Q&A: Kaspersky Lab’s Chief Technical Officer
During online security firm Kaspersky Lab’s annual Security Summit, held recently in Moscow, Russia, IT News Africa had the opportunity to sit down with Kaspersky Lab’s Chief Technical Officer Nikolay Grebennikov.
IT News Africa spoke to Grebennikov about why some users make use of free anti-virus, whether or not viruses will ever be stopped, and the growing sophistication of malware and online attacks.
* If some free anti-virus programs are highly ineffective, why do users still download them?
Simple answer, because they are free. In general, people do not like to pay for software. If it is not clear whether the free solution is good or not, people do not conduct a very deep analysis or do research into the products.
Unfortunately the issue is that anti-virus software is actually risk-management software. In normal life, you do not need it – it is not business software or a game.
But when you talk about risk-management, here we have a real risk event cure. And when you have an infection, it will be the moment when you will see the quality of your solution that you chose or the support that the company provides to you or its disinfection capabilities.
The result is that people really like free software, but it is not so easy to see the real quality of the software. I know of people who were really infected, who then changed their mind about free software and decided that they needed real protection.
* Will viruses ever be stopped? Or is it an on-going battle that will never truly cease?
Here we have a global issue with sword and shield. Since the dawn of civilisation, every time someone created a new protection technology, the opposition created a new technique to bypass this protection. It is a big cycle.
I think it is possible to reduce the level of risk and the amount of malware using white-listing technology and using digital certificates, as well as concepts like Apple’s App Store where everything is checked in one place. But, unfortunately, I do not think it is possible to provide 100% protection - because in any concept there will be some weak areas and bad guys will try to find ways to get money.
When you try to steal real money, you will go to jail. But when we think about virtual money, it is a very attractive target. I think people will try to find more and more ways, and, realistically, it is not possible to have 100% protection.
* Is it possible to prevent exploits from happening? Who is at fault when an exploit is discovered?
The reality is that Windows OS, for example, is a very complicated piece of software with millions of lines of code and hundreds of thousands of DLLs, libraries – and the nature of Windows is to be expandable, so that people can write additional plug-ins and all that.
It was not designed with security in mind from the beginning and right now we are seeing the same story with infrastructure devices. If a vendor tries to think about security, they can create more secure software – like the latest version of MS Office.
If you compare Office from 2002 with Office 2010, you find that Office 2010 is more secure with fewer vulnerabilities, because we analyse for vulnerabilities at the development stage. Maybe my daughter will live in a world where all software will be developed with security in mind. But for our generation, we use a huge amount of software that was not developed with security in mind.
For some systems, like banking, then they connect to the filing system, that system is 15 years old and it is a very long process to change the system.
The question of whether anti-virus programs can be proactive, instead of reactive, was answered by Nikita Shvetsov, Vice-President of the Threat Research Unit.
Our new technology, Automatic Exploit Prevention, is designed specifically to provide proactive protection against zero-day exploits. The idea is that we do not have to know the zero-day exploit, but we analyse the behaviour of the vulnerable application and we can then understand that it creates a new process and downloads the process when something goes wrong.
It is interesting that it is possible to implement with a very low rate of false alarms. So this is our next step to create true pro-active protection.
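As an added illustration of the behaviour-based pattern Shvetsov describes (this is not Kaspersky's code; the event format, the watch list of monitored applications and the sample events are all constructed for this example), a small detector that raises an alert when a monitored document application spawns a child process which then initiates a download within a short window:

```python
# Constructed sample event stream (not real telemetry): each tuple is
# (timestamp_seconds, event_type, pid, parent_pid, image_or_url).
SAMPLE_EVENTS = [
    (100, "process_start", 4001, 1, "winword.exe"),
    (105, "process_start", 4002, 4001, "cmd.exe"),
    (106, "network_download", 4002, 4001, "http://198.51.100.7/payload.bin"),
    (200, "process_start", 5001, 1, "explorer.exe"),
    (201, "process_start", 5002, 5001, "notepad.exe"),
    (300, "process_start", 6001, 1, "acrord32.exe"),
    (301, "process_start", 6002, 6001, "acrord32.exe"),  # helper, no download
]

# Applications whose file-parsing surface is commonly targeted by exploits.
# Hypothetical watch list for this example, not a vendor-maintained set.
MONITORED_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}

# Seconds within which a spawned child's download still counts as suspicious.
WINDOW = 30


def detect_exploit_behaviour(events, monitored=MONITORED_APPS, window=WINDOW):
    """Return alerts for: monitored app -> spawns child -> child downloads."""
    image_by_pid = {}   # pid -> image name
    spawned_at = {}     # child pid -> (parent image, spawn time)
    alerts = []
    for ts, kind, pid, ppid, detail in sorted(events):
        if kind == "process_start":
            image_by_pid[pid] = detail
            parent = image_by_pid.get(ppid)
            if parent in monitored:
                # Remember children of monitored apps; a child alone is
                # not an alert, which keeps the false-alarm rate low.
                spawned_at[pid] = (parent, ts)
        elif kind == "network_download" and pid in spawned_at:
            parent, t0 = spawned_at[pid]
            if ts - t0 <= window:
                alerts.append({
                    "parent": parent,
                    "child": image_by_pid.get(pid),
                    "url": detail,
                    "delay": ts - t0,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_exploit_behaviour(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The helper spawned by acrord32.exe is deliberately not flagged because it never downloads anything, which is the distinction that keeps this kind of rule from firing on ordinary application behaviour.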
* On a technical level, how sophisticated has malware become?
Shvetsov: Several months ago we saw a first proof-of-concept malware which infects the BIOS. It is really hard to detect it and even harder to clear it because you have to write your clean-up procedure to the specifications of the infected motherboard.
This is just one example, but because this is only a proof-of-concept, it is not widespread at this point. Another example of the technical level of the new Trojans is the use of multi-scanners by criminals to check if they can bypass all major online security vendors.
When they bypass just one program, they have to be sure that they can bypass the proactive scanner as well so that the malware will not be detected. They just keep on updating their Trojans to a different version and we see how they try to avoid our detection.
Grebennikov: If you look at the question from a systematic point, there are three dimensions that bad guys have changed over the last few years. First, their creations are deeper in terms of penetration of local machines – it is not just applications, but DLLs and maybe some code that executes to the memory, to systems drives and boot keys.
The second point is that they understand that with a local machine, they are faced with a very complicated anti-malware solution like from Kaspersky. They try to change focus on the connection side (like DNS settings, Host file settings) and they try man-in-the-middle attacks and also attempt to change website certificates.
The third dimension is that they hugely use social engineering to bypass protection mechanisms, as the weakest point of a system is a human. They will try to make complex attacks against complex protection software.
Charlie Fripp – Consumer Tech editor