Security

The virus hunter

Network Associates' Vincent Gullotto is on the front lines in the struggle between virus writers and security managers. Which side is ahead? A status report.

As you might guess, Vincent Gullotto, who runs Network Associates' McAfee Anti-Virus Emergency Response Team, gets a lot of early-morning emergencies. The AVERT group is charged with examining and subsequently containing the vast amount of malicious code floating around the Net. Although some types of threats are fading, others, such as spoofs that can lead to credit card theft, are sharpening.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


So which side has the upper hand? Gullotto spoke to CNET News.com about how Network Associates manages attacks and the changing nature of computer security vulnerabilities.

Q: Give a quick overview of your department.
A: AVERT is basically the antivirus research analysis and operating management group for Network Associates' McAfee security business units. On a daily basis, we look at viruses or follow up potential viruses, work out solutions for our customers and determine what steps they should take. We manage services where you can submit a sample of what you believe is a virus to our Web site that will scan it within 60 to 90 seconds and give a response to let you know.

How many funky pieces of code do you guys have to look at in a month or in a week that might be malicious?

We have seen a relatively dramatic decline in the number of mass mailers that have been successful in propagating versus three years ago.
I will break it down on for you in a couple different ways. On a monthly basis, we exchange what we call monthly virus collections with 13 or so other researchers in the industry.

We look at roughly 25 a day. From there, we then add maybe another 50 to 75 to 100 files that come in and are infected with viruses from our customers on a monthly basis. We may see another 100 or 200 or 300 or 500 come in that month, but all of those are then used or looked at with automation that we set up.

On the morning of a virus outbreak, what's it like? Do you suddenly start getting a spate of messages from the Far East or in Europe?
Typically, what happens is that one of the labs will begin to report some suspicious activity or a large number of files coming in within a relatively short period. Once that happens, whoever is in that lab will get in touch with somebody in management, who then begins to have some other folks get involved.

We look at competitor sites, to see if our competition is putting anything up there, and at some of the user groups, to see if they are seeing anything. Then we begin to assess the threat itself, along with the numbers that we are getting in, to see if it is indeed going to become something relatively big or if it may be just a seeding of a new threat. This seeding has become very popular over the past year or two.

What sort of changes are you seeing in attacks?
We have seen a relatively dramatic decline in the number of mass mailers that have been successful in propagating versus three years ago. We are still seeing mass mailers being written, and people are putting them out there, but even those numbers have declined overall.

Most of what we are seeing written today is in the area of Trojans, some type of password stealer or spyware. You may have a multiheaded type of threat. Right now, we are looking at one that actually is a URL spoof. It seems to be preying on eBay and the PayPal folks. What happens is the virus will look inside your cache to see if you have already cached this page.

People have been led into some false sense of hope for the past couple of years.
If you have, it will replace your cached page with the one they send to you.

That is how they target it?
Right. So what happens is that the next time you go to PayPal or a bank or some place where you have to add in your password and user ID, that information is redirected to a hacker site or an e-mail address that they put inside the code or whatever the case may be.

It sounds like targeted marketing. In a way, it seems to allow them an opportunity to try to go under the radar and send it to very few people and possibly net more funds.
I am surprised today that the hacking community doesn't go a bit further. Today, they mostly hack into a Web site and change a Web page--that is still pretty popular.

Have you seen the motives change? It used to be teens, out for vandalism. Has it shifted from that to systematic criminal activity?
I think that we have a little of both going on. We still have the typical virus writer who is simply doing it because that's what he is interested in doing, and he doesn't want to go too far.


Year in review

Worms and viruses
delivered a wake-up
call America couldn't
ignore.


He doesn't try to steal information, and he doesn't have any financial agenda.

But I think that people may be changing their methods and going from breaking into a bank versus getting into a bank in a different way. They have enough intelligence so that they learn how to do this, and it can be considered to be a white-collar crime. Clearly, we have seen more and more password-stealing threats over the past few years than we saw at the height of mass mailers.

Are the methods of attacks becoming cleverer, or is it just that they are more prevalent before actually trying to do more in a systematic method?
Well, it is hard to tell whether they are clever. What we are seeing right now is a great number of different types of threats that are being unleashed. Somebody is just trying to figure out what's going to stick; what's going to become successful.

For instance, there was the child pornography threat a while ago. The e-mail would state that you had subscribed to a service, but had to click on a link to unsubscribe. The natural reaction is to say, "Oh God, get me off of that," and click. That was a more dramatic grabber than, "Please send me money so that I can dig up my fortune in the jungle."

We make it a point to study these threats and look at the architecture of them to be able to find ways in which we can catch them ahead of time. You could probably put a pretty decent spreadsheet together to see what has been effective and what's not and even go ahead and socially analyze it to a point where you can say, "This may be successful."

Where are the hotbeds for attacks? Is it spread all over the globe, or is it concentrated in Eastern Europe?
Most of the activities that we have seen over the past year have come out of Asia. I'd say Western Europe is probably No. 4 these days, Eastern Europe No. 3, No. 2 being the United States--and No. 1 being Asia.

Now, there is nothing really scientific about that deduction. A young lady that writes viruses in Belgium can go to France, where she can launch it. She could target only ".cn" and related e-mail addresses so that it looks like it started in China.

Corporations are always griping about the time it takes antivirus companies to react to a new threat. How long does it take on average, and what sort of techniques can you use to shorten that?
We have a two-hour turnaround time to get the solutions into our customers' hands. But we have tracked our responses over the past couple years, and I would say we are probably closer to 35 to 45 minutes.

In the home, it seems like people will eventually have to move to firewalls. Everyone will have a miniserver, anyways, for their TV and pictures and all that.
I can guess that there would be no harm in me saying this: If somebody would come to me and say, "Hey, look. I have $40 in my pocket. I have to buy either a virus scanner or firewall. What do you recommend?" I would say, "Firewall, if you are a home user." That's going to protect you more from the hacker that tries to do something in your environment.

People have been led into some false sense of hope for the past couple years. Maybe their providers are doing some security work for them; maybe they aren't.