Paperghost’s interview on MalwareDiaries
I was first introduced to Chris Boyd by my friend and colleague Jean-Philippe. I couldn’t quite figure out why he was bursting out laughing all by himself, staring at his screen. But then again, I did not know the nature of the man, Paperghost!
I followed (like many others) his gruelling takedowns of online scumbags (that’s the kind of word you’d get to know very well) and other exploits. I could not believe that one guy would have the guts and the power to bring justice to this otherwise really cruel world.
We have a saying in French (‘n’avoir pas froid aux yeux’) which literally means ‘to not have cold eyes’. Have I lost you? Well, just know that this man has no fear in his battle against either your stupid neighbour or powerful giants such as Zango.
If you’ve never heard of Chris Boyd, AKA Paperghost, here is your chance to get a glimpse of what he is all about…
Ladies and gentlemen, please welcome Paperghost!
—
Name: Chris Boyd
Site: blog.spywareguide.com / vitalsecurity.org
Location: US / UK / India
Company: FaceTime Security Labs, FaceTime Communications
Tell us a bit about your background and what you currently do?
Hey! Thanks for letting me ramble. I’m Chris Boyd, Director of Research for FaceTime Security Labs and five time Microsoft MVP (is it just me that says “Five time” and thinks of Booker T?).
In a previous life I did a Fine Art degree, painted a lot of bad pictures and made a lot more bad films. I also dabbled with music a bit and did some acting with a theatre group (mostly random things and a little Shakespeare – nobody says “And hold their manhoods cheap” better than I do) – and somehow I ended up in security. I did intend to eventually draw comics, but there you go.
Nowadays, my primary duties are uncovering new and (hopefully) interesting types of scam, ad/spy/malware and anything else that stinks of dubiousness, then putting it on the blogs. Behind the scenes, I work with a bunch of people spread out across the globe including India, California and West Virginia. I love that the research team is in WV. They let me play with guns. Magnums, AK-47s, a bunch of sniper rifles – it’s freaking awesome.
Why did you decide to become a security researcher?
It’s too long a story, but in a nutshell – something extremely horrible happened to a good friend of mine due to something on her PC. The person who put it there would have had no idea at all how much of an impact on her life he / she had, which is unfortunate. That got me thinking about security, and got me thinking that I’d like to inflict a little bit of misery onto some of the unthinking, the careless and the clueless out there. We can dance around it all we want, but some words from a random book review I saw once says it all:
“In a present day society where the victimization of innocent people has seemingly reached a point of saturation, there is something undeniably attractive and compelling about seeing bad people come to equally bad endings.”
We love to do to them what they do to us. And we love to read about it on blogs. A side effect of that is that more often than not you end up in a big yelling match with the people you write about – and we especially love to see that. It’s an infosec car crash every day of the year!
What is your typical day like as a security researcher?
Oh man, typical day – I’m not sure there is one. It’s all a bit random and depends what I happen to be looking into at the time. I might start working on something at 5AM, work straight through for 8 hours then go for a four mile run and shoot zombies in the face on the xbox. Or there might be a day where I know someone is going to post a blink-and-you’ll-miss-it link to something baaaaad on a site at a certain time, and then you get into surreal “digital stakeouts” minus the donuts and witty banter with a sidekick who may or may not get himself killed in the pilot episode.
Aside from that, there’s the press requests that are always fun to do and the occasional conference talk or smaller event that pops up. And the good old “examine this file for nine hours because you’re convinced it’s the next big thing, only to find it’s 12 months old and does nothing interesting” scenarios that I’m sure every researcher has their fill of. I’m also thoroughly sick of saying “Twitter”. You know you are too.
But yeah, mostly just random. At any given time every security researcher is scrabbling round looking for something new or interesting and leaping from site to site trying to get a lock on whatever hot new idea the latest scumbag has come up with. When you’re constantly reacting to things other people are doing, it’s impossible to come up with a structured gameplan so I don’t even try. Stream of consciousness is where it’s at!
On average, how many malware samples do you come across on a daily basis?
That’s one of those “piece of string, meet length” questions! We have a lot of honeypots scattered across the globe, along with a couple of automated processes but like everybody, the drawback of automated jiggery pokery is that by and large
1) someone still has to go in, pull the file out of the vat and physically PLAY with the thing, to see if it does something of note. I’m reminded of the Safety Browser worm – that itself was a rather old worm that a lot of people probably saw and thought meh, not interesting, so what?
But then I had the urge to pluck it out, fiddle with it and sure enough – someone had tweaked it ever so slightly that it dropped an incredibly awful web browser on your system that played a horrendous guitar solo loop on your desktop every ten seconds.
If I hadn’t gone in and gimped around, we’d probably still be none the wiser. There’s gold in them thar hills – it’s just incredibly small and poorly coded.
2) Half the stuff in there is always never going to be as interesting as the things you see “pounding the beat” – that is, wandering through the leet hax neighbourhoods and SEEING people talking about their hot off the press creations, or knowing some of the drop off points where bad guys *think* they’re storing their files away from prying eyes – hahaha – or just witnessing something random and insane happen a million miles away from the security space. This Batman story kicked off because I was looking for information on a zombie comic on an infotainment portal.
I love how that works.
How do you deal with the ever increasing number of malware threats in the wild?
Well, I don’t think anyone does anymore – not really. We’re all just Gandalf on that bridge yelling “You shall not pass” in an increasingly hammy fashion while in reality the orcs have not only passed, they’ve cut off Bilbo’s legs and fed them to Sam.
Having said that, my primary area of interest has always been taking the time to learn about the people behind the file, find out the details of the scam and apply pressure in other places to see if I can cut them down in a different way. It might be attacking the revenue stream (Wayne Porter rocks), or a bit of shame and embarrassment on the blogs. It could be a surprise knock-knock at 4AM from big guys with buzzing nightsticks or a game of “chase the idiot” on a bunch of 2.0 websites. So maybe I’m not the best placed person to answer that one. The idiot chases are fun, though.
What is your environment like (number of machines, OS, VMs, bandwidth etc.)?
Well, I have a bunch of machines here ranging from a Dell Inspiron to a juggernaut that was shipped 5,000 miles across the Atlantic and was the machine I made most of my discoveries on. It all went a bit pear shaped when it caught fire and partially melted / exploded – most of my boxes do that – but I can still switch it on and use it as long as I keep the windows open should I need a quick exit.
My workspace is hidden away in a converted attic with a nice view of trees and other green things out the window. To the left of the main PC is this lot, and I usually have one or two consoles switched on. The benefit of this is I do a fair bit of console related security testing, and it’s cheaper than heating with gas. That xbox will melt a hole in the floor someday.
What do you think is going to be the next ‘big’ threat?
I wanted it to be something you see on your screen and after seven days you drop down dead but someone already did Lemonparty so that’s a no go. I honestly have no idea – it used to be everyone would do the “Top Ten Threats for next year” thing but that’s kind of dying off a little bit now as the NEXT BIG THING seems to roll by on a weekly basis, never mind coming up with random predictions for months and months down the line. I think it’s way beyond the stage where you’re now too busy just coping with the piles of crud hitting you from all sides 24/7 to whip out the Nostradamus cloak and talk about aliens or whatever.
That was a terrible film, by the way.
What is your involvement in the security community?
Well, I know most of the people who work on the forums, or do indie research or work for the various companies but having said that there’s still a boatload of people I have yet to interact with. Twitter – urgh, there’s that word again – introduced me to many, many cool security people I’d never have otherwise bumped into. So thanks for that, Twi – no, it’s no good. I can’t say it again.
What is the achievement you are the most proud of (professionally)?
Making a film called Gun Dude, about a guy who killed a whole lot of people with his guns (I don’t think you need spoiler tags for that). Wait, security related? Oh, okay. One of these:
1) applying so much pressure to a company distributing a rogue web browser involving illegal porn that they emailed me to say they “went bust” and the whole shady operation fell into a dark, dank pit. That was a feelgood factor nine.
2) The Batman / Zango thing. I’ve had “bigger” Zango stories, but that one crossed across security sites, gaming sites and comics sites and was an interesting example of spreading a security warning outside of our little community. Plus I loved that piecing together all the clues to the scam was in itself a bit Batman-ish. I didn’t get to punch anyone though.
3) Having some (small) role in helping Julie Amero to clear her name. When I finally got to meet both Julie and her husband, it was an extremely humbling moment and she was so happy to see everyone that had supported her. I did get to yell at a journalist who wrote bile about her on his blog till he pulled the whole thing offline which was pretty humorous too.
Anything else you would like to add?
Yes, the bonus runner up addition to the list above which would be the point where I annoyed an adware company so much they broke their brain and ranted about me on their blog. To exasperate people and companies that behave in a certain way to the point where they COMPLETELY FREAK OUT about you should be the goal of every security researcher. I have that printed out and it takes pride of place above the TFT as a reminder of why I do this.
Also, hahaha.
—
Wow, that was intense. I want more! lol
Thanks again for sharing this Paperghost!
Jerome Segura