Friday, January 17, 2025

How Antivirus Software Has Changed With the Internet

We live in a world filled with computer viruses, and antivirus software is almost as old as the Internet itself: The first version of what would become McAfee antivirus came out in 1987—just four years after the Internet booted up. For many of us, antivirus software is an annoyance, taking up computer resources and generating opaque pop-ups.

But it is also necessary: Almost every computer today is protected by some kind of antivirus software, either built into the operating system or provided by a third party. Despite its ubiquity, however, not many people know how these antivirus tools are built.

Paul A. Gagniuc set out to fix this apparent oversight. A professor of bioinformatics and programming languages at the University Politehnica of Bucharest, he has been interested in viruses and antivirus software since he was a child. In his book Antivirus Engines: From Methods to Innovations, Design, and Applications, published last October, he dives deep into the technical details of malware and how to fight it, all motivated by his own experience of designing an antivirus engine (a piece of software that protects a computer from malware) from scratch in the mid-2000s.

IEEE Spectrum spoke with Gagniuc about his experience as a lifelong computer native, antivirus basics and best practices, his view of how the world of malware and antivirus software has changed over the last decades, the effects of cryptocurrencies, and his opinion on what the issues with fighting malware will be going forward.

How did you become interested in antivirus software?

Paul Gagniuc: Individuals of my age grew up with the Internet. When I was growing up, it was the wild wild West, and there were a lot of security problems. And the security field was at its very beginning, because nothing was controlled at the time. Even small children had access to very sophisticated pieces of software in open source. Knowing about malware provided a lot of power for a young man at that time, so I started to understand the codes that were available starting at the age of 12 or so. And a lot of codes were available.

I wrote a lot of versions of different viruses, and I did manage to make some of my own, not with the intent of doing harm, but for self-defense. Around 2002 I started to think of different strategies to detect malware. And between 2006 and 2008 I started to develop an antivirus engine, called Scut Antivirus.

I tried to make a business based on this antivirus, however, the business side and programming side are two separate things. I was the programmer. I was the guy that made the software framework, but the business side wasn’t that great, because I didn’t know anything about business.

What was different about Scut Antivirus than the existing solution from a technical perspective?

Gagniuc: The speed, and the amount of resources it consumed. It was almost invisible to the user, unlike the antiviruses of the time. Many users at the time started to avoid antiviruses for this reason, because at one point, the antivirus consumed so many resources that the user could not do their work.

How does antivirus software work?

Gagniuc: How can we detect a particular virus? Well, we take a little piece of the code from that virus, and we put that code inside an antivirus database.

But what do we do when we have 1 million, 2 million different malware files, which are all different? So what happens is that malware from two years, three years ago, for instance, is removed from the database, because those files are not a danger to the community anymore, and what is kept in the database are just the new threats.

And, there’s an algorithm that’s described in my book called the Aho-Corasick algorithm. It’s a very special algorithm that allows one to check millions of viruses’ signatures against one suspected file. It was made in the 70s, and it is extremely fast.


This is the basis of classical antivirus software. Now, people are using artificial intelligence to see how useful it can be, and I’m sure it can be, because at root the problem is pattern recognition.

But there are also malware files that can change their own code, called polymorphic malware, which are very hard to detect.

Where do you get a database of viruses to check for?

Gagniuc: When I was working on Scut Antivirus, I had some help from some hackers from Ukraine, who allowed me to have a big database, a big malware bank. It’s an archive which has several millions of infected files with different types of malware.

At that time, VirusTotal was becoming more and more known in the security world. Before it was bought by Google [in 2012], VirusTotal was the place where all the security companies started to verify files. So if we had a suspected file, we uploaded it to VirusTotal.


This was a very interesting system, because it allowed for quick verification of a suspicious file. But this also had some consequences. What happened was that every security company started to believe what they see in the results of VirusTotal. So that did lead to a loss of diversity in the different laboratories, from Kaspersky to Norton.

How has malware changed during the time you’ve been involved in the field?

Gagniuc: There are two different periods, namely the period up to 2009, and the period after that. The security world splits when Bitcoin appears.

Before Bitcoin, we had viruses, we had the Trojan horses, we had worms, we had different types of spiral key logs. We had everything. The diversity was high. Each of these types of malware had a specific purpose, but nothing was linked to the real life. Ransomware existed, but at the time it was mainly playful. Why? Because in order to have ransomware, you have to be able to oblige the user to pay you, and in order to pay, you have to make contact with a bank. And when you make the contact with a bank, you have to have an ID.

Once Bitcoin appeared, every type of malware out there transformed itself into ransomware. Once a user can pay by using Bitcoin or other cryptocurrency, then you don’t have any control over the identity of the hacker.

Where do you see the future of antiviruses going?

Gagniuc: It’s hard to say what the future will bring, but it’s indispensable. You cannot live without a security system. Antiviruses are here to stay. Of course, a lot of trials will be made by using artificial intelligence.

But I’m scared of a loss of know-how, and not only for antivirus, but for technology in general. In my view, something happened in the education of young people about 2008, where they became less apt in working with the assembler. Today, at my university in Bucharest, I see that every engineering student knows one thing and only one thing: Python. And Python uses a virtual machine, like Java, it’s a combination between what in the past was called a scripting language and a programming language. You cannot do with it what you could do with C++, for instance.

So at the worldwide level, there was a de-professionalization of young people, whereas in the past, in my time, everyone was advanced. You couldn’t work with a computer without being very advanced. Big leaders of our companies in this globalized system must take into consideration the possibility of loss of knowledge.

Did you write the book partially as an effort to fix this lack of know-how?

Gagniuc: Yes. Basically, this loss of knowledge can be avoided if everybody brings their own experience into the publishing world. Because even if I don’t write that book for humans, although I’m sure that many humans are interested in the book, at least it will be known by artificial intelligence. That’s the reality.

Reference: https://ift.tt/AVmM1Sc
