We are Kaspersky Lab's Global Research & Analysis Team (GReAT) AMA!

Hi all,
If you watch Mr.Robot, on scale from 0 to 10 rate how the show actually meet the reality in IT security and hacking field?

Costin here: Mr Robot is a strong 9.5 for me. Most of the scenes are top class and the usage of tools, operating systems and other tiny details, from social engineering to opsec is very good. I guess having help from some real world security experts (the folks at Avast did a great job! - https://blog.avast.com/2015/06/25/are-the-hacks-on-mr-robot-real/ helped. I particularly enjoyed some of the quite realistic scenes, such as the poor developer who can’t help fixing the broken Bitcoin bank and the parking lot USB key attack.

Juan here: Admittedly having only watched the first season, some of the depictions of hacking are surprisingly good. Particularly enjoyed seeing their depiction of how quickly a phone can get backdoored with the right preparation (less than the span of a shower).

So, are you KDE or GNOME? ;-)

Costin here. I’ve been using various *nix systems for over 20 years, so I can say that I’ve spent a considerable amount of time on both KDE and GNOME. About five years ago I switched most of my systems to Ubuntu, so currently, Unity it is. Sorry if that disappoints. ;-)

Now on to the real holy war: vi or emacs?

vim, of course!

0 to 10, how is this NCIS scene?

https://www.youtube.com/watch?v=msX4oAXpvUE

Up to eleven!

Hi guys - I'm Roi - I write for SC Magazine UK. I was wondering if you had any predictions with regards to when we will start seeing mass casualties and perhaps even death from hacking into ICS? Is it possible now? Following from the German steel mill attack, the Black Energy malware and the Swedish air traffic control attack it feels like we're on the brink of something but not quite there yet. Who in your opinion does ICS security well? Do you have any opinions on the state of the UK CNI is like?

Brian here: Hey Roi, great question and a tough one to ask to the experts. In my opinion, it’s a matter of time before someone, somewhere decides to cross that line and cause casualties. If you look at all the critical systems that are still unsecured and vulnerable to attacks, all it would take is one crazy person and a general understanding of how ICS works to inflict damage to the masses. This is why securing ICS should be the #1 thing policy makers and other experts in the field should be focusing on right now. We need more voices like yours out there asking these tough questions to the appropriate people. Regarding who does it well...Again in my opinion, no one is doing it “well”. Well isn’t good enough. It needs to be impenetrable and right now, that’s not the case. This isn’t a mythological unicorn any longer. It’s been done before, and will only get worse.

Vitaly here: Honestly, I don't want to think about it. Last time I thought about possibility of malware crossing the border between virtual and physical worlds to destroy a physical object, Stuxnet happened just the next month. I was thinking only about "why so soon?" back then. I feel same strange feeling every time I hear about sudden disasters such as crashed planes, derailed trains, etc. A security researcher, widely known as halvarflake, said earlier this year (reconstructed from my memory): "Physical objects can be owned and/or possessed by you. Computer systems have additional dimension, which is control: you may own a computer, possess a computer but with current systems design you can never be sure who is in control". This is what wakes me up at night, because this illusion of control we have over computer systems opens infinite possibilities to create tragedies by people who use their power against others. From my point of view, this is what makes human race primitive.

Just to clarify, what makes us primitive in your opinion? The fact that we buy into an illusion of control, or because we as humans will/would cause mass casualties using these illusions?

Vitaly here. The fact that we use our evolutionary development against ourselves makes us primitive. I'd probably prefer to be an engineer of an intergalactic space-travelling gate now. Yet, I am working in a massive planet-size industry that protects "us" from "ourselves". C'est la vie.

What do you recommend as the best anti-virus software?

Really?

Question especially for the Russia guys - how can we trust that Kaspersky isn't being leaned on by Russian intelligence services to downplay reporting? Specifically talking about situations like Red October/Cloud Atlas actors, where there clearly appears to be a Russia/CIS component.

Costin here. First of all, we’re a multi-national team. Our members are distributed across 18 countries. This means the chance of any nation state influencing everyone is very small.

Secondly, we like to think we were the first to publish and expose more Russian-speaking APTs and operations than any other security company out there. Some examples on top of my head: RedOctober, Miniduke, TeamSpy, CozyDuke, Epic Turla, Turla Satellites, Blackenergy router attacks, CloudAtlas. According to my knowledge, no other company has published more APT reports on Russian-speaking APTs than us. Check our APT tracker for all our work.

EDIT: formatting

Hi all,

So I always read your reports with attention, and I came across something funny in the Equation report. It was a good report on the NSA toolset I must admit, but as we say, devil is in the details.

So if we read the report, we see :

18.How did you discover this malware? We discovered one of the first EQUATIONDRUG modules during our research into the Regin nation-state APT operation.

And while looking at 9412a66bc81f51a1fa916ac47c77e02ac1a7c9dff543233ed70aa265ef6a1e76, mentionned in your report as an "EquationLaser installer", I saw that you detected this sample back in 2006 when Regin was not yet used ; but wait this isn't the best part yet.

Let's look at these pictures : [1] [2], [3]

We can see that on the first submission the malware is already signed by some antivirus companies, and that two days later all of them except Microsoft have deleted it. But, when this is resubmitted in 2015 everyone and many others detect it,and with the same signatures.

So my question is : why did you, amonst other antivirus companies, deleted a signature for a NSA malware in 2006, only to put it back later ?

Vitaly here. The file you are referring to was added to our virus collection on the same date (24.08.2006) and was never removed. I guess Costin is right. In 2012 it was additionally added to our cloud-based detection collection (for KSN-based products).

There is no conspiracy here, but it's funny that before Stuxnet was discovered Eugene Kaspersky used to say that we could have had nation-state developped malware or police tracking tools in our malware collection which we detected as yet another backdoor. He was right, but back then maybe we did not have enough skills and techniques to discover and track such actors.

This is a refreshing response considering most attack/def companies tout their code as the best. The humbleness is appreciated.

Thank you :) We like to be as honest as possible and we believe all AV companies should have this mindset.

Vitaly, to your point on "back then maybe we did not have enough skills and techniques to discover and track such actors" - what do you believe has changed that would allow you to detect new threats going forward? In other words, how confident are you that you are suited to detect current-gen or future-gen APT material?

Vitaly here again. How confident can you be when you see a ghost in a room? Are you sure that the ghost has no ghost-friends in the same room? We simply do our best. If you can do better, we'd be very happy to talk to you. So far, this is new land to all of us in infosec and we are just trying to make the first steps very carefully without falling into a trap. And by the way, we are bringing up our own future-gen at homes to detect and fight future-gen APT materials. :)

If you can do better, we'd be very happy to talk to you.

Vitaly, Thanks for the response re: ghosts. I had actually considered GReAT, but was a bit put off from the "must have X published papers or presentations" requirement in the job posting. How exactly would somebody from a career in researching APTs in a "not in the public eye" capacity fit in with your team?

Vitaly here. You don't have to be great to start, but you have to start to be great. A person that thinks like a hacker will always find a way around. What if it's part of our selection process? ;-

Costin here. Hey, that’s a funny username. That’s a good question, however I think you’re seeing steam when there is no banya :). Back in 2006, VT would err from time to time, so it wouldn’t properly scan a sample with all antivirus products. This still happens from time to time and it doesn’t mean anyone dropped detection, only that something went wrong when VT re-scanned the sample. I can say for sure that we didn’t drop the detection in 2006.

What you consider as the hardest part of your job? (it can be technically or moral or whatever)

What's the most dangerous situation you have been for doing your job?

Thanks!

Costin here. I’ve been working in computer antivirus research for more than 22 years. Everything was pretty nice and easy before 2008. Then almost overnight, nation state sponsored attacks appeared. I guess the first big one was Aurora, which hit Google, Yahoo and others. Ever since, my job has been getting more and more complex, from all points of view. Some of the trickiest things to think of include: “when to publish a report?”, “when is research truly finished?”, “is it ethical to research only threats from one side of the world but not another”, “who did it” and “why did you publish it”. I try to navigate around these with a simple system - we research and publish on any kind of threats, no matter the origin. When research is complete and we feel confident our analysis is strong, we publish. And on the internet, answering “who did it” is sometimes impossible...

Vicente here: We, like everybody else, only have partial visibility of things. That makes extremely hard to take some decisions unless you have a very clear code of conduct. In my opinion, we are living in a world where our work has an impact and ethics should be properly set. I like to think of ourselves like doctors or scientists, working based only on technical stuff and not letting other factors to decide for ourselves. And that´s not always easy.

I have not been in any really dangerous situations, but definitely in a bunch of weird, and sometimes scary, ones. There are others who have dealt with some ‘situations’.

In what way are average citizens affected by your work and the malware you fight?

Should I worry about being the victim of one of these "advanced targeted attacks?"

Costin here. In general, advanced threat actors go after governments, military, big companies, cutting edge research institutions, financial and banks, activists and scholars. If your profile fits into one of these then yes, you should worry about high end threat actors. However, if you’re not necessarily affiliated with one of these, you can still be caught in the middle of cyberwar between superpowers. For instance, you might visit a watering hole and get infected simply because you were in the wrong place at the wrong time, or your personal information can be stolen and used for identity theft at a later time.

For the average person however, perhaps the most worrying thing in my opinion is the constant escalation of cyber conflicts as more and more nation states obtain cyberstrike capabilities and work to developer their cyber armies.

What's a good way for a garden-variety programmer to get into reversing and binary analysis? (not necessarily malware as I know I'd manage to infect myself).

I've had a number of false starts trying to learn x86 assembly - mainly because I don't have a specific goal.

Brian here: This is a very difficult thing to learn on your own. I struggled with it for years until I started doing a lot of hands on reversing challenges and capture the flags. Right now, there is one being held by Palo Alto which has a really cool Windows/Unix reversing track. I would recommend starting with something like that, where you are doing things with your hands instead of simply reading a book. Also, a great book that I recommend everyone in our field read is Practical Malware Analysis. It has fantastic labs to go along with each chapter and is very well written. The short answer here is, keep on doing it and don’t give up. One day it will just “click” and you’ll be tearing apart nation state malware before you know it :)

Were there any situations when cybercriminals threaten you guys for your work?

Costin here. Andrada Fiscutean wrote a rather nice article on this for Motherboard. I’d say that nowadays, few cybercriminals are bold enough to threaten security researchers, but it does happen from time to time, mostly with security researcher journalists.

Juan here: you’d be surprised how many of them have lawyers.

Thanks for doing this.

Could you explain to us non-techies how metadata and other data can be used to attribute hacks such as the DNC attack and stuxnet? What can and can't be altered such that firms like Kapersky can attribute accurately?

Brian and Juan here: This is a great question and very rarely answered in detail, partly because letting the adversaries know what you use in attribution allows them to manipulate the very same data. There is really little that can’t be faked or manipulated and this is why the industry has such heated debates sometimes over attribution.

The main pieces that seem to be used a lot in attributing attacks usually focus around languages used in the code, the times when the malware was compiled, motivation behind the attacks, types of targets, IP addresses used during the attack, where the data is being sent to after, etc. All of this is used in a sort of “matrix” to determine the potential players when discussing attribution. In the case of the DNC attacks for example, many experts agree that the malware used in the attacks as well as some of the infrastructure used, only belong to two “groups”.

As a fellow RE, I find myself admiring certain elegance and tradecraft used by the actors. I'm curious to know which malware family each of you are impressed with most?

It would also be great to hear why? (e.g. Duqu2.0 impressed me by bypassing the klif interceptor via in memory patching to leverage the KLIS driver's self-defense mechanisms)

Brian here: I’m fairly partial to Turla, mostly because of their history, longevity, and ability to stay hidden for long periods of time. Their latest toolset we just analyzed literally made me want to jam a pencil in my eye. It was a JavaScript based malware that was heavily obfuscated, ran in memory, and used nothing but Wscript and WMI. While not a very advanced tactic, it has been extremely effective against some VERY high profile targets and was a PITA to analyze. They are also VERY good about having their stage 2 malware only work on the intended target of the attack, preventing reversers who might get the sample from VT or somewhere other than directly from the victim from even decrypting the payload to analyze it.

I envy actors who are very effective at what they do, stay quiet, and make my life hell, and occasional add a “red herring” in there to send you down some rabbit hole.

At summer 2013 Edward Snowden came to Russia. Few years later Kaspersky Lab published information about Equation Group on Kaspersky Kaspersky Security Analyst Summit (SAS) 2015.

Some media are saying, that Snowden works as IT-consultant for some unnamed company. For example here: https://rg.ru/2014/12/23/snouden.html

So here my questions:

• Does Edward Snowden work for Kaspersky Lab? On regular basis or as IT-consultant?
• Did Kaspersky Lab use information that was revived from third parties such as Edward Snowden or Russian government to discover Equation Group
• Did you lose visibility of Equation Group?

Costin here. We have no connection whatsoever with Edward Snowden. As far as we know (based on media reports), he works for a company as webmaster or sysadmin. We didn’t use any of the information from the Snowden leaks to discover the Equation Group - actually, there is no information in any of the leaked documents that could allow somebody to find anything. This is because the documents have been carefully redacted, removing data such as unique DLL names or processes, which could allow someone to catch the malware. We discovered the first Equation sample while analysing a multiple infection on a computer we call “The Magnet of Threats”. This computer has been infected by many other APTs, including Regin, Turla, Careto, Animal Farm, in addition to Equation.

Currently, we have no data on the whereabouts of the Equation Group - it went dark in 2014. However, it still remains one of the most sophisticated APTs we’ve ever analysed.

Is the magnet of threads something you set up, or is there some granny out there playing gotta catch em all?

Costin here. The Magnet of threats is our nickname for a computer system belonging to a research institute in the Middle East. This is not something we have setup, it’s just a computer which for some strange, unknown reason, has become the target of some of the best APTs in the world. Based on our knowledge, it’s a pretty unique situation, which never repeated again after the publication of our analysis on Regin. Yes, this probably means the other guys read our research too.

I am aware of the work Kaspersky and other agencies are doing involving Ransomware, what preventive measures are in place to prevent a malicious coder from introducing a virus or worm like propagation mechanism? In other words, if these go from being black hats spreading them, to independent spreading via hard code can we honestly expect current antivirus scanning methods to be sufficient?

Juan here: I think it’s important to understand that good modern anti-malware software isn’t just ‘virus scanning’ anymore. There are a ton of different systems packed together working off of one another to examine behavior and detect malicious actions whether it’s obvious that the file was going to do that off-the-bat or whether it changes its behavior once its running on the system. With ransomware in particular, our heuristic engine (System Watcher) is primed to catch not just different variants of ransomware but the behaviors themselves that ransomware would normally take so that we can not just detect and stop it but also rollback any changes to the system live.

How effective is your rollback process? I've had a few clients (both business and personal) that had to tear down, rebuild, and restore due to ransomware. If your software offers a real solution to this our shop would consider a change.

Juan here: Someone in marketing will kill me if I don’t try to make a sale here :P.

Basically, on the tech end, system watcher is checking constantly checking processes on the system for matches of heuristic signatures that match the actions of ransomware. So even if it’s an unknown variant, system watcher is likely to catch the actions and performs rollback on the files changed (like if you suddenly see a string of files getting encrypted). Nothing is perfect but we work very hard on this technology and it’s given us good results so far. (Pro-tip: Make damn sure people don’t install the product but disable system watcher!!!)

Ryan here: We think it's very effective but you should test it for yourself.

Just saw the KasperskyES tweet and decided to ask something I had in my mind for a long time ...
I saw several informative videos related to Stuxnet, and it's particular way of attacking SCADA embedded systems. The drivers they used to attack the Windows systems at first instance were signed with JMicron and Realtek certificates. How do you think the attackers got into those? Did they previously attack those companies to get them, or...?
Also, when you discovered you got attacked by Duqu 2.0, how did Kaspersky react to that? And, how was the security breach discovered? (I read it was thanks to an alpha version of your Anti-APT solution, but wanted to know more about that). Thanks for making this AMA, hope the team enjoys it, and also thanks for your incredible job!! :)

Brian and Juan here: OK, so for the first part, as with many other attacks using valid certificates, our best assumption at this point is that those certs were stolen in some way. Whether or not the actors did it themselves, received it from someone else who stole it, or possibly stole it from another thief, the most logical answer is that the cert was used without consent from those companies. At the time GReAT published research into Stuxnet, it was noted that both companies had offices in the same physical location, which suggests an interesting possibility of how the attackers may have gone about getting those.

Regarding Duqu 2, we reacted the same way any other AV vendor would when discovering a very advanced adversary on your networks...We screamed in a pillow for a bit, then went to work figuring out what they deployed. It was discovered in part using an early version of our Anti-APT product called “KATA”. After the initial surprise wore off, we have to admit the reversing ninjas had a great time with it ;)

Hello Kaspersky Lab researchers,

I know you avoid attribution as a policy, but it seems fairly evident that most state-level targeted attacks seem to be carried out by the so-called major cyber powers (U.S., U.K., Russia, China, Iran, etc.). For the sake of this question, let’s assume attributional indicators reflect reality. Why don’t we see more state-level hacking activity carried out by developing or undeveloped nations? It would seem that the cyber espionage game is completely democratic with the wide availability of cheap and free remote access and post exploitation tools.

Thanks!

Vicente here: Following your assumption, it would make sense than countries with more resources to spend in such operations would be the most active, which would reflect the list you mentioned. That does not mean that developing countries don’t participate in such operations, however many times they use external resources as it is cheaper than developing major “cyber-capabilities”. That, among other things, makes attribution more difficult (is not the same as developing an advanced and unique weapon rather than using a common one).

Also you should consider the “media exhaustion” factor that unfortunately also might limit the information distributed for some campaigns. If someone discovers a campaign of a small tiny country targeting their small tiny neighbour, you probably won’t read about it in any major publication.

Hello Team! Thank you for doing this.
How much and what kind of education did you go through to get into this field? How profitable is it compared to less technical careers? Have you ever had to testify as an expert witness on a case? What was the experience like?

Brian here: I know my scholarly friends will hate this answer, but for myself, I failed out of college. Yes...I had a .16 GPA. That said, I fell into the field because I always liked pulling things apart and seeing how they worked. I am a huge advocate for people attending University and completing their degree, simply because it shows drive and follow through. But, unfortunately, the majority of schools today do not teach the skills needed to hit the ground running in our field. Much of what we do is learned through experience and hands on training.

As for profitability, I think we make a damn good living and the perks are up there too. Where else can you go to work, track bad guys, learn something new every day, and still be a nerd all while making a nice pay check? It’s a very unique field and we need more GOOD people! As for testifying in a case, this is usually left to people we like to call “expert witnesses” (at least in the States). They possess very specific training and processes needed to be able to testify in a legal matter. I personally don’t want to be bothered with red tape and rabid lawyers, so I chose to stay out of that realm.

Juan here: To add to Brian’s excellent answer, we really do need more good people. One thing I found really striking as I got to know people in GReAT and other researchers doing great work in the industry, a lot of them are not CS grads, nor engineers. I happen to know a brilliant researcher who is a PhD in Physics. Some who never graduated high school. It was Philsophy and Logic for me. You get the sense that the more identifying feature here (apart from a love for technology) is the drive to learn new things all the time and leverage that knowledge in cool ways. The security landscape evolves quickly and drastically and it takes constant work to stay on top of it.

Thank you all for answering our questions.

You're welcome :)

Security breaches are not going to go anywhere any time soon to the extent that the United States now has a cyber incident severity schema. My question what are your thoughts on how the government can tackle this issue or should the government not be involved in the civilian sector?

Juan here: Difficult difficult question. There’s definitely a big role for government to play in tackling this issue. More importantly, in a way it has to be the government doing some of these things. For example, the debate on ‘hacking back’ is one that I’d rather not extend beyond the powers of the public sector (as what you might call an extension of the government’s ‘monopoly on the legitimate use of violence’). At a time when attribution is artisanal and reliable attribution is nearly impossible, I’d much rather certain government agencies handle the recourse to hacking back entirely.

Now, as to what government can do right now, two things come to mind:

1. private sector cooperation with law enforcement is essential in taking down certain types of very troubling malware, like Ransomware. When the crypto is properly implemented, the best thing that can be happen is to have law enforcement cooperation to seize C&C servers so we can make decryption software and services for the victims. We can’t seize the servers ourselves so open and empowered cooperation is important.

2. Information sharing initiatives are awesome and there aren’t enough of them with really key sectors, like the financial sector, healthcare, and even certain specialized sectors of tech. These sectors need expertise but often feel they cannot or should not share for fear of the stigma of a hack or potential legal repercussions. It’s great when governments step in and provide a safe haven for companies to reach out, share what they know, what concerns them, and receive the help they need.

How do you get your hands on Virus/Malware samples?

Do you work with large companies to feed you the malware they receive?

Vicente here: We, like every security company, share big amounts of malware with other companies in the industry. We have agreements for sharing samples, and we also get new ones as we find them in the wild. That could be a new virus detected in one of our customers, or that we proactively found such samples in a malicious server, for instance.

For the every day person, is there a "safer" operating system? I hear all kinds of debates. RIP Windows XP.

Costin here. I’d say that nowadays, an operating system is as important as the web browser or PDF viewer you use. This is because most of the attacks happen either through the web, abusing a vulnerability in your browser, or e-mail, through a malicious attachment. With that in mind, we like Google Chrome a lot and try to use it when possible over other browsers. Make sure you have an blocker installed, KB SSL and a password manager.

If you want to go a bit higher in terms of security, consider switching the user agent - so use Chrome with a Firefox user agent and Firefox with a Chrome user agent. Deploy Microsoft’s EMET if you run Windows and make sure Windows itself it 64 bit. For now, I try to stay away of Windows 10, since it collects too much telemetry for my taste.

The next level would be using multiple computers, running different OSes, such as Windows 8.1 x64, Linux and a Mac, and constantly switch between them. Read your e-mail on the Windows machine but open the attachments on the Mac. Browse the net on the Linux machine and so on.

Common sense also goes a long way.

Several years ago, Kaspersky proposed heavy government regulation of Internet use, including "Internet drivers license". Do you stand by this, and if yes, why?

Juan here: I can understand why this is a difficult claim to stomach. I think it comes from the perspective of people in the trenches of cybersecurity for whom the vast anonymity afforded by the internet is a very vexing thing. We analyze all sorts of malicious campaigns.

Sure, attribution for APTs is difficult and inexact but sometimes you run into a ransomware campaign extorting defenseless users by making them think they’re in trouble for child pornography in order to get a few hundred dollars in ransom, or banking trojans wiping out a grandmother’s bank account and there’s a sense of indignation that comes over you. When we can tell who did it (largely by poor OPSEC), then law enforcement can have at them, but most of the time this isn’t the case. In that specific mindset, it would be nice to know where each malicious packet is coming from and who is responsible.

How the hell are we supposed to pronounce Kaspersky? Is it "kasper sky", "kasper skee" or "kaspErskee" or wth?

Correct.

About to finish Software engineering degree, what does one do to get involved in security? My uni sure as hell has no 'formal subjects' on the issue and I don't know how I'd get involved. Internship? Are there online courses? Or do I have to just go ham and do self-research?

Costin here. For me, security has always been the most interesting aspect of computer science. No matter what I was doing, security would come on top as one of the main issues to care about. In my case, I became serious about security in high school, when our network was infected by a virus named BadSectors.3428. Back then, no antivirus product was able to detect it, so using my assembler skills I took it apart and wrote a cleaner for it. I remember spending half a day and a whole night to do it – I was so afraid that somebody else in our school would come up with a solution faster than me.

After this incident, my friends started sending me other computer viruses and asking for cleaning tools. By this time my parents had bought me a 16Mhz 80286 computer with 1MB of RAM and 40MB of HDD, which is where I developed my antivirus called “MScan”, later renamed RAV.

If security is something you enjoy, I recommend applying for an internship with a large internet security company. It’s an excellent opportunity to see if this is something you enjoy.

Vicente here: In my opinion you can find online all the materials in the world to get you started, and even more. Probably a formal education can guide you and save your time, so I believe it is worth checking the formal syllabus just to know first steps and how everything is related. From there probably you want to explore yourself using such materials that you can find ( a few books, free trainings, online videos, etc) , see which areas are most interesting for you and how far you can get with what you have. But play around! Don´t stop just when reading something, you need to experiment by yourself. And at this point is where you really want to pay for professional trainings and courses, when you can appreciate why you are paying (let´s say) 5k for a 2 days training.

What's the worst Virus attack you have seen?

Costin here. It depends how one defines worst. Certain malware incidents remain in history as some of the worst in terms of effects and repercussions in the real world.

My top includes: The Blaster computer worm

The CIH virus

The Stuxnet worm

The Ukraine 2015 BlackEnergy power grid attack

Duqu 2.0 :)

Have you watched CSI:Cyber? :D

Brian here: Yes and it’s terrible. But I do enjoy laughing out loud at it.

This is a robbery. Give me your hacks or ill hack you.
̿̿ ̿̿ ̿̿ ̿'̿'\̵͇̿̿\з= ( ▀ ͜͞ʖ▀) =ε/̵͇̿̿/’̿’̿ ̿ ̿̿ ̿̿ ̿̿

I find this type of work interesting but I have literally no experience. Besides linda.com and khanacadamy, whats a good place to start?

Juan here: I’m a huge fan of Xeno Kovah and Corey Kalenberg’s courses on http://opensecuritytraining.info/. They do a great job explaining low-level material (for x86 particularly) that doesn’t usually get covered and is essential for good reversing and malware analysis. Learning C and python can’t hurt either ;)

If you could be stuck on an island with Jesus Christ or Barack Obama which one would it be?

Brian here: Jesus. Simply because he can make wine from water. And I would need to be really drunk to survive living on a deserted island with only Jesus and myself.

As Artificial Intelligence(AI) becomes more pervasive are we opening ourselves up to a threat that we may not be able to overcome? I might read too much speculative fiction but machines achieving consciousness and turning on humans looks like it might happen. Should AIs be rigged with a kill switch? What's your take on AIs and do you consider them a possible threat?

Vicente here: One of the main problems with AI is its name - a bit too excessive. Artificial Intelligence (so far) is a collection of methods and algorithms to help with various tasks, specially the ones involving tons of data, which is very interesting in the Internet era. Having the ability to “learn” based on this data, basically improving their results based on previous ones, makes those algorithms really good in a particular task with time.

Now, moving from there to self-consciousness is a different thing. In my opinion we are very far from there, but for an external observer it might look like the amount of services that we use constantly and appear to be incredibly smart, this might look like real intelligence. See the “Chinese box” experiment to get the idea, but at this point maybe this is more a philosophical question than a technical one.

Why comic sans?

Why not?

Most of us know basics around protection of our personal computers (anti-malware software, limiting permissions, sourcing applications from reputable sources, using tools like EMET, etc). What are some of the not so mainstream methods you use to protect your personal computers that may not be obvious or known to most people?

Juan here: Great question! To be honest, each person on the team has their own security quirks, ranging from things as simple to tape over the webcam to sniffing everything on your own home network. It’s hard to issue blanket advice because there’s a certain amount of threat modeling involved. What I mean is: what sort of attackers and attacker resources can you reasonably expect to be spent on you? Would I advice to my grandmother to have an out-of-band network tap? No. But if you’re handling sensitive IP, scientific research, gov secrets, etc., it may not be the most outlandish thing.

Vicente here: Just to highlight some of Juan's great advice, I think sniffing the network you are connected with an external device is one of the best methods to discover if you are compromised. Obviously needs some work when checking for any suspicious connection, but having this data logged somewhere makes wonders.

How would one go about doing this without spending years reading up? Is there some dummy's way of doing this or not really?

Costin here. ‘Fraid there is no free lunch mate. It takes years, sometimes tens of years to learn how to reverse engineer malware, write cleaning tools and create defense programs. Some of us have started couple of decades ago, others are still fresh. What it matters is having a positive attitude and desire to learn! :-)

How do I build a career in computer security (networks)? Is the military a good way?

Costin here. I guess it depends a lot on where you live. In Israel, the military, especially Unit 8200 is seen as the starting point of a successful career in computer security. In other places, formal education, such as MIT works well.

For me personally, experience worked best. I’d recommend you apply for an internship at a security company and start learning security from the real world. Unfortunately, too many of the formal education systems nowadays are well behind what is happening in the real world. I’ve seen people finish university with computer science degree, however, they didn’t know any practical security, only 5-10 years old theory.

Hey Kaspersky Team! So I've recently been infected with some malware, Adware, and atleast a couple Trojans. Ive done what I could and used a couple tools to fix the majority of this problem, but am still worried that there might be infected files still kicking around that my anti malware programs missed. So I was wondering if you guys have any tips or tricks that you'd like to share on some of the methods and tools you guys use when you run into these problems? Whether it's free or paid for, definitely open to ideas... Thanks in advance if you do respond!

Brian here: Have you tried running our AV on your system? Not to drop an obvious answer here, but that’s where I would start. Other than that, if you’re that paranoid, wipe and reinstall the OS. Or move to Mac. There’s no viruses on Mac :). OK, all joking aside, I would install a couple of different AV products to get the best coverage with respect to detecting known threats. Then I would look in all the normal places malware tends to hide; Registry keys for autorun, startup folder, temp folders, Windows directory, etc. Check for files modified / added around the time of when you suspected you got infected.

Check your running processes and look for things out of the ordinary. Again, if you’re still thinking there is something on your box, wipe it and reinstall. I can’t tell you how many times I did that growing up because of some stupid virus that I could figure out. Or, just move to Mac :)

I have to use your software on my work computer. I gotta be honest, it slows my computer down a ton. What is the reason for this, and do you guy have plans to fix it?

Juan here: Sorry for any inconvenience. Hard to tell what’s going on without knowing more about the specifics of the setup (like your OS version, computer specs, and what other software is on the machine as well) and how the administrators have setup the software. Of course any security software is going to involve some overhead in processing power but we do a lot to optimize this as much as we can. If it’s that palpable on your machine, I’d point at something wrong in the configuration as a likely culprit.

Can I get a Ferrari paddock pass for the USGP?

Juan here: Sure, as soon as I get one for my Ferrari-addicted uncle...

You guys go against what are presumably well-funded criminal organizations and nation-states. Have you ever felt personally threatened by the work you do?

Brian here: Every day. But what keeps me going is knowing we are doing good for the rest of the World by working these threats. Also, keeping a good state of awareness and not doing dumb stuff when on travel to other places helps as well. There are some researchers though that have it worse than me as they live in places where they aren’t afforded a certain level of protection from their governments. These are the folks that are generally more concerned with their safety.

Is that Jackie Chan behind the gentleman holding the G?

Costin here. Yes, that's me and that's a lifesize Jackie Chan print behind me. I’m a big fan of Jackie’s movies and Kung-Fu movies in general. Drunken Master ftw! :-)

Did hackivists try to recruit any of you and how would / did you react?

Vitaly here. Due to internal budget issues, hacktivists usually don't recruit, but get recruited. Guessing the follow-up question: no, we don't recruit hacktivists. Guessing the next follow-up question: hacktivists recruit hacktivists. And the next one: we don't know who was the first hacktivist. Vitaly, stop talking to yourself. OK. Over.

In your experience, how many instances can you recall where an exploit could truly be attributed to technical genius?

I keep feeling like every major "hack" that makes the news boils down to crap implementation/administration of solutions, click happy users, or a simple social con that should have been caught. Maybe I'm jaded or naive since I'm (sadly) on the audit and assessment side, but the "anywhere, anytime" style of hacking everyone talks about seems surprisingly rare. (or maybe since I can't hack for shit, I'm just in denial and jealous of you all haha)

Brian here: I’m guessing by “exploit” you’re really referring to attack. If so, there have been cases of true “technical genius” but rarely do these make the news :) The issue with revealing some of these is simply divulging your sources and methods to the really smart bad guys that we’re all afraid of losing visibility on. But I will challenge your question with my own...What makes an expert adversary? Technical genius or the uncanny MacGyver-like ability to get things done whenever they want with the tools they have available? I’ve seen some very difficult adversaries who refuse to use nothing more than open source malware and macros. I’ve also seen some VERY technically savvy adversaries make really dumb mistakes and blow an entire operation.

I can't believe it's been 22 years already. It's like almost yesterday I was cracking RAV's protection for fun :) To Costin: Do you remember "rav prodigy " ? :)

Costin here. Heh, good times. What have you been up to lately?

After turning down an employment offer from your employer at the time (which in retrospect was NOT a good ideea) been working into reverse engineering some other ... stuff. Let me know where I can reach you directly, will send you an update.

Costin here. Can you drop me a message on Twitter? DM @craiu

Do you guys have time to play pokemon :D or some other games? Do you like mmo rpgs?

Juan here: I’m sure there are people in GReAT playing pokemon go, particularly with some latent Ingress fans. I don’t get a lot of time to play but like SC2 and Destiny. Brian and I have been playing some Overwatch on Xbox. And I may be slowly trying to make my way through Zelda (A link between worlds) on 3DS in different airport lounges...

Brian here: I do play with the Pokemons from time to time :) My wife hates it and honestly, I’m kind of a closet player. I’ll walk around the grocery store and hide my phone while I’m shopping. As for other games, when I have time, right now it’s all Overwatch. Before that, Fallout 4 all the way! And yes, I am a console guy. There is no PC Master race IMO.

Costin here. I don’t play Pokemon Go, but I play EVE Online. Minmatar ftw. :-)

Vicente here: Big Street Fighter IV fan, disappointed with SFV, and occasional SC2 player. Waiting for the new Mass Effect.

Do you guys play "thematic" computer games like Uplink or Hacknet?

Vitaly here. My job is my video game. Very realistic, 3D open-world with unexpected turns and hard problems to solve.

Why does Kaspersky getting so many false positive finds? And how can a programer avoid to get a false positive find. Example: HEUR: Win32/Generic

Costin here. AV-Test, who is one of the most serious testing organizations out there, performed a ]very thorough analysis](https://www.av-test.org/en/news/news-single-view/endurance-test-do-security-packages-constantly-generate-false-alarms/) of 33 computer security suites over a period of 14 months. One of the statements from their test is the following: “Enterprise software: only Kaspersky did an error-free job”. In other words, we were the only ones without any false alarms.

In general, Kaspersky Lab's solutions have one of the lowest false detection rates in the industry. More proofs here and here.

However, we realize that any security solution can have false alarms from time to time. If you are concerned about the product falsing on your tools, you can probably get them whitelisted through our program.

There's a question that's been really nagging me since this DNC thing started: is it really possible to say with "fair" certainty if that attack was a state sponsored Russian attack?

Juan here: Since this seems like a question of the possibility of attributing an attack, let me tackle it on technical terms. Basically, ‘yes’ and ‘no’. The problem with attribution (and the reason we say it’s hard) is that a lot of technical indicators can be faked or manipulated to throw researchers off the tracks of the real attackers. We will be publishing a paper on cases where this has happened (at a conference called VirusBulletin).

That said, it’s not to say that it’s a completely anonymous action. What researchers have been pointing to is the fact that the malware used is already known and clustered to two specific groups (which we call CozyDuke and Sofacy) that are known to be russian-speaking and employ known command-and-control infrastructure for these two groups. I understand the skepticism and how loaded the discussion can be but from the technical perspective that is pretty sound.

For more details – CozyDuke: [https://securelist.com/blog/research/69731/the-cozyduke-apt/]

Sofacy: [https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/]

Hey just saw this and was wondering since you had to work against such Malware as Stuxnet, did you ever encounter a similar version called Iron Gate? If so what about it is different from stuxnet and where did it originate from?

Costin here. Yes, we looked into IronGate and came to the conclusion it’s not related to Stuxnet. Our analysis suggests it was done as a student project then abandoned. It does appear to have been used in any real attacks, probably just a proof of concept or university project.

Are DOS viruses still a concern?

Costin here. Oh, good ole 300 bytes long boot viruses... :) Concern no, perhaps only for historians. There is however an heightened interest into Solaris and SunOS malware.

Why isn't the AV Manager that distributes updates called the Dispersky?

Vitaly here. Indeed, excellent idea! Meanwhile, earlier today heard from my Asian colleagues about "spear pissing attacks" (no offense, just an accent).

Hello. Do you check new employee with lie detector? In order to make sure that he or she was not involved in illegal activities such as malware coding?

Kaspersky Internal Encyclopedia here. During the interviews we can ask the right questions and, depending on the answers, we can definitely say if this or that candidate has ever been a malware author.

Vitaly here. Btw, lie detector is too expensive to have and operate. We prefer good old $5 wrench technology. (see https://xkcd.com/538/.

Juan here: I got the wrench a couple of times…

Vitaly here: Juan, this is classified.

Juan again: :X. In all seriousness, there’s a lot of trust involved. You have to be able to handle sensitive information and be motivated by the right mission, protecting users and understanding new cool threats. The vetting for GReAT is pretty stringent.

Does the "e" stand for eSports?

Vitaly here. No, sorry, please ignore, that was just a typo. :-P

Do you think Stuxnet was really developed by a guy who wore a yellow hooded cape around the NSA offices like the documentary Zero Days portrays?

Vitaly here. That was the most terrible image of a hacker that I have ever seen. I assume it was reconstructed through a number of distortions on the way. It probably made the guy (if he exists) laugh to a heart attack. I think Stuxnet was most probably put together by work of several people. They could be strange, could be anti-social but very focused on final objective. It was most likely fun for them, not just an order.

Brian here: Absolutely not. Everyone knows we only wear black t-shirts and shorts.

Vitaly here. ... and horse-heads.

How did you guys end up in this field? It's something that has always intrigued me

what are the necessary skills one would need to approach such a career?

Vitaly here. Curiosity drives most of us. In another science, lets say in physics, curiosity makes people explain and state the laws of physics. Other people come and try to break the model, find where it is weak, where it doesn't work. Some people break things to exploit the weaknesses and get illegally rich on the cost of other people's suffering. We share the same skills but feel that what is going on is not right and we can't sit still, we act to stop them.

To approach a career in infosec, get hypnotized by the magic you can do when a law of physics (or technology design) is in your control. Soon, you will realize that you are reading new type of books and Google stopped recognizing your profile by your search habits.

Vicente here: I believe this has been already answered in a couple of questions, but if you want a final advice from me, don't educate yourself only in technical stuff!

Learn how to write, speak in public; learn about history and politics; be interested in music and arts. This at least will make you a more complete person, and open your possibilities. Technology comes and goes, deep knowledge stays forever.

1) If your system has been compromised, using an encrypted email service will not save you, right?

2) How can we use android devices safely, while retaining our privacy when we have to connect them to a gmail account? (And google collects data).

3) Is there any messaging app for android that you use and that you know does not collect data?

4) IT security fascinates me but I don't have the expertise. How can we, normal users, contribute to a safer and freer internet?

Juan here: wow there! :) Alright, let’s see. I really love your first question because it reaffirms why I think we are working in the most important side of the ‘infosec problem’. Short answer: No, if your endpoint is compromised, using an encrypted email service will not save you per se. The more nuanced answer is that it won’t save you from an attacker using malware to have a presence on your device, it wouldn’t affect the fact that encrypted email (PGP for example) will keep your emails from being read in transit or in a breach of your inbox or that of the recipient. I say that we are working on an important part of infosec because security solutions tend to be built on the assumption of an uncompromised endpoint so designing and supporting software meant to secure your devices is not a trivial thing.

1. Jumping through your other questions since there’s so much to cover here: Android is a difficult platform to secure. If you’re concerned about privacy, a lot of the time your issues will come from excessive third-party app permissions and ‘games’ taking the liberty to lift whatever information they see fit. Those concern me more (personally) than the gmail integration itself.

2. As for messengers, we tend to play around a lot with different ‘secure’ messengers. I’m in no position to audit the crypto or implementation on these but some of us are currently testing our Wire. SilentText, Signal, Threema, and Wickr have been old favorites. I don’t know that I can promise that they don’t collect data, you’d have to ask them.

3. Please secure your accounts!!! Use a password manager and 2factor authentication. Attackers do a lot with the accounts they pop.

What do you think of pronouncing it cash-purr-sky?

Juan here: Better than my mom’s ‘caperki’...

Vitaly here: Meanwhile, Japanese pronouce "ka-su-pe-su-ki", Chinese say "ka-ba-si-ji", but my favourite was a delivery service bringing us a parcel for "Carpexcia" in the Romanian office.

How many Ukrainian APT groups you are tracking?

Do you aware of such Ukrainian groups as FalconsFlame, Trinity and Рух8? What malware they are use?

Brian here: While we don’t do attribution with our APT groups, there is one well known APT group that we published about in 2014 called Cloud Atlas. Bluecoat also wrote an excellent report on this inception framework associated with this group , and the majority of the community believes this team is potentially operating out of Ukraine. I am personally not aware of the other three groups you mention, but this may be due in part to different naming schemas that the industry uses.

1.Do you think sophisticated malware like stuxnet can only be made by governments or does any private organisation have those capabilities ?

2.the SC magazine had an article that said "Infosec is an industry that wastes billions of dollars on firewalls and policing network perimeters, things that “make us feel safe” but don't address real problems." (http://www.scmagazine.com/rsa-cyber-security-industry-is-fundamentally-broken-says-amit-yoran/article/451625/). do you agree with their statement ?

Juan here:

The real question here is what is considered ‘sophisticated’ and not. For the truly sophisticated and novel malware, particularly when it comes to specialized stuff like Stuxnet but also malware with special quirks and innovations like Flame breaking a crypto paradigm or Turla hijacking satellite connections for exfil for nearly a decade, it involves a level of research and investment that we consider beyond that of a normal merc team or script kiddies. I’m a big fan of Flame and I was particularly peeved by a semi-recent article by some professor claiming that the idea that Flame was state-sponsored is ridiculous because a talented grad student’s thesis showed similar innovation in cryptography and that person wasn’t a nation-state (Huge over-simplification of both our claim and his argument, but I think you get my point).

Now, that said, if you remove the term ‘sophisticated’, there are a lot of malware capabilities for hire (or download) that can and are being leveraged by private citizens and presumably organizations. They may not include Stuxnet’s PLC-altering magic but they are real threats and the entry threshold continues to get lower.

I haven’t read the SC magazine article but the sentiment isn’t a new one. There are legitimate complaints to be made of an industry drowning in marketing hype and I’m sure that some of it comes from the frustration of not having a clear and simple path to ‘solve’ the ‘security problem’. I like to think that it’s a confluence of forces that involves a huge talent gap, misplaced monetary incentives (low budgets, high ROI for attackers), and surely security products (the better of which are often misconfigured).

Good defense goes beyond blinky boxes to a more holistic security posture that includes security solutions for different levels of the organization but also talented analysts and dedicated administrators who aren’t asleep at the wheel. It should also include a heavy physical security component (people always forget about this –you should check out Deviant Ollam’s presentations where he opens a data center lock with a piece of discarded router packaging).

Have you guys already solved LabyREnth CTF challenges?

Brian here: OMG are they hard or what? Props to the Palo Alto folks for making my wife hate me for the last two weeks. Yes, I’ve been working on them and no, I haven’t finished them. It’s a slow burn for me in the evenings and I honestly don’t think I will get them all done by the deadline. After all, BlackHat is approaching and I need to get my liver in proper shape for next week. I would challenge everyone reading this to at least try level 1 for each track. You might surprise yourself.

What do you guys think about the Snowden movie trailer? :P

Costin here. I’ve seen the trailer and watched the movie development with interest. I’ve also watched Citizenfour and read the two books published around the story, “No Place to Hide” and “The Snowden Files” by Luke Harding. From these, I like Harding’s book the best. While Oliver Stone’s movie will probably be interesting and make the topic easier to understand for the general public, I don’t expect it to contain any major revelation.

Are there any new detection methods being developed or researched so that newer malwares can be detected and anti virus scanners are not dependent on malware signatures to detect them as it is not possible to obtain the signature of a newly coded malware. If so can you give us some insight on the new detection methods?

Juan here: All the time! This is why I love getting to sit down with our Anti-Malware Research guys and getting to discuss some of the results of our research, and getting to see that codified into new proactive technologies. Anti-virus as signature-based scanning has long been a thing of the past. Our products have a ton of different tech working together, a lot of it behavioral heuristics (the sort of thing that gets bandied about under new-age mathemagical terms like Machine Learning to great fanfare).

As for insights into new detection methods, I won’t give away the magic sauce but we’ve got something catching new 0-days used in-the-wild left and right ;) (before anyone snipes, these are all being reported to the vendors).

Hi guys,

Let's talk motivations. What's the thing that keeps you engaged day after day in malware research? I imagine each of you has a deeper or more individual reason than just "we keep APTs on their toes" -- is it being on the cutting edge of research, playing with the baddest viruses, or something else?

Psychoanalyze yourselves - Go!

Juan here: Oh man… you’ll get a different answer from each of us, I’m sure. And no one is dying to have a therapist session on an open forum but I’ll be as honest as I can hopefully without embarrassing myself. There’s a confluence of motivations. For one, I love working with brilliant people. Everyone in the team is smarter and more capable than I am in all kinds of areas. It’s a daily humbling learning exercise and a challenge that keeps me involved in my work. To that point, when you get stuck for some time and then make a major breakthrough, it becomes addictive and work life balance is a very hard thing to maintain (Hats off to the people doing this with kids and families).

Another thing worth mentioning is that I think the work GReAT is doing is of historical value. As a big fan of espionage literature and history, I don’t think there has ever been a time with private entities could inject themselves into a pocket of the espionage space and get to witness so much, understand so much, and shape that space to better defend a swath of targets. It feels significant and meaningful and that’s hard to let go of.

Vicente here: someone told me once “you will not have another job like this in your life” and I believe he was right. Not sure he meant all the implications that this phrase had on me during all those years, at least as I understood it, but for me doing interesting things in interesting times, and somehow be part of it, is what keeps me motivated everyday.

Should I install an antivirus on my Android smartphone? Are virus and malware a real threat on mobiles?

Costin here. I think mobile malware can be compared with an iceberg - there is probably a lot that we do not see yet. Even though the number of malicious programs for Android has been skyrocketing during the past years, most of them are adware and lockers. Our analysis of high end APTs such as Equation seems to suggest many threat actors have developed mobile implants, which means that sooner or later, they will be found - just like we found the HackingTeam mobile implants for instance. Running a security solution on your Android device will definitively help not just with protection against known threats but hopefully catching some new ones.

At the moment though, what are your predictions/instincts?

From what I gathered, the Android malware are mainly distributed from third-party stores and Google actually does a good job keeping the Play Store nice and clean.

However, tons of Android phones are out-of-date (thanks to all manufacturers, doing an awesome job at keeping us safe, e.g. Motorola): do you think we'll see massive infections one day because someone decides to abuse Stagefright and send a MMS to everyone on the planet?

You also mention APT (Equation): do these really represent a threat to a random Android user or just VIPs?

Costin here. What worries me the most is the uncontrollable usage of advertising libraries in Android “freeware”. Think that Flashlight app that requires internet connection, right? Nowadays, way too many applications are linked with standardized advertising libraries which allow the developer to make a quick buck. Many of the companies developing these libraries are getting sold left and right and what used to be a rather harmless advertising library can suddenly become the entry point of a sophisticated attack to tens of thousands of phones. In the future, I think threat actors will purchase companies that create advertising libraries and trojanize them with malicious code. This can be a much cheaper solution to compromising targets and it doesn’t require any sophisticated zero days.

On the other hand, massive attacks abusing something like Stagefright is not completely impossible, however, what we see nowadays seems to indicate the best attacks come from nation states, which prefer more focused approaches.

Hi!

I am a Sophomore in College studying Computer Science with a concentration in Cyber Security.

Do you have any advice on what you see as important fundamentals to know, in regards to the work you do?

What is the most helpful tip you could give a student?

Brian here: Focus heavily on learning C. Create code, compile it, then reverse it. You’ll learn quicker by seeing how things function when you have the source and assembly together.

Another piece to this job which often gets overlooked is the political situations in the World. A well rounded analyst should know about current events, conflicts, and overall motivations for major governments throughout the World. Watch the news every day. As for a tip, I’d say focus on school and not on working. That was my downfall. I wanted to make money and ignored the school work. That is a recipe for disaster. Oh, also, no means no. Seriously.

Hey guys, thanks for doing this.

I recently watched the documentary "Zero Days" about the Stuxnet virus, and some of the malware researchers who first discovered it said when they looked at it, they could tell it was developed by state actors, because that code must've required immense resources.

When we look at conventional weapons and militaries, measuring resources and power is more concrete. One can count the number of troops an enemy has, determine what percentage of their GDP is spent on defense, measure the power of their weapons and aircraft, and more.

How can security researchers look at the source code of a virus, worm, or any form of malware and say: "this would have required the resources of a nation state" ?

Brian here: Well in the case of Stuxnet, it was a bit easier as the malware was targeting specific equipment that really, only a nation state would have resources to test on at the time. In general, when looking at APT style attacks and determining if they’re possibly a nation state, there are many things that come into play. What information are they after? Who are their targets? How large is their C&C infrastucture? What does their ops team do when on a victim? Are they using malware that is only available to a nation state / intelligence organization? How many 0 days have they dropped lately? Are there signs in their code that lead to a massive development effort?

It’s a combination of MANY factors that lead one to make an educated guess on whether or not something is directly attributed to a nation state. An easier question to answer is typically “Is this nation state SPONSORED”. That is quite different from the first.

Have you found me yet? hahahaha

Vitaly here. We're just behind you. [ taps on shoulder with a horse-head ]

Is antivirus companies writing own viruses to have demand a thing or just a joke ?

Juan here: People who make this claim don’t understand just how much work we have on our hands. Kaspersky looks at around 320,000 unique malware samples a day. GReAT is tracking upwards of 100+ threat actors and campaigns at the same time. I don’t know when these people think we have time to code our own viruses.

Hi,

1) I would like to ask, if you are working on the prevention against Intel AMT rootkits that reside outside of the operating system, inside of the firmware of the hardware in a computer. Is there any prevention against such attacks?

An example of such rootkit was presented in this talk:

Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [30c3]

2) How much did polymorphic malware evolve since the early beginnings? Is it much harder to detect such malware today? What kind of techniques does such malware use?

3) Could you comment on the Project Zero findings of the problems with unpacking of the executables?

Thank you.

PS: I love reading your malware reports and your work in general <3

Costin here.

1. Oh, AMT / SMM rootkits, dayum. I’ve been looking around for a CPU without AMT/SMM but sadly, they are not easy to find. The problem is so deep at core that I’m afraid there is no good solution to defend against these; only to switch to a platform that is just one honest CPU, with predictable behavior. I for one, would be happy to pay more for an “honest, no AMT/SMM” CPU system, how about you?

2. Looking back, Polymorphic malware has become easier to detect. Some of the stuff from the golden years such as Zhengxi or most the malware created by the 29A group was infinitely more complex to detect than 99% of today’s trojans. But 29A disbanded and most of the people stopped writing malware (got married, have kids, got a job). At the same time, most polymorphic malware was self spreading viruses, which today are a minority compared to trojans. I remember an article quoting a discussion between two virus writers, talking about a colleague: “Q: Hey what happened to X, he hasn’t written a decent virus in months. A: Oh, you haven’t heard? He’s got a girlfriend now, soon to get married”. :)

3. All I can say is that we’re grateful to Tavis for his work and we’re also working harder trying to fix everything he finds. :-)

And thanks for the <3! :-)

Three of the most common things I hear about Kaspersky:
1) Some reports state they believe your detection rates are so high due to you writing new malware yourself, and release it into the wild.
2) Some reports state your detection rates are higher than competitors because you reverse engineer their code, and then write malware they can't detect, and release it into the wild.
3) Some reports state you have a very high detection rate for malware, yet rate low against malware based out of Russia.

What are your thoughts on this, and do you think the Cold-War way of thinking has impacted your scrutiny?

(Edited for numbering and formatting)

Brian here: OK, so I’m hoping this isn’t a troll, but either way, I’ll try and answer these:

1. We do not write malware and release to the wild. If we did, I’m fairly certain we would be in jail by now. In fact, we don’t even hire people who have written malware in a previous life.

2. Again, we don’t write malware. Also, I’m not aware of us “reversing” competitors’ code. In fact, we have a very good relationship with many of our competitors out there and work very closely with them when we have advanced attacks and malware we are analyzing.

3. I would challenge that by referring you to our detections and reports on groups such as Sofacy, Turla, and other traditional Russian speaking groups. We have published many reports about these groups and will continue to do so. An adversary is an adversary. We don’t differentiate based on origin. We’re here to protect everyone.

Kasper subreddit exists?

Vicente: At the moment it doesn’t, but we aim to give the people what they want :) If you want to get in touch with us, you are always welcome to contact us using Twitter or Facebook.

How do you feel about hitman pro? Personally I don't think there's a better tool for removal.

Costin here. According to their page, “HitmanPro leverages its "security from the Cloud" infrastructure which also contains malware databases from other virus labs, like [...] Kaspersky Lab.”

Personally, I’d just stick with the source and use Kaspersky Internet Security. :-)

Could the idea of quantum computing cause problems with encryption in the future ?

Vicente here: Definitely, quantum computing could be used to break the mathematical roots that encryption is based on, basically factorize prime numbers. When we have quantum computers able to do that on an efficient basis, we need to find a different way to do encryption. Encryption works now because you can't do that with current computers in an efficient way (less than the age of our universe and such).

Why do you think it's possible to publish unbiased threat research from Russia, which has been extremely tightening speech laws (especially lately)? I surely wouldn't think of you guys as able to give realistic insight into something like the DNC hack without being victim to scrutiny from the Russian government. Is this also why you don't ever try to do attribution of attackers? Are you afraid you'll point out that a hack is obviously done by the FSB or GRU and get harassed or arrested?

Juan here: Well, for one, I’m in Miami. The question of attribution is not a simple one and I’m not just saying that as a cop out. Brian and I will be releasing a paper later this year (at Virus Bulletin detailing a lot of the ways threat actors are already manipulating attribution indicators to mislead researchers. It’s an issue we’d prefer to sidestep entirely. The team is global, I’m sure we are ruffling some feathers worldwide but no one has interfered with the integrity of our research or our ability to do that.

Vitaly here: We are not afraid to call names if we find them, but we deal with professionals on the other side, the masters of deception. Here is an article for more details on how we do detailed APT research.

I run my home PC without any protection at all and have never had any issues. How crazy am I ?

Vitaly here: I drive my car without safety belts and I haven't died yet. How crazy am I?

Brian here: I would say you’re approaching Icarus crazy. Put some AV on there dude! Or just get a Mac and then install anti-malware protection :). I joke about Macs but you should know there are documented attacks on the Mac platform.

From your perspective, how much of a threat are malware crypters/packers today? Both to the average person and to a professional organization.

Brian here: I will say that packers and other obfuscation techniques are becoming more and more common in APT style attacks.

Traditionally, mainly the commodity malware would use this, but I think the APT actors are starting to realize that it’s a PITA for those of us who dig into this stuff on a daily basis. To combat this, most AV technologies are moving more towards heuristic based detections, as malware eventually needs to do a certain number of “things” to be successful. If you can write rules based on the behaviors and not as much on the static signatures, you will be more successful.

Combining this technique with sandboxing processes usually takes care of most of the stuff out there. That said, it is a full time job keeping up with every little packer released.

What do you think of the tv show Mr. Robot? Is such a hack possible in real life?

Hi! Already answered, please check top comments :)

Let's be honest, Americans wrote and deployed Stuxnet?

Costin here. Kim Zetter spent about 5 years researching Stuxnet and Duqu and trying to find a good answer to your question. I’d say her book “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon” is a good place to find an answer.

Do you foresee any technology that will have significantly decrease virus threat (beside antiviruses themself)? Maybe some changes in OS architecture, HW assistance like Intel SGX, Android style apps in VM etc

Brian here: Ah...The Holy Grail of malware research! While this would be an awesome technology to have, I don’t forsee any one thing taking care of this problem. I do think, however, that a combination of technologies working together can significantly hinder the problem. Things like Sandboxing processes, requiring certificates for binaries, heuristic detections, integration with threat intelligence, etc. would be a start. Thin clients / virtual infrastructures also help a lot.

I'll get straight to the point... When will you fix your drivers?

I have several KIS licenses and they've proven to be useless, just money down the drain each day I'm unable to use them despite my active subscription...

Soon after I installed KIS, I purchased and installed Sandboxie... guess what I found out...

For Windows 8/8.1 & Win 10 -KS 2015 and 2016 is not compatible with Sandboxie. Kaspersky must NOT be installed, otherwise Sandboxie will not work.

http://www.sandboxie.com/index.php?KnownConflicts#Antivirus Do you realize how it looks when your software isn't compatible with a major/popular security solution?

Furthermore, I've always installed and used AdGuard on all my computers, but soon after I installed KIS, I started getting freaking BSODs... and AG also pointed your way.

I'm starting to see a pattern here and it isn't pretty... For a famous company with a long history like yours, this is just very disappointing (to say the least)...

Brian here: Sorry to hear about this but honestly, this isn’t the right venue for that question. I’d rather talk about catching Pandas, Bears, and Eagles to be honest.

Juan here: Agree with Brian. That said, I’m unfamiliar with sandboxie but if the premise of that security solution is to isolate the software from the OS then perhaps it’s not surprising that it would interfere with software meant to monitor, detect, and remediate what malicious software does to your OS and files. I’m glad you’re so concerned for your security and won’t dissuade you from a good security posture, some things just aren’t meant to mix.

Advice for everyone heading to Rio for the Olympic, other than Zika virus? :)

Juan here: Use a condom. We have our own brand :)

Other than that, we have published already some useful tips for you if you want to stay protected for the upcoming Rio games here and here.

You should be extra careful when in crowded places and make sure your computer doesn’t connect to untrusted networks. Also, be extra careful when you use your Debit / Credit card to pay and make sure nobody sees your PIN. We expect there will be higher credit card cloning threats than usual, so our advice for you is:

Never have all your money in one bank account

Make sure your card you use to make daily payments has a small amount of money. Use a different account to keep keep your money in, without any cards attached to it.

When you want to make a large transaction, transfer the money into the card account using online banking

Check your the bank statements monthly.

Travel safe and stay safe!

Edit: formatting