
Habr interview with Igor Danilov (Dr.Web)

Igor Danilov, technical director and owner of Doctor Web, answered questions from the Habr audience.

Which of the recent viruses did you like most (its methods of operation, its distribution scheme, the way it counters antivirus software) and why?

One of the last viruses I liked was PM.Wanderer, which was written a long time ago, in 1996-97. It was interesting because it used the processor's protected mode. In those days virus writers (and not only virus writers, but antivirus writers too) could not master protected mode. I kept waiting and waiting for at least one "normal sample" to appear. And it did appear; you can read about this virus here.

There are "interesting" samples now. But they do not "hook" me. Yes, the implementation is more complex; yes, it is more technologically advanced. But there are no ideas. Everything was created before them. Of the recent ones I remember Win32.Polipos and Trojan.Skimer. The latter showed us how monstrously easy it is to "knock" other people's money out of ATMs. Studying the infected ATMs was a very interesting event for our analysts.

Igor! How would you comment on the recent major false positive in Dr.Web antivirus, as a result of which hundreds of thousands of ctfmon.exe files were deleted and hundreds of system administrators suffered?

Yes, I admit, a very unpleasant event for us. And not only for us, but also for our users. I apologize to everyone affected. I will only correct you a little: the number of those affected was significantly smaller than the hundreds of thousands you speak of. But that does not change the matter. In fact, it was a very curious case: as a result of an error, a virus analyst manually disabled all the automated checks that block the release of an update with false positives after the test scan. Additional controls over all kinds of protection failures are now in place.

Which antivirus (other than Dr.Web), paid or free, do you consider the best, and why? Honestly.

I personally cannot single out a best antivirus. And what does "best" mean? By definition there can be no best. Only by some given set of parameters. But who will define those parameters? It is simply excellent if an antivirus has at least one technological property of its own that distinguishes it from the crowd of competitors. But as a rule they all resemble each other like twin brothers. Especially today, when almost all antivirus companies steal technology and virus detections from each other. I hope I have answered your question honestly.

Do you know Yevgeny Kaspersky? If so, what is your relationship?

We are acquainted. We would probably recognize each other on the street. There is no relationship between us.

What is your opinion of Microsoft Security Essentials as an antivirus?

The same as everyone's. I can say it has, perhaps, a good processor emulator, which lets it unpack packed objects. But because of this MSE's scanning speed suffers significantly: it is one of the slowest antiviruses when we scan virus collections. I cannot point out anything else outstanding about it.

How would you comment on the recent announcement that Yandex has launched its own system for checking websites for malicious code?

In this case I cannot comment on this recent event. They may have done something. But how, and how well, I do not know. And, frankly, I was not particularly worried. If it is done well, well done. If badly, then not so well done.

When do you think the era of SMS ransomware viruses will end? And why has this era dragged on so long across Runet?

Speaking as a technical specialist in IT security, I can only state that in our country there is complete chaos and confusion in the area of computer crime and fraud. And not only there. When the chaos ends, when operators are taught to control content providers, when law enforcement agencies finally take up the search for criminals, when... And there are many more "whens". Unfortunately, given the current situation in the country, I think it will not happen very soon. If it ever happens. That is why this "era" has dragged on so long.

Signature databases keep growing and are updated several times a day. One only has to pack the same virus differently and the signature changes. Are there any successful (reliable / fast) solutions to this problem (such as heuristic analysis), or must new viruses first do harm and get into the databases before the antivirus starts fighting them?

Of course such solutions exist. And various antiviruses use them. For example, Avira or BitDefender treat every packed executable file whose checksum is not in the "white list" of their database as malicious, containing virus or trojan code, right away. But this often does not prevent viruses or trojans from getting onto computers protected by these antiviruses. Once a computer came into my hands on which dozens of modifications of all kinds of trojans lived and felt great. One of the above antiviruses was very tolerant of them. So I would not speak of quick and reliable solutions at this stage. The problem exists.

Literally just now we received a letter from a user who packed one of the antiviruses with the RAR archiver and created a self-extracting distribution. You can see the results here. This is how the respected antiviruses detect it. Including the antivirus that was checking its own copy.
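An added example, not code from the interview or from Doctor Web, that puts the point of this question and answer into runnable form: a checksum signature stops matching the moment a sample is repacked, an entropy heuristic catches the repacked sample but also flags a legitimate program that has been packed into a self-extracting archive, and a checksum whitelist is what separates the two. The "program body" is constructed in the code, Python's zlib and lzma modules stand in for executable packers, and the entropy threshold, verdict strings and whitelist policy are this example's own assumptions, not any vendor's.

```python
"""Added example (not from the interview or Doctor Web): repacking vs.
checksum signatures, a packer heuristic, and a checksum whitelist."""
import hashlib
import lzma
import math
import zlib
from collections import Counter


def constructed_payload(n: int = 8192, seed: int = 12345) -> bytes:
    """Constructed stand-in for a program body: a 16-symbol alphabet drawn with a
    small LCG, so it is ~4 bits/byte and genuinely shrinks when packed."""
    alphabet = b"\x00\x8b\x45\x08\x89\xe5\x55\xc3\xff\x74\x24\x0c\x31\xc0\x5d\xe8"
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append(alphabet[(x >> 16) & 0xF])
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    """The 'checksum' a byte-exact signature or a whitelist entry is keyed on."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Packed or encrypted code sits near the top of that range."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pack(data: bytes, method: str) -> bytes:
    """Two stand-in 'packers': same payload, different byte image, different hash."""
    if method == "zlib":
        return zlib.compress(data, 9)
    if method == "lzma":
        return lzma.compress(data)
    raise ValueError(f"unknown packer {method!r}")


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude packer heuristic (threshold is an assumption): near-random bytes."""
    return shannon_entropy(data) > threshold


def classify(data: bytes, known_bad: set, whitelist: set) -> str:
    """Checksum signature first, then checksum whitelist, then the packer heuristic:
    the 'unknown packed file is malicious' policy described in the answer."""
    digest = sha256_hex(data)
    if digest in known_bad:
        return "malicious (signature)"
    if digest in whitelist:
        return "clean (whitelisted)"
    if looks_packed(data):
        return "suspicious (packed, unknown checksum)"
    return "clean (no match)"


def demo() -> dict:
    """Walk through the scenarios raised in the question and the answer."""
    malware = constructed_payload(seed=1)
    legit_tool = constructed_payload(seed=2)  # e.g. an antivirus installer
    known_bad = {sha256_hex(malware)}
    whitelist = {sha256_hex(legit_tool)}
    return {
        # 1. the exact sample the signature was written for
        "original": classify(malware, known_bad, whitelist),
        # 2. the same sample repacked: the checksum no longer matches, only the
        #    heuristic fires, and each packer yields a different hash
        "repacked_zlib": classify(pack(malware, "zlib"), known_bad, whitelist),
        "repacked_lzma": classify(pack(malware, "lzma"), known_bad, whitelist),
        # 3. the heuristic's cost: the legitimate tool packed into a self-extracting
        #    archive is no longer on the whitelist and gets the same verdict
        "legit_repacked": classify(pack(legit_tool, "zlib"), known_bad, whitelist),
        "legit_plain": classify(legit_tool, known_bad, whitelist),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The whitelist is what keeps the false positive from case 3 at bay, and it only works for byte images the vendor has already seen; a user's own self-extracting RAR of a legitimate product is, by construction, one the vendor has not.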

You said in other interviews that the imagination of today's virus writers is utterly scanty, which is why writing an antivirus has become boring stamping-out work. What are you currently interested in working on? Which software projects do you personally push in the company?

I said that at a time when, by the nature of my work, I was directly involved in analyzing virus code myself. At present, unfortunately or fortunately, I am no longer in such close contact with viruses. I am responsible for all the company's technical decisions. I also personally take part in developing the new antivirus search module (the engine, in common parlance). And I find interest in generating ideas. In creating technological solutions that competitors have no analogues of. We (and I myself) have much to be proud of. Few companies can boast of having, or of the quality of, products such as Dr.Web for Novell NetWare, Dr.Web for Unix/Linux, Dr.Web ES or Dr.Web AV-Desk. A product like Dr.Web CureNet! nobody else has at all. If anyone can boast of something similar, it is companies from the "Big Three". Can you name at least one company of lower rank that has similar technological solutions? I can't. That is my interest: to make things that not everyone can create. And this is still a pleasure for me.

Don't you think antiviruses are losing the war? The spread of high-speed Internet, the availability of computers and the dominance of Windows make virus outbreaks predictable. By the very principles of its operation an antivirus is always one step behind the virus, and that step is enough to infect millions of machines. What way out of this impasse does your company see?

I think they are losing. But antiviruses are a priori bound to lose. That is the law of the genre: the attacker always has some advantage and a head start. And it is not even about Windows and high-speed Internet, although those factors matter. Viruses were winning back in DOS. It is just that back then the scale of damage to computers was not as great as it is now. And viruses were written for self-amusement or vanity. Now nobody creates viruses and trojans for self-amusement. The goal is different, more mercantile. This is the mafia. And the mafia is much harder to fight. Especially when, in fact, in some "developing" countries (Russia, Ukraine, China...) nobody fights it at all and is not going to.

As for us, of course we are constantly thinking about improving our own detection technology. And the situation is gradually improving. Significantly modernized or new methods are appearing: heuristics, "similarity", FLY-CODE, firewall... Soon our new technology SpIDer Netting will appear. I hope our users will like it. And virus writers too. We cannot stand still, and neither can other antivirus companies. But you can see for yourself that the situation is now much better than 3-4 years ago, when all antivirus solutions were losing significantly to viruses.

What has happened to viruses over the last year that the CureIt curing utility has doubled in size?

Nothing significant. There are simply more and more viruses. In addition, we have implemented some additional features for self-masking, self-protection and countering malicious programs.

What is the most interesting / promising next step in the development of antiviruses?

Improved detection and recognition of viral code at the early stages of its penetration into the system. By any available means.

In general, what interesting things are happening now "at twilight", behind the screen that is shown to end users? Did anything interesting happen in connection with the release of Windows 7?

I did not understand anything about the "twilight". If you are talking about the antivirus industry, then I do not know what interests you. Some make money, some make technology. But everyone seems to be fighting "evil". If you are talking about the virus mafia, then I do not know what "interesting" things they are doing at the moment. Apparently they are going to steal money from computer users with the code they have written.

And what could happen with the release of Windows 7? Was the world supposed to roll over with delight? I did not notice anything fundamentally new. Maybe I looked badly? Mark Zbikowski told me over red wine, for two hours, that Windows 7 was the best thing Microsoft had ever done. I believe him. One cannot help but believe such a person.

What is your opinion of the Russian "Silicon Valley"?

Enthusiastic. But I do not know where this “valley” is located in the Russian Federation.

Why does Dr.Web use distribution schemes that resemble network marketing? A couple of times annoying people approached me with offers like: "We have an offer for you, your company and your customers: Dr.Web antivirus at a price lower than the official one." A polite refusal is ignored; you have to send them packing. Some providers, in turn, push Dr.Web on their subscribers because they conclude contracts with such distributors.

You are opening my eyes to our distribution schemes. I still believed that we sell our product through partners and directly through online stores. And it turns out we use some kind of network marketing. Next time, bring these people to us. Maybe they are ordinary pirates or scammers?

I remember that I used to read a file of virus descriptions that came with DrWeb; it contained lots of gems like "Two floppy disks in drive A:!!", "Write-protected fan", etc. Is there anything like that now? It seems it was a tradition started by Dmitry Lozinsky, and a similar file was bundled with his Aidstest polyphage?

Exactly. Dmitry Nikolaevich Lozinsky and I started all this. I just continued his tradition. Although earlier almost all antivirus vendors kept such more or less detailed virus descriptions. Fortunately, there were not so many malicious programs then, and it was possible to write a separate entry for each specimen. Today that is impossible. There is too much viral trash of every kind. And the "functionality" of all of them is similar to the point of disgrace. We write descriptions only for the samples that are, in our opinion, the most interesting, or the most widespread, those that caused serious virus epidemics.

Interesting: were these 1997 Dr.Web brochures created with your participation?

No, I did not take part in creating these brochures. I acted only as a critic.
These unique images were created by Alexey Abramkin (artist) and Sergey Ostrovsky (generator of ideas).

Thank you for the questions. Thank you for your attention. If you think I did not answer some question in enough detail or in good faith, or if you have new questions, welcome to our forum, in the section "Questions to Igor Danilov". We can continue the discussion there.

Source: https://habr.com/ru/post/87666/
