Welcome | Sign In
LinuxInsider.com
ECT News Exclusives

TWO-PART EXCLUSIVE INTERVIEW
In the Trenches with Antivirus Guru Mikko Hypponen

Print Version
E-Mail Article
Reprints
In the Trenches with Antivirus Guru Mikko Hypponen

By Elizabeth Millard
E-Commerce Times
Part of the ECT News Network
04/07/04 3:44 AM PT

"All reverse engineers and virus crackers are here in my team, which works from our headquarters in Helsinki," F-Secure's Mikko Hypponen told the E-Commerce Times. "Right now we have people from Finland, Hungary, Spain, Bulgaria and Russia. Everybody has their own area of expertise, such as Windows binary analysis, scripts and macro code, Linux stuff, mobile phone and PDA expertise, et cetera."


Amid this year's ongoing plague of viruses and worms, there has been much discussion about virus creators, antivirus software developers and frequent virus targets like Microsoft (Nasdaq: MSFT) and The SCO Group. But one important group still toils in near obscurity: the virus hunters. One of the field's most avid and skilled researchers is Mikko Hypponen, director of antivirus research at F-Secure in Helsinki, Finland.

For the past 13 years, Hypponen has been working in the computer security field, and his weblog on F-Secure's site is required reading for anyone who wants the latest information on which viruses are snaking around the Internet. Hypponen spoke to the E-Commerce Times about security, viruses and why malware is here to stay.

E-Commerce Times: When did you first become interested in computer and network security?

Mikko Hypponen: Around 1991. At the time, I was a low-level programmer with skills in assembly language, which came in handy for reverse engineering viruses. In fact, the biggest problem in recruiting new researchers is the fact that very few people nowadays have assembler skills. Most universities stopped teaching it years ago.

ECT: Why have universities stopped teaching these skills?

Hypponen: Because it's so hard, and because very few people need such low-level skills anymore. It's all C and C++ nowadays.

ECT: Do you think that, in general, universities should take a larger role in training students to be able to detect and examine viruses, in order to minimize the threat?

Hypponen: Indeed, computer science universities are putting quite a lot of effort in teaching things like cryptography, but fairly little emphasis is put on research of malicious code and how to analyze it. I'm pretty confident this is about to change, though.

ECT: How did you know you wanted to take on computer security as a career?

Hypponen: After decompiling and analyzing my first virus -- which was, by the way, the "Omega" virus, which I named. It felt really rewarding to be able to decode and crack the evil program written by someone else, and to help end users while doing it. So I kept at it.

ECT: How did your path lead you to F-Secure?

Hypponen: By chance, really. I was hired to do programming for random projects and just ended up focusing on the data security world, which was one of the things F-Secure was doing at the time. Now that's all we do.

ECT: What is your working environment like? How many people are on your team, and do they have specialized roles, or does everyone pitch in on everything?

Hypponen: F-Secure has 12 offices around the world, with over 300 people in them. All reverse engineers and virus crackers are here in my team, which works from our headquarters in Helsinki. We don't do anything else but crack viruses, the 10 of us. The team has been collected from around the world, and right now we have people from Finland, Hungary, Spain, Bulgaria and Russia in it. Everybody has their own area of expertise, such as Windows binary analysis, scripts and macro code, Linux stuff, mobile phone and PDA expertise, et cetera.

You should be able to get some kind of "feel" on the team members by browsing our public weblog, which is maintained by all team members.

ECT: What are the most significant changes you've seen since starting in computer security?

Hypponen: Well, we have clear virus eras: Boot viruses ruled the Earth from 1986 to 1995; macro viruses ruled the Earth from 1995 to 1999; e-mail worms ruled the Earth from 1999 to 2004; and my best guess is that network worms will rule the Earth from 2005 onward.

Also, the people behind the viruses have changed. We used to be fighting the teenage kids who wrote viruses because it was cool. Now we have more and more "professional" operations, where viruses are being used to generate money for the people behind them by stealing data or installing spam proxies. We've even seen cases where viruses install fake Web shops to infected PCs, and then start to send spam out advertising those shops. These are used to collect credit card numbers from the clueless customers.

ECT: Even though the people creating the viruses have changed, recently it was discovered that some of today's most prevalent virus code has taunts written into it against other virus writers. Does that mean we still have those teenage kids to fear as well?

Hypponen: The majority of new viruses are still generated by kids or by "hobbyists." Examples include Slammer, Blaster, Netsky. But many of the largest recent outbreaks are done by what we believe to be more organized groups. Examples include Sobig, Mimail, Mydoom, Bagle.

ECT: What is the toughest worm or virus you have fought so far?

Hypponen: From a technical point of view, it would probably be the SMEG or the Zmist virus, both of which are pretty old by now. From an outbreak point of view, the biggest challenges have been Slammer, Blaster.A, Sobig.F and Mydoom.A.

From an exhaustion point of view, the multitude of new Bagle/Mydoom/Netsky variants that we've seen since February 2004 is bad. So far we've seen over 60 variants, and they still keep coming -- days and nights, through the weekends -- and this is really wearing us out.

ECT: Why were the SMEG and Zmist viruses so hard to fight? What made them especially tough?

Hypponen: They weren't big outbreaks, but they were technically very, very difficult. Both of these viruses modify themselves on the fly to create billions of different-looking versions of themselves. Creating a 100 percent detection rate of something like that can be very hard. On the bright side, complex viruses like these often fail to work in the real world.

ECT: What do you think is the prime difference between the mindset of malware creators and the mindset of malware fighters?

Hypponen: Black and white. Good and bad. Most antivirus researchers would have the skills needed to write viruses, but won't. Most virus writers wouldn't have the skills to write an antivirus program and maintain it.

ECT: In your opinion, can black hats who have turned legit be trusted?

Hypponen: Well, let's just say that we here don't hire criminals. And that's what virus writers are. I do know that some security companies hire ex-hackers and the like but like to keep the difference distinct.

ECT: What do you think underlies this transformation?

Hypponen: Maybe growing up. Or finding a girlfriend.

In part 2 of this interview, Hypponen talks about what it might take to capture those black-hat hackers.

Print Version E-Mail Article Reprints More by Elizabeth Millard

Talkback: Be the first to comment on this story.

Related News Alerts

Microsoft Activate Alert | Search Archives

More by Elizabeth Millard

Ken Xie of Fortinet on Fighting Content Threats
November 25, 2004
"Integrating independent security systems together and keeping them all up-to-date and able to coordinate their actions in the face of a fast-moving attack is a daunting if not intractable task," Fortinet CEO Ken Xie told ECT News. "To deal with today's and tomorrow's blended threats requires a more integrated, holistic approach to security." 		Microsoft Files More Lawsuits over Spam
September 24, 2004
Going after spammers rather than focusing merely on developing antispam technology is an important step, John Movina, spokesperson for the Coalition Against Unsolicited Commercial Email, said. He told The E-Commerce Times that the United States has weaker criminal laws against spam than other countries, so it's vital to find other means to stop spammers. 		French Firms Aim To Beef Up Linux Security
September 24, 2004
The consortium plans to make bringing Linux up to the Evaluation Assurance Level 5 (EAL5), which is part of an internationally recognized security certification called Common Criteria, its first effort. EAL5 satisfies major security requirements in commercial as well as defense and government applications.
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]
Shortcuts
> Get Business and Technology News Alerts
> Most Popular | Spotlight Features | Exclusives
> This Week on ECT News Network | Podcasts
> WiFi Hotspot Locator
> Inside LinuxInsider
LinuxInsider
E-Commerce Times
TechNewsWorld
MacNewsWorld
CRM Buyer
Today's LinuxInsider Sponsors
Avaya Aura™
Save up to 40% on calling costs with Avaya Aura™
Entrust Extended Validation SSL
Entrust EV SSL certificates -- "go green" for less. Now from only $199 per year.
Trend Micro Smart Protection Network(TM)
Lower your content security management costs by up to 40%.
ECT News Network Information
Reader Services
Corporate
ECT News Network
Terms of Service | Privacy Policy | How To Advertise
Copyright 1998-2009 ECT News Network, Inc. All Rights Reserved.