A chat with Luis Corrons, technical director at PandaLabs
PandaLabs has just published its Quarterly Report, January-March 2010. This gave me the reason and opportunity to chat with Luis Corrons, PandaLabs’ technical director (but don’t let this stop you reading the full report – it’s well worth it).
We discussed a number of issues. The first was Mariposa, the largest ever known botnet with more than 12 million infected computers at its command. PandaLabs was instrumental (along with the Canadian Defence Intelligence) in the takedown of Mariposa in February, and the subsequent arrest of three gang leaders at the beginning of March.
Mariposa is not the only recent success against botnets: Microsoft has been successful in ‘crippling’ the Waledac botnet. But there is much debate about how successful Microsoft has actually been. This is because Waledac was effectively disconnected rather than destroyed; in theory, or so it is suggested, Waledac could return. So my first question to Luis was simply, will Mariposa stay down? Luis thinks it will.
“We didn’t just get the command and control servers; with Mariposa we got the guys behind it. The problem is that we can take down the botnet but the criminals are still out there and can start a new botnet – that happens most of the times – but in this case the takedown is permanent. The botnet has been dismantled and the organisers caught.”
Luis explained that botherders are generally very good at hiding their whereabouts.
“These guys would use an anonymous VPN service to communicate with the control servers. We never knew where they were. So we could take over their botnet, but we didn’t know who they were. But on this occasion their leader got nervous. We had control of Mariposa. He wanted it back. He got sloppy. He forgot to use the VPN and tried to regain Mariposa using his own home computer. That gave us his IP address – and we’d got him.”
By that one single, simple error did Mariposa fall. Luis is happy about that. But there are two other aspects of this case that are more worrying. The first is that these ‘hackers’ are not true hackers; they seem to have very little genuine technical expertise. What they had was a botkit, a piece of software that can be bought over the internet. There was a time when script kiddies were more of an annoyance, just internet noise, rather than a serious threat. But the quality of today’s scripts, which are now sophisticated ready-made hacking tools, means that just about any script kiddie wannabe hacker can do serious damage. And that really is worrying.
The second concern is worrying in a different way. Luis doesn’t think there will be a jail sentence for the Mariposa botherders.
“Probably they will be released free, without prison. In Spain it is not illegal to have a botnet, even one comprising more than 10m computers. I know the police in this case; they know the guys are guilty and can be proven guilty; but they don’t think that these guys will go to jail. In fact the police had to accuse them of cyberterrorism, which is not really accurate in this case; but that was the only way they could arrest the leader and confiscate his computers for forensic analysis.”
[Memo to Mandelson: WTF are you doing faffing around with trying to get disconnection for private citizens that you cannot possibly prove to be guilty when Spain cannot even lock up proven criminals that have been instrumental in countless identity thefts all round the world? Don’t bother answering that. Just pack your bags and bugger off.]
Next we talked about Aurora. How, I asked him, could anti-malware protect you from sophisticated spear-phishing coupled with zero-day exploits.
“My basic security advice is to have everything patched and don’t trust anyone. But in this case that wouldn’t have worked. The combination of a zero-day exploit and such a targeted attack – someone you know talking about something you’re both interested in with a link to more interesting information – that’s really, really difficult to resist. The weak link in this is always the user, and in general the user is easy to fool – and that’s why so many people get infected. Even if you know about security, and you know you have to be careful on the internet, no-one is safe when something is really targeted at you. I’m not really optimistic – there is no way to be 100% safe – you can be pretty safe, but you cannot guarantee security. OK, you’ve got your anti-virus and it’s up to date, but they will know which anti-virus you’re using and they will test their trojan against your anti-virus to see if it is detected before they attack you with it. They will have studied your movements and know your weakpoints.”
Paradoxically, in such a situation, your security defences merely confirm your security weaknesses. But it was a nice link to my next subject. I wanted to know Luis’ opinion on my claim that the majority of security product testing is a waste of time. You may recall that I said: “If the product in question is in any way anti-malware, the vendor can simply claim that the product kills 99% of all known germs. The validation process will inevitably prove it to be true and the company has a marketing bonus that is actually meaningless. Why? Because the product will inevitably be tested against the Wild List.” I wanted a view from the coalface and expected protestations – but I got a surprise:
“That’s an interesting topic. Using the Wild List as a test to say this particular anti-virus is good is impossible – and most of the tests used could be considered useless anyway. Most take a bunch of virus samples, scan them with the anti-virus product and look at the results. Is that accurate? Well, yes if you’re measuring signature recognitions – but most of the AV companies rely on a whole bunch of other detection measures that aren’t tested. heuristics, behavioural blockers, action in the cloud and others. If a test is a real-life test simulating real-life conditions, it would be good if you could see when and how the threat was stopped. But there are very few people who can do this sort of testing; and it would be really expensive. There are a few AV researchers in universities and elsewhere that are working on this kind of test – but most of the tests we come across are useless because they do not reflect the real situation. But users read them.”
So what can we take away from this interview? We have the technical director of one of the world’s leading anti-malware companies declining to claim that his products would keep you secure from Aurora-like APTs, admitting that you cannot be secure on the internet, and agreeing that most of the product tests we come across are worthless. Frankly, I feel a whole lot safer with this sort of open honesty from a man at the top of the security industry than with the more common ‘we’ll make you 100% safe’ marketing hype we usually come across. PandaLabs just went up in my estimation.