Ask An Expert: The Brainstorming

It’s always good to have a real expert answering your questions. We’ve found the best of the best – members of Kaspersky’s Global Research and Analysis Team (GReAT), the research

It’s always good to have a real expert answering your questions. We’ve found the best of the best – members of Kaspersky’s Global Research and Analysis Team (GReAT), the research arm of the company dedicated to exposing, analyzing and combating threats before they get to you.

brainstorm_title_EN

Did you know that Kaspersky Lab receives over 200,000 unique malware samples every day? We sent your malware, product and security-related questions to them to answer.

Please tell me about the analysts’ work environment: what OS, web browser, and other tools do you use?

Michael Molsner:

We are not bound to a specific setup but rather build our work environment as needed. My oldest machine still runs Windows 2000, other boxes are on WinXP, Win7, CentOS, Ubuntu and FreeBSD.

 

How do you find malware?

Roel Schouwenberg:

With up to 200,000 new malware samples per day it’s all about automation. We have different types of crawlers, which browse the Internet looking for new malware. These systems visit websites to see if they’re infected and capture the exploits and malware. We also have various types of honey pots, such as for email and network traffic. When processing malware that’s been discovered we often find URLs leading to more malware, which then automatically get processed. The anti-malware industry also shares the malware it finds, so we get samples from other vendors as well. Last but not least are manual submissions from ‘anti-malware enthusiasts’, professionals and customers.

 

Do malware creators concentrate on PC or mobile platforms?

Sergey Novikov:

Malware creators target anyone in possession of money or valuable information. They prefer targets that are easier to hack. For mobile devices, users are quite careless. They don’t pay attention to protection data on their smartphones and tablets. That’s why it’s convenient to exploit their lack of awareness. Platform-wise, 99% of mobile-related attacks are Android-specific. In the computer world, Windows malware still dominates because of the huge user base. To earn money, malware owners try to steal financial information or email and social network logins. All this data could be resold to other criminals for various malicious purposes. Hackers also use infected devices to send spam, perform DDoS attacks and other criminal activities. All these scenarios are now multiplatform: we have seen Android and MacOS based botnets already.

 

What is the most common smartphone vulnerability?

Christian Funk:

It is common practice that cyber criminals use legitimate apps as vehicles to disseminate malware. They add malicious code to legitimate apps and re-offer them for download – taking advantage of the name of the official app.

 

What country is best prepared for a “cyber war”? Do you think the political parties and institutions of Europe are aware of these dangers and allocate sufficient resources?

Vicente Diaz:

No country publishes information on sensitive issues. However, it is clear that the country that takes more time getting ready in that aspect is America. China has a large number of resources working on it, and then come technology-leading countries such as France, UK, Germany, Russia or Israel.

 

What kind of malware exists for Mac OS X and where I can download it?

Sergey Novikov:

Macs are no different from a Windows PC – there are keyloggers, botnets and other malicious threats. The amount of malware samples is still relatively low, but it’s growing. It’s untrue that a Mac user has to run a program by himself to get infected – the Flashback/Flashfake botnet last year grew to be so huge (about 1 million Macs) because of automatic deployment via Java vulnerability. Of course, I won’t tell you where to download malware, because it’s illegal.

In term of numbers, the main Mac-related threat is phishing: fake emails and web sites. Most Mac users have something in common – they use an Apple ID to download software and media. Therefore, phishing campaigns about “Apple ID recovery” turn out to be very effective. Some users even give out their credit card details to “prove Apple ID ownership” or “update billing details.”

 

 

What should users do to optimize their protection from Trojans hidden in PDF files and other attachments?

Stefano Ortolani:

Your question is definitely very interesting: there are indeed several attacks that have used and will use PDF and Office docs as the main propagation means; unfortunately, both PDF and Office files, in order to offer more and more advanced features, require more complex players that are more prone to contain bugs, which can be exploited by dangerous codes. Besides having a good anti-virus product installed on your device, my suggestion is the following: use simple, non-sophisticated PDF readers (like the free Sumatra PDF): they are not only lighter, but also less exposed to vulnerabilities. Of course, such a solution only helps to soften the problem and does not remove or permanently fix it.

As a first line of defense, you should always be suspicious and never open files and docs of which you don’t know or recognize the source.

As a first line of defense, you should always be suspicious and never open files and docs of which you don’t know or recognize the source.

Roel Schouwenberg

The most effective method is to simply uninstall any PDF reader. Using the latest version of Adobe Reader and Microsoft Office is paramount. They come with sandboxes, which are extremely hard to break. Running the latest version of Windows, which comes with more and improved exploitation mitigations helps as well. Some people recommend using less popular programs as a way to avoid exploits for more popular office readers. This approach can work for ‘mass malware’ type of attacks. However, it won’t be effective when it comes to targeted attacks.

 

 

I haven’t encounter a phishing site, but it may be because I was not aware of it. So, I would like to know:

– Without anti-virus software installed, how can I notice a web site is a phishing site before or after using the site? What about with anti-virus software installed? Will it notify me with any message?

Michael Molsner:

Browsing the Internet nowadays without security software installed bears much risk. And I say this not because I want to sell you something, but rather because we discover plenty of compromised legitimate websites on a daily basis. Malicious code is often inserted in between the legitimate content, which then attacks vulnerable computers. Without proper protection, visitors of such sites will probably get infected – without clicking on anything at all.

With Security Software installed, you most certainly won’t even see a phishing email because today’s consumer products not only contain Anti-Virus but also defend against other dangers and unwanted content. About 99.5% of phishing emails will automatically end up in the trashcan.

If one clicks on a phishing link, our product pops up a warning window pointing out the dangers of going further.

 

Where do you find phishing links the most? Can we trust the links on the web sites of famous companies/blog sites? Is the advertisement link on other blogs dangerous?

Michael Molsner:

Most phishing links arrive in emails but there are also other ways like direct messages or forum comments.

I hesitate to use the word “trust” with online matters. Even websites of famous companies or blogs are at risk of being invaded, which could result in malicious content being served by them. This happened in the past and will happen in the future.

 

I´m worried about the idea of a virus being created by an antivirus companies. For example, in Android the first virus appeared when the first antivirus came onto the market.

Vicente Diaz:
I would like to set a hypothetical scenario. We analyze around 200,000 samples every day. If Kaspersky created a new virus, this would not make users run to purchase our products. Instead, if the public found out (and everyone would find out) about Kaspersky attempting to do this, the company would have to close the next day.

So as you can see, It makes no sense. We live in a world where there are already quite a few threats and people who earn a lot of money at the expense of others to play that game.

 

Why do I need a smartphone protection? I haven’t encountered any virus on my smartphone for two years. I think I only need a web link checker for mobile.

Sergey Novikov:

 

If you haven’t encountered any viruses, it doesn’t mean they are nonexistent. Maybe you’re just lucky or very cautious. It’s also possible that you simply haven’t noticed a malware infection, because criminals put a lot of effort into making malware stealth. Some backdoor designs sit on a victim’s device without taking any action for a long time – until criminals need it.

There is another important aspect to consider as well; unprotected devices might spread infections to other computers on the same network. So your smartphone could participate in some kind of attack or distribute malware, completely unnoticed by you. That’s why I personally think that people declining to use protection software are irresponsible since they could unwillingly participate in cybercrime without ever noticing.

 

What makes Kaspersky better than Norton or McAfee?

David Emm:

This is always a difficult question for anyone who works for a security vendor to answer, since there will inevitably be a bias involved. Kaspersky Lab is clearly in the vanguard of anti-malware developments. You can see this from the wealth of research data that we publish on www.securelist.com. You can also see it in the broad range of technologies, built by the company from the ground up rather than bought in, designed to keep our customers secure. These technologies are very well explained in various blogs written by Eugene Kaspersky, our CEO.  But it’s also evident from our consistent track record, over time, in a range of different independent tests ,including www.av-test.org, www.av-comparatives.org, and www.anti-malware-test.com.

 

About the adware issue, are you going to take any action or change the policy? I think they should go back to being detected or at least create a detection “adware” or “potentially unwanted program.” The current policy considers a lot of them as legal, causing a real problem for users’ computers, because usually other “goodies” are installed with the adware.

Vicente Diaz:

Software as adware are not always malicious in itself. In fact it is sometimes difficult to determine what is and what is not a malicious action. Nevertheless, it is clear that they are elusive and are often misleading users. You have to block something that is malicious, not just annoying. If the laws, for example, allow this type of behavior, then you need a union of the antivirus industry and users to decide to block this type of software. We seek to improve our products so that our users are as safe as possible. If we find that any threat or adware tries malicious actions, we will block it.

 

What would be Kaspersky Lab’s suggestions for ensuring secure online transactions/ storage?

Christian Funk:

Online transactions, as with all sensitive information, should only be done from trusted computers, not at Internet cafes or terminal PCs. You can never be sure what software is running in the background, if security software is installed and up-to-date or if it’s already infected with malware. Furthermore, if a transaction has to be made, the banking website must be accessed via bookmarks or the address has to be typed into the address bar of the browser manually, not via links from the web or from e-mails, allegedly coming from your bank. This helps avoiding falling prey to phishing scams.

In addition, the user has to ensure that all security updates for the operating system as well as all third party applications are installed on the system before accessing the banking website. One of the biggest attack vectors for malware to infect machines is via software vulnerabilities, which get exploited. These vulnerabilities are an easy target for malware.

As banks are offering various methods to secure online banking, people should ask their banks what they suggest to be up-to-date.

These suggestions, in addition to having an up-to-date anti-virus software installed on the machine, offer a very high level of security, and help keep the money where it belongs: in your bank account.

 

Why did you drop sandboxing?

David Emm:

We haven’t dropped sandboxing, but we did change the name of our sandboxing technology a while ago from “Safe Run” to “Safe Money.” We did this to more accurately reflect the main reason our customers use the technology; to secure online transactions. In addition, we made it easier to use. Instead of having to manually “opt in” to use the technology each time, we now automatically detect most finance-related transactions and implement it automatically when you need it (though you can, of course, add additional websites, if you need to).  By the way, we also use sandboxing within our scan engine to determine if code is malicious or not.

 

Any chance of adding some plug ins, apps and extensions to products like KIS to help users streamline keeping our browsing safe and our web communications encrypted!?

David Emm:

We do have a range of extensions for Internet Explorer, Chrome and Firefox:

•                Anti-Banner scans the addresses from which banners may be downloaded.

•                Content Blocker blocks content from dangerous URLs.

•                URL Advisor checks the security of URLs and provides a visual ‘traffic light’ type display to show their status.

•                Safe Money secures online transactions.

•                Virtual Keyboard prevents passwords being read by a keylogger.

 

If a piece of malware can be identified by anti-virus or through the signature, then why does a creator need to use the “signature?” All software has a signature, and how does the antivirus actually classify the signature as threatening or not? What is actually manipulated by a malware?

Roel Schouwenberg

A signature is something that will uniquely describe a piece of malware, malware family, or type of malicious action. Signatures come in many shapes. Perhaps the detection is made on the code, which is responsible for using a specific algorithm. The signature can also be created to detect certain behavior on the system. Most of today’s signatures are smart. We can detect tens of thousands of different malicious files using just one smart signature.

We, either the automation system or a human analyst, simply choose how to detect a given file. If a particular piece of malware does particular things to complicate analysis, then creating a signature based on that code or behavior may be a very good way of detecting such malicious files. That means the malware author will have to move on to a new trick to try and evade detection. It’s an endless cat and mouse game.

We use both a smart denylist and an allowlist. By having a huge and ever expanding database, we can speed up scanning, prevent false positives and be more suspicious of files we don’t know.

 

How can I better protect myself from DDoS attacks?

Roel Schouwenberg:

The DDoS problem is difficult. There’s no easy fix. DDoS attacks differ greatly in type and magnitude. If an attacker is trying to flood your service with network traffic, then most often you’ll have to work with or move to a service provider, which has experience with DDoS mitigation. For these types of scenarios, IDS/IPS should be able to do a lot of the heavy lifting.

 

Is having open ports a vulnerability?

Roel Schouwenberg

Programs are responsible for opening ports. This means the core question is if you can trust the program that opened the port. If the port is opened by malware then that constitutes a vulnerability. Such open ports will generally be used as a backdoor into the system. When a legitimate program opens up a port, it becomes a question of what type of program it is and if it (potentially) needs a port that’s open to the Internet. Most often the answer to that question is no, which is why it’s important to run a firewall, included in most security products today.

 

Does your Android antivirus protect from Obad malware?

Sergey Novikov:

Of course! Kaspersky Internet Security for Android protects from Obad, it’s not a rare malware.

 

Do you plan to develop a safe browser as a part of Kaspersky Internet Security?

Sergey Novikov:

No, we don’t have such plans. We excel in security and don’t really want to build every other kind of software. Instead of this, we can strengthen popular browsers with a powerful security layer, that’s actually implemented in our Safe Money technology.

 

Are you developing an antivirus for the web, which will reside on a web server and protect my site from various attacks?

Sergey Novikov:

I am unaware of such plans at Kaspersky Lab. However, I do agree, that it’s a major problem because most developers, especially for low-budget projects, don’t pay attention to security.  I can recommend a few simple steps to improve the security of websites. Use very long and complicated passwords to access your FTP, admin console and other server settings. Update server software (including scripts, i.e. CMS) regularly. It’s very simple, but some smaller sites are unattended and not updated for years. Of course it’s a good place for criminals to hack a site and use for malware seeding. We solve this problem on the client side, preventing users from visiting such infected sites.

 

What is the best way to deal with RansomWare?

Christian Funk:

If your machine is infected, get yourself an effective and up-to-date AV solution and update your operating system as well as your browser and third party applications. If the ransomware blocks your user account and accessing your system isn’t possible anymore, you can download our free Rescue CD, which offers scanning and cleaning for the hard drive from the outside via a small Linux system bootable from the CD drive. It also has a rescue tool, which is able to restore the system.

Sergey Novikov:

We have a brand new generic anti-blocker technology in the upcoming version of Kaspersky Internet Security. You have to press a specific hotkey combination to get rid of the current foreground process (a ransomware app).

 

Is Windows 8 safe? Do you expect any security improvements in the upcoming Windows 8.1?

Sergey Novikov:

Windows 8 is very well designed security-wise. We have extensively tested it and can state that it’s much improved in comparison to Windows 7.  Unfortunately, it’s quite impossible to design a complicated product completely flawlessly, so hackers have already found some ways to compromise Windows 8, that’s why it still requires protection software. I can’t really comment about version 8.1, because it’s still in beta.

 

I was scared to see Russian hackers on TV, hacking into a PC in 30 mins. Kaspersky products are installed on my PC, so is it ok to think I am safe? If I still need to be careful, what should I care about?

Michael Molsner:

It is never ok to think that one is safe and there is no 100% security. Of course, with a Kaspersky Lab product installed, online activity is much safer than if unprotected.

 

Tips