Hunting Down Virus Writers with F-Secure’s Mikko Hypponen

In part 1 of this interview, F-Secure director of antivirus research Mikko Hypponen spoke about getting his start in computer security 13 years ago and the changes he has seen over the years.

In this continuation of his chat with the E-Commerce Times, Hypponen talks about what it might take to nab malware writers — and why a virus-free future might be a dream that never becomes reality.

E-Commerce Times: Have you had any run-ins with virus or worm writers?

Mikko Hypponen: Some, yeah. As an example, back in 1999 when our company was still called Data Fellows, one virus group registered the domain “datafellowes.com” and started sending mail around in my name, using the address [email protected] instead of the real datafellows.com address. For example, they were sending out infected Word files as articles to various editors, as well as sending requests for virus samples to fellow researchers. Pretty nasty stuff. I’m happy there haven’t been many incidents like this.

ECT: What would it take to catch more malware writers?

Hypponen: Global Internet police that would have the expertise and the jurisdiction needed to go after the virus writers, hackers and spammers that are rerouting their attacks through dozens of countries, including far-away places that have little or no legislation or authorities to track down crimes like these.

ECT: Do you think a global Internet police force can be created, or are there too many politics involved?

Hypponen: I really hope we could get something like this running, but obviously it won’t be easy. Let’s start by having countries like the USA and China agreeing on the rules of such an international Net police force. It should be downhill from there.

ECT: How can companies and individuals defend against new worms that do not require any interaction on the part of the user?

Hypponen: Different types of firewalls, both hardware and software, at various levels are really the only solution. Any type of reaction-based solution simply will not work, and this includes traditional antivirus.

ECT: Why don’t reaction-based solutions work to defend against new worms?

Hypponen: They do, against e-mail worms and the like. They don’t work against automatic network worms, which are simply too fast. But firewalls typically handle those.

ECT: If they’re ineffective, why is it such a booming market?

Hypponen: Antivirus scanning is an easy concept to understand, so people like it. And unlike generic protection software or firewalls, it will actually tell you which virus it stopped, which people also find useful. And they do stop a majority of the current threats nicely.

ECT: What is currently the safest computer configuration for a home user?

Hypponen: Probably a Mac. That’s what I would recommend. Coupled with Xbox for games, you can’t really beat it, and no virus problems!

ECT: Why do you think Macs are so protected?

Hypponen: It’s mostly about market share. Virus problems used to be much worse on Macs back in the late 1980s, when [Apple] had a much bigger percentage of the user base. The Mac system has vulnerabilities and security holes just like Windows. Or Linux. But attackers go after the masses.

ECT: Speaking of the masses, how do you think Microsoft is doing in terms of improving the security of its systems?

Hypponen: The biggest sin Microsoft has ever done is simply that they’ve become too popular, making them target number one. I actually believe Microsoft has done a pretty good job after 2001 in trying to improve the security of their products at all levels and being able to respond fast to new vulnerabilities.

ECT: As SCO has shown us, a single company can be the target of anger. Do you think there will be more incidents like this in the future, when companies are “punished” by irate virus writers?

Hypponen: Definitely, and we’ve already seen similar attacks against RIAA and Microsoft. [In April], two Netsky variants will start a DDoS attack against these sites:


ECT: Do you think a “superworm” capable of spreading worldwide and wreaking major havoc is likely to arise?

Hypponen: Oh, yes. In fact, the Witty worm found [in late March] wasn’t that far away from something like that. We got lucky because it only affected a minority of the world’s computers, those running BlackIce firewall. If a worm like that had been exploiting a really common vulnerability, such as ASN.1, it would have happened already.

ECT: Why haven’t virus writers been targeting common vulnerabilities like ASN.1?

Hypponen: Can’t really explain that, except that most virus writers don’t have the skills to write their own exploits for that vulnerability, and public exploit code hasn’t been circulating. Yet. Otherwise this would probably be a really tempting vulnerability for them, as it’s very common.

ECT: How can corporations and individuals be prepared to respond?

Hypponen: Hardware and software-based firewalls are supposed to keep threats like these outside. Combining several layers of firewalls with constant OS patching and up-to-date antivirus is your best bet. Or running different systems than everybody else.

ECT: What kind of systems do you mean?

Hypponen: Like replacing Outlook with Eudora, or running Opera instead of Internet Explorer. You could also replace Microsoft Office with OpenOffice. These are the kind of tactics that bring more variety.

ECT: Is it possible to create a system that would prove to be a silver bullet for computer and network security?

Hypponen: Nope. Because this is not a technical problem. It’s a social problem.

ECT: What are some of the social issues?

Hypponen: To fight the bored kids writing viruses for kicks, we should focus more on education early on in schools. Kids should be told that viruses are not cool and that they are illegal and you will go to jail if you write them.

To fight the more organized activity, the majority of which is coming from places like ex-Soviet Union states, we should bring real opportunities to the skillful programmers living in places where they can’t support themselves by doing legal stuff. Internet crime gangs are a social problem, just like real-world crime gangs are a social problem.

How to fix that? You tell me.
