Dec 11, 2010 11:30 GMT

Kaspersky Lab is one of the anti-virus companies that helped pioneer many of the malware detection methods and protection technologies now used by the entire security industry.

The vendor's security researchers are always on top of the latest threats, helping the company stay ahead of the game. So we saw fit to put our questions about malware trends and antivirus technologies to Mr. Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, who was kind enough to answer them.

Softpedia: For a while now, several vendors, including Kaspersky Lab, have been offering vulnerability scanning in their products. These components check whether there are unpatched flaws in the operating system and installed applications. Do you gather and organize vulnerability data on your own, or have you partnered up with an established vulnerability intelligence/management vendor?

Costin Raiu: We have a partnership with Secunia, the Danish computer security service provider, best known for tracking vulnerabilities in software and operating systems.

Softpedia: A lot of malware is distributed today by exploiting vulnerabilities in outdated installations of popular software like Java, Adobe Reader and Flash Player. Since most users have shown an inability to keep their programs up to date on their own, have you considered offering opt-in automatic or silent updates for the most attacked applications through your security products?

Costin Raiu: Kaspersky Lab’s security solutions can scan for vulnerabilities inside installed software and also notify the user if updates are required. A silent update feature would be much more difficult to implement because it requires a partnership with the application vendor, and not all vendors are open to such cooperation.

Additionally, this could interfere with the program’s own update function. At the moment, we are thinking about the issues of implementing this, but due to various reasons, probably not in an automated or silent way.

Softpedia: We noticed that Kaspersky Anti-Virus 2011 has a Proactive Defense option enabled by default, which defines digitally signed applications as trusted. Since malware signed with stolen certificates does exist, can you explain your reasoning behind this setting? Does the program have its own whitelist of trusted digital certificates which you can modify if any becomes compromised?

Costin Raiu: Yes, Kaspersky Anti-Virus 2011 includes a whitelist of trusted programs, based on their digital signature and vendor. But this doesn’t mean that certain initially trusted software is allowed to conduct suspicious activity without being “questioned” or blocked by the security solution.

Additionally, Kaspersky Lab 2011 generation products include a feature called System Watcher which monitors all system events in full – creation and modification of files, system calls and changes to the system registry.

Thanks to constant monitoring of a program’s behavior, Kaspersky Lab’s protection solutions detect any type of malicious programs, both known and new. The majority of unwanted changes to the system made by malicious programs can be rolled back with just a few mouse clicks.

Softpedia: One of the most prominent pieces of malware with digitally signed components is the Stuxnet industrial espionage/sabotage worm. We know Kaspersky Lab played an active role in its analysis. Do you believe it to be a cornerstone in the evolution of malware and do you think similar threats are to be expected from now on?

Costin Raiu: For sure, Stuxnet marks the beginning of a cyber-war era, a milestone in malware evolution and not only because of its complexity (exploiting 4 zero-day Windows vulnerabilities), but also because of the logistics behind it.

For example, Stuxnet couldn’t have been created without massive support, both financial and technological – a zero-day vulnerability in Windows, such as the ones exploited by Stuxnet, costs about $250,000 on the black market. So, 4 vulnerabilities result in a virus worth at least $1,000,000.

It is highly probable that we will see similar cyber-attacks in the future, and companies, institutions and other organizations must be prepared for such critical situations and know how to defend themselves. Romanian readers who want to read an article written by me about this topic can click here.

Softpedia: There's been a recent example of malware targeting both Windows and Mac users. Do you think cybercriminals looking to expand their reach will drive the number of cross-platform threats up in the near future? How about on mobile operating systems, like Android?

Costin Raiu: Cybercriminals tend to target operating platforms that are becoming very popular among users – Mac OS has increased its market share in recent years, and the Android mobile operating platform is also more and more popular. Thus, wherever there is a chance to exploit and extract money from users, cybercriminals will not be afraid to explore. Cross-platform threats will become even more popular in the future, and mobile operating platforms will also have to deal with cyber-attacks.

In August this year, Kaspersky Lab identified the first Trojan targeting Android-based mobile phones. The malicious program penetrates smartphones running Android in the guise of a harmless media player application. Users are prompted to install a file of just over 13 KB with the standard Android extension .APK. Once installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

This is clear evidence that cybercriminals are beginning to explore the new possibilities offered by operating platforms with the potential to become very popular in the near future, such as Android.

Softpedia: Users tend to trust antivirus vendors, which puts them in a unique position to offer a range of complementary services. Some AV companies already provide things like secure online storage, but in a world where people increasingly use the Internet on the go through public wireless networks, we think that secure VPN services would benefit users a lot more.

We can imagine a day when your antivirus product automatically detects if an insecure connection is being used and offers to enable the secure VPN service offered by the AV vendor. Have you considered anything like that for the future?

Costin Raiu: Yes, we are also preparing some new services for our users, but we cannot give any further details, as the new features have not yet been released for testing.

Softpedia: A lot of attacks are launched from compromised websites, but instead of just blocking them, AV companies could be more proactive and help webmasters react faster. They could allow website owners to be notified whenever AV installations detect something on their site, especially since most vendors already collect such events from their user base.

There's also a commercial potential in website integrity monitoring services, where paying sites would get scanned for infections every few hours or daily. Are you considering any such services?

Costin Raiu: Actually, we implemented a similar service in Romania. It’s a partnership we signed with trafic.ro, under which we alert webmasters of websites subscribed on www.trafic.ro if, by any chance, their page is infected or is distributing malware.

Our scanning system is called PatroKLes and gives us the possibility to verify web pages in search of malware or unwanted content. The partnership was established in January 2010 and it is the first partnership of its kind ever signed in Romania.

PatroKLes scans over 1000 of the most popular websites subscribed on www.trafic.ro at least once a day and the rest of the websites are also scanned regularly.

Softpedia: The free antivirus market appears to be growing rapidly. According to estimates, the three biggest players, Avira, AVG and Avast, have between 300 and 350 million users combined, and some of their free products are already on par with or even better than some commercial solutions.

It's fair to assume that part of this growth is done at the expense of traditional commercial-only vendors, who are increasingly losing subscriptions. Does this affect your company in any way? What are your thoughts on the freemium business model?

Costin Raiu: No, this doesn’t affect Kaspersky Lab’s business and we do not intend to distribute freeware in the future, because this is not our policy when it comes to IT security.

But let me tell you a few things about free security solutions. There are two types of such security suites: freeware that provides “essential” security (Microsoft Security Essentials, for example), not full protection, and limited versions of commercial products (AVG Free, Avira Free, Bitdefender Free Edition).

The differences between free security solutions and commercial ones are multiple – freeware that offers only “essential” IT security is designed to offer protection only against the most widespread malware, databases are updated only once a day, not hourly, and the protection offered does not cover multiple levels (heuristic, behavioral etc.) besides signature-based protection. Some of them don’t even offer real-time protection, but only the possibility to manually scan for malware.

Free versions of commercial security software come with limitations, such as not cleaning the entire system or giving only the possibility to scan for malware. They don’t have a local component or invade the user’s desktop with adware to make them buy the full version. For any type of solution, the user pays, one way or another, and in most situations the price may be much higher compared to buying a commercial license. An infection can even cost up to the sum of 10 security solutions.

Generally, antivirus companies invest a considerable amount of money in research and development, continuously improving the technologies used inside their products. The same goes for Kaspersky Lab, which has over 50 patents pending in the United States, China, Russia and Europe, patents that cover a large area of new technologies developed by the company’s specialists.

Thus, you can easily tell that companies that deliver free antivirus products do not possess the same expertise and the technologies they use do not provide the same advanced protection as in the case of commercial antivirus products.

For a free antivirus product, users do not get technical support and some protection modules that are very useful when browsing the net do not exist (anti-phishing, anti-spam, parental control, Safe Run, vulnerability scan and so on).

Softpedia: On the same note, not only do free antivirus vendors dominate the consumer market, but some even threaten to expand into the small office/home office (SOHO) sector.

Since the beginning of October, Microsoft Security Essentials (MSE) has been available for free to small businesses with ten computers or fewer. What do you think was Microsoft's reason for this move? Do you see any impact on antivirus sales in this market segment if others also adopt the same idea?

Costin Raiu: As I said, “essential” security does not mean advanced security, and this is compulsory when you are a business, even a small one, because the losses can be much bigger in the case of a company compared to a home user – we are speaking about confidential information, data and financial transactions. So, it is very risky for a company to just secure its IT infrastructure with a free security suite.

In 2009, a report from the FBI showed some real figures regarding cyber-fraud. Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud. The article is available here.

So, it is not a question of me, as a business, to save some money and install a free security suite, because I might lose 100 times more money if I’m a victim of cybercrime. Targeted attacks are very popular nowadays (see the Google case from the beginning of the year – Aurora operation), so companies must be aware that anything is possible when it comes to IT security.

Softpedia: Adobe recently released sandboxed versions of its Adobe Reader and Acrobat products, which promise to make vulnerability exploitation a lot harder. A native sandboxed PDF viewer will also be introduced in Google Chrome 8, and a sandboxed Flash Player is scheduled to land in version 9 of the browser.

Do you think such initiatives will drive sandbox adoption by other vendors in upcoming years? Is this technology a practical way of dealing with critical vulnerabilities?

Costin Raiu: Indeed, it is a very good initiative. During 2010, vulnerabilities in Adobe products have topped the charts and still remain some of the most used methods for criminals to get access to users’ computers.

The sandbox in Adobe Reader and Chrome will no doubt help decrease the number of successful attacks, at least until cybercriminals develop ways to bypass them as well.

Softpedia: This year there's been a lot of attention towards cloud-based (server-assisted) malware scanning technologies, with several new products that leverage this technology being released. What is your opinion about this relatively new concept?

Costin Raiu: Yes, the buzzword of this year has been “cloud technology,” with users and IT specialists seeing the real benefits behind it. Cloud computing can be an effective method of increasing the performance of a number of IT security tasks closely associated with protecting users.

First of all, cloud computing allows parallel data processing, i.e. it is ideal for tasks which can be divided into several parts and processed simultaneously, thus getting quicker results. This is crucial for current antivirus products.

In order to analyze a suspicious program, it must be checked against lists of malicious and security software as quickly as possible. If this does not yield results, it must be compared to the signatures of known threats, its code must be scanned for dangerous instructions and its behavior must be examined in an emulator.

All of this research can be performed in parallel. Some processes can even be divided into smaller parts, for example, database searches. Cloud analysis has a great advantage over local analysis as it allows all of the required detection technologies to be used, having first distributed them between several computers, thus providing faster and higher-quality research.

Softpedia: Can cloud computing improve antivirus performance and detection considerably? Do Kaspersky's products currently make use of the technology? If not, are you considering it?

Costin Raiu: Kaspersky Lab has implemented cloud-based technology in its products since 2008 – our service being called Kaspersky Security Network (KSN). Cloud data processing is ideal for reducing the load on a local machine. This task – reduction of resource usage – is important for antivirus developers.

Data processing using cloud services also contributes to the accumulation of extremely valuable information. This feature is very important in combating IT threats. The harvested information is necessary for the immediate neutralization of known threats, as well as for the detailed analysis of new malicious programs and the development of antivirus solutions.

There must be a continuous exchange of data between the cloud and the numerous local machines running security products. Local computers provide information about current threats which are analyzed and neutralized using the cloud’s enhanced computing power, providing a continuous stream of information.

Should a new threat appear on just one local machine, protection could be developed immediately and delivered to the other computers connected to the cloud. The bigger the cloud in terms of the number of local machines connected to it, the higher the security level.

Kaspersky Lab’s antivirus products incorporate all of the above-mentioned advantages of cloud computing: rapid, deep, parallel data processing, reduction of load on local computers and constant accumulation of valuable information about IT threats.

The company uses its own reliably protected cloud containing distributed resources connected by fast communication channels. The cloud includes several reputational database services that are accessed by Kaspersky Lab’s protection solutions, the Kaspersky Security Network being one of them.

The information about malicious programs, spam, phishing resources and other threats, as well as about safe programs, is processed and accumulated in the cloud. This information allows Kaspersky Lab’s solutions to provide full control over suspicious programs on users’ computers without impeding the operation of a user’s safe software.

Suspicious programs are checked against a list of malicious and trusted software. This scanning system is based on digital imprints, a much faster method than signature-based scanning, not to mention more complex behavioral analysis methods, with information about an application’s hazard rating being delivered to a user’s computer via the Internet almost instantaneously.

The use of information from the cloud, in addition to detection results from local machines, minimizes the number of false positives. The response time to new threats also decreases because the cloud service immediately receives information about any newly emerging threats, analyzes them quickly, develops the necessary protection tools and delivers them to users’ computers.

Kaspersky Lab is a pioneer in cloud security, with the company’s cloud having the capability to perform threat monitoring on a global scale. For example, as of August 2010, the number of Kaspersky Security Network participants exceeds 50 million.

If you want to read more about how cloud technology is used inside an IT security solution, you can access this link.
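The staged analysis Raiu describes in the two cloud answers above (a cheap "digital imprint" lookup against trusted and malicious lists first, the slower signature and instruction scans run in parallel only on a miss, and a new verdict fed back so every other connected client gets an immediate reputation hit) can be sketched as a small Python model. This is an added illustration, not Kaspersky code and not a description of how KSN is actually built; the SHA-256 imprint, the samples, the signature and the heuristic pattern are all constructed for the example.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

# Constructed samples standing in for files submitted by local machines.
GOOD_SAMPLE = b"MZ\x90\x00constructed-benign-editor-v1"
BAD_SAMPLE = b"MZ\x90\x00constructed-trojan\xe8\x00\x00\x00\x00\x5bpremium-sms"
NEW_SAMPLE = b"MZ\x90\x00constructed-unknown\xe8\x00\x00\x00\x00\x5b"

def imprint(data: bytes) -> str:
    """Digital imprint of a file; SHA-256 is an assumption (the interview names no hash)."""
    return hashlib.sha256(data).hexdigest()

# Reputation lists held "in the cloud" and shared by every connected client (constructed).
TRUSTED = {imprint(GOOD_SAMPLE)}
MALICIOUS = {imprint(BAD_SAMPLE)}

# Constructed signature of a known family and a constructed instruction heuristic
# (a call $+5 / pop sequence, i.e. code locating its own address at runtime).
SIGNATURES = {"Constructed.SMS.Trojan": b"premium-sms"}
HEURISTICS = {"self-locating-code": b"\xe8\x00\x00\x00\x00\x5b"}

def reputation_lookup(data: bytes):
    """Stage 1: the cheapest check, a hash lookup against the shared lists."""
    h = imprint(data)
    if h in MALICIOUS:
        return ("malicious", "reputation")
    if h in TRUSTED:
        return ("trusted", "reputation")
    return None

def signature_scan(data: bytes):
    return [name for name, pat in SIGNATURES.items() if pat in data]

def instruction_scan(data: bytes):
    return [name for name, pat in HEURISTICS.items() if pat in data]

def classify(data: bytes):
    """Reputation first; on a miss, run the slower scans in parallel and combine."""
    verdict = reputation_lookup(data)
    if verdict:
        return verdict
    with ThreadPoolExecutor(max_workers=2) as pool:
        sig_job = pool.submit(signature_scan, data)
        heur_job = pool.submit(instruction_scan, data)
        sigs, heurs = sig_job.result(), heur_job.result()
    if sigs:
        # A confirmed detection is published to the shared list at once, so the
        # next client that sees the same file gets a reputation hit instead.
        MALICIOUS.add(imprint(data))
        return ("malicious", "signature:" + sigs[0])
    if heurs:
        return ("suspicious", "heuristic:" + heurs[0])
    return ("unknown", "no-match")
```

A "suspicious" verdict is deliberately not published: in the pipeline the interview describes it would go on to emulation, which this model leaves out.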