I first started fighting computer malware back in 1987. Back then, it was a lot easier. We didn’t have the Internet (in widespread use). Viruses and Trojans were limited to an even dozen on the PC DOS platform, with four times that on the Mac and other nubile personal computer platforms.
I read Ross Greenberg’s book on Flushot over and over and talked to many anti-virus leaders and coders, including John McAfee, on a fairly regular basis. We even had an early version of the Internet using BBSes (bulletin board systems) and store-and-forward e-mail lists on the FIDONet. We couldn’t believe how our e-mails went around the world — in less than a day! It was pretty heady stuff.
I learned assembly language from Peter Norton’s programming guides to learn how to disassemble viruses, which were sent to me to analyze and write up. I was 19, sopping up knowledge like a new sponge, and looking for a place where I could learn more. That place ended being the PC Antivirus Research Foundation. One of its leaders, Paul Ferguson, seemed piped into an inside channel. He never seemed to sleep — the type of guy who always responded to a 3 a.m. e-mail so fast that you knew he was awake, too.
He got the viruses from around the world first and assigned nightly disassembly duties. We worked together for many years until the rush of viruses (now coming in at dozens per week instead of one or two a day) overwhelmed our serious hobby. But I never forgot how he took me under his wing and challenged me to do better. A decade later, I dedicated one of my first books on computer security to him.
Imagine my surprise when I ran into him on a private anti-malware mailing list this year. The other members rallied to defeat my nomination for group membership because I was a journalist and the group’s discussions should never be discussed publicly. Paul Ferguson vouched for me.
Since then, I’ve been privy to a very active group of anti-malware fighters, made up of law enforcement, ISPs, researchers, and anti-malware companies. When something malicious is pushed to the Internet, the reports, samples, and full details are available within the hour.
I’ve found my FIDONet again. Paul has been a fixture in the malware the whole time, and I decided to conduct a short interview.
IW: Paul do you still work all those hours?
Paul: Yes, I still probably work 80-100 hours a week.
IW: Are you married or do you have kids?
Paul: Last child is in college, so now all I have are the dogs.
IW: Paul, what is your official title these days?
Paul: I’m a senior threat researcher for TrendMicro. After our early anti-virus days, I went big into networking. I worked for Cisco, flying around the world. I filled up two passports working with large telecoms on large-scale routing. But no matter what my day job was, my heart was always in anti-malware, so I’ve been back full-time in the industry for a while.
IW: What is your primary job?
Paul: I do a lot of work in malware data collaboration, tracking and linking historical data points for anti-malware analysis, but my primary goal is cybercrime investigations. I like trying to find the bastards behind this stuff and throw them into jail. Some people call them virus writers or miscreants. I call them what they are — criminals!
IW: Explain a bit more about the data collaboration.
Paul: The sheer volume of malware is incredible. The real challenges is in collecting the data from as many points as you can and putting together facts in such a way that law enforcement sees them immediately as usable evidence. The better job we can do collecting and normalizing the data up front, the easier it is to help law enforcement to get subpoenas and arrest warrants.
IW: Is the malware world made up a few large organizations, like the Russian Business Network (RBN) and Rockphish, or is it every man for himself?
Paul: It’s both, and it depends on the motivation. In Russia, Ukraine, and Eastern Europe, it’s run by a few large organizations, even if they are pretending to be many small groups. That’s part of my job. By correlating the data, we can identify the players by their data fingerprints. They tend to stick to a few tried and true techniques. Their bots and worms are similar. What they do is similar. They often come from the same IP addresses and hosts and use the same DNS services.
But even the big groups have a bunch of freelance, low-level operators answering ads for specific skill sets, doing the coding, collecting their money, and then going on their way to the next big group. I’ve tracked them down to who they really are — I know their names, what they look like, where they live — but they aren’t the guys who are really pulling the strings.
IW: Do you know any of the big guys’ names?
Paul: Not really. We have lots of strong, reliable information, but not what I consider factual information we can present to law enforcement. The problem is that many of these guys, like Flyman, the code name for the leader of the Russian Business Network, uses the policy holes in the system to operate out in the open.
They operate freely in Russia, and we aren’t going to touch him there. But worse than that, they [large cybercrime organizations] are working out in the open here, in the United States. They have co-located computers and lots of bandwidth.
IW: What about China?
Paul: That’s a good question. Chinese hackers aren’t doing the same thing as the Eastern Europeans and Russia. China is composed of hundreds of thousands of small hacking groups. They aren’t pushing huge botnets, bank-stealing Trojans, and child pornography like the other guys. China is more hackivist, more of a social thing. Sure, there are some professional criminal groups involved with corporate espionage and certainly some state sponsored hacking against other governments, but it isn’t the same thing.
Of course with China you have to be worried about the fake Cisco routers and things like that. But a lot of the criminal hacking that comes out of China isn’t done by the Chinese. It’s done by other countries, like Russia. That’s part of the value that we’re seeing from the digital fingerprints I was talking about before. China has millions of unpatched PCs, and the world takes advantage of that to set up base and to attack other countries with impunity.
IW: What are you trying to do to defeat cybercrime?
Paul: I’m continuing the work on building huge anti-malware data correlation systems. Correlating historical data points with IP addresses and domain names, and building relationships with law enforcement, ISPs, registars, everyone possible. I’m on five private operational lists for real-time information trying to make sure the right people are in the loop. Malware isn’t going away. It’s too profitable, and there isn’t a single magic solution.
There is no single hammer. Even if we perfect international law enforcement of cybercrime, it won’t stop it. Even if the ICANN brings the registars under control it won’t stop it. No single entity can do it alone. It will take us all, working together in concert, to stop malware. We are all stakeholders, and we all need to come together. I’m working hard to do my part.
IW: That’s the Paul I’ve always known. Continue fighting the good fight!