This series of write-ups celebrates the Lenovo Forum's family of volunteer advocates - moderators, gurus and outstanding members of the Forum, who consistently go out of their way to help out in this community through sharing what they know, dissecting, delving and diving into various issues to educate other users and solve one another's problems. We salute and honor your dedication and hard work!
Imagine yourself as a graduate student who poured months into your thesis, only to start up your computer one day and find your work being wiped out in seconds by a virus. Or perhaps your personal banking or investment accounts are compromised and your accounts are depleted, or your identity is stolen through some kind of Trojan attack. Increasingly, these situations are becoming less science fiction and more general news of the day. Fortunately, there are many talented individuals working to combat these events on a daily basis. Aryeh Goretsky, or simply goretsky, as he is known in our Lenovo Forums, is a well-respected malware researcher. Read on to find out what inspires him in the ongoing war against malware.
Serene: You are now a Distinguished Researcher with ESET, and I am sure the road to attaining that honor must have been very interesting. Tell us more.
Aryeh: I began my computing career in 1989 at McAfee Associates (now simply McAfee). I was the first employee hired and did many things while there, but my job was technical support, and I started as an engineer and later moved on to managing the department as the business grew. Back then, information was not as readily accessible as it is today; internet connectivity was rare, slow and expensive, so I relied heavily on books, magazines and co-workers for my technical education. Managing technical support is more about metrics and numbers than technology; aside from mentoring the newer techs, I never lost my passion for troubleshooting or educating others. After I left McAfee Associates, I worked at one of the first instant messaging companies as their director of support, and later as a consultant for small businesses, followed by taking up a position as a senior engineer at a VoIP hardware manufacturer, where I made such gear as handsets, PBXes and Ethernet switches. Ten years after I left McAfee Associates, I came full-circle and joined anti-virus firm ESET. At ESET I ran support for North America for a year and then moved over to research, where I initially held the post of a manager, but now hold the position of Distinguished Researcher.
My interest in computers was sparked when I first used one, an Apple II at school; I wanted to understand how they worked and how to make them do interesting things. Later on, I got my first computer, a Commodore 64, and soon after a modem, which allowed me to reach and connect to the broader computer-using community online. There was no publicly accessible Internet back then, but I did make use of local bulletin board systems, one of which was operated by John McAfee. That eventually led to occasional meet-ups for things like pizza parties, where I met other users as well. A few years after that, John left his day job and started his anti-virus company. After a few widely-publicized malicious programs appeared (the Datacrime virus and the Morris Internet worm), it seemed to me like John had the makings of a business and I asked him for a job. Thus began my career answering the single phone line at John McAfee's kitchen table.
Serene: That’s an amazing back story. As a researcher now, you must come across many variants of malware – which, in your opinion, is the worst, and why?
Aryeh: I would not classify the malware's damage by its specific actions but rather by its effect--not on computers, but on people. I remember speaking to a PhD student who had the single copy of her thesis completely overwritten by a computer virus (years of work gone in a few seconds), I have seen small businesses close because they lost all their records, and I have spoken to people who had their bank accounts emptied. These are horrible things to have happen; it's not necessarily physical damage like having your home burn up in a fire, but the feelings are similar: people tend to personalize their computing experience, and there is an incredible sense of violation when one runs afoul of a computer virus or worm or bot or whatever malicious program it was that took their livelihood or their savings away from them.
Serene: Scary stuff. Given the proliferation of technology and the accelerated rate with which digital products are being rolled out, how do you keep abreast of what’s new and what’s happening?
Aryeh: The threatscape changes constantly and a large part of my job is monitoring what is going on, both on the offensive and defensive sides. I read constantly about the latest developments, as well as share information with colleagues around the globe about the latest threats. In some respects, the job consists of going from one emergency to the next, and it becomes important to compartmentalize that very stressful work and take time for oneself. I have some fairly regular hobbies like reading and movies, going out to dinner with friends and so forth. One activity which is perhaps a little out of the ordinary is that I like to troubleshoot computer problems; not just those involving malware, but those involving hardware, software and networking issues. I tend to think of them more as a type of intellectual puzzle which needs to be solved--a kind of cerebral recreation.
Serene: Do today’s punishments fit the crimes?
Aryeh: My opinion of those that create or use malware for criminal activity is that they are criminals. They may be better educated than the average street mugger or bank robber, but at the end of the day, they've done the same thing.
Serene: What do you think the kind of threats will be like in 2012?
Aryeh: I do not expect there to be many truly novel security threats in 2012. What I do expect, though, is an escalation of existing types of malware. In particular, I expect to see more malware targeting Android as well as an increase in rootkits. In 2011, I watched Android malware go from something that showed up every few months to something that showed up every few days. While most of it tends to be relatively unsophisticated and consists of modifications to earlier code, it is gradually increasing in complexity. On the PC side, I saw an increase in bootkits. A bootkit is a particular form of rootkit that infects the boot areas of hard disk drives, such as the master boot record (MBR), boot sector or volume boot record (VBR). These are not files, per se, but rather small pieces of code located at the beginning of a hard disk drive that get read into memory and executed after a computer finishes initializing its hardware. Originally, they were just used to load the actual operating system, but malware authors have taken to replacing them with their own code. This allows malware to run before an operating system in order to circumvent its security procedures. What is interesting to me about this is not that it is a new technique, but rather a very old one, dating all the way back to the very first computer virus for the IBM PC, the Pakistani Brain. What happened is that the concept has been reinvented, and now targets additional security measures in 64-bit editions of Microsoft Windows.
Serene: Sounds like in addition to our PCs, our phones and tablets are at risk too. Short of unplugging and embracing our inner Luddite, what can we do?
Aryeh: There really isn’t any reason to stop using computers, but people have to be realistic about protecting them. Practicing good computer hygiene by keeping your operating system and applications up-to-date, using good passwords and only using software from trusted sources like the author is just as important as running anti-malware software. There's no panacea, but you can take measures to reduce the likelihood of being infected.
The public doesn’t really make mistakes regarding protecting their systems. Rather, they have misconceptions about the nature of malicious software, as well as the software which combats it.
Malware these days is financially motivated, which means that the goal of the malware author or operator is to make money in some way. The criminals who use malware have been successful in this regard and, as a result, have developed highly automated systems which search for compromised systems and infect them. At any given time, they may have thousands, tens of thousands or even more computers infected. Infected computers are managed by other infected computers, sometimes in a hierarchy, reporting into tiers of what we call "command and control servers," and other times in decentralized peer-to-peer swarms. Unless an attacker is targeting a specific computer or network, they themselves may often not be aware of which individual computers are under their control. What does this mean? Well, for one thing, it means that individuals and even businesses usually are not specifically targeted. They were infected because a vulnerability was exploited on a computer, or perhaps they were tricked into clicking on a piece of software to install it--what we call "social engineering."
On the anti-malware side: people, and this is mostly home and SOHO users--SMEs are more understanding of this--tend to think of and treat their security software as a kind of invisible forcefield which protects their computers from malware and frees them from the consequences of their actions while using a computer. No anti-malware program offers perfect detection for all malware; detection rates can be very high, but there is always some small percentage of malware which is going to get through. Unfortunately, since the host population for malware is so large--potentially all personal computers out there--even a small fraction of a percent getting through means that large numbers of undetected malware appear each day. At my employer, we typically receive around 200,000 new samples a day, and there have been a few days where we have received over 300,000 samples a day. That's a large number, and it requires a concomitant expenditure of effort for analysis. In my view, anti-malware software is perhaps less of a forcefield and more like an automobile insurance policy. You may not like having it, but if you ever need it, you will be glad that it's there.
Sun Tzu’s Art of War proclaims: “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Get to know more about malware and security in our English community’s inaugural special event, from Nov 27 – 30, where expert panelists including Aryeh Goretsky will be on hand to answer your questions about keeping your systems safe.