Interview Mikko H. Hypponen Chief Research Officer
Can you introduce yourself to security kaizen magazine readers?
I’m the Chief Research Officer for F-Secure. I’ve worked at F-Secure since 1991. During those years I’ve fought all the major virus outbreaks, including Loveletter, Blaster, Conficker and Stuxnet. I’ve tracked down multiple cyber criminal gangs and worked with the law enforcement for convictions. I also write. I’ve written on my work for Scientific American, The New York Times and Wired. Personally, I rank my TED Talk as one of my biggest accomplishments. I was really honored to be invited to talk at TED, and about a million people have now seen my talk.
Tell us about your latest visit to Pakistan and your documentary about the authors of the first PC virus in history, Brain. What made you take this step? And what was most interesting in this adventure?
We started thinking how we could mark the fact that it was going to be 25 years since the first PC virus. Different ideas were thrown across the table. Mine was to go looking for the writers of that very first virus, especially since they had left us a clue where it might be possible to find them: Pakistan.
When I finally found them and spoke with them, it felt really special. Listening to their story, I feel like we have recorded some real IT history.
Can you give us more details on how you and your team were able to take down the world-wide network used by the Sobig.F worm?
Let me quote what Vanity Fair wrote about this case:
F-Secure’s lab is a windowless room of honeypot computers, its dreariness relieved only by a growing collection of raunchy postcards of European bathing beauties. On one of the honeypots was a screen of virus code. Hypponen scanned it and nodded. The code looked all too familiar. “Oh boy,” Hypponen said with a sigh. “SoBig is back.”
Throughout the year, a strange series of viruses had hit the Internet, the first one only moderately threatening, the following ones more complex and cunning. Hypponen dryly called the series a “development cycle.” Now the cycle had turned again. On January 9, 2003, Hypponen and his team became the first to debug an infected e-mail sent from the fictitious address email@example.com. SoBig was a standard email virus: it came in an attachment that had to be clicked on for a computer to become infected with it. Like most e-mail viruses, SoBig then sent itself to every email address in a user’s computer, always appearing to come from firstname.lastname@example.org. But, as Hypponen and his industry colleagues soon saw, the virus had a second stage: every infected computer was scheduled to download files from a single Web site at a later time.
To stop this first SoBig, the virus hunters had only to warn Internet-service providers (I.S.P.’s) like America Online to block e-mails from email@example.com, and then persuade a Web-site host called GeoCities to shut down the page from which the second stage would be launched.
Somewhere, the virus writers were watching what the virus hunters did. Watching and learning.
On May 19, a new SoBig hit the Internet-SoBig.B, to follow the renamed SoBig.A. Instead of coming from firstname.lastname@example.org, the variant purported to be from “Microsoft Support”; it came with an attachment, and users were instructed, “All information is in the attached file.” That made it like a “Trojan”: an e-mail appearing to be helpful or benign, but containing nasty stuff. “Microsoft Support never sends files with attachments,” Hypponen observes. But hundreds of thousands of users, especially in the U.S. and Britain, were duped. As with its predecessor, SoBig.B led infected computers to a single
Web site. Strangely, SoBig.B was coded to terminate in two weeks, as if the writers viewed it as a dry run. The day after its demise came the new and
improved SoBig.C, and then, two weeks later, SoBig.D. With each iteration, the game grew nastier. The writers were figuring out how to send e-mails
from many addresses, not just one, and how to give them various subject headings.
Now service providers had a much harder time blocking them. When the virus got through, it downloaded “keyboard sniffers,” which reacted to words typed on a keyboard, such as “password,” “bank,” “account access,” “My eBay,” and “credit card,” and copied the words or numbers that immediately followed them. The virus installed “backdoor” programs, too. With them, the virus writer could enter the computer at any time, like a thief with a house key, and fish out the passwords, credit-card numbers, and other files and documents at his leisure.
No line in the virus’s code identified each new variant as SoBig: that was the hunters’ name for it, not the writers’. Nor was there any encoded message. “I hate to go to school,” the writers of the infamous I Love You bug had declared in May 2000. “I want a good job,” pleaded the writer of the Klez virus of March 2002. “Can you help me?” The classic profile of the virus writer, as those messages attested, was a disaffected teenager. The writers of SoBig were almost certainly adults and deadly serious. The only signature of every SoBig incarnation-the twist that suggested each iteration was the work of the same virus writers-was the increasingly sophisticated second-stage hookup of infected computers to a Web site for downloading files.
When SoBig.E expired on July 14 without a follow-on the next week, Hypponen allowed himself to think he’d seen the last of the virus. Perhaps the writers had given up on the second-stage approach. Perhaps they’d feared they would be caught. But now here was SoBig.F. And after just minutes of scrolling through its code in the airless lab, Hypponen could see it would be a lot worse than SoBig.E.
As a first step, Hypponen had to post a virus alert, one that would not only appear online for F-Secure’s anti-virus subscribers but also be sent as a message to subscribers’ phones and pagers. He spent a few more minutes studying the code: he wanted to be sure before he woke up subscribers in North and South America. But there it was, the signature second stage, rendered in code with a whole new degree of efficiency.
With the alert posted, Hypponen’s team started combing the worm’s replication code for a search trick. They wanted a few bits that were both unique and essential to the virus-bits that would help a computer identify and kill it. In that, they were like microbiologists looking for parts of a human virus or bacterium that a drug could target. A good antibiotic takes about 10 years of research and development. Hypponen posted his team’s search tool for SoBig.F in two hours and 33 minutes.
Virus hunters from New York to Tokyo were posting search tools and anti-virus updates as well, and for anyone who downloaded one, SoBig.F was no longer a threat. But that still left most of the world exposed. At 12:45 p.m., Hypponen started getting SoBig.F e-mails on his own honeypot computer, the one with the e-mail address he’d kept unchanged for the more than 10 years he’d been chasing viruses. By two p.m. he’d received a hundred of them. The headers were from all over the world: that was how fast the virus was spreading. Before the virus ran its course, Hypponen’s honeypot would get 19,000 e-mails-an indication of what tens of thousands of other computer users were experiencing, too.
The next day-Wednesday, August 20-the virus rampaged through cyberspace like a tsunami. America Online stopped 11 million SoBig e-mails at its firewall; on Thursday, that number would double. Companies around the world staggered under the e-mail load; many systems crashed for hours at a time, costing the companies business. Yet home users were more affected. “It was relatively easy for corporations to block it with filters,” says Vincent Weafer, a senior director of Symantec Security Response. “Home users got so many of these messages, with different subject headings, that they were apt to click on one or another of them.” Trend Micro, reported Joe Hartmann, director of North American anti-virus research, received 3.1 million reports of infection from users downloading a free online scanner for SoBig.F.
The sheer volume of virus-spreading e-mails was alarming, but Hypponen was starting to think it might be a flaw. “It was actually bad for them,” he says of the virus writers. “It made too much news.” In fact, the virus writers had directed their worm to send out not just one email at a time to each name in every user’s files, but seven. “They thought they would infect more computers by sending more e-mail,” Hypponen says. Instead, they infected fewer, as many users started deleting all the e-mails they were getting from unknown senders.
Still, hundreds of thousands of computers might now be vulnerable to manipulation by the second stage of the virus. By Thursday morning, Hypponen had learned that all infected computers were to start downloading a program of some kind at 10 p.m. Friday, Finnish time. Computers in different time zones would be synchronized precisely, to the tenth of a second, by connecting to atomic clocks-a first for the virus. “These guys are serious,” Hypponen muttered. But what program? From where? And how?
The key lay in a short stretch of the virus heavily encrypted with algorithms, like a secret wartime code. “In most cases, we can crack the algorithms in a few minutes,” explains Gergely Erdelyi, a 35-year-old Hungarian team member who took on the task. But these algorithms were multi-layered-designed to confound the world’s 200 or so virus hunters until the second stage launched. With only 36 hours to go, Erdelyi took a chance. “If the virus wants to use the data at some point, it has to decrypt it itself,” he says. “So what I did basically was run the virus and let it decrypt the data, and stop it at the critical point.”
At about two p.m. Thursday, Erdelyi succeeded. What lay revealed was a list of 20 computers, all continuously connected to the Internet by cable modems. Most were in the U.S. and Canada, the balance in South Korea, nearly all of whose computers have broadband Internet hookups. Now the scheme came clear, not just to Hypponen’s team but also to all the other virus hunters who were working together, their competition put aside, for the
common goal of beating SoBig.F. The 20 computers were being used as servers to a sinister end.
On Friday, every computer in the world infected with SoBig.F would start trying to contact one of the 20 servers, like callers attempting to get through to a company switchboard. Twenty were needed for the sheer volume of traffic the infected computers would cause. When contact was made, the servers would direct the infected computers to a Web site from which they’d download a program. Twice a week until September 10-an intriguing date-all those infected computers would try to contact the 20 servers again at synchronized times. It was like the 1962 movie The Manchurian Candidate, but with computers, rather than people, programmed to wait for instructions. “Bots,” the virus hunters call these hijacked computers-for robots.
Erdelyi used his infected honeypot to contact one of the 20 servers. He laughed as he read the result: the server directed him to www.sex.com, a collection of links to pornographic Web sites. It was being used unwittingly as a placeholder-a decoy. Anticipating that someone might break the encryption before 10 p.m. Friday, the virus writers had connected their 20 servers to the decoy Web site. Just seconds in advance of the appointed hour, they would substitute their Web site of choice. That way the virus hunters couldn’t end the game by bringing down the Web site, as they had with earlier SoBigs. “We’d seen second stages before,” says Sal Viveros, director of the McAfee anti-virus division at Network Associates. “But
to put the Web site on at the last moment-that was new.”
So the hunters had no choice but to shut down the 20 servers. Chances were the servers belonged to home users who had no idea what was going on; their computers had been infected with earlier versions of SoBig, and the virus writers were manipulating them through the clandestine back doors they’d installed. The home users would surely turn off their cable connections if asked. But how to contact them? The hunters had no names, just computer addresses in numbers. They could tell which Internet-service providers were linked to which computers, but there was no point in calling the I.S.P.’s. “We had done it many times before, and it was a waste of time,” Hypponen says with a sigh. “They’re not going to disconnect a
paying customer just because some company in Finland calls them and asks them.”
The virus writers had chosen their 20 servers well: they were from nearly as many different I.S.P.’s, making it that much more difficult for the hunters to get them all shut off. If even just one remained on at the stroke of 10 p.m. Friday, enough of the infected computers might connect with it to launch the mysterious second stage. Grimly, Hypponen put in a call to Finland’s Computer Emergency Response Team (cert), a government-sponsored group. By early Friday afternoon, the cert had helped get 11 of the 20 machines closed down. But the balance were in the U.S. and Canada, beyond the cert’s reach. That was when Hypponen called the F.B.I. He was able to report that in the interim five more machines had gone down. But that left four still on, with the deadline less than four hours away.
At 7:28, Microsoft joined the search. The hunters were down to three servers. With the F.B.I.’s help, another was brought down. The remaining two were somewhere in the U.S. One of those had been turned off. Hypponen knew this because his team had written a tool that could make the servers react as if the virus were contacting them, and the 19th server kept failing to respond. Unfortunately, the 20th server did respond, so it was still online. Some press reports would speculate that the F.B.I. left the 20th machine on deliberately, hoping the virus writers would contact it seconds before the deadline, and so be traced. Hypponen thinks some I.S.P.’s were simply harder to contact than others. “It’s not trivial to find who actually
operates the system in that part of the world, then find the correct person in that company and persuade them to pull the plug.”
Would one be enough? At precisely 10 p.m., hundreds of thousands of infected computers began trying to connect to the one last operating server. To the hunters’ relief, they swamped it completely. When one of F-Secure’s own computers finally got through, the server merely directed it to www.sex.com. Clearly, the virus writers had been monitoring the situation, watching one after another of their servers go down. With only one still working, they’d chosen not to replace www.sex.com with the Web site that held the program they wanted to send out. So the hunters would never know what the writers planned to download that night. How one could deduce identifying characteristic about the author from code segments?
Most malware authors are not traced via characteristics in the code. They are found via their access history or IP addresses leading to the command and control server they are using to control the infected machines.
The usage of smart phones is increasing with a very high rate especially in Middle East. Can you tell us more about the latest mobile security issues and threats?
As our latest Mobile Threat Report shows, Android has made malware for Linux a reality. See http://www.f-secure.com/weblog/archives/MobileThreatReport_Q1_2012.pdf Old Symbian malware is going away. Nobody is targeting Windows Phone. Nobody is targeting iPhone. And Android is getting targeted more and more. iOS, the operating system in iPhone (and iPad and iPod) was released with the iPhone in the summer of 2007 – five years ago. The system has been targeted by attacker for five years, with no success. We still haven’t seen a single real-world malware attack against the iPhone. This is a great accomplishment and we really have to give credit to Apple for a job well
done. Out of all Linux variants, Android is the clear leader in malware.
After the revealing of the Flame Virus and before that Duqu and Stuxnet, It was reported by all researchers that this attacks are targeting Middle East and Iran. Is there any statistics or official reports announcing the countries that really got affected by these viruses or It is just a guess? Second does that mean Cyber weapons are only created by Israel and USA and nothing from the other side Iran and Middle East countries? And why it is not announced too.
The infected areas are based on automated infection reports coming from Middle East. They can be considered accurate. We have not seen any kind of cyber retaliation from the affected countries towards the west.
In 28th of Jan 2011, you tweeted:”Last night, Egypt ISPs went down one by one over a 15 minute period”. How do you see the action of Internet Cut in Egypt, and do you think countries can use this way in their cyber wars later by isolating a certain country from the internet by cutting the Cables that routed traffic to a certain Country?
Isolation is rarely the solution. You are likely too loose more by cutting yourself off than you would have otherwise.
After the Arabic Spring in Egypt and Tunisia, Do you think governments have the right to monitor their Citizens’ activities on the Internet and how do you see the balance between privacy issues and preventing cyber crimes?
Privacy’s importance is paramount. Privacy should not even be up for discussion. Governments should not be monitoring their citizens. Police can monitor suspected criminals, with a court order. But that’s it.