school" virus writers and the virus writers of today?

From a technical point of view (as a virus researcher) the "old" classical viruses such as ZMist (Mistfall engine) from Zombie, a Russian virus writer, the ETAP virus from Mental Driller or the Jolla (JollyRoger) Virus are actually some of the "masterpieces" of the old style viruses.

These days you see primary, repacked, simple and "stupid" static malware. There are not that many people who are able to write effective and working assembly codes, which is, for instance, needed for parasitic, polymorphic viruses and who are using their skills for virus writing. It takes far longer to write a (real, working and difficult to detect) low-level, virus than just to write a high-level language worm or trojan in Visual C++ or Visual Basic.

Virus Writers recognized that it's not worth spending that much time developing a parasitic virus, which will be detected without any major problems, by every modern antivirus scan engine. At the same time they also recognized that they can probably gain some money out of their "talents" by writing numerous spyware-components, IRCBot's for building up so called BotNets for spamming and selling or for offering so called undetected backdoor servers. The trend goes, without any doubt, more and more into "money-making-malware". The best example is a trojan called PGPCoder (actually this trojan has a very simple static encryption algorithm) who encrypts Word documents, Excel spreadsheets, etc, and puts a file into this folder which says you have to send an amount of money to the author in order to obtain the decryption program to recover your files. We have already reached this level. Some amateurish malware writer encrypts files on your hard disk (as i said before it's not even a real encryption, however the files become unusable as long as they are encrypted) and requests money, even for this! Or the Mytob worm family - they are "money making worms". There are so many versions of this recently, that you can call this worm "manual polymorphic".

 

Re: The requested english translation

Page 9

Last words are for you and your thoughts: What will be the future of internet security? How can users protect their PC's and their documents?

There's one sentence which sums it up pretty well: "No antivirus solution can protect you from yourself."

As long as people are clicking on every email attachment "just to see what it is" and maybe even ignoring antivirus warnings, then email-worms and other malware will survive. It has been said again and again: Don't start executable files out of email attachments or any other untrustworthy files sent to you! Delete such emails instead of playing with fire.

The other thing is secure web browsing. Don't allow everything to run regardless. Be careful especially with so called ActiveX components. There are lots of them at unknown websites, attempting to install adware/spyware or porn dialers on your machine.

Most important thing: Download all setup and installation programs ONLY FROM TRUSTWORTHY websites. If there is a vendor page, try to download it always first from the vendor page. Read carefully the EULA (even if it bores you to death!). If you're still in doubt, use an internet search engine (Google, Yahoo, etc.). If this leads you to discussions about bundled spyware or other malicious behavior, stay away from this software until you can prove the opposite!

Always keep your antivirus solution up-to-date. Perform from time to time a so called "on-demand-scan" and check that your antivirus program is working properly. A harmless test file, exactly for this purpose can be found here: http://www.eicar.org/anti_virus_test_file.htm

Send suspicious files to antivirus vendors rather than trying them out by yourself. Experienced Malware Researchers can give you pretty quick answers. So don't risk an infection if you have doubts about some files!

If possible, do not run your PC all the time in Administrator/Root mode. Create AND USE limited User Accounts - this prevents lots of malware from running!

Do not ignore operating system updates - always try to be up-to-date with all security and software patches. This helps to prevent malware infection, which uses such known vulnerabilities for spreading.

Basically, there's much much more to consider, but this would probably explode the borders of this interview.

--- END ---

 

Re: The requested english translation

And here is the final document in english - in PDF format.

 

thanks, who is that lady?

 

Mrs. Happy Byte

 

Who was that joker and did place my wifes picture here?
Blackspear?

 

lol, HB! I was wondering the same! It was another picture there. It wasn't me anyway.

 

So how can this happen? Fixed now

 

ROFLMAO, anyone have a mirror to hand to "Mr Happy I did it myself Bytes"