*-zine (Asterix) [2]
December 1999
We are glad to present something really unusual - interview with a man from antivirus company who agreed to have a talk (many of them didn't) about viruses, life, universe and everything. But we agreed about his anonymity and we will respect it, of course. This interview is really good experience, so don't wait and go ahead!
hello, we are glad you said yes to our request for interview
sure, no prob, but i want to stay unknown - you surelly can guess the reasons why :) it is not usual one from antivirus side giving interview to other side
what is the reason you said yes? usually avers ignore our requests or say no
we have of course access to nearly all zines released on v-scene, because one have to watch for them - to keep track of new technologies and of course i've also seen your previous issue, that was pretty long time ago, and it was rather good. you are taking your job quite professionally
how long are you in the biz?
i started with viruses, let me think, some 11 years ago. my first XT played sometimes, usualy at 5 o'clock some mellody. of course, it was yankee doodle. after that, i discovered viruses and started to colect and analyze them, being amazed what they can do. i worked already in assembler on my previous computers, so i easily learned PC specific things - from tech-help, but i also found many incompatibilities in it... after that, i wrote some single-purpose antiviruses, and, of course, started to work on a real antivirus.
he-he, i think viruses started with you and not you with them
well, that's what it may look like. i've heard about viruses also before, but never could get one. only when some virus got directly to me :-O
okay, from the very beginning on the good and right side ...
well, there are many losers on av-side (i will not name them, but one knows them all) that think they are the only good side, and virus writers are the bad side which should be put into jail. they simply do not THINK. usually, good virus writers are better than many anti-virus writers. but there are too few good virus writers on the scene as well as there are too few really good antivirus writers. i don't like words that many avers pronounce in hate about every virus writer is an evil. some avers must say so because they can't say anything different (due to their policy and marketing) but they think differently - like I present it here but many avers, usualy the worse ones, hate you. because there is too much of work due to you.. they often forget they are making big money in many cases exactly due to you...
your got the point, averz are making money of the scene, wanna support our site with a bit of money?
:))) not at all.
noone wants, of course, just because there are too many viruses every day, and it costs lots of time and money to prepare scan-strings (and optionally cleaning routines) for all of them usualy we are a bit late to do so.
so we don't have any reason to support you.
let's be serious again. you were speaking of the av lamers. i agree there is a lot of av pussies around who are dumb asses. Any comments to the datafellows story last week?
{put a link to the news here}
well, i would not like to use such strong words.
i can tell you a situation which is usual, and of course similar is in our company: team of av programmers NEVER uses av programs. :at first they are too lazy, and they are also a well trained to work with viruses during the years. one can immediately notice nearly any virus activity. for example i've seen several thousands of viruses (in debugger, or in disassm) but of course, we use real samples - for example we have several ten-thousands of real infected programs to test our work. and sometimes accidents also happen: for example i remember a case one of programmers in our team accidentaly ran one virus. and he infected two computers this way and part of our virus collection.
and back to datafellows: i can see two reasons - they tested it (i don't think so), or someone like a secretary started this infection by running vbscript in mailer. you must understand this: in av companies not only av programmers are working. it is weird if they used their own virus protection on their exchange server why it happened: it was either disabled, or not fully functional. there are sometimes bugs in av technologies as well - like very common were bugs in OLE2 scanners with two-level fragmented macros.
you said you are about 11 years working with viruses. your first av were single purpose. What viruses the detected-removed?
don't remember exactly... some trivial ones, boot, com/exe - those what was hot. and a few years later i experienced the polymorphic as well - with world famouse MtE, of course... it is pretty old now, but still one of the best
MtE was imho big shock for AV industry, i know there were companies who were unable to reach 100% detection for couple of months...
MtE was new and different. it was real breaktrough that forced us to change lots of our routines. there weren't any similar breakthroughs ever since as i remember (no virus that changed principles and was followed by hundreds and thousands of others)
yes, good detection takes many months, even as it was pretty discussed on virus-l and others. everyone knows it, but many lame-like antiviruses weren't able to write detection routines. it filtered out the really bad antiviruses, or they have to adapt. it also causes a big reconstruction of all antivirus engines to nowadays state.
and any other major changes since the MtE? what about the number of viruses?
revolutionary changes? not exactly. OLE2 is a big change, but it is completely different filetarget. it was also difficult because microsoft has usual reaction for publishing ole2 structure: "you don't need to know it (ole2 document structure, or 'structured filesystem'), it is our internal format, use function available in our libs" - but it is of course not enough for scanning for macros.
also there were other viruses that changed the things, but didn't become trends - they can be detected by some other tricks so no need to rewrite scanning engines again completely.
well back to you. probably you joinned to some Av company or maybe you own one of them ...
:) ok, no comment about that. you can agree, i (and av company i'm from) wanted to stay anonymous. but yes, i work for a av company, on some rather high job position but sill in av-coders team, of course. i don't like managers :)
as aver you have to know the news from the virus scene. how you get on the news and new the viruses?
we, i think, are best virus traders all around the world. if a new virus appear in one av company, it can very soon reach others. but: many guys on av scene (exactly the types i don't like) are egoistics, etc and they don't want to trated with XY because of something in a past, and XY don't talk with ZW because of ... etc, etc. but if some of them have something interesting, something new, and another one has something good as well, they can make an xchange bussiness even if they hate each other. this way viruses travel all around the world.
there are many viruses that are only in those virus collections. many of them never appear in real life :) its a strange av-world of shadows, hate and bussiness.
this way we also have all virus zines, etc. and of course, we have access to the virus-oriented BBS' (but they disappeared already) and to the internet sites. but there aren't many good virus-oriented sites on the internet. the rare exception, and today's hottest is, of course, yours.
today's trend in AV world is the buy_them_all policy of some companies. Your opinion?
you are right. now i will name some, because all it is known, so there is nothing to hide. NAI (old McAffee) whose original scanner missed the train to the future and wasn't able to follow the changes that other antiviruses had to do, is now buying every good piece of code because NAI wants to be still in the bussiness. there's nothing just a money behind it. its rather pitty, but true. same as microsoft - Money is power.
maybe once there'll be only one total antivirus (or speaking more general a protective system), and all good programmers from the world who work on their own avirs now will be programming that.
it is good and not at the same: there is a monoppoly and might be no progress due to it. but if many av programmers can join their experiences and work together, they can do another breakthrough on the antivirus side. but the future waits for us, we'll see...
how is it to handle such a great number of viruses in a brief time. What is your opinion to the term "glut" introduced by bontchev?
it is often too difficult. and leads us not to do our work as good as we can. there are too many viruses, many of them are similar ones to another. we have a quite little team, and not enough time to check them all. usual situation is we get a package of new viruses, and there is need to process them: we run ours and other antiviruses to categorize them. there are offen viruses that we already have, or very much of damaged viruses, etc (like virus that differs from original (dos example) only by int3 immediately after writting command int21 - someone stupid traced it and debuger left there breakpoint at write command. it is pure shit, but you have to scan for it. so briefly check what is rubbish and what is not, and choose scan-strings for those needed to be caught. and the work is done. there is not usualy time for analyzis we do it only for some important viruses. even for cleaning it is enough to have a brief look on the virus - because most of them are very simmilar
little team? if i read the websites, there is always number of the employees on it, and every company claims they have at least 40 or 50 of them or NAI has hundreds of experts ....
they are kidding.
sure, there are many people employed, you need some secretaries, some managers, some bussinessmans/reseller, etc, some supporting guys but real programmers, that do real work - there are usualy too few of them.
moreover, you can't find let's say 40 people that really know their job (av). i think there are about 15-25 on the whole world! the rest are supporting programmers - they can do some easier disassemblies, some cleaning routines, or pick scanstrings, if you teach them how to do it. of course they need to know asm and system programming at suitable level. but real developers, there are usualy few of them in the teams. they are head of antivirus companies, in fact but not beeing seen (in most cases).
too little number of programmers, so why then not to hire some vx-writers to fill the vacancies?
it is not applicable
at first, vx programmers are usualy kids (or likely - studying on the highschool or university), and when they get into the real life, they have no more time to write viruses.. they need to have real jobs. moreover, it is not applicable to employ some vx-writer due to reputation. if some other company hears about it, they'll immediately publish it and destroy the company that employed such a programmer. thats the regular bussiness game so there is no way to employ some active or oneone who was a vx-writer even if you know him and you can trust him
AV programmers must be then poor exhausted individuals with no time. do they have a free time?
we are people too :) there is time to play quake or doom, time to go for a drink, and of course lots of time for programming. but i think situation is similar as for others programmers: they usualy live in some different computer world of screen, keyboard, quake, junk-food, pizza, and debugers. you surely know
most valuable in the AV side is the Virus Bulletin award. any specialities bound with deadlines?
well there is always big plus when a company can issue a press release with something like "hi customer, we are good, even virus bulletin was forced to acknowledge it ..." as for programmers it means nothing but feeling you do your work well (plus bonuses), the sales department is more extatic than we are. with deadlines it's always a problem - you can't do the work you planned in time - you know murphy was imho too optimistic you can do the work you had to but then it doesn't work okay or it could work okay but you never to it in time.
also, as i already mentioned, there are many shits in lots of virus collections. well, VB is rare exception where all samples are more-less functional, but many av companies do not throw away those corrupted files and judges antiviruses also on those non-functional samples. because there is no way to test them all if they work, even more, virus might not be operational on your current PC any more... this selection is very hard.
do you thing you'll earn your money from viruses all the live long?
progress in computers is really fast. noone can say if viruses will be here in 10 years. may be in global cyberspace will be as good protection as no viruses or worms ar whatever can live there, or we will have neural systems, or...
have you read neuromancer? ;)
i also can't asnwer if we can stand the AV vs V competition within next few years. but i believe we can, we are i think one of the best.... and even more - may be sometime all we will be in NAI... ;-)))
let's discuss the techonoly of the AV programs, can you give brief chacteristics of some products?
we watch also for others, that's right, but it is difficult to see inside the other programs. i would like not to point out good or bad ones. its kind of ethics and bussiness.
so let's be more general, kind of technological overview - technologies, strong and weak spots
there are several groups, lets start with dos (com/exe/boot) - usualy regular scanstrings are used, might be enhanced by crcs or so, with a specialized subroutines for non-trivial things (some hard poly, etc), of course some kind of generic decryption engine or emuler is also important.
for windows it is very simmilar, only loaders are different, and there are lotsa problems with emulation as well.
finally ole2 - one needs to know structure, then it is simple - most of macros are unencrypted, just a simple scanstrings are enough.
... that's just briefly. but you told me already you'll have also a dedicated article (or articles?) to these descriptions. don't know about their quality, but to explain all the things there is not enought space in one interview... but you can ask me some details, if you want. (may be i can/will answer, if it is not one of our secret things ;)
to the tool, what kind of tools you use debug-progs etc?
the best i'm familliar with is turbo-debugger. it is not the best, but i used it in a past and as well as now. another coder in our team is for example using afdpro :) (if you remember it)
of course, we have soft-ice and soft-ice/win for windows viruses. and we uses IDA (interactive disassembler) for analyzis. i think it is best one. plus of course hiew for brief look-around, and some our secret tools as well :))
now i'd like to put some personal question favorite movie, music, film, computer came etc
i like starwars. its fundamental sci-fi movie. i like science fiction, having hundreds of sci-fi books...
music: 80's, preferably, but not excluding house (right now i'm listening some Scooter's), as well as beethoven. must be good.
and i'm not playing a computer games. not enought time, usualy. i've freezed somewhere at quake time, now playing only to relax a networked quake :)
well thanx for your effort, was nice to talk you and send us some insider info we can do use of on the stock market :P
was nice to talk with you too, wish you will success. well, it might be a some more work for us, however, its always nice to see a good work. bye and keep not writing viruses :)
hehe i'll try it
[Back to index] [Comments (0)]