Roman Kovac, ESET Chief Research Officer
What are ‘fully undetectable’ or FUD crypting services?
People are selling FUD services to create variations of malware, so that it's not detectable by security companies. It's not easy for the bad guys to do this, but they do have one advantage – they actually know our software. They can get our software, or that of other security companies, and modify malware until it's undetectable.
But security products have layers of protection, not only one layer of detection. So if they test the malware locally it may not be detected. But if they send it out we may detect it in between or with some other method.
What is one ESET product feature that you’re especially proud of?
If I have to pick one I’d say network detections. This kind of protection is not detection on the file level, but it looks at the traffic coming to or going out of a user’s PC. So that adds another layer of security.
So, for example, attackers use FUD crypting services to obfuscate malware. And let’s say our product doesn’t detect it. The malware runs on the PC but it needs to communicate to a server. Network detection can detect this traffic and cut the connection.
This makes the malware unable to function. It is an important feature because you can obfuscate malware, but it’s more difficult to change server communications.
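The layered behaviour described above, as an added example that is not ESET's code: a file-level layer that knows one sample by hash, and a network-level layer that matches the beacon the malware sends to its server. The hashes, beacon path and user agent are all constructed for this example; re-crypting the binary changes the first but not the other two.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    """One outbound HTTP request, as a network sensor on the PC would see it."""
    file_sha256: str    # hash of the process image that opened the connection
    request_line: str   # first line of the HTTP request
    user_agent: str

# Layer 1, file level: hashes of samples already known. Only the original
# sample is listed; its crypted variants have different hashes.
KNOWN_BAD_HASHES = {"a1" * 32}   # constructed hash of the original sample

# Layer 2, network level: the beacon the malware sends to its server.
# Both patterns are constructed for this example. They describe the traffic,
# not the file, so re-crypting the binary does not change them.
BEACON_PATH = re.compile(r"^GET /checkin\?bot=[0-9a-f]{16}&v=\d+ HTTP/1\.[01]$")
BEACON_UA = "Updater/1.0 (compatible; Win32)"

def file_layer_hit(flow: Flow) -> bool:
    return flow.file_sha256 in KNOWN_BAD_HASHES

def network_layer_hit(flow: Flow) -> bool:
    return bool(BEACON_PATH.match(flow.request_line)) and flow.user_agent == BEACON_UA

def verdict(flow: Flow) -> str:
    """'cut' means the connection is dropped before the malware reaches its server."""
    if file_layer_hit(flow):
        return "cut:file"
    if network_layer_hit(flow):
        return "cut:network"
    return "allow"

# Constructed sample traffic: the original sample, two FUD-crypted variants
# (new hashes, same beacon) and a normal browser request.
SAMPLE_FLOWS = [
    Flow("a1" * 32, "GET /checkin?bot=0123456789abcdef&v=3 HTTP/1.1", BEACON_UA),
    Flow("b2" * 32, "GET /checkin?bot=0123456789abcdef&v=3 HTTP/1.1", BEACON_UA),
    Flow("c3" * 32, "GET /checkin?bot=fedcba9876543210&v=4 HTTP/1.0", BEACON_UA),
    Flow("d4" * 32, "GET /index.html HTTP/1.1", "Mozilla/5.0 (Windows NT 10.0)"),
]

def evaluate(flows=SAMPLE_FLOWS) -> list:
    """Verdict per flow; only the first flow is caught at the file level."""
    return [verdict(f) for f in flows]

if __name__ == "__main__":
    for flow, v in zip(SAMPLE_FLOWS, evaluate()):
        print(flow.file_sha256[:8], v)
```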
How worried should people be about drive-by malware?
With education we can prevent people from clicking on suspicious websites. But with drive-by malware you just go to the website and the infection happens automatically. Maybe because you have a vulnerable Flash player and the site contains infected Flash files. What you have to do as a user is to keep your system up to date, as well as all the software and services you’re using. And ideally to have a good security product in place.
What worries you the most right now as a security researcher?
In 2017 we saw a lot of supply chain attacks, where attackers target the most vulnerable element in an organization’s supply network. One of them, for example, was the Petya ransomware.
What was interesting about the attack wasn’t the malware, but how the attack was performed. The attackers breached a company that was creating software for tax accountants. Then they planted a backdoor malware into this software.
Companies that used this software received the malware in an update. This is tricky because on one side security experts say you need to update software. And on the other side it’s the update that injects malware into your organization.
But I'm not saying it's easy to do supply chain attacks. They don't just replace some version of the software on their victims' servers. They plant themselves into the building process. There are ways to protect organizations, like network segmentation and admin accounts. But there's no simple solution because organizations need to trust their suppliers.
What is something that people commonly do on their PCs that they shouldn’t be doing?
Using an account with admin privileges. I'm not using an admin account on my computer because I don't need it for normal work. So if something happens, at least it's not getting admin privileges. I only use an admin account when I want to install something. It's much more secure.
By Alvin Soon. Photography: Orland Punzalan.