On the track of computer viruses

Sergio Paganoni (31) is Head of Security at SecureSafe. In addition to his skills as a developer, he has extensive experience as a malware analyst. In this interview, he explains how one investigates computer viruses and where one tests them.

Before you joined the SecureSafe team, you worked for the Computer Emergency Response Team “GovCERT”. What were your main responsibilities?

The team is part of the Reporting and Analysis Centre for Information Assurance (MELANI). First and foremost, we investigate malicious software used in cyber-attacks. We perform investigations using static and dynamic analysis methods. To conduct a static analysis, one searches for important information in the software code of the malware itself – for example one looks for information about the server with which the malware exchanges information. When it comes to dynamic analysis, the malicious software is released and watched in a closed system. In this case, the goal is to test how the malware in question behaves.

Does that mean that, as a malware analyst, you “infest” yourself with malware?

You could say that. However, the malware is introduced to a closed system. We use a specific PC, virtual machine or a sandbox system for this purpose. The malware is run and obsrved in this test environment. As is the case with the analyses of the code, the goal is to answer various open questions as to how the software behaves: Which kind of network traffic is generated? Which data is collected/exfiltrated by the malware? What is the malware searching for? How does it spread?

What happens after the analysis?

If you know the characteristics of malicious software, you will be able to identify infected PCs in your own network. We look for computers on which the malware has been installed, create defence measure and protect the data (e.g. by disrupting the communication to the harmful servers). Manufacturers of antivirus programs use malware analysis to create a signature for a specific new malware or malware family. This signature enables the virus scanners to recognise the malware and delete it.

Which challenges complicates the work of a malware analyst?

As a general rule of thumb, a defence is much harder to carry out than an attack because much more software code is needed. One estimates that numerous rows of software code are needed to create a defence for a single row of malicious code. Furthermore, malware is often programmed in clever ways meaning that the software will notice that it is being analysed and react accordingly. As a disguise, it may not show malicious behaviour at all. In such scenarios the analyst needs to circumvent the protection mechanism of the malware to really understand what it is programmed to do.

Who writes these harmful malware programs?

The most common attacks are carried out by well-organized cyber criminals seeking financial gain. Furthermore, you have a number of other players such as industrial spies, governments or political activists, who use malware in order to steal sensitive data.

How did the situation change over the past years?

Cybercriminals are getting more and more organised, which in turn has made the measures needed against malware attacks very costly and complex. On the other side, many security measures work very well. Many attacks are therefore focussed around human beings – as the end-user is often the weakest link in the chain (social engineering). Nowadays, it is therefore of the upmost importance that one understands that security lies in the hands of every individual.