Complete Transcript of Interview – Randy Abrams – ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
November 03 2007
Alan: Once a virus or threat has been recognized, defined and a definition file has been created and sent out – do we really have to worry about that virus or threat again? Our guest today is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Thank you Alan. It’s always great to be back here.
Alan: There are a lot of Consumers and even some Administrators that think that just because a known virus has been eliminated from their system, they never have to worry about that same virus, again. That is really a serious mistake to approach virus threat prevention that way, isn’t it?
Randy: Absolutely – in fact, if you were to rebuild a Windows XP computer from scratch, (especially pre-XP Service Pack 2) and then set it up on the Internet without a Firewall – in a matter of minutes, you would be infected with many of the old viruses. That includes Blaster – that’s probably the first one that you would hit.
Alan: I know that when we talk about hurricanes and tropical storms, there is some kind of method to their naming. But who comes up with the names of all these threats and viruses, like Blaster and Storm Worm, with all these cutesy names?
Randy: Typically, the anti-virus community will come up with some of the names for the threats. For example, the Storm Worm was named the “Storm Worm” because the very first time that we saw it, a link to it was sent out in an email talking about a storm that had killed hundreds of people in Europe. In some cases, the public and the media name the threat. If you remember the “Melissa Virus”, it came in a document and the macro in the document was called Melissa. The rest was actually named after a stripper in Florida. The anti-virus companies would never have named it Melissa, but it was too late; the media and public had already named it.
Alan: The whole idea of virus writers in the past was to want the notoriety of, “Look, see what I did and I got my name in the paper.” Nowadays, media is pushing the virus around with all of its hype.
Randy: There’s a fundamental difference now. I don’t think the Storm Worm authors really cared what you called it. These are professional criminals that are in it for the money. They really don’t care what you call their stuff. The media doesn’t have any effect on them, motivationally, or on their pride or whatever. They want to make money. And that’s quite a different scenario than in the old days, where David Smith, who wrote the Melissa Virus, was probably strung out on Vicodin and thought that he was pretty cool in writing this stuff.
Alan: Viruses are not dead, are they?
Randy: No, not at all. We’re seeing a lot more other threats that are not technically viruses, but even the true viruses, which are self-replicating code, are still alive and kicking and doing just fine.
Alan: Let’s just take the Storm Worm Virus and look at it. What really makes this worm, so vicious? And actually, it’s not really a worm, is it?
Randy: No, not technically; although the definition of worm is a little bit nebulous. I, personally, wouldn’t call it a worm. What makes this so vicious is that you’ve got people who are putting considerable effort into social engineering attacks.
The Storm Worm is not made to exploit any software vulnerabilities. It exploits the gullibility of users. In virtually all cases, an infected user is infected because they opened up an email that they shouldn’t have opened up and then they clicked on a link that they shouldn’t have clicked on.
It’s pretty obvious that this is designed to trick people. You don’t get these kinds of emails from people that you know and when you get emails from people you don’t know, you shouldn’t be following the links in them.
Alan: How many people actually opened this particular email?
Randy: As a percentage, it’s hard to tell. Throughout the world, there have probably been more than 10,000,000 people who have opened it and actually clicked on the link.
Alan: That is a lot of people! And if they’re in a business, that can actually make a corporation’s day go bad, very quickly, can’t it?
Randy: Oh, yes, because once they have clicked on it, then it installs a rootkit and bot on their computer. And now that computer isn’t theirs anymore – it belongs to the Storm network.
It then makes their computer part of a botnet. They installed the program that allows their computer to be automatically controlled from a remote location. So, typically, the computers that are infected will end up being used to send out a lot of spam. And a lot of the spam will be what we call “pump and dump” for stocks. Once the authors of the Storm Worm have infected the computer, they use that computer to send out emails which are designed to get people to buy worthless stocks. And guess what? The people behind the Storm Worm probably own a whole bunch of shares of that worthless stock that they’re making 5 or 10 cents a share on. This doesn’t sound like a lot of money, but if you multiply that by a few million shares, it starts adding up.
Alan: It’s really hard to find the person that started it, because the one that’s making the money says, “Well, I just invested in it; I didn’t really know what I was investing in.” But look, it’s like a horse race: “Hey, I won!”
Randy: The one who’s making the money doesn’t have to say anything, because they’re almost certainly in Russia and Russia doesn’t have extradition treaties.
Alan: Why did people actually click on the emails? What made them so enticing to open up?
Randy: People like bad news. They got this email saying 230 dead in Europe as a result of a storm, or something like that. They got it from someone they didn’t know; it didn’t come from a news organization that they had heard of. They wanted to see what this video said that it was, because people like carnage! That explains why we have so many violent movies nowadays. It’s not like there is any quality dialogue in the movie or any quality writing. There are good special effects, I guess, but other than that, it’s really easy to trick people into opening things up. You just tell them that it’s going to be gory and they are right there!
Alan: We define what the definition is and now we make a definition file for that particular threat or virus and we then send it out to the world. Doesn’t that just stop the virus from being bad anymore? I mean, we know about it and we don’t even have to let it into our systems anymore.
Randy: The world doesn’t take what’s sent to them. The big part of the challenge is getting people to keep their anti-virus software current; getting them to deploy these updates. That’s a huge part of the problem.
Oftentimes, when a computer gets infected with a new threat, it’ll disable the anti-virus software. And if they don’t realize that this has happened, then they might not even know that they’re not getting updates. That’s why it’s important to periodically manually update your anti-virus software, just to make sure that it actually is working, that it’s updating properly.
Alan: Once this threat gets onto your system, it goes out there and looks at what programs are running and it recognizes certain words and it tries to knock off every anti-virus program known to the world.
Randy: Well, it tries to knock that out; it typically will also try to take out firewalls.
Alan: If that virus changes just a little bit, the definition file is almost useless at that point. This is where your heuristics really shine, because I don’t want to wait until the next definition file comes down the pike. It doesn’t take long whatsoever for 10,000,000 computers to be infected, does it?
Randy: No, it doesn’t; with the Storm Worm, almost every time someone downloads a copy of it, it looks different from any other Storm Worm, because it’s dynamically being changed, both programmatically and automatically. It’s being changed on virtually every download. And that’s why you have to have heuristics like ESET’s NOD32, or else you’re going to be behind in the game. There’s no way to generate signatures as fast as new copies of that virus are generated, each of which is now different.
Alan: And you are one of the very few anti-virus anti-threat companies that stop this, before you even had to send out a definition file.
Randy: It takes a lot of work to generate really, really good heuristics. It’s something that we even go back and forth with some of the malware writers on. Because, they will deliberately try to defeat our heuristics and then we have to figure out what are the proper rules; what is the proper approach to go after these things. It’s a constant battle and some companies don’t have nearly the experience that ESET has.
ESET’s been doing heuristics since 1998, when a lot of companies were still saying, “No, you can’t do heuristics” – that it won’t work or that we don’t know how to do it right. ESET really has been one of the pioneers in the field of heuristics and now virtually everyone is trying to do it, but most don’t do it as well as ESET does.
Alan: Everybody uses that word – you see it on the boxes of all the software. That’s like saying “user friendly”. Well, user friendly to somebody and user friendly to another person are completely different. Heuristics are the same. What makes your heuristics work?
Randy: That’s somewhat proprietary, but a lot of it has to do with the fact that we use 3 different heuristic approaches. There are a lot of different ways to use heuristics. No single way is going to be as effective as using a combination of techniques.
We use what we call generic detection. Some people call it generic signatures. This is very, very well suited for detecting exploits and for detecting the “script kiddie” changes. It measures how similar something is to something that we already know of as bad.
We also use “passive heuristics” – this is a technique of examining the file and looking at what it appears that it is going to do if it is allowed to run.
And then, we add to that, our “active heuristics” – our advanced heuristics, which is emulation. We create a fake PC, if you will, inside of our scanning engine, where we keep the system safe from what we’re going to run and we start executing the malicious code to watch what it actually is doing.
So, we have 3 different heuristic approaches, in addition to our signatures to tell us that the file is going to be a problem for the user, before they are allowed to run it.
Alan: I know with definition files, it’s really easy to see whether it’s going to work or not. You have basically a known virus and a known definition file and it’s supposed to catch the known virus and not let it in. But, how do you test heuristics, to make sure that it was working? Do you have some kind of benchmark that you use?
Randy: There are independent companies that test this. And the method that they use is called “retrospective testing”. What you do is you stop updating the scanner, in some cases for 3 months. And now, during the three-month period, you’ll collect brand-new samples that no one’s ever seen before. So there is no way that the scanner has signatures for it, because they haven’t had samples. At the end of that time period, whether it’s 3 months or one month, whatever arbitrary time period it is, you scan all these new samples.
And then, anything that’s detected is detected with heuristics, alone – because we don’t have signatures. When this kind of testing is done, ESET’s NOD32 always performs better than any of the other products.
Alan: This gives you that peace of mind, because you don’t want to wait until a definition file is put out to know that, “Oh, now we’re trapping viruses”, but for the last couple of hours or days, you haven’t been secure at all and the only reason you didn’t get this virus was pure, simple luck!
Randy: You need to have really good quality protection, nowadays, being out on the Internet. There’s one tip I’d like to share with your listeners, because we’re coming up on the Holiday Season and people are going to start thinking about buying brand-new computers.
You might consider using your new computer for your games, for your general Internet browsing and for your email. But use your old computer for nothing but your critical things, like your online banking. Don’t use it for email at all. That’s one way to help minimize the risks from the threats that are out there nowadays.
Alan: Anytime that you go online, you have to have a reliable anti-virus, anti-threat software. You allow us to test out NOD32 before we buy it, with a full version, that is updatable during the trial period, don’t you?
Randy: That’s exactly right. We want people to choose us because they like what they see and what they’ve experienced. The only way to do that is to test the fully functional copy of the Software.
Very shortly, now, we will have ESET’s Smart Security, which has all the power of ESET’s NOD32 Anti-virus, but we’ve added onto that some special features – a Firewall, that’s actually fully integrated with our Heuristic Engine, as well as the Anti-Spam. And what’s really unique about this is that this was all designed to be a “synergetic software system”. The features of the Firewall and the Anti-Spam actually communicate with the Heuristics Engine. That’s going to provide customers with even better proactive protection and prevention.
Alan: Well, here at Let’s Talk Computers, and Total Solutions, we have been part of the Beta Test Team, testing the new Smart Security Software, from the very beginning. This is extremely powerful Software, Anti-threat, and Anti-virus and now with a built-in Firewall – to really give you that peace of mind, when it comes to threat prevention.
If somebody would like to find more information about NOD32 and the Trial Copy that they can download, where would they go?
Randy: To download a Trial Copy, they can go to http://www.eset.com
Alan: Randy, we look forward to having you as our guest here on Let’s Talk Computers, talking about ESET’s Smart Security Software, really soon.
Randy: I look forward to being back with your listeners.