What are the latest trends in the type of threats and vulnerabilities ESET works to prevent? Is there a particular type of malware in fashion right now?
Well, right when you asked, everybody was, and still is, talking about the WannaCryptor (aka WannaCry) ransomware worm. The reason WannaCryptor has received so much attention is that it combines one of the most common current forms of malware – ransomware – with fast-spreading network worm functionality. The worm also depended on an element of luck for its success. It used the so-called EternalBlue exploit from the recent Shadow Brokers leak of what are reputedly NSA hacking tools. EternalBlue exploits a vulnerability in a very old part of the Windows networking code that was present in all versions of Windows from at least Windows XP, and maybe even earlier.
Despite all this though, I don’t think that WannaCryptor is the beginning of a trend. The worm functionality of WannaCryptor has seriously jarred quite a number of people out of what may have been an element of complacency. I strongly suspect that many network firewalls and other security perimeters and controls will have been checked a little more thoroughly than usual over the last few days.
How does ESET stay on top of the constant malware and virus threats that seem to constantly be popping up?
It may be rather anti-climactic, but the answer is that it’s ‘mostly done through automation’. The huge volume of samples of new malware and other “suspect” activity our products see and log is constantly being mined for interesting patterns and new developments. Of course, there are human researchers overseeing all this, as often their experience means they see things better or sooner than the automated systems. Further, human researchers oversee the testing and validation of new detection patterns and other technologies we deploy, either through the cloud or directly to the endpoint security software.
What’s a typical malware analysis look like? How does ESET counter increasingly ambitious hackers?
The new, possibly more challenging and interesting material tends to stick out like the proverbial “sore thumb”. Usually what follows is nothing like typical. Sometimes it takes thinking outside the square, such as how researchers thought to look for what turned out to be early IoT malware and such.
Do you have a favourite piece of malware? Something nasty, but you kinda admire the ingenuity of it?
Not that I’ll identify publicly! Seriously though, you do occasionally come across something whose elegance, or whose key ideas are so simple yet had not been thought of or tried before, gives you pause to admire the ingenuity or skill that resulted in this piece of malice being built. Mostly though, you just groan at the unending ordinariness of it all, or even have to laugh at the abject stupidity and you are left scratching your head wondering how many more errors and bugs would have been needed to render the code entirely useless, as opposed to its current state of near-uselessness.
When ESET detects a vulnerability, what is the typical time frame between when the issue is detected and when a response is released to customers?
In the case that we become aware of vulnerabilities in our own products, we work as quickly as possible to remediate and release updates to fix the issue. As the complexity of vulnerabilities can vary greatly, it is very difficult to put a likely or typical timeframe on preparing and shipping such remediations, but in the few such cases since I have worked for ESET, our responses have been measured in days rather than weeks or longer timeframes. Further, it is often the case that we could ship detection updates to detect and block attempts to exploit such vulnerabilities, thus protecting our customers until we can ship a full repair.
In the case that we become aware of vulnerabilities in the products of others, we work to responsibly disclose the vulnerability to the affected vendor and assist them in remediating the vulnerability if they wish to work with us. Again, it is likely that we could ship detection updates for exploitation attempts to help protect our customers until the affected vendor can ship an update to fix the issue.