We are glad to present something really unusual: an interview with a man from an antivirus company who agreed to have a talk (many of them didn't) about viruses, life, the universe and everything. But we agreed on his anonymity and we will respect it, of course. This interview is a really good experience, so don't wait and go ahead!
hello, we are glad you said yes to our request for an interview
sure, no prob, but i want to stay unknown - you surely can guess the
reasons why :) it is not usual for someone from the antivirus side to give
an interview to the other side
what is the reason you said yes? usually avers ignore our requests
or say no
we have of course access to nearly all zines released on the v-scene,
because one has to watch them - to keep track of new technologies.
and of course i've also seen your previous issue, that was a pretty
long time ago, and it was rather good. you are taking your job quite
professionally
how long have you been in the biz?
i started with viruses, let me think, some 11 years ago. my first XT
sometimes played a melody, usually at 5 o'clock. of course, it was
yankee doodle. after that, i discovered viruses and started to collect
and analyze them, being amazed at what they can do. i had already worked
in assembler on my previous computers, so i easily learned the
PC-specific things - from tech-help, but i also found many
incompatibilities in it... after that, i wrote some single-purpose
antiviruses, and, of course, started to work on a real antivirus.
he-he, i think viruses started with you and not you with them
well, that's what it may look like. i had heard about viruses before,
but could never get one. only when some virus got directly to me :-O
okay, from the very beginning on the good and right side ...
well, there are many losers on the av-side (i will not name them, but one
knows them all) who think they are the only good side, and virus
writers are the bad side which should be put in jail.
they simply do not THINK. usually, good virus writers are better than
many anti-virus writers. but there are too few good virus writers on
the scene, just as there are too few really good antivirus writers.
i don't like the words that many avers pronounce in hate, that every virus
writer is evil. some avers must say so because they can't say
anything different (due to their policy and marketing) but they think
differently - like i present it here. but many avers, usually the worse
ones, hate you, because there is too much work due to you..
they often forget they are making big money in many cases exactly due
to you...
you got the point, avers are making money off the scene, wanna support
our site with a bit of money?
:))) not at all.
noone wants to, of course, just because there are too many viruses every
day, and it costs lots of time and money to prepare scan-strings (and
optionally cleaning routines) for all of them; usually we are a bit late
to do so.
so we don't have any reason to support you.
let's be serious again. you were speaking of the av lamers. i agree there
are a lot of av pussies around who are dumb asses. any comments on the
datafellows story last week?
{put a link to the news here}
well, i would not like to use such strong words.
i can tell you a situation which is usual, and of course similar in
our company: the team of av programmers NEVER uses av programs.
at first they are too lazy, and they are also well trained to work
with viruses over the years. one can immediately notice nearly any
virus activity. for example i've seen several thousand viruses
(in a debugger, or in a disassembler).
but of course, we use real samples - for example we have several
tens of thousands of real infected programs to test our work. and sometimes
accidents also happen: for example i remember a case where one of the
programmers in our team accidentally ran one virus. he infected two
computers this way and part of our virus collection.
and back to datafellows: i can see two reasons - they tested it (i don't
think so), or someone like a secretary started this infection by running
vbscript in a mailer. you must understand this: in av companies not only
av programmers are working. it is weird if they used their own virus
protection on their exchange server; why it happened: it was either
disabled, or not fully functional. there are sometimes bugs in av
technologies as well - like the very common bugs in OLE2 scanners with
two-level fragmented macros.
you said you have been working with viruses for about 11 years. your
first avs were single purpose. what viruses did they detect/remove?
don't remember exactly... some trivial ones, boot, com/exe - those that
were hot. and a few years later i experienced the polymorphic ones as
well - with the world-famous MtE, of course... it is pretty old now, but
still one of the best
MtE was imho a big shock for the AV industry, i know there were companies
who were unable to reach 100% detection for a couple of months...
MtE was new and different. it was a real breakthrough that forced us
to change lots of our routines. there haven't been any similar
breakthroughs ever since as i remember (no virus that changed principles
and was followed by hundreds and thousands of others)
yes, good detection takes many months, even as it was pretty much discussed
on virus-l and others. everyone knows it, but many lame-like antiviruses
weren't able to write detection routines. it filtered out the really
bad antiviruses, or they had to adapt. it also caused a big
reconstruction of all antivirus engines to their present state.
and any other major changes since MtE? what about the number of
viruses?
revolutionary changes? not exactly. OLE2 is a big change, but it is a
completely different file target. it was also difficult because microsoft
has the usual reaction to publishing the ole2 structure: "you don't need to
know it (the ole2 document structure, or 'structured filesystem'), it is
our internal format, use the functions available in our libs" - but that is
of course not enough for scanning for macros.
also there were other viruses that changed things, but didn't become
trends - they can be detected by some other tricks so there is no need to
rewrite scanning engines completely again.
well, back to you. probably you joined some av company or maybe
you own one of them ...
:) ok, no comment about that. you can agree, i (and the av company i'm
from) wanted to stay anonymous. but yes, i work for an av company,
in some rather high job position but still in the av-coders team, of course.
i don't like managers :)
as an aver you have to know the news from the virus scene. how do you get
the news and the new viruses?
we, i think, are the best virus traders all around the world. if a new virus
appears in one av company, it can very soon reach the others. but: many guys
on the av scene (exactly the types i don't like) are egoists, etc, and they
don't want to trade with XY because of something in the past, and XY doesn't
talk with ZW because of ... etc, etc. but if some of them have something
interesting, something new, and another one has something good as well,
they can make an exchange business even if they hate each other. this way
viruses travel all around the world.
there are many viruses that exist only in those virus collections. many of
them never appear in real life :) it's a strange av-world of shadows,
hate and business.
this way we also have all virus zines, etc. and of course, we have access
to the virus-oriented BBSes (but they have disappeared already) and to the
internet sites. but there aren't many good virus-oriented sites on the
internet. the rare exception, and today's hottest, is, of course, yours.
today's trend in the AV world is the buy_them_all policy of some companies.
your opinion?
you are right. now i will name some, because all of it is known, so there
is nothing to hide. NAI (old McAfee), whose original scanner missed
the train to the future and wasn't able to follow the changes that
other antiviruses had to make, is now buying every good piece of code
because NAI wants to still be in the business. there's nothing but
money behind it. it's rather a pity, but true. same as microsoft -
money is power.
maybe once there'll be only one total antivirus (or speaking more generally
a protective system), and all the good programmers from the world who work
on their own avirs now will be programming that.
it is good and not at the same time: there is a monopoly and there might be
no progress due to it. but if many av programmers can join their experience
and work together, they can do another breakthrough on the antivirus side.
but the future waits for us, we'll see...
how is it to handle such a great number of viruses in a brief time?
what is your opinion on the term "glut" introduced by bontchev?
it is often too difficult. and it leads us to not do our work as well as
we can. there are too many viruses, many of them similar to one
another. we have a quite little team, and not enough time to check
them all. the usual situation is we get a package of new viruses, and there
is a need to process them: we run ours and other antiviruses to categorize
them. there are often viruses that we already have, or very many
damaged viruses, etc (like a virus that differs from the original (dos example)
only by an int3 immediately after the write command int21 - someone stupid
traced it and the debugger left a breakpoint there at the write command. it is
pure shit, but you have to scan for it). so briefly check what is
rubbish and what is not, and choose scan-strings for those that need to
be caught. and the work is done. there is not usually time for analysis;
we do it only for some important viruses. even for cleaning it is enough
to have a brief look at the virus - because most of them are very similar
little team? if i read the websites, there is always the number of
employees on it, and every company claims they have at least 40 or 50
of them, or NAI has hundreds of experts ....
they are kidding.
sure, there are many people employed, you need some secretaries,
some managers, some businessmen/resellers, etc, some supporting guys,
but real programmers, who do the real work - there are usually too few
of them.
moreover, you can't find let's say 40 people that really know their
job (av). i think there are about 15-25 in the whole world! the rest are
supporting programmers - they can do some easier disassemblies, some
cleaning routines, or pick scanstrings, if you teach them how to do it.
of course they need to know asm and system programming at a suitable level.
but real developers, there are usually few of them in the teams. they are
the heads of antivirus companies, in fact, but not being seen (in most cases).
too little a number of programmers, so why then not hire some vx-writers
to fill the vacancies?
it is not applicable.
at first, vx programmers are usually kids (or likely - studying at
high school or university), and when they get into real life, they
have no more time to write viruses.. they need to have real jobs.
moreover, it is not applicable to employ some vx-writer due to reputation.
if some other company hears about it, they'll immediately publish
it and destroy the company that employed such a programmer. that's the
regular business game so there is no way to employ some active or anyone
who was a vx-writer even if you know him and you can trust him
AV programmers must then be poor exhausted individuals with no time.
do they have any free time?
we are people too :) there is time to play quake or doom, time to go
for a drink, and of course lots of time for programming. but i think the
situation is similar as for other programmers: they usually live in
some different computer world of screen, keyboard, quake, junk-food,
pizza, and debuggers. you surely know
the most valuable thing on the AV side is the Virus Bulletin award. any
specialities bound up with deadlines?
well there is always a big plus when a company can issue a press release
with something like "hi customer, we are good, even virus bulletin was
forced to acknowledge it ..." as for programmers it means nothing but the
feeling you do your work well (plus bonuses), the sales department is
more ecstatic than we are. with deadlines it's always a problem - you can't
do the work you planned in time - you know murphy was imho too optimistic:
you can do the work you had to, but then it doesn't work okay, or it could
work okay but you never do it in time.
also, as i already mentioned, there is much shit in lots of virus
collections. well, VB is a rare exception where all samples are more or less
functional, but many av companies do not throw away those corrupted
files and judge antiviruses also on those non-functional samples.
because there is no way to test them all to see if they work; even more, a
virus might not be operational on your current PC any more... this selection
is very hard.
do you think you'll earn your money from viruses all your life long?
progress in computers is really fast. noone can say if viruses will be
here in 10 years. maybe in global cyberspace there will be such good
protection that no viruses or worms or whatever can live there, or we will
have neural systems, or...
have you read neuromancer? ;)
i also can't answer if we can stand the AV vs V competition within the next
few years. but i believe we can, we are i think one of the best....
and even more - maybe sometime we will all be in NAI... ;-)))
let's discuss the technology of the AV programs, can you give brief
characteristics of some products?
we watch the others too, that's right, but it is difficult to see inside
the other programs. i would not like to point out good or bad ones. it's
a kind of ethics and business.
so let's be more general, a kind of technological overview - technologies,
strong and weak spots
there are several groups, let's start with dos (com/exe/boot) - usually
regular scanstrings are used, which might be enhanced by crcs or so, with
specialized subroutines for non-trivial things (some hard poly, etc);
of course some kind of generic decryption engine or emulator is also
important.
for windows it is very similar, only the loaders are different, and there
are lots of problems with emulation as well.
finally ole2 - one needs to know the structure, then it is simple - most
of the macros are unencrypted, just simple scanstrings are enough.
... that's just briefly. but you told me already you'll also have
a dedicated article (or articles?) on these descriptions. don't know
about their quality, but to explain all the things there is not
enough space in one interview... but you can ask me some details, if
you want. (maybe i can/will answer, if it is not one of our secret
things ;)
to the tools, what kind of tools do you use, debug-progs etc?
the best i'm familiar with is turbo-debugger. it is not the best, but
i used it in the past as well as now. another coder in our team is for
example using afdpro :) (if you remember it)
of course, we have soft-ice and soft-ice/win for windows viruses. and we
use IDA (interactive disassembler) for analysis. i think it is the best one.
plus of course hiew for a brief look-around, and some of our secret tools as
well :))
now i'd like to put some personal questions:
favorite movie, music, film, computer game etc
i like starwars. it's the fundamental sci-fi movie. i like science fiction,
having hundreds of sci-fi books...
music: 80's, preferably, but not excluding house (right now i'm listening
to some Scooter), as well as beethoven. must be good.
and i'm not playing computer games. not enough time, usually. i've
frozen somewhere at quake time, now playing only networked quake to
relax :)
well thanx for your effort, it was nice to talk to you, and send us some
insider info we can make use of on the stock market :P
it was nice to talk with you too, i wish you success. well, it might be
some more work for us, however, it's always nice to see good work.
bye and keep not writing viruses :)
hehe i'll try it
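As an added example (not part of the interview, and not any vendor's engine), the Python sketch below shows the DOS-era detection scheme the interviewee outlines: a short scan string used as a fast filter, confirmed by a CRC over a longer window, with wildcard bytes so that the kind of "damaged sample" he mentions (a debugger-left INT3 right after the INT 21h write call) still matches the same signature instead of needing a second entry. All byte sequences, the host padding and the name Constructed.A are constructed for this illustration; they are not real virus code.

```python
"""Scan-string lookup plus CRC confirmation, with wildcard bytes.

Added illustration; the "virus body" bytes below are constructed for this
example and are not real malware. The name Constructed.A is invented.
"""
import zlib


class Signature:
    """A detection record: short scan string, verification window, expected CRC."""

    def __init__(self, name, scan_string, window, crc):
        self.name = name
        self.scan_string = scan_string  # bytes: fixed prefix, searched with bytes.find
        self.window = window            # list of int|None relative to the hit; None = wildcard
        self.crc = crc                  # CRC32 of the non-wildcard window bytes


def window_crc(data, off, window):
    """CRC32 over the non-wildcard positions of `window` placed at data[off]."""
    if off + len(window) > len(data):
        return None
    fixed = bytes(data[off + i] for i, b in enumerate(window) if b is not None)
    return zlib.crc32(fixed) & 0xFFFFFFFF


def make_signature(name, sample, scan_len, wildcards=()):
    """Derive a signature from a known sample.

    The first scan_len bytes become the scan string; the whole sample is the
    verification window, with the offsets in `wildcards` ignored by the CRC.
    """
    window = [None if i in wildcards else b for i, b in enumerate(sample)]
    return Signature(name, sample[:scan_len], window, window_crc(sample, 0, window))


def scan(data, signatures):
    """Return the name of the first signature whose scan string hits and whose
    CRC confirms, or None. A scan-string hit alone is not a detection."""
    for sig in signatures:
        start = 0
        while True:
            off = data.find(sig.scan_string, start)
            if off < 0:
                break
            if window_crc(data, off, sig.window) == sig.crc:
                return sig.name
            start = off + 1
    return None


# Constructed 17-byte "virus body": mov ah,40h / mov cx,3 / mov dx,100h /
# int 21h / jc +5 / mov ax,4C00h / int 21h
ORIGINAL = bytes.fromhex("b440b90300ba0001cd217205b8004ccd21")
# Same body with a debugger breakpoint (INT3 = CCh) left over the byte right
# after the INT 21h write call, as in the damaged-sample anecdote.
DAMAGED = ORIGINAL[:10] + b"\xcc" + ORIGINAL[11:]
# An innocent routine sharing the first 10 bytes (write 3 bytes, then ret):
# the scan string hits here, but the CRC must reject it.
CLEAN = bytes.fromhex("b440b90300ba0001cd21c3909090909090")


def host(body):
    """Wrap a body in constructed padding so the hit is not at offset 0."""
    return b"MZ" + b"\x90" * 40 + body + b"\x00" * 16


EXACT = make_signature("Constructed.A", ORIGINAL, scan_len=6)
WILDCARDED = make_signature("Constructed.A", ORIGINAL, scan_len=6, wildcards=(10,))

if __name__ == "__main__":
    print(scan(host(ORIGINAL), [EXACT]))      # Constructed.A
    print(scan(host(DAMAGED), [EXACT]))       # None: one byte off, exact CRC fails
    print(scan(host(DAMAGED), [WILDCARDED]))  # Constructed.A: wildcard covers the INT3
    print(scan(host(CLEAN), [WILDCARDED]))    # None: scan string hit, CRC rejected
```

The scan string is deliberately short so a simple substring search can run over a whole file quickly; the CRC over the longer window is what turns a hit into a detection and is what keeps the innocent routine above from being flagged. Wildcarding a single offset is the cheap way to absorb the one-byte breakpoint damage; a real engine would also need the generic decryption or emulation layer the interviewee mentions for polymorphic bodies, which this sketch does not cover.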