Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
July 25 2009
Randy: Thank you for having me back. It’s always great to be here.
Alan: Randy, last time we were talking about the unhealthy attitude that the sky is falling, the sky is falling, as well as not being paranoid about every little thing that comes down on your computer system. But what about the attitude that you hear from people who say, “I’ve been using my computer for years and I’ve never been hit by a virus or any kind of malware, so why should I bother running anti-threat, anti-virus software on my machine?”
There are also people out there who really think that malware is made by the anti-threat software companies, who just want to sell software. That’s far from the truth and that’s not the way to look at it, either, is it?
Randy: No, it isn’t. Although things have changed over the past couple of years to where now there are actually “fake anti-virus products” that will infect your computer. But the anti-virus industry does not write the viruses. That’s like thinking that the firemen go out to start fires so that they will have a job to do. There are enough arsonists and enough accidental fires without the firemen going out and starting their own fires. Thinking that doctors go out and break legs so that they will have patients is really ridiculous.
An anti-virus company that got caught (and believe me, after all these years, an anti-virus company would get caught if it were making a virus) would be out of business in no time, and its employees would end up in jail. There is no reason for an anti-virus company to write the threats because there are many people doing it for free! Or, nowadays, there are people being paid by organized crime to write these threats and get them out there because they are making a lot of money.
If you think that you don’t need the anti-virus protection on your computer, you had better be an exceptionally skilled user. But, for most people, yes, you really need that. It’s like a seat belt. It doesn’t make sense to go out in the car and drive without your seatbelt.
Alan: I was blown away by one of the authors that we had on the air, and he made the comment that, “I don’t worry about any kind of threats or malware. I haven’t run an anti-virus program or firewall in years and I’ve never been infected.” That’s like being out in a thunderstorm saying that, “Lightning is not going to hit me just because I’m out here playing golf!” Eventually, it’s going to get you!
Randy: It’s actually more naïve. How does he know he hasn’t been infected? The bots nowadays aren’t trying to let you know they are there. They want to stay hidden. They want to stay on your computer. They are going to try not to let you know that they are there. Just because you didn’t see it doesn’t mean that it doesn’t exist.
I’ve got friends all over the world and I was telling one of them that it had been snowing where I was and my friend said, “I’ve never seen snow!” My friend still believes that snow exists, even though they have never seen it. On your own computer with the prevalence of threats out there, if you have never encountered malicious software then the odds are you have actually encountered it and just didn’t realize it.
Alan: Yes, I’ve got a friend who says, “Well, the way I turn off my computer at night is I just flip the switch and everything turns off: the monitor, the operating system, the computer; everything turns off at one time. I don’t have to worry about shutting down the computer.” Eventually, that’s going to bite you big time, because the Windows operating system was not designed to do that.
Randy: Right. And neither was Unix. I mean, in Unix you have to use shutdown commands, and Linux is a flavor of it. You’ve got to do things in the right order, sometimes. Having good defense in depth on your computer is doing things in the right order. The threats out there are actually real.
Alan: And then I hear that, “I only go to well-known websites and they cannot possibly be infected. They wouldn’t dare be infected.”
Randy: They certainly don’t want to be infected, but websites get compromised, and from time to time even well-known ones get compromised. A couple of years ago the Miami Dolphins Super Bowl website was compromised and a Trojan was being downloaded from it.
And you know what? If you didn’t use anti-virus software, you would have gotten infected and not known it. This is a case where the Trojan that was downloaded, ESET had already been heuristically detecting it for at least six months before we ever knew it existed.
There have been several instances now where the bad guys are getting really crafty and they are buying advertising and using JavaScript in the ads to infect computers. Because it’s so convoluted how an ad gets from the person who created the advertisement to the website that sometimes they make it through all the steps and get onto well-known websites.
Alan: And this is where you almost have to have heuristics now in order to combat all these threats. Kind of give me an overview, if you would, of what heuristics is and why it protects us so well?
Randy: Most people aren’t familiar with virus signatures: an old technology where the anti-virus company, after a virus comes out, gets a copy of it, and this means somebody has generally been infected (maybe several people). They then analyze it and they write detection for that virus. It works okay for things we know about; but what about the stuff we don’t know about? Wouldn’t it be great if a brand new threat could come out and when it came out we already had protection for it?
That’s what heuristics is about. Rather than using a signature, we use rules. Heuristics is really a rules-based approach of problem solving. So, the problem that we need to solve is we have to identify malicious software that we have never seen before. So, we make rules about if a program does this activity and it does that activity and it does another activity, you can give weight to the different rules.
If it writes to the registry, maybe it just gets a value 1. But, if it’s writing to the “run key” in the registry, that might be a little more suspicious. Maybe you’ll give that a value of 2. Now, if it is also doing some other things, like writing to other files; if it’s trying to listen on the Internet for commands coming in – all these things add a little bit more suspicion that maybe this is malicious.
Each of them gets a weight. Once you identify what the file is going to do when it runs you add up all the weights. If it is a score of 100 or whatever your threshold is, then you say, “This is bad software,” and you block it, even though you have never seen it before.
Alan: That’s like an email that goes out and starts changing jpegs on the fly. You look at it and say, “That’s not the correct behavior for an email.”
Randy: Correct. And some things are much more suspicious than other things, and we can pretty much identify them by one action. In practice, we use a lot of different actions. That’s how we are able to really minimize the false positives, too, because heuristics will result in some false positives. But heuristics is really emulating human behavior (human thinking), and we humans make mistakes, too. So, of course, a program written by a human is going to make mistakes sometimes.
By making really smart rules and establishing really smart thresholds we are able to make very, very accurate guesses about what is bad and what is not and block a lot of that bad stuff that we’ve never seen before.
Alan: And I hear this all the time, as well, “There was an anti-threat, anti-malware program that came with my new computer, but I let the subscription lapse and I had never had a threat before, so I really don’t have to worry about it. The definitions that are on there are probably as good as I need and I don’t need a subscription.” That’s not good, either, is it?
Randy: No, it’s not. Because it’s really a battle with the bad guys, and so if you’re fighting today’s war with weapons from 200 years ago, which is what the time scale is like nowadays when you let something go for a few months without updating it, you’re going to lose. If you were to go into aerial combat today, you sure wouldn’t want to be in a World War II fighter plane. You’re going to get creamed! And with your anti-virus software, if you don’t keep those signatures and heuristics up to date and current, you’re going to get blindsided and get taken out faster than you can imagine.
Alan: And we’re looking at daily and worst case, weekly, because there are new viruses that are coming out on just a day-to-day basis, aren’t there?
Randy: We, typically update at least twice a day, sometimes more often, depending on what the threats are. It rarely would make sense to wait a whole week before an update. Most products are automatically updating at least daily, nowadays. It’s been a few years since weekly updates were sufficient.
And that’s why you also have to make sure that your operating system and your applications are patched, because there are vulnerabilities that can allow attacks against your computer. When the bad guys know about these vulnerabilities they are going to exploit them. So, that by keeping your computer patched, you reduce what we call “your attack surface,” there is less area that you can successfully be attacked from.
Alan: You have to make sure that you patch all the programs, not just the Microsoft Operating System programs; because you have these one-time viruses that try to get into your system and there is never the same one, twice. By the time you get a signature to come out to combat the one that you think just hit you, it has already migrated or changed into something else.
Randy: They are evolving very quickly. The Storm Worm is a great example that it didn’t need to use a vulnerability, but the authors kept changing how it looked every five minutes. So, that would break the signatures.
But there have been a ton of threats out there that took advantage of vulnerabilities in programs, and oftentimes the very first one that came out was targeted. Someone wanted to get into a business or a government network and so they used the exploit, and it was very targeted, but once it becomes known, the bad guys will build it into all kinds of threats.
They don’t stop using an exploit just because a patch came out. If you are unpatched, you are still vulnerable to a lot of threats out there, even though some of them were one-shots (intended for one use). It will get incorporated into many other threats.
Alan: Yes, the education is so important, because I hear, “I only open email from people I know and trust and they would never send me anything that has a virus or any kind of malware in it.” That’s where education is a must, because that’s a fallacy, isn’t it?
Randy: Absolutely. People need to understand that pretty much anything that you can do on a computer can be spoofed on the computer. You need to understand that by the time the email gets into your inbox, it can have been changed. It could have been created with bad information to begin with. So if it looks like it came from someone you know, it looks exactly like that because, with good software, people can do most anything with software.
So, you have to pay attention to the context. Does it make sense that this person I know sent this? If they sent an attachment, it always makes sense to validate, to verify that the person actually did mean to send you an attachment.
Now, of course, there are some exceptions. When you talk to a friend on the phone and he says, “Oh, I’m going to send you this song and it’s called such-and-such,” and you get the email from this person you know and it’s got that song, well, yeah, there is a great chance they meant to.
But, just like sending around a joke in a PowerPoint, things like that – make sure the person knows whom they got it from and make sure that they actually meant to send it to you. Because we see a lot of emails that didn’t come from who it looks like it came from.
Alan: And even some of the jokes that get passed around with the bitmaps embedded in them, you have no idea if there is, like, a time bomb sitting in that bitmap that’s going to go off a month from now.
Randy: Right. That’s a great example of why you need to stay patched. A lot of times if you’ve got the current security patches, it can have that time bomb in it, but it’s not going to get the chance to go off, because you patched and so you’re not vulnerable to the exploit. But, if you don’t have the security patch, you are going to get hit and it can result in a loss of data.
Alan: And then I hear this all the time, “I only download programs that come from sites that say they are “virus-free” and that they have absolutely no adware attached to it.” And of course, “This protects me.”
Randy: Of course, they are going to say that! A criminal is not going to say, “Hey, I’m here to steal your money.” They are going to say, “You can trust me.” On the website, everything is anonymous, really. You don’t know who’s behind the website that shows that this free program is virus-free unless you know from a lot of experience that you’re dealing with a reputable website. We have also seen even reputable ones that every once in a while make a mistake and something with a virus in it got in for a download. That doesn’t protect you.
If you’re dealing with a reputable website, it adds a lot of security to it. But if you haven’t seen that website before, and you don’t know people who are security savvy, security smart, and are willing to tell you, “Yes, this is a legitimate website,” then you have nothing to go on. The bad guys make up websites all the time and they say, “Our product is certified,” which it isn’t. They say, “We scan for viruses.” Well, they might, just to make sure the virus is really there, but they are going to tell you it’s clean. And, oh no, you can’t just trust what you read on the Web.
Alan: What are we looking at as far as the price of your award-winning NOD32 and your ESET Smart Security software?
Randy: ESET NOD32 Anti-Virus, and we’re up to Version 4. So if you have Version 3 right now and your license is still valid, you can go to http://www.eset.com and, for free, upgrade to the latest version. We don’t charge you during your license term to upgrade.
But, if you don’t have that right now, then for ESET Smart Security, which includes the firewall and all that, one year is $59.99. If you just want the ESET NOD32 Anti-Virus, then that is $39.99 for one year or $58.99 for two years. And again, there are discounts for multiple user packs.
Alan: Randy, as always, it’s our pleasure to have you as our guest on Let’s Talk Computers, showing us how we really need to have the education to protect ourselves from all these nasties that are trying to infect our computer system. We look forward to having you back on the air, again real soon.
Randy: I look forward to coming back, Alan. Thanks, so much.
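The weighted-rule heuristic that Randy sketches in the interview (a registry write scores a little, an autostart Run-key write scores more, listening for commands scores more still, add them up and compare to a threshold) is easy to make concrete. The following is an added example written for this page; it is not ESET code, and the rule names, weights, action names, the `score_trace` function and the three behaviour traces are all constructed for illustration.

```python
"""Toy weighted-rule (heuristic) scorer in the style the interview describes.
Added example, not ESET code: every rule, weight, action name and sample
trace below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# One observed action: (kind, target). Constructed format standing in for
# what an emulator or sandbox would record when the sample runs.
Action = Tuple[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    matches: Callable[[Action], bool]


def _is_run_key(target: str) -> bool:
    return "\\currentversion\\run" in target.lower()


# Hypothetical rule set. A plain registry write is barely suspicious, an
# autostart (Run key) write more so, and one behaviour (stopping a security
# service) is damning enough to trip the threshold on its own.
RULES: List[Rule] = [
    Rule("registry write", 10, lambda a: a[0] == "reg_write"),
    Rule("autostart (Run key) write", 20,
         lambda a: a[0] == "reg_write" and _is_run_key(a[1])),
    Rule("drops executable file", 30,
         lambda a: a[0] == "file_write" and a[1].lower().endswith((".exe", ".dll"))),
    Rule("listens for inbound connections", 40, lambda a: a[0] == "net_listen"),
    Rule("injects into another process", 50, lambda a: a[0] == "proc_inject"),
    Rule("stops a security service", 100,
         lambda a: a[0] == "svc_stop" and "defend" in a[1].lower()),
]


@dataclass
class Verdict:
    score: int
    fired: List[str] = field(default_factory=list)
    threshold: int = 100

    @property
    def malicious(self) -> bool:
        return self.score >= self.threshold


def score_trace(trace: List[Action], rules: List[Rule] = RULES,
                threshold: int = 100) -> Verdict:
    """Sum the weight of every rule that matches at least one action.

    Each rule counts once, so a loop of 500 registry writes does not inflate
    the score by itself; it is the combination of different behaviours that
    pushes a sample over the threshold."""
    fired = [r.name for r in rules if any(r.matches(a) for a in trace)]
    total = sum(r.weight for r in rules if r.name in fired)
    return Verdict(score=total, fired=fired, threshold=threshold)


# Constructed traces, not real samples.
BENIGN_INSTALLER: List[Action] = [
    ("reg_write", r"HKLM\Software\ExampleVendor\Version"),
    ("file_write", r"C:\Program Files\ExampleApp\app.exe"),
    # Many legitimate installers register an autostart entry too.
    ("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp"),
]
BOT_LIKE: List[Action] = [
    ("file_write", r"C:\Users\u\AppData\Local\Temp\svchost32.exe"),
    ("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    ("net_listen", "0.0.0.0:4444"),
    ("proc_inject", "explorer.exe"),
]
AV_KILLER: List[Action] = [
    ("svc_stop", "WinDefend"),
]

if __name__ == "__main__":
    for name, trace in [("benign installer", BENIGN_INSTALLER),
                        ("bot-like", BOT_LIKE), ("service killer", AV_KILLER)]:
        v = score_trace(trace)
        print(f"{name:17s} score={v.score:3d} malicious={v.malicious} fired={v.fired}")
```

The benign installer fires three rules (it writes the registry, adds a Run-key entry and drops an executable) but stays under the threshold at 60; the bot-like trace adds listening and process injection and reaches 150; the service-stop rule alone reaches 100, which is the "identify them by one action" case. Moving the threshold or the weights is exactly the false-positive trade-off the interview mentions: lower them and the installer gets flagged, raise them and a quieter bot slips through.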

