Mar 12, 2011 11:52 GMT

Last week we had the chance to sit down in Prague with Mr. Ondřej Vlček, chief technology officer at Avast Software, and ask him some questions about the company's new product line, avast! 6, as well as their plans for the future.

Fortunately, Mr. Vlček was generous with his answers and revealed quite a few products the AVAST team is currently working on. Some even managed to surprise us, but we'll let you discover them by reading the interview. We hope you'll enjoy it.

Softpedia: It's clear that the Web is a major attack vector and a lot of malware today is distributed via drive-by download attacks that exploit vulnerabilities in outdated software. Some antivirus programs have already begun warning users about outdated software. Are you considering a similar approach? Even up to the point of delivering updates for most attacked software yourself?

Ondřej Vlček: I think this is actually a requirement. I mean, we wouldn't include a solution that just warns users, because for many of them such a report wouldn't be that helpful.

Softpedia: But you could provide download links for the updated versions.

Ondřej Vlček: Yes, but the more software packages you support, the more complicated it gets to maintain the links. With no actual help from the software publishers it's a difficult thing to do. However, I agree that if we had a solution able to download and install updates as soon as they are available, then it would be helpful for our users. So, that's something that we are considering for the next versions.

Softpedia: There's a lot of discussion right now about attacks on unsecured public wireless networks. This isn't something new, but recently things got a lot simpler for wannabe attackers with tools like Firesheep.

Nevertheless, it would be nice for antivirus products to detect automatically when users connect over insecure networks and offer them 10 minutes or so of free time on an encrypted VPN. Those who want unlimited time can pay for a subscription. Are you considering a service like that?

Ondřej Vlček: Yes. Definitely. It's probably not going to be how you said, 10 minutes free and then paid, because I don't know if 10 minutes would help much, but we are coming with a personal VPN product that basically does exactly this. You can connect to a remote VPN server and tunnel all communications through an encrypted channel.

Softpedia: Would this be a commercial product?

Ondřej Vlček: This must be a commercial product. I mean, it's an expensive infrastructure. It's not only the bandwidth, but also the CPU. If you use strong encryption then you can't really have too many clients on the same server because it's very CPU intensive.

Softpedia: But, a lot of users connect from airports, parks or libraries and just want to check something quickly, send an email or update their Facebook status. I think 10 minutes free would be enough for that.

Ondřej Vlček: Either free or commercial, I agree that this technology is needed. There aren't many VPN services in the mainstream and I think it's useful for cases like this and also for people traveling to areas with Internet restrictions. You have thousands of businessmen traveling to China every day who need to get to their Gmail and websites and a VPN solution helps with that.

Softpedia: What about a password management service like LastPass? It works as an encrypted container controlled with a master password. There are extensions for all browsers and it can also be accessed online if you're not at your computer. Are you looking into this sort of thing?

Ondřej Vlček: Yes.

Softpedia: When can we expect this?

Ondřej Vlček: Probably sooner than you would think.

Softpedia: Last time we spoke you said Android malware will take off and it kind of did. There were trojans released in Russia, then China, and now it seems the problem has reached global proportions. Google recently pulled 50 infected applications from the Android Market. Are you preparing a product for this platform?

Ondřej Vlček: Yes. We are working on this. It will take slightly longer, because we want the product to provide more than just on-demand scanning. We're trying to come up with a product that provides proactive security, so it will prevent bad code from being installed or executed. We expect this to be ready later this year.

Softpedia: Will it be for Android only or are you looking into other mobile platforms as well?

Ondřej Vlček: So far we only focus on Android, because that's definitely the hottest mobile platform in terms of security.

Softpedia: There's been a lot of talk about threats like Stuxnet which are technically sophisticated, but also extremely targeted. Meanwhile, old techniques like spear phishing are being used to deliver advanced persistent threats (APTs), malware designed to steal information from government agencies and corporates. What solution do you see to this problem? Not only to APTs, but also all banking trojans that appeared after the crackdown on ZeuS last year.

Ondřej Vlček: For corporations I think it's meaningful to start thinking about whitelist approaches. I'm not saying that's something normal consumers could use, but corporations, definitely. For consumers I think the trend in the AV industry in the last few years has been towards reputation-type services.

The idea behind reputation is that things used by a lot of people are more trusted than things used by just a few. Those targeted threats are usually encountered by very few people, because they don't have a sufficient distribution.

For example, Stuxnet was after centrifuges in Iran. Obviously, outside of those systems you won't see many instances of Stuxnet and that means its reputation will be pretty poor because no one knows what it is. Something like this can be very useful against targeted attacks.

Softpedia: So, companies should whitelist what is used on their systems and consumers should use something like your auto-sandboxing approach. If it's an installer no one has seen before then execute in the sandbox?

Ondřej Vlček: We have a bunch of initiatives for reputation-based detection. We rolled out WebRep, which is basically reputation for websites. The AutoSandbox is also connected to this data. As to file reputation, that is also something we have under development and basically categorizes files based on their prevalence.

These solutions are an alternative to the traditional way of finding malware. They take a more holistic approach, monitoring the whole community and trying to find stuff that is just different from the standard.

Softpedia: There have been several new versions of master boot record (MBR) rootkits discovered last year and in particular one that targets 64-bit Windows, TDL4. Some antivirus products still have trouble detecting these. How is avast! handling them?

Ondřej Vlček: I think we are doing very well. Our Anti-Rootkit engine is based on GMER. It's a product developed by someone also named Gmer (Przemyslaw Gmerek). He is a person that really spends his time analyzing rootkits and during the last year his research was mainly about MBR rootkits.

He is constantly improving the anti-rootkit engine in avast! and in version 6 we added even more proactivity for the MBR. As far as I know, we are doing a very good job at detecting and removing all TDL rootkit variants, including the 64-bit one.

We also have a stand-alone tool that is not part of avast! and is called aswMBR. It's a small tool, 300 KB large, that anyone can download from our website. It scans for MBR rootkits and is able to remove them, so anyone can use it. It's completely free.

Softpedia: Mac malware is also starting to take off. Just recently there's been a Mac RAT trojan announced.

Ondřej Vlček: Yes, we see more of these. We definitely see more malware, more attacks, on the Mac platform and the Mac browser, Safari. And also malware distributed as .dmg installation packages. It is slowly taking off.

Obviously, it's nowhere near as big as Windows malware, but the potential is there. Right now, worldwide, Mac OS is probably still below 10% of home computers. On the other hand, I think, statistically richer people tend to buy more Macs.

I think I've seen some research somewhere based on family income showing that Macs are more prevalent in richer families. So, attackers might have a monetary interest, like going after people with more money so they can steal more from their credit cards, etc.

There is definitely a change and we will be releasing a new Mac product quite soon. The beta should go out in just a few weeks and it will be a free product that will provide like real-time protection.

Softpedia: What protection components will it have compared to your free Windows product?

Ondřej Vlček: Most importantly, it will have a full-featured Web Shield. It's an HTTP proxy independent of the browser. It scans all scripts, all iframes and all binaries that get downloaded and is able to stop all malicious sites, including the already blacklisted ones, of course.

Then it has a Mail Shield which is basically an SMTP/POP3/IMAP filter. It's a network filter. We configure the built-in Mac firewall so that it's transparent to the user. It works automatically by changing rules in the firewall.

We also changed our File System Shield that basically provides real-time on-access protection for local files. So, these are all sort of equivalent to those in the Windows product and should keep Mac OS users safe.

Softpedia: Does it also detect Windows malware?

Ondřej Vlček: Yes. The engine is shared. For the Android product this is not the case. We don't want to have a full engine or database. We don't want to detect Windows or old DOS viruses on Android. There's no point, because these devices are small.

Softpedia: Last time we spoke, before avast! 6 came out, you said there will be some cloud-based improvements in the product. Can you describe them?

Ondřej Vlček: Yes. WebRep, for example, is a completely in-the-cloud solution. It doesn't have any local data at all. This is the first attempt on our side to build a cloud-only solution.

Besides that, we have a cloud for the behavioral shield sensors. All data gathered by the behavioral shield is uploaded to it, where it is processed and then pushed back to the client. Even things like the AutoSandbox logic are able to make online lookups to this cloud.

This is actually just the beginning. We have a flexible architecture so we can update it by means of virus definition updates at any time. Now we are working on the server backend systems to implement file reputation services and things like that. But for now, in version 6 we don't do cloud file scanning yet.

Softpedia: Anything that is community-based can be abused. One prominent case was when members of 4chan gamed the 2009 TIME "Most Influential Person" vote. If a group like that would want to skew the WebRep results for a popular website, do you maintain a whitelist that would prevent them from doing it?

Ondřej Vlček: There are a few things here. One is that we have some stuff built into the system that will hopefully allow us to detect and prevent gaming of this type. But you can never assume it's completely safe even with these precautions.

Another thing is that WebRep isn't really blocking anything at this moment. It's really just a recommendation thing. We don't block sites that get bad ratings. It's a supplement to the scanning engine. So the impact is not so big. Although, I'm not saying that moving forward there won't be ways to disallow access to a website with poor reputation.

Third, we try to be quite clear about what WebRep is. We don't say the ratings are coming from us. It's a platform for our community members to communicate with each other. If the community decides this site is poor then it's the community's opinion. You, as an individual, can take this opinion as something you either agree or disagree with. It's a recommendation, nothing more.

Also, there are categories of sites that will always be controversial, like religious sites, political sites, fan clubs, etc. Religion, for example, is not a topic where you can make everyone happy. There will always be a bunch of people who vote green and a bunch of people who vote red and in these cases WebRep is probably not going to be very useful.

Softpedia: Have you had any contact with Microsoft regarding Windows 8? Have you seen any technology preview?

Ondřej Vlček: Not yet. We have something scheduled for this spring. Hopefully we will get our hands on an early build and find out what changes break things, so we can modify the code to be ready when the product ships.

Softpedia: But do you know of any changes that would be beneficial for security?

Ondřej Vlček: No. We only have the public information. We haven't really been given any private details yet.

Softpedia: What do you think about the SmartScreen application reputation in Internet Explorer 9 and is IE9 more secure than IE8 overall?

Ondřej Vlček: It's a difficult question because it's not even shipping yet. The expectations are high, but I haven't really done any tests. There are some good reasons why IE9 should be more secure, but how it will work in practice I can't comment on right now. We will see. It has some neat features, but time will tell.

Softpedia: How about browsers in general? Do you have a preference, security-wise? Do you see one browser more secure than the others?

Ondřej Vlček: I recently started using Opera 11. I like it. Again, we haven't really done any low-level analysis that would show which browser is more secure.

I still believe that most of the browsers today are among the best pieces of software because they have been closely scrutinized already. I mean, there's been so much emphasis on their security that all of them are very secure already.

It's mostly the plug-ins and the PDF readers that are now more vulnerable than the browsers or the OS. I'd say the frequency of really critical vulnerabilities in browsers is going down, which is good.

Softpedia: Last year, the FTC called for a uniform behavioral tracking protection solution to be implemented in browsers, but every browser maker went ahead and did its own thing. Mozilla implemented a Do-Not-Track header, Google released a Chrome extension that adds anti-tracking cookies, while Microsoft's implementation relies on domain filter lists, which are supposed to be maintained by digital rights and privacy groups, etc.

Users can subscribe to those lists and IE9 will prevent the corresponding websites from setting tracking cookies. Do you think providing such lists is something that antivirus vendors might do?

Ondřej Vlček: Of course, but it all depends on the details. For example, we have a blocklist in avast! that's part of the Web Shield module, but it's not as trivial. It is a heavily wildcarded list. It's not domains only. It can be full URLs and we do some processing on them.

Softpedia: Can you make a forecast regarding attack techniques that you think might shape the threat landscape this year?

Ondřej Vlček: Platform-wide I think we will see more mobile malware. That's what I said last year and I repeat it. I also see no end to the Adobe exploits. The number of new exploits isn't going down.

Softpedia: Even though Adobe reported very good adoption numbers for Adobe Reader X that should significantly reduce the attack potential?

Ondřej Vlček: The problem is that PDF is everywhere, from mobile phones to servers, to desktop PCs, and there are so many versions and so many runtimes. The PDF format is so complex that it's very very difficult to create a reader that isn't vulnerable. So, I see a problem there.

I hope script fragmentation won't take off too fast, because it's also a problem, especially for network-based filters since they can't really reconstruct the whole object.

Softpedia: Can you explain how that works exactly?

Ondřej Vlček: Basically you have a script that comes in parts from various sources and these parts are then pasted inside the browser as part of some other JavaScript. It's written so that each of the individual parts is not very suspicious.

If you take it to the extreme you could have every single character of the script on a different server. If you have 5,000 servers you get a 5 KB script. Then you paste it on the client and execute it locally. Network filters aren't very effective for this.

There might be some heuristics there, but they will never be perfect. It looks like some of the techniques will have to move from the network layer closer to the browser so we can hook into the script execution engine and see what it's doing. It's something we haven't really seen taking off yet and I hope this isn't going to be some kind of cookbook for the bad guys.

Softpedia: Some security experts claim that this will be a year of hacking, as in the compromising of corporate networks as it recently happened with HBGary Federal and Anonymous. There are also voices that criticize governments and companies for overspending on security solutions for complex threats, while remaining vulnerable to the basic social engineering attacks that have been around since forever. What do you think?

Ondřej Vlček: I'm not sure whether they are overspending, but I'm quite sure the good old tricks with social engineering are some of the most effective. There will always be weak links in the chain, but in many cases these are quite cheap to fix.

I think the case with HBGary and weak passwords is a good example. But how many people really use strong passwords for all services? How many people use different passwords for each account? I'd say it's a very small minority, even in the corporate environment. Of course, these things are relatively cheap to fix compared to the usual investments in security software and hardware.

I agree that we'll see more hacks this year. It's still one of the most effective ways for malware distribution, but not only. It's effective even for things that aren't related to malware at all like we have seen recently with hacktivism. The problem isn't going to go away.

Softpedia: Do you think that companies should spend more on training? Maybe on things like checking and understanding email headers before opening links or files in emails?

Ondřej Vlček: Yes, together with pen testing. I would say not many companies, especially smaller businesses, invest in penetration testing and that doesn't only cover real hacks, but can also include things like calling a secretary and asking for a password while pretending to be the new IT guy or whatever. Things like these can be tested quite cheaply and not a lot of companies do it, so I definitely think there's some room for improvement.

(Transcribed from audio)