In the Trenches with Antivirus Guru Mikko Hypponen
Amid this year's ongoing plague of viruses and worms, there has been much discussion about virus creators, antivirus software developers and frequent virus targets like Microsoft and The SCO Group. But one important group still toils in near obscurity: the virus hunters. One of the field's most avid and skilled researchers is Mikko Hypponen, director of antivirus research at F-Secure in Helsinki, Finland.
For the past 13 years, Hypponen has been working in the computer security field, and his weblog on F-Secure's site is required reading for anyone who wants the latest information on which viruses are snaking around the Internet. Hypponen spoke to the E-Commerce Times about security, viruses and why malware is here to stay.
E-Commerce Times: When did you first become interested in computer and network security?
Mikko Hypponen: Around 1991. At the time, I was a low-level programmer with skills in assembly language, which came in handy for reverse engineering viruses. In fact, the biggest problem in recruiting new researchers is the fact that very few people nowadays have assembler skills. Most universities stopped teaching it years ago.
ECT: Why have universities stopped teaching these skills?
Hypponen: Because it's so hard, and because very few people need such low-level skills anymore. It's all C and C++ nowadays.
ECT: Do you think that, in general, universities should take a larger role in training students to be able to detect and examine viruses, in order to minimize the threat?
Hypponen: Indeed, computer science universities are putting quite a lot of effort into teaching things like cryptography, but fairly little emphasis is put on research of malicious code and how to analyze it. I'm pretty confident this is about to change, though.
ECT: How did you know you wanted to take on computer security as a career?
Hypponen: After decompiling and analyzing my first virus -- which was, by the way, the "Omega" virus, which I named. It felt really rewarding to be able to decode and crack the evil program written by someone else, and to help end users while doing it. So I kept at it.
ECT: How did your path lead you to F-Secure?
Hypponen: By chance, really. I was hired to do programming for random projects and just ended up focusing on the data security world, which was one of the things F-Secure was doing at the time. Now that's all we do.
ECT: What is your working environment like? How many people are on your team, and do they have specialized roles, or does everyone pitch in on everything?
Hypponen: F-Secure has 12 offices around the world, with over 300 people in them. All reverse engineers and virus crackers are here in my team, which works from our headquarters in Helsinki. We don't do anything else but crack viruses, the 10 of us. The team has been collected from around the world, and right now we have people from Finland, Hungary, Spain, Bulgaria and Russia in it. Everybody has their own area of expertise, such as Windows binary analysis, scripts and macro code, Linux stuff, mobile phone and PDA expertise, et cetera.
You should be able to get some kind of "feel" on the team members by browsing our public weblog, which is maintained by all team members.
ECT: What are the most significant changes you've seen since starting in computer security?
Hypponen: Well, we have clear virus eras: Boot viruses ruled the Earth from 1986 to 1995; macro viruses ruled the Earth from 1995 to 1999; e-mail worms ruled the Earth from 1999 to 2004; and my best guess is that network worms will rule the Earth from 2005 onward.
Also, the people behind the viruses have changed. We used to be fighting the teenage kids who wrote viruses because it was cool. Now we have more and more "professional" operations, where viruses are being used to generate money for the people behind them by stealing data or installing spam proxies. We've even seen cases where viruses install fake Web shops to infected PCs, and then start to send spam out advertising those shops. These are used to collect credit card numbers from the clueless customers.
ECT: Even though the people creating the viruses have changed, recently it was discovered that some of today's most prevalent virus code has taunts written into it against other virus writers. Does that mean we still have those teenage kids to fear as well?
Hypponen: The majority of new viruses are still generated by kids or by "hobbyists." Examples include Slammer, Blaster, Netsky. But many of the largest recent outbreaks are done by what we believe to be more organized groups. Examples include Sobig, Mimail, Mydoom, Bagle.
ECT: What is the toughest worm or virus you have fought so far?
Hypponen: From a technical point of view, it would probably be the SMEG or the Zmist virus, both of which are pretty old by now. From an outbreak point of view, the biggest challenges have been Slammer, Blaster.A, Sobig.F and Mydoom.A.
From an exhaustion point of view, the multitude of new Bagle/Mydoom/Netsky variants that we've seen since February 2004 is bad. So far we've seen over 60 variants, and they still keep coming -- days and nights, through the weekends -- and this is really wearing us out.
ECT: Why were the SMEG and Zmist viruses so hard to fight? What made them especially tough?
Hypponen: They weren't big outbreaks, but they were technically very, very difficult. Both of these viruses modify themselves on the fly to create billions of different-looking versions of themselves. Creating a 100 percent detection rate of something like that can be very hard. On the bright side, complex viruses like these often fail to work in the real world.
ECT: What do you think is the prime difference between the mindset of malware creators and the mindset of malware fighters?
Hypponen: Black and white. Good and bad. Most antivirus researchers would have the skills needed to write viruses, but won't. Most virus writers wouldn't have the skills to write an antivirus program and maintain it.
ECT: In your opinion, can black hats who have turned legit be trusted?
Hypponen: Well, let's just say that we here don't hire criminals. And that's what virus writers are. I do know that some security companies hire ex-hackers and the like but like to keep the difference distinct.
ECT: What do you think underlies this transformation?
Hypponen: Maybe growing up. Or finding a girlfriend.
In part 2 of this interview, Hypponen talks about what it might take to capture those black-hat hackers.