At the end of October, Avast held a CyberSec & AI event, and on that occasion journalists from different countries were invited to the company's headquarters in Prague. I attended the event as well and took a look at how the world-famous antivirus products are made. One of the most interesting conversations was with Michael Salat, head of the threat detection group, about how Avast works with malware.
A vivid illustration of that conversation was a panel of one and a half dozen monitors hanging on the wall in Michael's department, showing various indicators related to malware detection and antivirus database updates. We went through the most interesting charts and discussed the realities behind them.
– Tell us what your department does every day.
– Our daily work is to go online and look for new types of malware and new techniques used by attackers, and to protect our users through detection and other active measures. We have to keep up, and ideally be a little ahead of the attackers, and know exactly how they use (or break) the technology.
– What exactly does the process of collecting samples look like?
– First of all, it's file analysis. If we've detected a piece of malware and don't have any labels for it yet, my guys load it into a debugger and start working out what it does and which APIs it calls.
– What debuggers do you use?
– Mostly IDA Pro; we purchased licenses for it. Some people prefer x64dbg or WinDbg, but it all depends on what you need to work with and who knows what best.
– Have you tried Ghidra yet?
– Some of the guys have looked at it, and were very pleased that it can be adapted to unusual processor architectures. In particular, one of our researchers used that capability to solve a CTF. In general, I'm in favor of everyone using the tools and methods that are convenient for them. Some, for example, can almost always get by with static analysis, while others prefer dynamic analysis. I try not to insist on anything specific in such cases.
– After you have received the file and found out what it does and how it works, what is the next step?
– The next step is to find the characteristic features that will allow this malware to be detected. These can be C&C server addresses, keys, or other indicators characteristic of the communication methods used. We have two types of rules: one for the backend, which helps mark the malware, and the other, detection rules for endpoints, which run on users' computers. The reason for this separation is that malware authors always check their malware against all available antiviruses to reduce the likelihood of detection. Behavioral analysis, which runs in our cloud and is not available on request, gives us an additional small advantage.
– While I was standing here, I looked at your scoreboard. At first I decided it was mostly decorative, but the more I looked, the more interesting it became. Could you give a short tour and tell us which charts are most useful in reality?
– I have to admit that the scoreboard really is more decorative, because alerts have been set up for all of this information. If something goes wrong, the person responsible for that particular thing will quickly find out what happened. For example, you can see that there were problems with the release of an update, and it took 10 minutes to fix them.
In general, streaming updates are in fact small data packets that we produce when we detect malware. We test each detection and check whether it fires on the files it should, and whether it hits anything we consider clean. Each column with a plus sign here means added detection rules, and with a minus sign, removed ones. We remove them when we learn about a false positive or find that rules overlap. The UR columns are, for example, URL detections. If we confirm that a server no longer distributes the malware, we remove its address from the database.
The charts above are about support for older versions. We support many versions of Windows that are already deprecated or will soon be, and old versions of Avast run there. Of course, we don't expect everyone to update to the new version as soon as it is released, so we monitor how those work as well.
Next we see the size of the VPS (as we call the antivirus database) for different versions. We try to keep it as small as possible.
– How do you achieve this?
– If a new rule is broader or more effective, we drop the old, narrower rules. Twice a day there is a complete update of the database. So if, for example, someone went on vacation and then came back, they will receive the update in its most compact form.
– What happened here at 8:20, on the StatsSubmits connections chart?
– We released a database update with heuristic rules aimed at finding something specific. Accordingly, the number of connections from clients reporting their findings to us increased.
– And what do these three multi-colored panels mean?
– This is what we call CyberCapture, the scanner that works on our backend. We use it for the newest files. If a user is the first person in the whole world to run a file, we suggest that they send the file for analysis. If they agree, we can test its behavior in a controlled environment and understand what it is. Often, new files are either software updates that other users will soon see, or malware. In that case, you may be the only one who sees this particular version, or it may be the start of a new campaign.
– And the number is...
– This is a hash. The numbers here come from OdinBox. This is a machine learning tool that clusters files to find patterns. The first number here is the clustering version; for example, here it is version number 83. The second number is the cluster number, that is, a group of files. The third number is the type of clustering we used to create the model. We have several models, and we change them from time to time. The color separation here means different detection verdicts: green for "clean" files, red for malware. This big red square is clearly malware from one group, since it is united in one cluster. By the way, this is obviously something unusual, because clusters of malware families most often have approximately the same size.
– Isn't that the Brontok worm from that chart?
– No, it will be something new, because clusters are only built for new types of files. As for the yellow square, these are suspicious files: either installers that are trying to smuggle something into the system, or utilities from the "gray zone" that can be considered malware or not, depending on the point of view. In such cases the user decides what to do.
– Since we've started talking about these malware charts (Top detections and Top malware files), tell us what the difference is between them.
– They are based on two different metrics. Top detections are the indicators by which the malware was identified. For example, CVE-2017-0144 is the EternalBlue vulnerability, and it is still often found despite the fact that many computers are already patched. We still see many vulnerable machines and infections. As you can see, right now there are more than two million attempts. Popularity, in the column next to it, is our metric that lets us understand how often, statistically, incidents with the same detection name occur. We also see lines with the same names (for example, Mandang), because technically, detections based on different indicators count as different detections.
The second chart, Top malware files, is file-based. One detection can cover several files, and vice versa: one file can trigger several detections. So this is just a slightly different way of looking at the same thing.
The colored squares here are a visual representation of the file hash; they are easier to work with. The same charts, by the way, are accessible from a computer, and there you can click on the hash and see the details: how often we see this file, how many users encounter it, when we first saw it, and other statistics, plus links to useful things like dynamic analysis results.
The Prevalence column is simply the number of users who had this file. For example, 903 thousand users tried to run this RelevantKnowledge adware. But sometimes these are very small numbers. For example, here we see a one in the Prevalence column and 262 in the Popularity column, which means that some user unsuccessfully tried to open this file 262 times. Often people just keep clicking on the file because they don't understand why the antivirus won't let it run (although it does, of course, show a threat message). But it also happens that the user doesn't believe it, or thinks they downloaded the file from a trusted source and everything should be fine.
– Let's move on to the main showpiece. Here is a scoreboard with a map showing who is attacking whom in real time. How significant is this in reality?
– Well, yes, the map and this globe, of course, look the coolest. In reality, this is data from only one engine, the very first layer of protection: what we block before it even reaches the computer. These are Web Shield triggers, which occur when we know in advance that the file is malicious. From the color of the lines you can see that most of them are blocked URLs. For us, this is the most effective approach: if we see that the file comes from the same link, we block it. By the way, if we showed all threats on this screen, it would simply be densely covered with lines.
Other kinds of information are visible here too. For example, the circles are Wi-Fi Inspector finding vulnerabilities in users' wireless networks. This, by the way, does not include weak passwords, which are now the number one problem in the IoT world. And the squares are malicious Android apps that we detected thanks to Avast Mobile Security.
– Is it fair to say that all this never lets you relax? After all, something is always happening; it's unlikely these tables and maps will suddenly go empty and you'll get to work on improvements and optimization.
– Of course, one cannot dream of peace. But there are quieter moments, for example, during the New Year holidays: from Christmas until roughly the end of January there are fewer malware campaigns than usual.
Avast Office Tour
Walking around such an office without taking pictures was out of the question, so I invite you on a short tour.
This is how the building looks from the outside (official Avast photo).
And here is the reception on the floor. It is hard to see in the picture, but a Pac-Man animation is projected onto its front side.
Sitting area with a sofa and tables.
And the view of Prague from the window is the envy of many office workers.
A zone for those who prefer a more active break.
The buffet is the heart of any office.
A museum exhibit: the computer on which the Avast founders' first antivirus program was once created. Its assembly source code is printed on the glass.
By coincidence, people sitting at computers and working hard never made it into the frame. Partly because it was getting close to evening, but even at that hour, work was in fact still going on.
And here is a photo from the IoT lab that Avast recently opened.
But that, as they say, is a completely different story.