There’s often much confusion regarding the best practices for keeping yourself safe online from viruses, malware and all the other potential threats out there in cyberspace. Computer users often give little thought to what happens when they enter personal data into a web browser, and we’ve all got that friend or relative with so many toolbars that have mysteriously appeared in Internet Explorer that they’re browsing the internet in a window about half the size it should be. There are lots of businesses who are worried too, particularly with Microsoft having recently pulled the plug on poor Windows XP users – still a rather large market share.
We’ve conducted an interview with Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender Antivirus, one of the leading online security software companies, which will help provide insights into how to protect yourself online and how viruses and other malicious applications work – and even give you the lowdown on User Account Control (UAC) for Windows. While some of the questions are basic, to appeal to and help newer users, there are some great little nuggets of insight for the more technically advanced user too. Oh, and at the bottom of this very interview Bitdefender are giving away 5 keys to their Bitdefender Total Security 2014 package, which has won the “Best Antivirus of 2014” award for the highest protection against infections and negligible impact on your system’s performance!
Could you explain what are the differences between a Virus, Spyware, Trojan and a Worm?
Bitdefender: Traditionally, malware was split into four main categories, depending on how they behave on the computer. For instance, a virus – also known as a file infector – would have malicious code that specializes in infecting other files on the machine. It is the only category of malware that interferes with other files. Spyware specializes in harvesting specific user information. It is extremely hard to remove and often used to hijack advertising or affiliate sales. Trojans are the most generic families of malware – they impersonate a legitimate program (i.e. a codec). A worm can propagate itself from one computer to another. Worms often use vulnerabilities in the operating system to “jump” from one machine to another or, more often, from one USB drive to a computer.
Modern malware, however, is not that easy to classify. For instance, modern Trojans also have a viral or worm-like behaviour and almost all of them collect information that is particular to spyware.
How have Bitdefender evolved their software over the years?
Bitdefender: The antivirus industry is a cat-and-mouse game. Cyber-criminals often build their malware in a way to make detection impossible or extremely difficult, which forces antivirus companies to add extra layers of technology to counteract the new pieces of malware. Our antimalware products have evolved specifically for better detection, faster response and minimal impact on the resources. The latest technologies that have become available in the Bitdefender line-up are AVC – a subsystem that monitors applications and assigns them hazard points, the cloud – a critical component that allows us to immediately make available malware signatures or malicious patterns to customers, as well as Photon – a technology that makes sure that the antivirus only scans applications that need scanning, so the entire system runs lighter and faster.
On average, do you feel the average consumer is more aware of the various threats on the internet now, such as phishing emails and viruses, or is this offset due to the increased skill of scammers and virus creators?
Bitdefender: There are two distinct categories of users: those who have finally learned that there is no Nigerian prince willing to cut them a share of their fortune, and those who are new to the Internet and, subsequently, lack the experience of a scam. Antivirus companies have made all efforts to inform people about current threats and provide mitigation (i.e. not to click on links in e-mails) but, at the same time, cyber-criminals have also started to make their creations more sophisticated to require little to no user interaction. Modern threats are now delivered via zero-day exploits: the user only has to visit a hacked server and their computer gets infected in no time. Educating the user is only part of the solution. Of course, an educated user would at least know what to expect while online but, as the number of threats is currently so big, education alone is not enough. Users can’t stop all cyber-threats even if they pay attention to what they’re doing. There is always that one website that gets compromised and, in its turn, infects the user. Here is where automated defences like an antivirus solution or web filter come in handy.
Has the introduction of UAC (User Account Control), along with the other security measures in Windows, helped stop malicious applications from embedding themselves in your OS?
Bitdefender: Initially, yes. There was this huge gap between Windows XP and Vista when some malware stopped working altogether. Vista brought significant innovation security-wise, such as restrictions on which locations and registry keys can be written to, address space layout randomization, the introduction of UAC and so on. Vista was also the first 64-bit Windows distribution aimed at mass-adoption. All these crippled the existing malware (and some commercial applications) to some extent, as threats found themselves unable to properly copy themselves into the system directory or set themselves to automatically start on boot. However, the cyber-criminals behind them have rapidly “updated” them for the new operating system. New malware runs on modern operating systems just as it used to run on XP.
How difficult is the detection of new viruses and Trojans, particularly when they are newly released and your team is learning how it works and operates?
Bitdefender: The number of malicious pieces we see every day is huge, but most of these individual samples are re-packaged, morphed versions of known, common malware that poses no problems for identification and remediation. Once in a while, however, we see pieces that are written differently; they are usually the brainchild of a very determined actor, be it an organization, a state or a private contractor. These incidents are rare and don’t target the mainstream consumer, which is exactly why they stay undiscovered for so long.
Let me try to explain this better: an antivirus is a combination of layered technologies that assess the security status of code via different approaches. Most antiviruses have an unpacker to separate the viral code from the shell that attempts to fool the signature check, a heuristic engine and, last and most important, behavior-based malware detection. Whenever suspicious behavior is detected, the file is isolated and a fingerprint of that file is sent to the labs. However, by only targeting an organization, the number of recorded incidents is minimal, so the chances of that file being reported and manually dissected by a human analyst decrease considerably.
As to the original question, we don’t manually look into each and every sample to understand the workings of the virus, because we see hundreds of thousands of viruses a day and we only have a limited number of analysts. Having them spend a couple of hours for each virus would be a waste. Most viruses are extremely common and can be easily processed by an automated system. These automated systems churn samples and output signatures, heuristics, some other sets of rules and, of course, disinfection. The malware analyst in the labs can then focus on looking into really special pieces of malware for forensics, documentation or education.
Many computer users – particularly those with either Linux or Mac – operate without an AV solution. They believe that since they’re careful while downloading files and use an OS that isn’t traditionally attacked by the creators of malicious applications, they are safe. However, with the growing popularity of these OS platforms, are we seeing a growing danger of a virus spreading rapidly?
Bitdefender: There is a common misconception among non-Windows users that their operating systems are immune to viruses. This partial immunity is caused by the fact that most cyber-criminals often go for the biggest pool of victims, and, since Windows is the dominant operating system for desktops, this is also cyber crooks’ favourite. There have been massive incidents however, affecting all popular platforms. Last year, the Flashback virus infected more than 450,000 Mac machines in just a day and should have served as a tough lesson for OS X users. Linux also has its share of vulnerabilities that could allow someone to escalate their privileges on that respective computer and compromise it, but its desktop market share is under 2 percent so it is irrelevant to crooks. As a general rule, the more users an operating system has, the more potential for cybercrime.
While DDOS attacks have frequently made their way into the news, many do not understand what they are. Would you be able to provide a basic overview of how a DDOS attack works?
Bitdefender: DDoS stands for distributed denial-of-service – a type of attack in which many computers try to simultaneously connect to a specific server or infrastructure. Since that infrastructure may have not been designed to withstand that much traffic, it crashes under the load and is rendered inaccessible for everyone. Multiple types of DDoS attacks make use of various tricks to top the server’s connection handling capability, but the end result is always the same: the server becomes unusable, which results in operational loss.
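The answer above describes the effect of a distributed flood but not how a defender would notice one in logs. The following is an added example, not code from the interview or from Bitdefender: it runs two sliding-window counters over a constructed connection log (format assumed: `HH:MM:SS.mmm src=<ip> SYN`). The per-source counter catches a single noisy client, while the source-agnostic counter is what catches the distributed case, where every bot individually stays under the per-source limit.

```python
"""Added example (not Bitdefender's code): spotting a connection flood in a
constructed connection log. Log format is assumed: "HH:MM:SS.mmm src=<ip> SYN"."""
from collections import defaultdict, deque


def parse_line(line):
    """Return (seconds since midnight, source address) for one constructed log line."""
    timestamp, src, _flag = line.split()
    hours, minutes, seconds = timestamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds), src.split("=", 1)[1]


def find_flooding_sources(lines, window=1.0, per_source_limit=20):
    """Per-source sliding window: flag any address opening more than per_source_limit
    connections within `window` seconds. Returns {ip: time first flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        t, src = parse_line(line)
        queue = recent[src]
        queue.append(t)
        while t - queue[0] > window:
            queue.popleft()
        if len(queue) > per_source_limit and src not in flagged:
            flagged[src] = t
    return flagged


def aggregate_flood_start(lines, window=1.0, total_limit=100):
    """Source-agnostic sliding window over all connections. Returns the time at which
    the total within `window` first exceeds total_limit, or None if it never does."""
    queue = deque()
    for line in lines:
        t, _src = parse_line(line)
        queue.append(t)
        while t - queue[0] > window:
            queue.popleft()
        if len(queue) > total_limit:
            return t
    return None


def legitimate_traffic():
    """Constructed: one client opening one connection per second."""
    return [f"12:00:{i:02d}.500 src=192.0.2.10 SYN" for i in range(5)]


def distributed_flood():
    """Constructed: 50 sources, each opening only 5 connections within one second."""
    return [f"12:00:03.{(bot * 5 + k) * 3:03d} src=198.51.100.{bot + 1} SYN"
            for bot in range(50) for k in range(5)]


def single_source_flood():
    """Constructed: one source opening 25 connections in a quarter of a second."""
    return [f"12:00:05.{k * 10:03d} src=203.0.113.7 SYN" for k in range(25)]


if __name__ == "__main__":
    # Fixed-width timestamps, so a plain sort puts the merged log in time order.
    log = sorted(legitimate_traffic() + distributed_flood())
    print("per-source offenders:", find_flooding_sources(log))       # {}: every bot stays under the limit
    print("aggregate flood starts at:", aggregate_flood_start(log))  # a time: the server is still overwhelmed
    print("single-source offenders:", find_flooding_sources(single_source_flood()))
```

The point of running both counters is the one in the answer: a per-source rule is exactly what "distributed" is designed to slip past, so capacity-based (aggregate) thresholds, ideally enforced upstream of the server, are what actually trigger on a DDoS.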
What advice would you offer the average computer user to remain safe? Is a good (and updated) AV solution, web browser and OS all that’s required or do you suggest further action?
Bitdefender: Most attacks nowadays are fully automated and require automated defence mechanisms to block them. System updates, third-party software patches and a state-of-the-art antimalware solution would definitely help the user fend off these threats, but nothing is a substitute for common sense. No antivirus solution can stop the user from disclosing private information on social media sites, or from disabling the antivirus to still be able to visit a page that had been blocked.
Would you give us a little day-in-the-life at Bitdefender – such as a few of the strategies your team uses to keep ahead of viruses?
Bitdefender: There are more than 220 million unique samples of malware today, and the number of new infections is quickly increasing, as more and more cyber-criminals resort to polymorphism to flood antivirus companies with samples that they might not detect. This surge in malware has also prompted us to heavily rely on automated systems that perform analysis and detection, as there is no way for a limited team of human analysts to deal with this many viruses a day. What human analysts do is create technologies that can accurately cluster various malware samples into families and extract their common features, as well as develop machine learning algorithms to proactively protect against new samples.
Web servers vs traditional desktop models – what are the differences in defending them from attack? Is it primarily their role (with web servers being more open to web traffic, yet typically having more experienced users at their helm)?
Bitdefender: Web-servers are usually always-on and available for everyone to connect and probe. At the same time, they are very specialized systems that run two or three services and use only a handful of ports for connectivity. Proper configuration and hardening somewhat alleviates the risks, but the complex ecosystem of server-side applications still can be breached (for instance, by using SQL injection techniques) and used by criminals to compromise the web server and its contents. These servers are designed to be always up, so system administrators postpone the installation of security updates in order not to reboot the server or take it out of production.
The main difference between webservers and workstations is that the latter have a much larger attack surface – many other third-party applications running in the background, as well as the end-user’s actions, could put the machine in danger. Dedicated webservers are not used by humans to surf the web.
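The answer names SQL injection as the typical way the server-side application layer gets breached. As an added illustration, not code from the interview or from Bitdefender, here is the same login query written the injectable way and the parameterized way, run against a constructed in-memory SQLite table; the table, account and inputs are all made up for the example.

```python
"""Added example (not from the interview): the same login query written the
injectable way and the parameterized way, run against a constructed SQLite table."""
import sqlite3


def make_db():
    """Constructed user table with one account. The password is stored in the clear only
    to keep the example short; a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, name, password):
    """String-built SQL: user input becomes part of the query text itself."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone()


def login_safe(conn, name, password):
    """Parameterized SQL: input is bound as data and cannot change the query's structure."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    crafted = "admin' --"  # the SQL comment marker makes the string-built query ignore the password clause
    print(login_vulnerable(conn, crafted, "wrong"))    # ('admin',): accepted without the password
    print(login_safe(conn, crafted, "wrong"))          # None: no user is literally named "admin' --"
    print(login_safe(conn, "admin", "correct-horse"))  # ('admin',): the real credentials still work
```

The hardening is the `?` placeholders: the database driver sends the query text and the values separately, so quoting or comment characters in the input are only ever compared against column contents. Every mainstream database library offers the same binding mechanism, and a code review of a web application should treat any query assembled with string formatting as a finding.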
Let’s discuss mobile phones and tablets security. With smart devices becoming increasingly common, people are growing more reliant on these devices to store their data. Are antivirus apps and other products becoming more important than say two years ago?
Bitdefender: Mobile malware has been on the rise for two years, as Android has become the world’s first choice in the mobile OS space. Mobile security solutions are more than antiviruses: they pack a web surfing component, an anti-theft module and possibly parental control along with the antivirus engine. Subsequently, a mobile antivirus would be highly recommended for any Android user, as it does more than scan apps: it can help you get your phone back and can stop web-based badware such as phishing attempts, scams or other types of dangerous content.
While we’re on the subject of mobile phones and tablets, which practices are best to defend your personal data on mobile?
Bitdefender: The major problem with mobile phones nowadays is the way data is sent from the application to the application’s server. Some ad-monetized applications often leak personal information which is then sent via insecure (http) connections. Since most smartphone users often connect to public Wi-Fi networks, the applications leave room for man-in-the-middle or Wi-Fi snooping attacks. The two most important pieces of advice any user should follow would be: a) use 3G whenever possible and only connect to Wi-Fi networks you trust; and b) use a VPN solution when connected to untrusted Wi-Fi networks. There are plenty of free VPN services that the user can choose from.
With Microsoft finally ending support for Windows XP, what steps do you suggest users who wish to stick with this OS take to remain secure? Will an up-to-date web browser and AV be enough, or would they be better off moving to a different OS if possible?
Bitdefender: Use an antivirus solution and update all third-party applications – especially the browser, Java, Flash and Adobe Reader. This is not enough to ensure that your system will stay safe, but it will make exploitation more difficult and buy users more time until they decide to migrate to a supported version of Windows. However, full migration to a supported OS is highly recommended.
Regarding the Heartbleed vulnerability warnings – can you talk a little about what Heartbleed is, and how and whether users need to take steps to protect their security and privacy?
Bitdefender: Heartbleed is the stage name for a vulnerability found in the open source implementation of the SSL protocol. SSL/TLS is the protocol used for securing banking transactions, logins and critical data. By exploiting Heartbleed, someone could extract the server’s private key and decrypt the information exchanged between the user and the server. This is a massive vulnerability that has gone under the radar for more than a year, so the number of servers potentially affected is huge. Presumably, any server could have leaked user information stored in the server’s random access memory, including the server’s administrative credentials.
Unfortunately, there is little that the user can do, since this is a server-side vulnerability. Users should check whether the services they use have fixed the vulnerability, and then change the account password immediately.
False positives are an issue with many antivirus applications, and with Bitdefender there were reports of users (myself included) experiencing them with Steam and other titles. What steps are Bitdefender taking to reduce false positives, and could you explain how false positives are detected?
Bitdefender: False positives occur when a malware signature has patterns in common with legitimate applications. This issue has impacted all antivirus vendors at least once but, ever since the introduction of cloud-based verifications, we can accurately tell malware from legit files.
To detect potential false positives, we have also established a quality assurance process that identifies potentially problematic signatures before they are delivered to our users. If the signature matches a known clean file, it is forwarded to a human analyst for additional verification.
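Two earlier answers describe the same machinery from opposite sides: the labs answer (signatures, fingerprints and why repacked samples are routine) and this one (a signature that shares a pattern with a clean file is a false positive, and QA should catch it before release). The block below is an added example, not Bitdefender's engine or its signature format: a toy byte-signature scanner with one-byte wildcards (a `??` convention assumed here, loosely modelled on the hex signatures of open-source scanners), a SHA-256 fingerprint, and a pre-release check against a known-clean corpus. All files and signatures in it are constructed.

```python
"""Added example (not Bitdefender's engine): a toy byte-signature scanner with
one-byte wildcards, a file fingerprint, and the kind of pre-release check that
catches a signature matching known-clean files. Every sample here is constructed."""
import hashlib
import re


def hex_pattern(data):
    """Render bytes as a space-separated hex signature, e.g. b'AB' -> '41 42'."""
    return " ".join(f"{b:02x}" for b in data)


def compile_signature(pattern):
    """Compile a signature such as '45 56 ?? 4c' into a bytes regex; '??' matches any one byte
    (assumed format, loosely modelled on hex signatures used by open-source scanners)."""
    parts = [b"." if token == "??" else re.escape(bytes.fromhex(token)) for token in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def fingerprint(data):
    """Exact identity of a file; changes whenever a single byte changes."""
    return hashlib.sha256(data).hexdigest()


def scan(data, signatures):
    """Names of all signatures found in data."""
    return [name for name, pattern in signatures.items() if compile_signature(pattern).search(data)]


def qa_check(signatures, clean_corpus):
    """Pre-release check: map each signature to the known-clean files it would flag."""
    problems = {}
    for name, pattern in signatures.items():
        regex = compile_signature(pattern)
        hits = [filename for filename, data in clean_corpus.items() if regex.search(data)]
        if hits:
            problems[name] = hits
    return problems


def deployable(signatures, clean_corpus):
    """Signatures that passed QA; the rest go to an analyst instead of to users."""
    flagged = qa_check(signatures, clean_corpus)
    return {name: pattern for name, pattern in signatures.items() if name not in flagged}


# Constructed files: two "repacked" builds of the same payload and a harmless game launcher.
PAYLOAD_V1 = b"MZ\x90\x00" + b"\x00" * 16 + b"EVIL-PAYLOAD-v1" + b"\x00" * 8
PAYLOAD_V7 = b"MZ\x90\x00" + b"\x00" * 16 + b"EVIL-PAYLOAD-v7" + b"\x00" * 8
GAME_LAUNCHER = b"MZ\x90\x00" + b"GameLauncher.exe\x00" + b"EVIL-MONSTERS-LEVEL-1\x00"

SIGNATURES = {
    # wildcard on the version byte: one signature covers every repacked build
    "Test.Payload.Gen": hex_pattern(b"EVIL-PAYLOAD-v") + " ??",
    # too short: the prefix also occurs in a legitimate game's level names
    "Test.Payload.Broad": hex_pattern(b"EVIL-"),
}
CLEAN_CORPUS = {"game_launcher.exe": GAME_LAUNCHER}

if __name__ == "__main__":
    print(fingerprint(PAYLOAD_V1) == fingerprint(PAYLOAD_V7))  # False: a hash alone misses the repack
    print(scan(PAYLOAD_V7, SIGNATURES))                          # both signatures hit the repacked build
    print(scan(GAME_LAUNCHER, SIGNATURES))                       # ['Test.Payload.Broad']: a false positive
    print(qa_check(SIGNATURES, CLEAN_CORPUS))                    # the broad signature goes to an analyst
    print(list(deployable(SIGNATURES, CLEAN_CORPUS)))            # ['Test.Payload.Gen']
```

The two halves show the trade-off the answers describe: the wildcard is what lets one signature survive the repacking that makes per-file hashes useless, but a pattern made too generic starts matching clean software, which is why a clean-file corpus sits in front of every signature release.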
Thanks again to Bitdefender for the great interview; here are the giveaway details!
Bitdefender are giving away 5 keys to their Bitdefender Total Security 2014 package, which has won the “Best Antivirus of 2014” award for the highest protection against infections and negligible impact on your system’s performance. All you have to do to enter the competition is to re-tweet this Twitter status OR share the article on FB using the following link. The competition closes in 3 weeks’ time, meaning it’ll be closed on the 26th June, 2014. Winners will then be announced!