
Data Center Leaders: Disaster Recovery & Antivirus Planning With Peter Szor

Posted on July 1st, 2009 by Judie Van Keulen

Antivirus Researcher & Disaster Recovery Expert Peter Szor

Truly one of the most insidious man-made disasters threatening a company’s data center is the ever-present, ever-evolving computer virus.

On the front lines helping to back up and protect data centers from these viruses is Peter Szor, the subject of today’s Data Center Leaders Interview.

Szor is a computer antivirus and security researcher with 20 years of experience building antivirus and security solutions. He is a distinguished engineer at Symantec Corporation, holds over 30 issued computer security patents and is the author of the best-selling technical book The Art Of Computer Virus Research and Defense (1).

Below, we discuss the history and rapid evolution of computer viruses, answer why companies should think broader than antivirus protection when creating disaster recovery plans, and review the damage caused by a few of the most malicious viruses Szor has ever seen:

Evolving Solutions:
In your experience, how many companies understand the importance of creating disaster recovery plans that take cyber-threats, like computer viruses, into account?

Peter Szor:
Large companies with critical infrastructures always understood the risk of computer malware.

Yet, while antivirus solutions remain their number one security choice, relatively few companies are focusing on other important aspects of computer security that are also critical to them, such as making sure data is kept secure, yet available at all times.

Companies know that well-maintained computer antivirus solutions from trusted, dedicated security vendors are vital for their security, but I strongly believe that in the very near future companies will move to the next stage of understanding and put more focus on disaster recovery plans.

Companies need to understand that mitigation of risks is increasingly important, especially in environments where services are provided to users where any interruptions can quickly lead to negative business impact.

It is amazing how much the data needs of companies have changed over the years. Even in homes, people store far more data than ever before as everything is increasingly becoming digital. Both companies and homes are at risk of losing information, which needs to be protected and kept secure from viruses and protected by data backups.

Having spent almost 20 years developing computer antivirus and security software, I strongly feel that customers understand security risks much more today than ever before. Fast spreading computer worms such as CodeRed, Nimda, Blaster and Conficker all point to the same underlying issues in the networks that we share. Computer networks, operating systems and applications will remain vulnerable and exploitable, and disaster recovery plans are more important than ever. Data backup and storage management are critical.

Evolving Solutions:

What tips would you offer businesses to protect against computer viruses that seem to evolve just as quickly as software designed to prevent infection?

Peter Szor:
We often see that companies do not manage their infrastructure enough. Vulnerabilities are not always managed by deploying security updates at all end points. Companies do not always follow closely enough what software their users run, what they can do, and what attacks they might bring to the corporate network when doing so.

Operating systems are often old, as are the applications on them, meaning they often have unpatched vulnerabilities. Most users run their system as Administrator. Today, what we find is that the majority of attacks are getting in via downloads when users browse the web. Securing the browser is critical. What the user can browse has a huge impact on the internal security of the network, especially when the code enjoys Administrator privileges and gets installed right away.

Of course, I would also recommend user education. I do not give up my hopes in this regard. My family dedicated their life to education: math, physics, history and music, you name it. I tried to contribute to the field of computer security myself and hope that computer professionals understand attacks and defenses better from my work. I am happy to see that computer security is becoming a science and that people can graduate by receiving degrees in the subject.

I strongly recommend that companies hire security professionals with first-hand experience in security. The degree is one thing and the experience is the other. The more people understand computer security, the better it will get for the company. Yet, if there is no expertise in house, security consulting should be used.

Computer security is evolving all the time with the new attacks. It is exciting to see how much antivirus has evolved over the last few years as the threat space grew to over 4 million. To me, this is an amazing expansion of the threat space.

For the first 10 years, we witnessed just about 10,000 distinct computer virus variants, and we all believed it was already overwhelming. We got the rest of the malware space during the last decade, which clearly shows an exponential curve. The expansion of the malware universe is clearly accelerating rapidly.

Keeping your version of antivirus engines and products up to date is important besides the definition data provided. There are true inventions in AV software today, such as advanced heuristics, software behavior management and “cloud” based reputation systems, which will all shape client protection during the next decade. These inventions come with new products which need to be deployed from time to time to be sure that computer security can evolve with the new threats.

Evolving Solutions:
Your book, The Art of Computer Virus Research and Defense, is a report from behind the scenes in antivirus research. Apart from what is published in your book, what is the one piece of data most important for businesses to know regarding how a virus could affect their data centers?

Peter Szor:

There are many attack types, which – fortunately – have not developed to their full potential.

During the last few years, exploitation was the main focus of attackers. What we see today is that web browsing brings more and more attacks to the end points, and so, we made our defense stronger against such malware attacks.

Computer viruses can cause devastation, especially the fast spreading worms that open up the network to the remote control of the attackers. When confidential information is leaked, there is always a problem, which goes way beyond the recovery from the attack itself on the internal network because it affects the reputation of the company that leaked the data. Therefore the protection against information leakage is an increasingly important aspect of security today.

I already mentioned that so called “cloud based” security solutions will shape the security landscape during the upcoming years. Targeted, unique attacks are exploiting end points every second. It is not unlikely that we will see more than 10 million malware variants during 2010.

People who are behind these attacks operate as businesses, and make a lot of money, which they can reinvest to improve attacks. Unfortunately, this process accelerates the evolution of malware a lot.

If you think about it, attackers already use cloud computing, when they harvest bot networks for their use, such as spam delivery. Next, I think, they will increasingly use real cloud computing systems, since they can afford to borrow as many virtual machines as they want relatively cheaply, and they can certainly afford to pay for them as needed.

Modern attacks require revolutionary security software to address them, and this is precisely what we are working on.

Evolving Solutions:
How has Symantec learned to anticipate computer virus evolutions and develop software to combat these viruses accordingly?

Peter Szor:
Symantec was the pioneer of fast antivirus updates.

We realized that instantaneous pulsing update processes were important and eventually we invented the idea of providing a service directly to clients querying a central database. This provides the most up to date security protection.

Software reputation services will be a strong pillar of our computer security. We have built a large software reputation database over the last few years and are getting ready to use it. With this, Symantec will help users to avoid software that is rarely used, as most Trojan programs are very rare with few victims each.

We fight back against server side polymorphism – the effect behind the quick increase of malware to the millions – by realizing that users typically want to run software that many people also use. When you choose a restaurant, you want to be sure that it is grade A and has good food, and you know that if you see that the place is always packed. When you see a grade B restaurant with a few people inside, you want to avoid it, because you risk getting sick when eating there. Similarly, if you are among the first to run a program that nobody has ever run, you had better not take the risk. Such a policy will help protection tremendously in the future, and possibly, it is the greatest extension of the art of computer protection since my book was published a few years ago.

We understand that our protection against malware attacks such as self-replicating viruses and worms is very strong, and thus, traditional techniques help our customers to fight back against them. We made sure during the last decade that our software provides solid protection against even the most sophisticated polymorphic and metamorphic virus attacks. We demonstrated in leading antivirus tests that we are unmatched when doing so. We made our protection against malware attacks much stronger during the last 12 months, while improving the performance of our software at the same time.
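The prevalence-based reputation policy Szor describes above, written out as an added illustration that is not Symantec's code: a file is rated by how many machines have run it and how long it has been seen, rather than by a signature, and a feed full of single-sighting hashes is flagged as the footprint of server side polymorphism. The thresholds, the record layout and the sample telemetry are all hypothetical and constructed here.

```python
from dataclasses import dataclass
from datetime import date


# Constructed telemetry record: how widely and for how long a file has been seen.
@dataclass(frozen=True)
class FileSighting:
    sha256: str          # constructed identifier, not a real sample hash
    machines_seen: int   # distinct endpoints that have run this exact file
    first_seen: date     # date the file was first reported to the reputation service


# Hypothetical thresholds; a real service tunes them from its own telemetry.
MIN_PREVALENCE = 100   # the "packed restaurant": run by many users
MIN_AGE_DAYS = 30      # around long enough for problems to have surfaced


def reputation_verdict(s: FileSighting, today: date) -> str:
    """Rate a file by prevalence and age instead of by a malware signature.

    'trusted'    : widely used and established
    'suspicious' : brand new and almost nobody has run it, the profile of
                   server side polymorphism (one unique binary per victim)
    'unproven'   : everything in between, left to other protection layers
    """
    age_days = (today - s.first_seen).days
    if s.machines_seen >= MIN_PREVALENCE and age_days >= MIN_AGE_DAYS:
        return "trusted"
    if s.machines_seen <= 5 and age_days < 7:
        return "suspicious"
    return "unproven"


def singleton_ratio(sightings: list[FileSighting]) -> float:
    """Share of distinct files seen on exactly one machine; a high ratio
    across a feed is the fingerprint of server side polymorphism."""
    if not sightings:
        return 0.0
    return sum(1 for s in sightings if s.machines_seen == 1) / len(sightings)


# Constructed sample feed, dated against a fixed 'today' so results are stable.
TODAY = date(2009, 7, 1)
SAMPLE_FEED = [
    FileSighting("aaaa" * 16, machines_seen=250_000, first_seen=date(2008, 3, 14)),
    FileSighting("bbbb" * 16, machines_seen=1, first_seen=date(2009, 6, 30)),
    FileSighting("cccc" * 16, machines_seen=1, first_seen=date(2009, 6, 29)),
    FileSighting("dddd" * 16, machines_seen=40, first_seen=date(2009, 5, 1)),
]

if __name__ == "__main__":
    for s in SAMPLE_FEED:
        print(s.sha256[:8], s.machines_seen, reputation_verdict(s, TODAY))
    print(f"singleton ratio: {singleton_ratio(SAMPLE_FEED):.2f}")
```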

Evolving Solutions:
What is the most despicable computer virus you have ever witnessed, and without naming company names, what level of damage did you see it cause?

Peter Szor:
During the years, I have seen successful attacks which deleted data that could not be restored since data backups were typically not available. We have even witnessed PCs being destroyed by overwriting the content of their Flash-BIOS, as the CIH virus did, which made the motherboard of the attacked system useless.

You could not possibly prevent the Flash-BIOS from being overwritten using add-on software, since the “metal” could be directly accessed via PORT commands with no way of interruption, once the malicious code ran on the system. This is a basic design flaw of modern computer architectures.

Instead, the actual viruses and Trojans had to be detected in the first place before they could run. Antivirus software was key to detecting these attacks and will surely remain the wheel of computer security in the future.

Back in 1995, I was certain that Windows systems would be the new target of attackers and expected to see computer worms on the platform. First, I witnessed the Happy99 worm, released a decade ago, which demonstrated the main problem by infecting systems worldwide. Then, attackers finally turned towards the use of exploits.

The CodeRed and Nimda worms would show how quickly attacks could spread on the Internet when exploiting remote vulnerabilities. When I traveled to Europe in September of 2001 to attend the Virus Bulletin conference in Prague, I recall the cab driver asked me what kind of business I did, and I proudly said:

“I am a computer antivirus researcher.”

He quickly went on to say:

“Have you heard of Nimda, Admin backwards? It is all over the radio!!”

When he noticed that I had no idea what he was talking about – I had just landed in Prague a few minutes earlier, and the worm was actually released while I was in the air – he went on saying laughingly:

“What kind of security researcher are you?”

At that very moment, we both realized that the security world had dramatically changed. Then all the other researchers at the conference talked to me about Nimda one by one. They all knew I was painstakingly analyzing every single variant of Win32 malware, carefully cataloging them, and giving them their names. Then, the sudden explosion of these threats just happened, seemingly from one day to the next.

The Conficker worm recently demonstrated that essentially the same vulnerabilities are still with us. As a matter of fact, Conficker uses some modules that were built years ago by the 29A virus-writing group, which no longer exists, but their legacy is still with us.

Certainly, there is more to do to improve protection at both sides of the spectrum: at security vendors as well as at the end points by the companies themselves. We are working very hard to improve security for our users, who can rest assured that we have never, ever been more focused on delivering the best protection in the industry.

(1) The Art Of Computer Virus Research and Defense, published by Addison Wesley 2005.
