Plug a Windows computer into your network and you will need some sort of anti-virus program to keep your computer functioning properly and your data safe. To most of us the anti-virus program is that little icon that sits in the system tray, chugging along to help keep the computer and your data safe; it updates and generates alerts occasionally, but we don't give it too much thought. However, behind that icon is an interesting story: an ongoing battle between malware authors and anti-virus companies. Recently I got the chance to visit McAfee's Research Labs in Aylesbury, England. I don't normally cover Windows topics, but this was too interesting to miss.
McAfee produce a range of security solutions, from home-user anti-virus packages right up to network anti-virus devices. The site in Aylesbury is one of three threat research centres for McAfee, with operations also in Colorado in the US and Bangalore, India, allowing the company to run a 24/7 operation. Guy Roberts, who is the Director of McAfee Labs (EMEA region), commented that the Aylesbury site is vital to the company's operations and that its engineering teams come up with the most innovations and get the most patents in the group. Here 40,000 pieces of suspected malware are analysed, some of which will be identified as malware, some as harmless and some will be classed as a Potentially Unwanted Program (PUP), a strange grey area where a user might actually want software that others might class as malware, e.g. some casino software.
Guy told us that there has been an explosive growth in malware production, with most of it now being produced by professional criminals rather than lone hackers, sometimes through huge companies producing such things as “scareware”: programs that get money out of users by doing such things as falsely claiming that a virus has infected their computer and that they should download their product (which might not be a real anti-virus program) to remove it. Some malware can take control of a user's computer, store unwanted files on it or even use the computer for illegal purposes. This is often done without the user even knowing, so as well as providing software to combat this problem, McAfee can also supply expert witnesses for court cases. As a result of this explosion the company has gone from monthly updates, to weekly, then daily, and now has a solution called Artemis which aims to deal with virus threats in real time with a service hosted in the cloud. They produce a free daily podcast called the Two Minute Warning, where they aim to keep users up to date with the latest threats; it is available at: http://podcasts.mcafee.com/.
With the background explained it was time to see malware in action for ourselves. Alex Hincliffe gave us a presentation and explained that getting hold of people who can research ways to combat malware can be difficult; you cannot just go to a university and recruit graduates who know about this area. Instead the people that can help them often start combating malware as a hobby. For some reason some of these researchers do not want to move to Aylesbury, so they are located all over Europe. They are supported by a large worldwide team of analysts. As you might imagine, combating malware is a bit of an arms race: the techniques used to create malware and mask its presence change all the time, so they use a range of automated and manual techniques. Virtualisation can be a big help in the fight, as machine instances can be pretty much “sacrificed” to explore what the malware does; it is also a useful technology for testing remedies, as the effect of various updates and patches can be tested with the roll-back and roll-forward features that this technology offers. These machines are often referred to as “sacrificial GOATs” (Good Old Antivirus Test). However, some malware is aware of virtual machines, so these images may have to be tweaked.
We were shown a demonstration of how a botnet works, with an early example that allows a remote villain to gain access to an unsuspecting user's computer. This program hid itself and was similarly named to a system process. It would have been very hard to spot that it was infecting a system by just looking at Task Manager. Alex ran this bit of malware on a virtual machine that was on a segregated network. He was able to trick the virus into thinking it was connecting to its home machine, but instead it was communicating over IRC with a chat window that Alex had set up. He then showed us how he could log into the compromised computer and not just get access to files, but also make changes; for example, he could manipulate the hosts file so that when a user typed in an address they would instead be sent to a fake address. As the hosts file has been compromised, the user would be none the wiser, as the address entered in the browser is correct. One mitigating factor here is that when browsers make secure connections, certificates are only valid for a specific address, so if you get a warning that the name on the SSL certificate does not match the IP address it could be time to scan your system to check it has not been hacked into (this is not always the case, but if it is unexpected it could be a wise course of action).
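The hosts-file tampering described above leaves a trace that a defender can look for directly: an entry that maps a name you care about to an address outside the machine. The following script is an added example written for this post, not McAfee's code or the tool shown in the demonstration. It parses a hosts file in the `address name [name ...]` layout used by both Windows (`C:\Windows\System32\drivers\etc\hosts`) and Unix, and reports any watched name that has been redirected to a routable address or pinned to loopback (which is how an infection might block an anti-virus update server). The file contents, the `203.0.113.45` address and the `example-bank.com` / `example-av.com` names are constructed for the example.

```python
import ipaddress

# Constructed hosts file content (the tampered lines are made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
# --- constructed entries resembling a tampered file ---
203.0.113.45    www.example-bank.com example-bank.com   # redirect to attacker-chosen host
0.0.0.0         ads.example.net                         # ordinary ad blocking, not suspicious
127.0.0.1       update.example-av.com                   # pins the AV update server to loopback
"""

# Names a defender wants to guard (constructed list; a real deployment would use
# the organisation's own sensitive domains and its AV/update infrastructure).
WATCHED_HOSTS = {"www.example-bank.com", "example-bank.com", "update.example-av.com"}


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for every valid, non-comment hosts entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names is not a usable entry
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; not something the resolver will honour
        yield addr, parts[1:]


def audit_hosts(text, watched=WATCHED_HOSTS):
    """Return (kind, hostname, address) findings for entries worth a closer look.

    kind is one of:
      'redirect' - a watched name points to a routable address (the attack in the post)
      'blocked'  - a watched name points to loopback/unspecified (e.g. update server disabled)
      'override' - any other non-local mapping; often legitimate, but listed for review
    """
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname == "localhost":
                continue  # the standard loopback entries are expected
            if addr.is_loopback or addr.is_unspecified:
                if lname in watched:
                    findings.append(("blocked", lname, str(addr)))
            else:
                kind = "redirect" if lname in watched else "override"
                findings.append((kind, lname, str(addr)))
    return findings


if __name__ == "__main__":
    for kind, host, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:9s} {host:28s} -> {addr}")
```

The `0.0.0.0 ads.example.net` line is deliberately left out of the findings: sinkholing names to the unspecified or loopback address is a common, legitimate use of the hosts file, so the check only raises it for names on the watch list. On a real machine you would feed the script the actual file and compare its output against a known-good baseline taken when the system was built.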
Botnets are much more sophisticated now, and instead of trying to communicate with a central server some of them will use peer-to-peer networks for command and control. Whole or parts of botnets can be hired out for attacks too. Creating malware is not as difficult as you might think, though. Alex showed us a bit of software that claimed it existed for “academic and research purposes” that would create malware for you. All you had to do was tell it what you wanted the malware to do, what to call itself and what to do if there is a risk of it being discovered. You can even get it to interact with the user with custom messages. A user who might be using a badly maintained Windows machine might just assume it is another error to ignore. This is an example of how social engineering is often used to spread malware. It was quite something to see this malware in action.
Once ways to combat new bits of malware have been developed they get put into the updates for McAfee products that get sent out to customers every day. Mostyn Beechy showed us what happens to get these updates out. He has managed 20,000 updates across over one hundred different McAfee products this year alone. Once he publishes an update it can be picked up by 180,000,000 machines worldwide. Despite the regularity of the updates, everything still has to be thoroughly tested, and they aim for nothing more than a 0.1% performance degradation of an updated machine as a result of the update. They also do regression testing and 'negative testing' (checking that legitimate programs do not get detected as viruses). To do this they have built a large testing facility and aim to run every current version of Windows in every language eventually. I asked how Windows 7 was going for them and he said that it had not caused them any problems. A bigger problem was how long to support older versions of Windows for. Updating desktops and even servers to new versions of Windows can be done with varying levels of difficulty, but updating systems such as cash machines and robotic production lines is much more difficult and costly for companies, so they sometimes ask McAfee to support older versions of Windows for a little longer.
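The regression and negative testing described above boils down to two gates on every signature release: the new set must still catch everything the previous set caught (regression) and must not fire on a corpus of known-clean files (negative testing). The toy harness below is an added example written for this post, not McAfee's test system; it stands in for a real engine with byte-pattern signatures and two-file corpora, all constructed here, so that the shape of the gate is visible. The `Sample.C` signature is deliberately too broad (every Windows executable begins with `MZ`) to show the negative test rejecting a release; `FIXED_SIGNATURES` narrows it.

```python
import re

# Constructed signature sets: name -> byte regex.  Real engines use far richer
# logic than a byte pattern; the pattern is only a stand-in for "a detection".
OLD_SIGNATURES = {
    "Sample.A": rb"EVIL_MARKER_A",
}
NEW_SIGNATURES = {
    **OLD_SIGNATURES,
    "Sample.B": rb"MARKER_B\x00",
    "Sample.C": rb"MZ",  # too broad: matches every PE file, not just the sample
}
FIXED_SIGNATURES = {
    **NEW_SIGNATURES,
    "Sample.C": rb"MZ.{0,16}BAD_PAYLOAD_C",  # anchored on the sample's own content
}

# Constructed corpora.  In practice these are large archives of real samples
# and of known-good software (the "negative" corpus).
KNOWN_BAD = {
    "sample_a.bin": b"...EVIL_MARKER_A...",
    "sample_b.bin": b"\x00MARKER_B\x00\x01",
    "sample_c.exe": b"MZ\x90\x00\x03BAD_PAYLOAD_C",
}
KNOWN_CLEAN = {
    "notepad_like.exe": b"MZ\x90\x00 stands in for a legitimate executable",
    "readme.txt": b"plain text, nothing to see here",
}


def scan(data, signatures):
    """Return the sorted names of every signature that matches the data."""
    return sorted(name for name, pat in signatures.items()
                  if re.search(pat, data, re.DOTALL))


def evaluate_update(signatures, known_bad=KNOWN_BAD, known_clean=KNOWN_CLEAN):
    """Run the regression gate (nothing known-bad is missed) and the negative
    gate (nothing known-clean is detected) and report whether the set may ship."""
    missed = [name for name, data in known_bad.items() if not scan(data, signatures)]
    false_positives = {name: hits for name, data in known_clean.items()
                       if (hits := scan(data, signatures))}
    return {
        "missed": missed,
        "false_positives": false_positives,
        "release_ok": not missed and not false_positives,
    }


if __name__ == "__main__":
    for label, sigs in [("old", OLD_SIGNATURES), ("new", NEW_SIGNATURES), ("fixed", FIXED_SIGNATURES)]:
        print(label, evaluate_update(sigs))
```

Run as a script it shows the old set failing regression on `sample_b.bin` and `sample_c.exe`, the new set failing the negative gate on `notepad_like.exe`, and the fixed set passing both. The performance budget the post mentions (at most 0.1% degradation) needs a separate timing harness on representative workloads and is not modelled here.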
In the final presentation we were shown some of the details of McAfee's new cloud-based solution called Artemis. Some of the details of this are unfortunately covered by a non-disclosure agreement, which seemed a bit of an odd thing to get bloggers to sign. It sounded impressive anyway.
It was a really interesting event and I'd like to thank McAfee Labs for hosting us and 1000 Heads for organising it. I was struck by how enthusiastic the people we met at McAfee were about their jobs and fighting malware. As for Windows, I will be sticking with Ubuntu, but hopefully Windows 7 will prove to be more secure than previous versions and users everywhere will gradually become more aware of what they can do to keep their computers and data safe.