PRAGUE--The city of Brno in the Czech Republic is a place people go to learn. Situated some 130 miles southeast of Prague, its 11 universities host approximately 80,000 students, many of whom are computer engineers. So it's no surprise that while AVG's corporate offices are headquartered back in Prague, Brno hosts the lifeblood of the company: the virus lab.
Although consumer computer security has grown tremendously in the past five years--with nearly all the major security suite makers including some form of community-based protection, URL verification, or phishing prevention to accompany more traditional tools like firewalls and antispam measures--antivirus detection remains the quintessential PC security feature.
AVG's Brno office is located in a complex that also hosts computer security vendor TrustPort, as well as a home appliance manufacturer. In most ways, the AVG offices on the sixth floor could be the offices of any software company. There's a game room with foosball and table hockey; a small library with muted lighting; a playroom for the children of AVG employees; and relaxation spaces designed to resemble places not often seen in the heart of central Europe, like beaches festooned with hammocks. The walls of one of the eating areas have been painted to resemble a Starbucks, complete with a massive Starbucks logo.
Two floors down, the only indications that you've arrived at the virus lab are the raft of warnings plastered to the door. Yellow caution tape and printed flyers emblazoned with the biohazard icon make the lab stand out from the rest of the conference rooms and offices. Of course, computer viruses have yet to actually pose a threat to your biological health, but the point is clear: The lab is restricted. Omezený, in Czech.
Inside, security analysts sit in high-backed chairs at Dell computers running Windows 7, and except for what's being displayed on their screens, the scene again returns to one of abject normality. The work that they're doing, however, is of paramount importance to your computer's security.
Karel Obluk, AVG's Chief Scientist, said that people tend to underestimate the speed at which threats appear and disappear. "There's more to do than calculate checksums," he said. A checksum, also known as a hash sum, is a fixed-length number computed from a file's contents by a checksum tool; it changes if any of the data inside the file changes. A virus that alters a file will therefore alter its checksum, so many antivirus programs today generate checksums for every file on your hard drive and whitelist those files until a change is detected.
Obluk added that there are more than 40,000 new viruses a day. "We do keep up, but not by processing each and individual sample." AVG's automation takes over here, leaving about 50 samples per day per researcher. The company employs 25 analysts in Brno, and has five in China dedicated specifically to malware originating from there.
And make no mistake, the threat to your computer isn't really about disrupting you or your life. The bad guys just want your CPU and bandwidth to make money. "A typical botnet can generate $11,000 per day, on less than 10,000 computers," said Obluk. The business of being a bad guy is so lucrative, he added, that malware writers have taken out ads in online forums not just for engineers, but for user interface designers, office managers, and accountants.
How the good guys stop the malware
The short version of how malware gets stopped from infecting your computer is quite simple, according to Pavel Krcma, the head of AVG's virus lab. First, the virus sample gets collected. It arrives via a user submission, is picked up by AVG's protection algorithm, or is shared by another virus lab. Whereas on the business and marketing side the security software industry can be brutal, the analysts and other members of the research and protection side communicate regularly, Krcma said.
Once the sample is in the lab, the next step is to create a checksum signature for it. This is then checked against the existing database of checksums to ensure that the sample is not actually a legitimate file, which would be a false positive.
Assuming it is malicious, the next step is a bit "like undressing the virus," said Jirí Bracek, AVG's director of Security Engineering. The easiest way to see whether a file contains malicious code is to create an entropy map of it, he said, but because the files are almost always encrypted, the analysts have to rely on an emulator.
"We put it in a 64-bit Windows emulator, and we have a script emulator. Mostly malware scripts are obfuscated, and it's the obfuscation that prevents us from using hashes or regular expressions, so we use the emulator to reveal it," he explained. Citing proprietary information, however, Bracek wouldn't reveal precisely how the emulator works.
Inside the file's binary there are three main sections: a .text section for executable code, the part that sends instructions to the processor; a .data section that holds the file's data; and a .rsrc section that contains icons and other resources. "We can see healthy code in the binary because healthy code has uniform lengths of jumps, they are organized," said Bracek. "Malware code sometimes has code in different sections, such as .reloc or .rsrc. Malware also has code with chaotic jumps."
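To make the "entropy map" idea concrete, here is an added, simplified illustration (not AVG's code, and no emulator involved): it computes Shannon entropy over fixed-size windows of a file and flags windows whose byte distribution is flat enough to look encrypted or packed. The input is a constructed byte blob, not a real sample; the window size and 7.0-bit threshold are assumptions.

```python
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a perfectly flat histogram."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_map(data: bytes, window: int = 256) -> list:
    """Entropy of each fixed-size window, in file order (the 'map')."""
    return [round(shannon_entropy(data[i:i + window]), 3)
            for i in range(0, len(data), window)]


def flag_packed_regions(emap: list, threshold: float = 7.0) -> list:
    """Indices of windows dense enough to suggest encryption or compression.

    Plain machine code is repetitive (opcodes, zero-padded immediates) and
    sits well below 8 bits/byte; ciphertext or packed data approaches it.
    """
    return [i for i, e in enumerate(emap) if e >= threshold]


# Constructed sample: a repetitive x86-like prologue, a zero-filled gap,
# then a region with a flat byte histogram standing in for ciphertext.
PLAIN_CODE = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\xe8\x00\x00\x00\x00" * 40)[:512]
ZEROS = b"\x00" * 512
FLAT = bytes(range(256)) * 2  # every byte value exactly once per 256-byte window
SAMPLE = PLAIN_CODE + ZEROS + FLAT


def analyze(data: bytes = SAMPLE, window: int = 256):
    """Return the entropy map and the list of suspicious window indices."""
    emap = entropy_map(data, window)
    return emap, flag_packed_regions(emap)


if __name__ == "__main__":
    emap, flagged = analyze()
    for i, e in enumerate(emap):
        print(f"window {i} @ 0x{i * 256:04x}: {e:.3f} bits/byte"
              + ("  <-- high entropy" if i in flagged else ""))
```

A real analysis would apply the same measure per PE section (so a high-entropy .rsrc or .reloc that also holds executable code stands out), but that is beyond this illustration.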
Once a file has been positively identified as a threat, the researcher generates a checksum for it and updates the database. The update then goes out to AVG's more than 110 million active users.
All told, from the point that AVG receives a suspected new threat to the point where the malware is blocked and that data is pushed out to AVG users around the world, the process takes about five minutes, said Krcma. The analysts are quite adept at what they do, he added. "It takes about one minute per piece of malware."
Not all threats can be detected using entropy maps. For example, rogue antivirus programs, also known as fake antiviruses, can't be detected using entropy maps, because those kinds of threats behave normally. The recent MacDefender attack was a rogue antivirus. Bracek explained that for rogue antiviruses, AVG instead looks at other characteristics that might be more likely to stand out.
Where the threats come from
"About 10 percent of attacks are coming from USB sticks," said Obluk, which leaves the Internet for the lion's share. But what does that mean? AVG's researchers are seeing a mixed bag of social engineering, rogue antiviruses, and traditional viruses and botnets.
Premium SMS is also a problem, and Obluk cited an AVG study that found that 8 percent of about 2,200 sampled U.S.-based smartphone users said premium SMS scams had happened to them. A premium SMS scam is where a rogue process gets your phone to send a text message to a number that charges for the receipt of the message. Premium SMS has been used to help donate money to victims of natural disasters and to relief organizations, but instead of a $10 donation, the premium SMS scammers use smaller denominations to avoid detection, Obluk said, because a $1 variance in your phone bill tends not to stand out to people the way a larger charge would.
Another big problem on smartphones, he said, is URL spoofing, because a phone's smaller browser makes it harder to read the location bar.
But Obluk cautioned that socially engineered threats--the threats that con people into giving up sensitive data--are the hardest to prevent and the hardest to inoculate against. "Mac and Linux and Windows are generally secure. It's usually the user that's the weakest link."