Archive for the ‘Interviews’ Category

Jerome’s Interview on Malware Diaries

August 31st, 2009

Well, I don’t know if this is a bit odd but I thought I’d take the interview myself! ;-)

Tough questions! lol Not really, but the point is to find out a little more about the person… So here it is:

Name: Jerome Segura
Site/blog: MalwareDiaries
Location: Canada
Organisation: Paretologic

Tell us a bit about your background and what you currently do?
I’m a Security Researcher at Paretologic and also lead of our SWAT team.
My duties include malware research, building automated processes, releasing DataBase updates for our security products, blogging etc.

Why did you decide to become a security researcher?
It was not exactly what I had meant to be. I graduated in 2003 with a Masters in Information Systems at the ‘Ecole Superieure des Affaires’ (France). This degree in itself can open many doors to all sorts of jobs.
However my first move was to set sail for Canada where I spent my first couple of years doing a lot of resting (sleeping in hammocks and pondering about life).
I finally started at Paretologic in Nov. 2005 as a Tech Support guy through a connection with my cousin-in-law.
Very soon I realized how much I like that stuff. There is so much to learn and it’s so fascinating!

What is your typical day like as a security researcher?
There is not really a typical day. This is part of what I like about the job… you never really know what’s going to happen.
The first thing I do in the morning is to say “hi!” to my teammates, check our Dashboard to get a quick idea of where we’re at, how the automation is doing…

Then I check the emails, Twitter, blogs etc…
The rest of the day is composed of researching / analyzing malware, blogging, twittering… the occasional meeting and the very passionate foosball games that prep me for the weekly rendez-vous at the local billiards / foose bar.
Anyway, in this job, things never stop; the bad guys don’t take the weekend off lol!
It would be very easy to be working 24/7 but eventually your mental sanity would be at risk. Not to mention family life and the like…
Maintaining the right balance isn’t always easy. It’s not your typical 9 to 5… I tend to spend extra hours investigating things and I’m fine with that, it’s not just a job to earn a living, it’s a passion also.

On average, how many malware samples do you come across on a daily basis?
Tough to say… Why did I ask that question? lol
The machines take care of the bulk… I manually check those samples that are worthy of in-depth analysis.

How do you deal with the ever increasing number of malware threats in the wild?
Automation helps a lot. I feel bad for those machines… they get pwned 24/7.

What is your environment like (number of machines, OS, VMs, bandwidth etc.)?
Some of it is kind of confidential but we run a mixture of real machines, VMs and use mainly Ubuntu for Linux development but of course Windows for all the malware stuff. We devised some clever processes that make real machine analysis seamless.
Some privacy screens here and there for the occasional disgusting porn pop-ups which have earned us reputations. Believe me, the kind of porn a malware researcher is subjected to has nothing to be envious of.

What do you think is going to be the next ‘big’ threat?
Anything related to social networking sites. Propagation is easy and fast, there are millions of potential victims… it sounds just too good for a bad guy.

What is your involvement in the security community?
I like to contribute my two cents and promote safe (computing) practices. I have a lot of respect for some of the security folks out there.
I reckon one of my strengths is in researching more so than analysing malware (I admire those who can reverse engineer like it’s nothing). I like finding the stuff by any means at my reach. I believe information is the key. Technology is nice and all, but data represents the actual value.

What is the achievement you are the most proud of (professionally)?
I’d like to say setting up a HoneyPot. It started as a small project with little knowledge about it all. It grew into something powerful that is giving us extremely valuable information about new malware threats.

Anything else you would like to add?
I believe there should be a license for using the Internet (just like a driver’s license). It’s rather foolish to give anyone access to something that could turn against them or other people.
People are the weakest link… no matter what software you run. As my friend JP would say, “Patch the end-user”.
If you were confronted with the daily malware nasties we see, there is a high chance you’d never want to use a computer again! As our lives include more and more online activities we have become very attractive targets for the bad guys. And it’s just the beginning…

Jerome Segura

  • Posted in Interviews
  • |
  • (0) comments
  • |
  • Add your comments

IronGeek’s interview on MalwareDiaries

August 24th, 2009

Hello,

As Jerome is away on vacation, he asked me to do some interviews of the people I think are up and coming “movers and shakers” in the security field. One such person who immediately came to mind is Adrian Crenshaw. Adrian runs http://www.irongeek.com, a website that covers various security topics ranging from infosec articles to tutorial videos, as well as almost anything in between. I had seen Adrian’s site in the past, but some lab testing where I got to use his ready-made vulnerable web site, called “Mutillidae” (you can find it here: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10), gave me the opportunity to get in contact with him. I was very pleasantly surprised to immediately get an answer to my questions.

I was also further vindicated in my efforts to see that I wasn’t alone in trying this: http://blog.tenablesecurity.com/2009/04/tips-for-using-nessus-in-web-application-testing.html

So without further ado, I give you IronGeek, aka Adrian Crenshaw!

Name: Adrian Crenshaw

Site/blog: http://irongeek.com

Location: Louisville, KY area


Tell us a bit about your background and what you currently do?

Currently, I’m a glorified help desk monkey in my day job. By night, I develop Irongeek.com which specializes in producing videos and articles for information security education. I have an AS in electronics, a BS in comp sci, a bunch of certs too old to matter and am working on an MBA since it’s the only degree I can get paid for where I work.

Why did you decide to become a security researcher?

I dig understanding how things break, especially complex systems. I also like teaching others. Going into computer security education seemed like the thing to do to supplement my income, and get my tech toys paid for.

What is your typical day like as a security researcher?

Get up, read some articles on the web or parts of a book. Play with some tool I’m trying to learn. Once I think I have a basic understanding I try to make a video or article about how to use the tool or concept that strikes my interest. I have this theory that the best person to teach a noob is another noob that just learned the subject themselves. A noob teacher does not take as many things for granted about the student’s knowledge, and knows the sticking points in trying to learn about a new topic.

On average, how many malware samples do you come across on a daily basis?

0.01, maybe I should start writing my own? :)

How do you deal with the ever increasing number of malware threats in the wild?

I run AV on critical systems, and am careful what I allow on my system. On most of my main boxes, I have no AV at all since so much of the software I work with is considered “hacking tools” by anti-virus vendors. That, and patch, patch, patch. It’s all about lowering attack surface.

What is your environment like (number of machines, OS, VMs, bandwidth etc.)?

About 3 windows boxes, mostly XP, one Vista and am working on switching stuff over to Windows 7. Since I do mostly education, I’ve got to use what others use. For Linux, I’m an Ubuntu man and have it on my netbook, dual booted on my main laptop and use it in VMWare player. My VM environment is VMPlayer with VMXBuilder to make my VMs, but I need to look more into using Virtualbox. I’ve just got a cable modem connection to the world.

What do you think is going to be the next ‘big’ threat?

Stupid management that makes decisions without trying to understand the topic first. All computer problems are people problems when you get down to the bottom.

What is your involvement in the security community?

I’m a regular speaker at Phreaknic, Notacon and my local ISSA. The local ISSA is having a conference in Louisville shortly that I’ll be speaking at http://louisvilleinfosec.com/. I also give free classes in the Louisville area, and am a regular on the Pauldotcom mailing list.

What is the achievement you are the most proud of (professionally)?

Not being put up on charges or restraining orders. That, and maybe my printer hacking research.

Anything else you would like to add?

Come see us at the Louisville Infosec Conference and:

What is best in life Conan?
To crush your enemies, see them driven before you, and to hear the lamentations of the vvemon!

Thanks!

Jean

——————————–


Paperghost’s interview on MalwareDiaries

August 14th, 2009

I was first introduced to Chris Boyd by my friend and colleague Jean-Philippe. I couldn’t quite figure out why he was bursting out laughing all by himself, staring at his screen. But then again, I did not know the nature of the man, Paperghost!

I followed (like many others) his gruelling takedowns of online scumbags (that’s the kind of word you’d get to know very well) and other exploits. I could not believe that one guy would have the guts and the power to bring justice to this otherwise really cruel world.

We have a saying in French (‘n’avoir pas froid aux yeux’) which literally means ‘to not have cold eyes’. Have I lost you? Well, just know that this man has no fear in his battle against either your stupid neighbour or powerful giants such as Zango.

If you’ve never heard of Chris Boyd, AKA Paperghost, here is your chance to get a glimpse of what he is all about…

Ladies and gentlemen, please welcome Paperghost!

—-

Name: Chris Boyd
Site: blog.spywareguide.com / vitalsecurity.org
Location: US / UK / India
Company: FaceTime Security Labs, FaceTime Communications


Tell us a bit about your background and what you currently do?

Hey! Thanks for letting me ramble. I’m Chris Boyd, Director of Research for FaceTime Security Labs and five time Microsoft MVP (is it just me that says “Five time” and thinks of Booker T?).

In a previous life I did a Fine Art degree, painted a lot of bad pictures and made a lot more bad films. I also dabbled with music a bit and did some acting with a theatre group (mostly random things and a little Shakespeare – nobody says “And hold their manhoods cheap” better than I do) – and somehow I ended up in security. I did intend to eventually draw comics, but there you go.

Nowadays, my primary duties are uncovering new and (hopefully) interesting types of scam, ad/spy/malware and anything else that stinks of dubiousness, then putting it on the blogs. Behind the scenes, I work with a bunch of people spread out across the globe including India, California and West Virginia. I love that the research team is in WV. They let me play with guns. Magnums, AK-47s, a bunch of sniper rifles – it’s freaking awesome.

Why did you decide to become a security researcher?

It’s too long a story, but in a nutshell – something extremely horrible happened to a good friend of mine due to something on her PC. The person who put it there would have had no idea at all how much of an impact on her life he / she had, which is unfortunate. That got me thinking about security, and got me thinking that I’d like to inflict a little bit of misery onto some of the unthinking, the careless and the clueless out there. We can dance around it all we want, but some words from a random book review I saw once says it all:

“In a present day society where the victimization of innocent people has seemingly reached a point of saturation, there is something undeniably attractive and compelling about seeing bad people come to equally bad endings.”

We love to do to them what they do to us. And we love to read about it on blogs. A side effect of that is that more often than not you end up in a big yelling match with the people you write about – and we especially love to see that. It’s an infosec car crash every day of the year!

What is your typical day like as a security researcher?

Oh man, typical day – I’m not sure there is one. It’s all a bit random and depends what I happen to be looking into at the time. I might start working on something at 5AM, work straight through for 8 hours then go for a four mile run and shoot zombies in the face on the xbox. Or there might be a day where I know someone is going to post a blink-and-you’ll-miss-it link to something baaaaad on a site at a certain time, and then you get into surreal “digital stakeouts” minus the donuts and witty banter with a sidekick who may or may not get himself killed in the pilot episode.

Aside from that, there’s the press requests that are always fun to do and the occasional conference talk or smaller event that pops up. And the good old “examine this file for nine hours because you’re convinced it’s the next big thing, only to find it’s 12 months old and does nothing interesting” scenarios that I’m sure every researcher has their fill of. I’m also thoroughly sick of saying “Twitter”. You know you are too.

But yeah, mostly just random. At any given time every security researcher is scrabbling round looking for something new or interesting and leaping from site to site trying to get a lock on whatever hot new idea the latest scumbag has come up with. When you’re constantly reacting to things other people are doing, it’s impossible to come up with a structured gameplan so I don’t even try. Stream of consciousness is where it’s at!

On average, how many malware samples do you come across on a daily basis?

That’s one of those “piece of string, meet length” questions! We have a lot of honeypots scattered across the globe, along with a couple of automated processes but like everybody, the drawback of automated jiggery pokery is that by and large

1) someone still has to go in, pull the file out of the vat and physically PLAY with the thing, to see if it does something of note. I’m reminded of the Safety Browser worm – that itself was a rather old worm that a lot of people probably saw and thought meh, not interesting, so what?

But then I had the urge to pluck it out, fiddle with it and sure enough – someone had tweaked it ever so slightly that it dropped an incredibly awful web browser on your system that played a horrendous guitar solo loop on your desktop every ten seconds.

If I hadn’t gone in and gimped around, we’d probably still be none the wiser. There’s gold in them thar hills – it’s just incredibly small and poorly coded.

2) Half the stuff in there is always never going to be as interesting as the things you see “pounding the beat” – that is, wandering through the leet hax neighbourhoods and SEEING people talking about their hot off the press creations, or knowing some of the drop off points where bad guys *think* they’re storing their files away from prying eyes – hahaha – or just witnessing something random and insane happen a million miles away from the security space. This Batman story kicked off because I was looking for information on a zombie comic on an infotainment portal.

I love how that works.

How do you deal with the ever increasing number of malware threats in the wild?

Well, I don’t think anyone does anymore – not really. We’re all just Gandalf on that bridge yelling “You shall not pass” in an increasingly hammy fashion while in reality the orcs have not only passed, they’ve cut off Bilbo’s legs and fed them to Sam.

Having said that, my primary area of interest has always been taking the time to learn about the people behind the file, find out the details of the scam and apply pressure in other places to see if I can cut them down in a different way. It might be attacking the revenue stream (Wayne Porter rocks), or a bit of shame and embarrassment on the blogs. It could be a surprise knock-knock at 4AM from big guys with buzzing nightsticks or a game of “chase the idiot” on a bunch of 2.0 websites. So maybe I’m not the best placed person to answer that one. The idiot chases are fun, though.

What is your environment like (number of machines, OS, VMs, bandwidth etc.)?

Well, I have a bunch of machines here ranging from a Dell Inspiron to a juggernaut that was shipped 5,000 miles across the Atlantic and was the machine I made most of my discoveries on. It all went a bit pear shaped when it caught fire and partially melted / exploded – most of my boxes do that – but I can still switch it on and use it as long as I keep the windows open should I need a quick exit.

My workspace is hidden away in a converted attic with a nice view of trees and other green things out the window. To the left of the main PC is this lot, and I usually have one or two consoles switched on. The benefit of this is I do a fair bit of console related security testing, and it’s cheaper than heating with gas. That xbox will melt a hole in the floor someday.

What do you think is going to be the next ‘big’ threat?

I wanted it to be something you see on your screen and after seven days you drop down dead but someone already did Lemonparty so that’s a no go. I honestly have no idea – it used to be everyone would do the “Top Ten Threats for next year” thing but that’s kind of dying off a little bit now as the NEXT BIG THING seems to roll by on a weekly basis, never mind coming up with random predictions for months and months down the line. I think it’s way beyond the stage where you’re now too busy just coping with the piles of crud hitting you from all sides 24/7 to whip out the Nostradamus cloak and talk about aliens or whatever.

That was a terrible film, by the way.

What is your involvement in the security community?

Well, I know most of the people who work on the forums, or do indie research or work for the various companies but having said that there’s still a boatload of people I have yet to interact with. Twitter – urgh, there’s that word again – introduced me to many, many cool security people I’d never have otherwise bumped into. So thanks for that, Twi – no, it’s no good. I can’t say it again.

What is the achievement you are the most proud of (professionally)?

Making a film called Gun Dude, about a guy who killed a whole lot of people with his guns (I don’t think you need spoiler tags for that). Wait, security related? Oh, okay. One of these:

1) applying so much pressure to a company distributing a rogue web browser involving illegal porn that they emailed me to say they “went bust” and the whole shady operation fell into a dark, dank pit. That was a feelgood factor nine.

2) The Batman / Zango thing. I’ve had “bigger” Zango stories, but that one crossed across security sites, gaming sites and comics sites and was an interesting example of spreading a security warning outside of our little community. Plus I loved that piecing together all the clues to the scam was in itself a bit Batman-ish. I didn’t get to punch anyone though.

3) Having some (small) role in helping Julie Amero to clear her name. When I finally got to meet both Julie and her husband, it was an extremely humbling moment and she was so happy to see everyone that had supported her. I did get to yell at a journalist who wrote bile about her on his blog till he pulled the whole thing offline which was pretty humorous too.

Anything else you would like to add?

Yes, the bonus runner up addition to the list above which would be the point where I annoyed an adware company so much they broke their brain and ranted about me on their blog. To exasperate people and companies that behave in a certain way to the point where they COMPLETELY FREAK OUT about you should be the goal of every security researcher. I have that printed out and it takes pride of place above the TFT as a reminder of why I do this.

Also, hahaha.

—

Wow, that was intense. I want more! lol

Thanks again for sharing this Paperghost! :-)

Jerome Segura


Steven Burn’s interview on MalwareDiaries

August 14th, 2009

I first ‘met’ Steven through his blog, hphosts, and it wasn’t in the best of ways ;-)

What caught my attention was the mention of my company’s name (Paretologic) and at the time a dispute with malwareurl.com.

Since then, we’ve had a few conversations and expressed some of our feelings. Steven had a lot of valuable input that has made it through the corporate barriers for the benefit of the end user.

One thing about Steven that impressed me is his integrity and how ‘pure’ and ethical he can be. I did find a flaw in his ‘purity’ though, as the man smokes ;-)

Ladies and gentlemen, please welcome Steven Burn!

—-

Name: Steven Burn

Site/blog: http://it-mate.co.uk, http://hosts-file.net, http://hphosts.blogspot.com

Location: Tyne & Wear, UK

Organisation: MysteryFCM Research


Tell us a bit about your background and what you currently do?

Never been very good at talking about myself so not sure what to put here. Been online for years, released a few programs, been an admin/moderator of one description or another, at various places (e.g. server and forum admin for Avant Browser).

I spent the vast majority of my time online hunting out malicious sites, and the rest of my time either working on my other projects (e.g. Spambot Search Tool), hpHosts, Ur I.T. Mate Group, checking the forums I’m an admin/moderator for.

Why did you decide to become a security researcher?

I just liked helping prevent people getting infected, removing infections when they did, and taking down the malicious sites.

What is your typical day like as a security researcher?

Depends on how often the other half interrupts me ;o). Spend up to 24-48 hours awake (depends how tired I am) researching and analyzing malicious sites/software. Typically:

1. Wake up

2. Grab smoke and coffee

3. Straight onto the laptop to start work

On average, how many malware samples do you come across on a daily basis?

I’ve never kept track.

How do you deal with the ever increasing number of malware threats in the wild?

With help from fellow researchers ;o)

What is your environment like (number of machines, OS, VMs, bandwidth etc.)?

Currently got 4 servers, my laptop, backup server (which as of my first pay cheque, now includes an external 1TB LaCie so I’ve got offsite backup too), several spare machines, all running either Linux or Windows (2000, XP, Vista and one Linux machine). I don’t do VM’s, never have done. Got a business class internet connection for the network, using at last check, upward of 170-180GB p/m.

What do you think is going to be the next ‘big’ threat?

Same as always – the malicious idiots of the interwebs (if the upstreams started blackholing the likes of NetDirekt, SoftLayer, Netelligent, China and the Ukraine, the vast majority of this stuff would likely disappear (until it found a new home anyway)). As far as malware itself, it’s changing all the time. Botnets are the most popular at present obviously, and due to the amount of cash they bring in for the criminals and the fact they don’t actually require the bad guys do that much work themselves, I can’t see that changing any time soon.

What is your involvement in the security community?

Researching, hpHosts, various forums (Malware Domain List, Malwarebytes, TeMerc, etc etc), writing for the blog ….

What is the achievement you are the most proud of (professionally)?

Starting my own company, which I have been running since July 1st.

Anything else you would like to add?

Just a thank you for wanting to interview me, especially given there’s far more important people on the internet.

—

You are too humble Steven… ;-)

Thanks for the interview

Jerome Segura


S!Ri’s interview on MalwareDiaries

August 11th, 2009

It is my pleasure to start this series of interviews with a well known and respected guy, namely S!Ri. He has spent countless hours in forums to help everyday users and is famous for SmitfraudFix (a free tool to remove spyware infections).

Ladies and gentlemen, please welcome S!Ri!

Name: S!Ri
Site/blog: http://siri-urz.blogspot.com/
Location: France
Organisation: URZ, Malwarebytes, MAD and EvilFingers recently

Tell us a bit about your background and what you currently do?
I’m currently taking breakfast listening to metal. I own a computer repair shop and work for Malwarebytes as a malware analyst. 24h a day are not sufficient for working, having fun and sleeping.

Why did you decide to become a security researcher?
I was a helper on a French forum, helping people repair computers and remove infections. I started coding a tool to help the team remove an infection and its undesirable effect (you know the one with desktophijack). This tool was just a fast fix for an infection we saw too many times a day. With the popularity of the tool, I had to stop helping and analyze malware samples to improve the fix. SmitfraudFix was born (thanks to balltrap34 and moe31).

What is your typical day like as a security researcher?
It starts like any geek’s day: wake up, switching computers on before anything else. The big part is collecting samples and analyzing them. This means debugging the samples. Feeding databases with information and signatures. Coding tools.

On average, how many malware samples do you come across on a daily basis?
As I have another activity, analysis time can vary. This can be from 10 to 100 samples a day. Some are new, some are the same as the previous days (but can look different because of packing/crypting methods used).

How do you deal with the ever increasing number of malware threats in the wild?
There are a lot of articles about this.
Most of the time, I’m working on one part of the big malware family: rogues. These malwares have been ignored by lots of antivirus companies (like spywares and adwares). This also explains why some cleaning tools like SmitfraudFix, VundoFix, MSNFix, SmitRem (…) have gained popularity. Classic AVs are now dealing with them, trying to detect and protect (but still not removing all the undesirable effects). This increases the number of malwares.
There is another point: methods used by malware creators to hide the code. Lots of infections are the same. I mean doing the same dirty payload (sending spam, dropping rogue, stealing password) for the same gang. As the code is a bit different, the malware count is increased by 1 each time a different version is released.
There are more real new malwares, but I don’t see malware numbers increasing exponentially (there are many graphics presenting it like this). This is about marketing.

What is your environment like (number of machines, OS, VMs, bandwidth etc.)?
7 computers around me in the office, 8 in the lab, 1 MameCab, 2 Atari, 5 Commodore, 2 MSX, 1 Thomson, 3 8-bit Apples, various video game consoles.
Computers are running Windows 2000 to Windows 7, Mac OS 9 to OSX 10.5, Linux (Slackware, Ubuntu).
Bandwidth is ADSL 8Mo.

What do you think is going to be the next ‘big’ threat?
My crystal ball is broken.
Some malware will always be undetected. I mean the ones specially coded for a single use. Corrupting or stealing a concurrent data.

What is your involvement in the security community?
Really don’t know. Posting on blogs, forums, IRC, Working for free tools…

What is the achievement you are the most proud of (professionally)?
My Computer repair shop.

Anything else you would like to add?
Many thanks. Keep up the good work on your blog.

*****************

Well, thank you S!Ri!

Jerome Segura





Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.