Juraj Malcho (source: Courtesy of ESET)
ESET is a global leader in providing computer security solutions with more than 20 years of experience and more than one hundred million users of its products. It has been on the market since the first widespread appearance of computer viruses, which were mostly intended to demonstrate the ability of their writers, and now combats a whole range of sophisticated cyber-threats.
The Slovak Spectator spoke with Juraj Malcho, chief research officer at ESET, about current threats to computer systems, cybercrime, current trends in the computer security industry and much more.
The Slovak Spectator (TSS): What is the difference between malware, viruses and worms? Who creates them and why?
Juraj Malcho (JM): The answer to this question is actually a ‘window into history’. Malware is a shortened word for malicious software, i.e. any code designed to do something malicious. But this term started to be used only relatively recently. The first malware were computer viruses. This is a term that has resonated everywhere and has been used generally to refer to the entire category. However, technically it is incorrect; a virus is just one specific kind of malware, even though it was the first kind. A computer virus has a parallel in biology – a virus needs a host to survive. This means that a virus is a piece of malicious code that infects user’s files in a computer and here it survives and spreads further. Then there was a period of worms, which also have a parallel in biology. A worm, in contrast to a virus, can exist on its own and crawl – i.e. spread in the IT context. Then there were Trojan horses, malware with hidden intentions (hence Trojan horse), which can provide full control of the infected system for the attacker to steal sensitive information or otherwise harm the computer system. The classification system could be even more detailed but this is important only for experts, not for ordinary computer users. What is important is that all these are now fused in some way into something that we call blended threats.
As to who writes these codes, at the beginning they were computer and software enthusiasts. In this phase I called the viruses ‘electronic graffiti’, because this was literally a form of self-presentation. Later, some people identified malware as a way to steal and make money and that
was the start of cybercrime in 2003-2004.
Today we can say that stuff written for self-presentation has become a marginal issue and that all malware has become a tool of cybercrime used for range of activities, from spying and stealing passwords to directly robbing victims’ accounts (often by automatically stepping into an online transaction), or other illegal activities. For example, there are botnets (networks of infected computers), which, being controlled by a botmaster, can be turned into a powerful tool for a variety of purposes. A typical use is sending spam or performing DDoS (distributed denial-of-service) attacks. This is also a way of earning money because somebody can use this to put another person or company out of operation and gain some advantage against one’s competition or for a kind of racketeering – if you don’t pay we will continue to attack. All these are ways in which malware is monetised.
TSS: How does ESET respond to these threats and what does the process of developing security products look like? When do you decide that a particular kind of malware has become so serious that it needs a response?
JM: We benefit from the fact that we have been on the market since the very beginning and have been able to respond to all threats which have emerged so far. That has also allowed us to gather important intelligence and experience about malware, and establish cooperation with our competitors.
The antivirus (AV) world is a whole community; we know each other, in many cases personally. We actually have friends in other companies, something that is quite unusual compared with other industries. From the commercial point of view we are rivals but in terms of technical issues we are on the same side, especially after malware became a tool of cybercrime. We all began to fight against this evil and this actually made us join forces.
Based on mutual agreements, the established firms exchange samples of potential malware among themselves. These are external resources to know what is happening outside our user base. We also have our own monitoring systems and sensors through which we catch suspicious new codes and analyse them. Our products also have embedded mechanisms for collection of suspicious files. These are quite huge amounts of data, as we collect about 200,000 unique pieces per day. We also receive suspicious files from our customers and partners. Then we analyse them to decide whether these are harmful or benign, which is the work of experts in our labs. Because of such huge amounts of data, there is need for a lot of intelligent automation. What is special for ESET is that our engine, meaning the scanning core, searches for similar or distinguishing features and this helps us to detect the whole malware family, not only its individual pieces. You could think of it as identifying the DNA of a specific family. It is necessary to have this kind of effectiveness so that we can force a big change on the other side by small changes on our side. This means that our creation of one such advanced detection method, or a generic DNA signature, takes just minutes while the malware writer needs several hours to write a new one. This is the whole strategy.
Of course, for completely new threats a thorough analysis may last much longer, even some days, such as was the case of the infamous Stuxnet worm, where the analysis took weeks and months.
TSS: When does a piece of software start to be harmful? Where is the border between only a bothersome code and a harmful one?
JM: This is a difficult question. At ESET we have already addressed this issue two times in presentations at Virus Bulletin, the biggest annual event in the AV world. In the first presentation titled ‘Is There a Lawyer in the Lab?’ I explored the boundary between legitimate and illegitimate applications as many applications are not the typical malware used in cybercrime nowadays that have the aim of financial profit but rather they are potentially unsafe or unwanted applications. Typically, the only genuine benefit of such software is for the company that develops it and makes money out of it. From my point as a technical expert, the situation is clear and such applications should be detected. But this causes conflict because suppliers of such potentially unwanted software often have a very good background, for example online casinos. And of course, if somebody really wants to gamble, it is not a potentially unwanted application for him or her. But here the situation gets even more complicated because gambling is illegal in some countries and the casinos complain that we are stripping them of their sales.
So it is debatable whether to detect these applications or not, and we’re certainly not limiting ourselves to online casinos. In these cases, we are not only considering the software itself, but the whole business model (affiliate networks, pay-per-install business models), marketing aggressiveness (such as promoting the products via spam) and the reputation of the software. The pay-per-install business model, if uncontrolled, is a particularly easy way for botmasters to monetise the power of their botnets by pushing unwanted software onto the infected machines of unaware victims. Last but not least, a very important argument for detection is complaints from our users.
The first indications of this emerged about five years ago and now we receive a letter each week in which a company complains that we are detecting software they claim is not harmful, does not represent any threat and that we should cancel its detection or they will file a complaint with a court. This always varies from one case to another and it is not possible to generalise. The Anti-Spyware Coalition was established and it has created a set of documents that describe what good, legitimate and useful software should do and what sorts of behaviour cannot be tolerated. The opposite side, of course, tries to write software taking into account these recommendations so that they bypass the reasons for detection. Thus, this is a very dynamic field. We are detecting these applications as potentially unwanted applications and leaving it up to the consumer to decide whether to have it detected or not. Our argument to the complainer is that it is our customers who require this and expect protection, and it is our duty to inform them that something potentially unwanted or unsafe may have entered their PCs. Of course, as I said, this is a very sensitive topic for both sides and we must be very diplomatic.
TSS: How is security software tested and evaluated? How can a consumer decide which product to buy?
JM: The typical consumer has quite a difficult time in deciding among products. This is because the testing of products is very complicated and demanding. It is almost impossible to do a good AV test under normal conditions. This is because an enormous amount of malware exists and it is impossible to analyse, or even collect, all the samples out there. During a test, only a small set of malware is selected and then tested. Based on the detections the tester makes a conclusion. But among these files there also might be corrupted (non-working) files, false positives (or false alerts), and so on, and that means invalid and inaccurate detections. And there are only very few testing labs that are able or willing to do a proper analysis of detected files because this is very time-consuming, resource-intensive and expensive. Then there is a problem, which I’ve already mentioned, about what to detect and what not to detect. All these factors bring various distortions. Each test focuses on something different. There are also performance tests of security products, which measure the impact on the operating system, memory consumption, how much they slow down the computer while working on the internet, etc. When you look at some of the main tests, you mostly see that the rankings differ significantly. Moreover, tests have become a marketing tool. Companies often commission private tests and then highlight tests showing positive features of a given product and downplay those in which the product is not so good.
A consumer should have a look at three or four series of various tests and see how the ranking changes. If a product is keeping higher rankings, it would be one of the better... of course, price matters as well, especially nowadays. But to say it briefly: one best AV or best detection system does not exist.
In the case of experts or companies, the situation is a bit different. First, these people have technical backgrounds and they should already know something about malware and its cleaning, and they know the threats they need to protect their businesses from. For them, the important features are stability, low numbers of false positives and support from the company delivering the security product, meaning whether the security company is able to deliver a custom solution or how quickly it is able to respond to a new threat.
TSS: Are smartphones and social networks also targets for cybercrime?
JM: All popular platforms are targets for cybercrime. The mafia is a business – it is looking where people are and where money is and has no interest in any other places. So simply said, cybercrime looks at any popular platform whether it is mobile or something else. Malware has been detected on Facebook as well as in Android, the operating system for many mobile devices. We are actually detecting multiple pieces of malware written for Android each day. But in terms of overall significance, the Windows platform is definitely still the most interesting one for cybercrime. But human foolishness and unwariness is the weakest link in the whole chain and people should be very careful when loading up free applications with content that they cannot verify.
TSS: How would you assess Slovaks in terms of awareness and knowledge about malware and its threats?
JM: Unfortunately, I don’t have statistics dealing with this in detail; I can only use our general malware prevalence statistics for countries. Based on typically-detected threats we can say that typical users in Europe or the US are in the higher part of the ranking in terms of computer literacy. This is because they have more or less gotten accustomed to a legitimate operating system which updates regularly as well as an antivirus program. They also have learned not to fall for the simplest social engineering tricks. What is detected here belongs mostly to that grey zone, to potentially unwanted applications and adware which are, for example, slowing down the computer. When we look at Asia or Indonesia, for example, the situation is much worse, and USB worms rule there. This means that people generally don’t care about security much, or at all.
With regards to experts – from the viewpoint of an AV expert – I see that companies have problems finding people able to analyse suspicious activity or anomalies in the corporate (or government) networks (I mean the real geeks here). In some cases the companies may underestimate the risk of internet-borne attacks; this is especially true for small businesses which cannot afford trained IT personnel. In Slovakia, compared to the USA for example, the pressure is probably not as high as targets here are not so interesting for hackers. Nevertheless, such attacks really occur everywhere and daily we are hearing from the news that this or that company has been caught unprepared or a server has been compromised. So there is globally a lot to improve and it will have to start by developing more educated and trained professionals.
TSS: How do you perceive links between academia and practical work in Slovakia?
JM: When it comes to IT security, the current situation in linking education with practical work is not good in Slovakia and also more generally, though there are some exceptions. There are only a handful of universities in the world which systematically address malware research in their curriculum. At ESET we are trying to do something about this and we have started cooperating with the Faculty of Electrical Engineering and Information Technology of the Slovak University of Technology in Bratislava. We had a small pilot project last year and now we want to offer a basic course of reverse engineering at the university. Based on the feedback and interest we will go further to malware analysis.
I also see it as a question of demand and supply: when firms require more experts then there will be pressure on schools to develop such experts. But here in Slovakia we have an additional problem – the huge gap between incomes of teachers and experts in the private sphere. It is difficult to motivate teachers to stay at schools and develop future experts when they see that they will be rewarded much worse than people in the private sector.
This is why we want to be helpful and teach some limited hours at the faculty and contribute with our knowledge and experience. The course will start this summer semester.
TSS: Where does ESET have its research and development centres? Why have some been established abroad?
JM: In Slovakia, other than in Bratislava we have a team in Košice. Currently, our most important R&D team abroad is in Krakow, Poland with over 40 people who work directly on the development of our core technologies and malware research. The official research and development centre there was opened in 2008 but we had been cooperating with an expert there for about two years who is now the head of the office. Last year we opened a lab in Prague. We also have two people in Moscow, teams in Buenos Aires, San Diego and Singapore and we are just now opening a lab in Montreal, Canada.
The reason we open labs abroad is people. We work in a very specific field that requires expert knowledge which is not easily learned. We have already drained Slovakia quite well in terms of experts. So like other AV firms, we are trying to dig talent from anywhere and launching branches abroad is solely about finding the best people for our company. In general it works in the way that we start cooperation with a local expert which then gradually develops into something bigger if we see prospects there. This was the case in Krakow, which is also an appealing city where both local people and those from abroad want to live. Our Krakow and Bratislava teams are actually international, with talented people from Russia, Ukraine, Romania, Belarus, Greece, Italy, Lithuania and Portugal.
TSS: What is ESET’s current position in the AV market?
JM: Globally, ESET is a small player and our market share is about 2.5 percent. The biggest player, Symantec, has about a 36-percent market share, and the top three players together cover two-thirds of the market. This means ESET has room to grow. However, the situation is different when looking from the installation share point of view, where our products cover 9.2 percent.
There are dozens of antivirus products in the world but many of these are actually based on licensed products. In this respect ESET has one significant advantage against its competition: we have our own scanning core and the technology on which we have been working for over 20 years, something that no one can take from us. At the same time, only a few people have left the company, so all of the knowledge and experience accumulated over those years is daily put to good use.
We cannot compete with Symantec and their broad portfolio of products, with its thousands of employees, while at ESET we globally have around 800 employees. Our strategy is to focus on the core technologies, i.e. the components that are directly related to computer and user security, which has traditionally been our strong area.
With regards to general current market trends, more free antivirus software is on the market and there is a threat that Microsoft might offer a free AV program in the next version of its operating system, Windows 8. The final quality and effectiveness of the product is still to be seen but one thing is for sure: it is impossible to have only one AV solution on the market because it would be very easy to attack. So there must be certain diversity which leaves opportunities for other players. Nevertheless, this is shaking the market and everyone is thinking hard how to keep one’s position. The fact is that the consumer segment, households, is heading towards free services and thus our strategy is to focus on small and medium-sized businesses and generally the corporate environment. This is not only about delivering a piece of antivirus software, but also about providing something more: timely and effective signature updates to maintain the high protection level, customised customer solutions and quality support. After all, a security solution is not just a product, it’s a service.
