Ask the Expert: Roel Schouwenberg Explains the State of Malware Threats

The cyber threat landscape is constantly evolving and keeping up with those changes is an intense project. Kaspersky Lab has a team of research experts who are relentless in sniffing out the threats before they get to you. Roel Schouwenberg, senior anti-virus researcher, Kaspersky Lab, Americas, is part of Kaspersky’s Global Research and Analysis Team, where on a daily basis he is monitoring the state of malware and the threats that exist. We sent along your malware and cyberthreat questions to Roel to have him answer.


If a piece of malware can be identified by antivirus or through the signature, then why does a creator need to use the “signature?” How does the antivirus actually classify the signature as threatening or not? What is actually being manipulated by malware?

A signature is something which will uniquely describe a piece of malware, malware family, or type of malicious action. Signatures come in many shapes. Perhaps the detection is made on the code which is responsible for using a specific algorithm. The signature can also be created to detect certain behavior on the system. Most of today’s signatures are smart. We can detect tens of thousands of different malicious files using just one smart signature.

We, either the automation system or a human analyst, simply choose how to detect a given file. If a particular piece of malware does particular things to complicate analysis, then creating a signature based on that code or behavior may be a very good way of detecting such malicious files. That means the malware author will have to move on to a new trick to try and evade detection. It’s an endless cat and mouse game.

We use both a smart blacklist and a whitelist. By having a huge and ever expanding whitelisting database we can speed up scanning, prevent false positives and be more suspicious of files we don’t know.
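The whitelist-first, exact-hash, then smart-signature ordering described above, as an added illustration that is not Kaspersky's code or signature format: a toy scanner over constructed sample "files" (the strings and the `Trojan.Constructed.*` names are assumptions, not real malware). The smart signature is a regex over a constructed anti-analysis marker, standing in for a real code or behaviour pattern; it matches every variant of the family even though each variant has a different hash.

```python
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample files (not real binaries, not real malware) ---
TRUSTED_FILE = b"MZ\x90\x00 trusted-updater v1.2 signed-by-vendor"

# Three variants of one constructed family: the padding differs, so every
# hash differs, but all three share the same anti-analysis routine.
FAMILY_VARIANTS = [
    b"MZ\x90\x00 junk0 IsDebuggerPresent;sleep(5000);decrypt_stage2 junk",
    b"MZ\x90\x00 junkAAA IsDebuggerPresent;sleep(9000);decrypt_stage2 junk",
    b"MZ\x90\x00 j IsDebuggerPresent;sleep(12345);decrypt_stage2",
]
UNKNOWN_FILE = b"MZ\x90\x00 some program nobody has seen before"

# Whitelist of known-good hashes: checked first, so trusted files are
# skipped quickly and can never trigger a false positive.
WHITELIST = {sha256(TRUSTED_FILE)}

# Exact-hash blacklist: only the one variant an analyst has already seen.
EXACT_BLACKLIST = {sha256(FAMILY_VARIANTS[0]): "Trojan.Constructed.a"}

# "Smart" signature: detects the family by the code/behaviour it relies on
# (here a constructed marker), not by the bytes of one particular sample.
SMART_SIGNATURES = [
    ("Trojan.Constructed.gen",
     re.compile(rb"IsDebuggerPresent;sleep\(\d+\);decrypt_stage2")),
]


def classify(data: bytes) -> str:
    """Return the verdict for one file, cheapest check first."""
    h = sha256(data)
    if h in WHITELIST:
        return "clean:whitelisted"
    if h in EXACT_BLACKLIST:
        return "malware:" + EXACT_BLACKLIST[h]
    for name, pattern in SMART_SIGNATURES:
        if pattern.search(data):
            return "malware:" + name
    # Not known good and not known bad: treat with more suspicion.
    return "unknown:suspicious"


def detections_by_method(files):
    """Count how many files each method would catch on its own."""
    exact = sum(1 for f in files if sha256(f) in EXACT_BLACKLIST)
    smart = sum(1 for f in files
                if any(p.search(f) for _, p in SMART_SIGNATURES))
    return {"exact_hash": exact, "smart": smart}


if __name__ == "__main__":
    for sample in [TRUSTED_FILE, *FAMILY_VARIANTS, UNKNOWN_FILE]:
        print(classify(sample))
    print(detections_by_method(FAMILY_VARIANTS))
```

The point of `detections_by_method` is the one the answer makes: the exact hash catches a single sample, while the one smart signature catches all three variants, and any new variant the author produces by re-padding the file.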

How do you find malware?

With up to 200,000 new malware samples per day it’s all about automation. We have different types of crawlers which browse the internet looking for new malware. These systems visit websites to see if they’re infected and capture the exploits and malware. We also have various types of honey pots, such as for email and network traffic. When processing malware that’s been discovered we often find URLs leading to more malware, which then automatically get processed. The anti-malware industry also shares the malware it finds, so we get samples from other vendors as well. Last but not least are manual submissions from ‘anti-malware enthusiasts’, professionals and customers.

How can I better protect myself from DDoS attacks?

The DDoS problem is a difficult one. There’s no easy fix. DDoS attacks differ greatly in type and magnitude. If an attacker is trying to flood your service with network traffic then most often you’ll have to work with – or move to – a service provider which has experience with DDoS mitigation. For other types of scenario, IDS/IPS should be able to do a lot of the heavy lifting.

Is having open ports a vulnerability?

Programs are responsible for opening ports. This means the core question is if you can trust the program which opened the port. If the port is opened by malware then that constitutes a vulnerability. Such an open port will generally be used as a backdoor into the system. When a legitimate program opens up a port it becomes a question of what type of program it is and if it (potentially) needs a port that’s open to the internet. Most often the answer to that question is no, which is why it’s important to run a firewall, ideally together with a router, which supports NAT.
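The two questions in the answer above (which program opened the port, and does it need to face the network?) turned into a small audit, as an added example that is not part of the original article: it parses a listener table in the style of `ss -lntp` output and flags programs not on an expected-listener list, and programs that should only be reachable on loopback but are bound to every interface. The listener lines, the program names and the `EXPECTED_LISTENERS` policy are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed listener table in the style of `ss -lntp` output; assumption:
# this was not captured from a real host.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=950,fd=6))
LISTEN 0      50     0.0.0.0:5555        0.0.0.0:*         users:(("updater_helper",pid=6661,fd=4))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1400,fd=7))
"""

# Constructed policy: which programs are expected to listen at all, and
# whether they are allowed to face the network or only loopback.
EXPECTED_LISTENERS = {
    "sshd": "network",          # remote administration, deliberately exposed
    "nginx": "network",         # public web server
    "mysqld": "loopback",       # only local applications should reach it
    "redis-server": "loopback",
}

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]", "::1"}

# One LISTEN line: local address:port, the peer column, then the process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<prog>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass
class Finding:
    port: int
    program: str
    pid: int
    exposure: str   # "loopback" or "network"
    verdict: str


def parse_listeners(text):
    """Yield (port, program, pid, exposure) for each LISTEN line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # header line or an unrecognised format
        addr, port = m.group("local").rsplit(":", 1)
        exposure = "loopback" if addr in LOOPBACK_ADDRESSES else "network"
        rows.append((int(port), m.group("prog"), int(m.group("pid")), exposure))
    return rows


def audit(text):
    """Apply the policy to every listener and attach a verdict."""
    findings = []
    for port, prog, pid, exposure in parse_listeners(text):
        expected = EXPECTED_LISTENERS.get(prog)
        if expected is None:
            verdict = "UNKNOWN PROGRAM: identify it before trusting this listener"
        elif expected == "loopback" and exposure == "network":
            verdict = "EXPOSED: expected loopback-only, rebind or firewall the port"
        else:
            verdict = "ok"
        findings.append(Finding(port, prog, pid, exposure, verdict))
    return findings


def problems(text):
    """Only the listeners that need attention."""
    return [f for f in audit(text) if f.verdict != "ok"]


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTENERS):
        print(f"{f.port:>5} {f.program:<15} pid={f.pid:<6} {f.exposure:<8} {f.verdict}")
```

On the constructed table this reports two problems: `updater_helper` on port 5555 is not an expected listener at all (the "can you trust the program?" question), and `redis-server` is bound to all interfaces although the policy says it should be loopback-only (the "does it need a port open to the internet?" question). A host firewall or a NAT router in front of the machine would hide both from the internet, which is why the answer recommends them even when the listening program is legitimate.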

What can consumers do to maximize protection against Trojan Horses disguised in PDF files and other attachments?

The most effective method is to simply uninstall any PDF reader. Using the latest version of Adobe Reader and Microsoft Office is paramount. They come with sandboxes which are extremely hard to break. Running the latest version of Windows, which comes with more and improved exploitation mitigations helps as well. Some people recommend using less popular programs as a way of avoiding exploits for more popular office readers. This approach can work for ‘mass malware’ type of attacks. However, it won’t be effective when it comes to targeted attacks.


Comments

  1. tim waterworth says:

    I’m desperate.

    I’m currently on Kaspersky PURE. I bought a commercial 3-PC license, activation date 11/9/2011. Not sure why this is expiring now?

    I use PURE to encrypt data on sensitive drives, password manager and internet security.
    I renewed my license online. I clicked the links, paid price, followed instructions, and got a fail that “Activation code is not compatible with this application…”

    Tried troubleshooting and called for assistance. I was told by your support rep that I can’t renew my version of PURE and that it must be uninstalled and that I must download PURE 3.0. I tried to uninstall and it failed as well.

    Your software is mission critical to my small business and all your support people have done is send convoluted e-mails that don’t address the issue.

    Incident 315058030

    1. Kaspersky Team says:

      Hi Tim,

      We’ve looked into your incident and the expiration date on your license is correct, with an activation date of June 12, 2011. You can find instructions for renewal using this link: http://support.kaspersky.ru/common/service.aspx?el=1464. Please let us know if you have any further questions.

      Best,
      Kaspersky Team

  2. Borhan says:

    How can I make sure that I am not a part of a BOTNET?

  3. pavithra devi says:

    Hi, I have Kaspersky Internet Security installed. I surf the net via a proxy connection, so I have to enter the proxy username and password under the ADVANCED setting for its updates. My password is quite long and there is not enough space for it. I have two proxies, so if I enter the other proxy’s password, it adds some more behind the password by itself. When I click enter it adds this by itself, so ultimately it has the wrong password. What should I do? How can I correct this password problem? It updates halfway, to around 30%, and then cancels by itself. It has not been updated for a long time and I’m worried about this, as it is very necessary for a functional antivirus. I hope your team will provide me a proper solution as soon as possible.

    THANK YOU

    1. Kaspersky Team says:

      Hi Pavithra,

      We recommend setting up your proxy settings in Internet Explorer and choosing ‘Automatically detect proxy server settings’ within your anti-virus settings. Please let us know if this does not work for you.