Good day, dear Habr. My name is Sergey Golovanov; I am the leading virus analyst at Kaspersky Lab. Our editors have been trying to persuade me to write here "well, at least something". On the one hand I would love to, but there is still never enough time. So, to spare myself a long search for a topic, let me simply describe my usual working day and the projects I take part in. To continue, press ALT + F4 8)
Morning
Every day when I get to work, I look at the information on the fastest-growing threats that our statistics services collect. It looks like this:

This table shows the malware families whose detections among our users "spiked" over the previous seven days. What exactly spiked, and how it happened, is what I have to find out over the next couple of hours.
First place in these statistics deservedly goes to web threats. Trojan-Downloader.JS.Iframe is the family of packed/obfuscated scripts that inject IFRAMEs into hacked sites in order to redirect the visitor to a site that serves exploits. Now we look at the statistics on the sites where these scripts are detected.

We see "ITN TV - Independent Television Network - Sri Lanka", and we see that the referrers point to the same site. If the referrer were different, it would mean the script sits on an intermediate server between the hacked site and the exploit site (and that server can be banned for it). We check the site at the given URL with that referrer.

We see that the IFRAME points to a free third-level domain under cydots.com. We check that the domain has already been banned by the robot and move on to the next infection on the list. Trojan.Java.Agent.aw is a "photo" Java applet that installs TDSS. We have already written about it more than once, so we check that everything is detected/banned and continue down the list looking for anything interesting. Good if there is nothing interesting; otherwise it can eat half a day...
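The referrer check and the hidden-IFRAME check described above, written out as a small triage helper. This is an added example, not the author's or Kaspersky's tooling: the detection records, the page snippet and the hostnames in it are constructed for illustration, and the role labels ("hacked_site" / "relay") are assumed names.

```python
"""Triage helper for web-threat detection records.

Added example, not part of the original post.  The detection records and
the HTML page below are constructed; the hostnames are placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: (detected URL, HTTP referrer, verdict).
SAMPLE_DETECTIONS = [
    ("http://hacked-news.example/index.php", "http://hacked-news.example/",
     "Trojan-Downloader.JS.Iframe.abc"),
    ("http://hacked-news.example/news/1", "http://hacked-news.example/",
     "Trojan-Downloader.JS.Iframe.abc"),
    ("http://relay.example/js/x.js", "http://other-victim.example/",
     "Trojan-Downloader.JS.Iframe.abc"),
    ("http://relay.example/js/x.js", "http://third-victim.example/",
     "Trojan-Downloader.JS.Iframe.abc"),
]

# Constructed page: one normal banner iframe and one 1x1 hidden drive-by iframe.
SAMPLE_PAGE = """<html><body><h1>ITN TV</h1>
<iframe src="http://ads.partner.example/banner" width="300" height="250"></iframe>
<iframe src="http://qz7.freehost.example/in.php" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""


def host(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def classify_detections(records):
    """Group detections by the host the script was found on.

    If every referrer is the same host, the script is injected into the hacked
    site itself.  If referrers come from other hosts, the detected host is an
    intermediate relay between victims and the exploit site (a ban candidate).
    """
    referrers_by_host = defaultdict(set)
    for url, referrer, _verdict in records:
        referrers_by_host[host(url)].add(host(referrer))
    result = {}
    for h, refs in referrers_by_host.items():
        foreign = {r for r in refs if r and r != h}
        result[h] = {"role": "relay" if foreign else "hacked_site",
                     "referrers": sorted(refs)}
    return result


def ban_candidates(records):
    """Hosts that act as relays, i.e. the ones worth banning outright."""
    return sorted(h for h, info in classify_detections(records).items()
                  if info["role"] == "relay")


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _dim(value):
    """Parse a width/height attribute; missing or non-numeric counts as large."""
    if value is None:
        return 10**6
    m = re.match(r"\d+", value.strip())
    return int(m.group()) if m else 10**6


def find_hidden_iframes(html):
    """Return (src_host, src) for each <iframe> hidden in the usual drive-by ways:
    0/1 px size, display:none or visibility:hidden."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): (dq or sq or bare)
                 for k, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = _dim(attrs.get("width")) <= 1 and _dim(attrs.get("height")) <= 1
        styled_out = "display:none" in style or "visibility:hidden" in style
        if src and (tiny or styled_out):
            found.append((host(src), src))
    return found


if __name__ == "__main__":
    for h, info in classify_detections(SAMPLE_DETECTIONS).items():
        print(h, info)
    print("ban:", ban_candidates(SAMPLE_DETECTIONS))
    print("hidden iframes:", find_hidden_iframes(SAMPLE_PAGE))
```

In the constructed records, hacked-news.example only ever refers to itself and is classified as the hacked site, while relay.example is reached from two different victim sites and is flagged as a relay; the page scan picks out only the 1x1 hidden IFRAME, whose host is what the robot would ban.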
Almost noon
Somehow it works out that in many publications the editorial meetings are held in the morning and in the evening, so at 11-12 o'clock requests from journalists on the "topics of the day" start pouring in. Usually there are 3-5 of them by then. We look through them, answer the ones we like most, and hang the rest on colleagues. Fortunately, the leading analyst ranks above the senior analysts ^_^ (Too bad Gostev ranks above me...)

You have to answer simply and tastily, otherwise they won't publish it. An hour and a half goes on this, and then comes...
Day
Meetings... Ugly. Nasty. Boring. Uninteresting. You sit there and even play on your phone. The picture describes the whole process accurately.

Project status, reports, discussion of ideas, etc. You try to hide in a corner so that nobody notices you, otherwise you're done for. The people at these meetings are mostly managers who, by definition, cannot do anything with their own hands, so if something has to be done, you will be the one doing it! I am a lazy person and don't want to do anything for that reason alone, so you keep quiet, hide and pretend you're not there. But... sometimes it is necessary.
Afternoon
Some regular "mini-research" gets hung on me, for example for future products. The goal is to find out, for instance, which standalone banking tools exist for remote access to accounts and for making transactions. We start by looking at the Trojans. We make a sample of the most common banking Trojans: Zeus, SHIZ, SpyEye, Carberp, FIBIT, etc. We look at what is where in them and collect information on the tools.

Here is an example of strings from a dump of a Trojan targeting a white-and-blue payment system, not PayPal. As a result of a quick analysis of the collection (yes, straight down the strings; this is a mini-study), we make a list of 200 tools that banking software works with. That's it. The analysts have done their bit; the rest is the managers' business.
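The "straight down the strings" survey above, as an added example (not the author's or Kaspersky's tooling): pull printable ASCII and UTF-16LE strings out of a dump, match them against a list of banking-client indicators, and roll the hits up across a sample collection. The dump bytes, the tool names and the indicator patterns are all constructed for illustration and are not taken from the Trojans named on the page.

```python
"""Strings-based survey of banking-client indicators in memory dumps.

Added example, not part of the original post.  DUMP and INDICATORS are
constructed placeholders, not data from Zeus, SpyEye, Carberp etc.
"""
import re

# Runs of 4+ printable ASCII bytes, and 4+ printable chars encoded as UTF-16LE
# (Windows malware keeps many of its strings in the latter form).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed dump fragment: a PE header stub, an ASCII process name, a
# UTF-16LE URL and an ASCII key-file name, separated by non-printable junk.
DUMP = (b"\x00\x00MZ\x90\x00\x03"
        + b"AcmeClient.exe\x00" + b"\x7f\x01"
        + "https://demobank.example/login.php".encode("utf-16-le") + b"\x00\x00"
        + b"\x00\x12" + b"secret.bin\x00" + b"xyz\x00")

# Constructed indicator list: tool name -> regexes that identify it in strings.
# A real survey fills this from names actually seen in the samples.
INDICATORS = {
    "AcmeClient": [r"acmeclient\.exe", r"acme_sign\.dll"],
    "DemoBank web": [r"demobank\.example/login", r"/cgi-bin/transfer\.cgi"],
    "Key files": [r"\.key\b", r"secret\.bin"],
}


def extract_strings(blob):
    """Return (offset, text) for every ASCII or UTF-16LE string in the blob,
    sorted by offset so the output reads like the dump itself."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def survey(strings, indicators=INDICATORS):
    """Map each tool to the strings that matched one of its patterns (case-insensitive)."""
    hits = {}
    for tool, patterns in indicators.items():
        matched = [text for _, text in strings
                   if any(re.search(p, text, re.I) for p in patterns)]
        if matched:
            hits[tool] = matched
    return hits


def tool_list(dumps, indicators=INDICATORS):
    """Union of tools found across a collection of dumps: the survey's deliverable."""
    seen = set()
    for blob in dumps:
        seen.update(survey(extract_strings(blob), indicators))
    return sorted(seen)


if __name__ == "__main__":
    for offset, text in extract_strings(DUMP):
        print(f"{offset:#08x}  {text}")
    print(survey(extract_strings(DUMP)))
    print(tool_list([DUMP]))
```

The UTF-16LE pass matters in practice: a plain ASCII `strings` run over the constructed dump would miss the login URL entirely, because every character is followed by a zero byte.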
Evening
The evening begins right after the end of the official working day, when at exactly 18:30 all the managers get into their cars and go home. After that the most productive time for work begins. Only robots write to the mailbox, and you are not distracted by 8 parallel threads of correspondence on one topic. At this time it is best to first read the news and... and then work on, for example, DUQU, or similarly complex malware a la Stuxnet. If no such malware is at hand, you can program the next robot, crawler or auto-sandbox, which may one day take over the world and invent a time machine. At 9-10 o'clock, home to family and children.
Total
I think there are many similar stories on Habr, but this one is mine. That seems to be all. I hope it was interesting. Thanks. Goodbye.
P.S. I am often asked the same question: "Do antivirus companies write viruses?" My answer: to hell with those viruses, and with those who write them!
P.P.S. If you have personal questions, you can write to me by PM on Habr. User k1k. Good luck.