Security

Eugene Kaspersky once told a competitor to his face: "I will eat you."

Eugene Kaspersky

(Credit: Kaspersky Lab)

The co-founder and CEO of Kaspersky Lab was certainly not into cannibalism, but was hell-bent on winning over the majority market share his competitor had in the company's base in Russia.

That was in 1995, the year Windows 95 was launched. Contrary to Kaspersky's strategy to develop new software optimized for the Microsoft operating system, its domestic rival saw no need to do so. Today, Kaspersky has the pleasure of saying he had the last laugh since his company is now the market leader in Russia while its competitor has less than 1 percent share.

In Singapore this week for an Interpol conference and customer and media meetings, the 44-year-old Russian spoke candidly in an interview with ZDNet Asia about the security strategy of Microsoft, how cybercrime should be combated, and why an Internet "passport" would be a good idea.

Read more in a Q&A with Kaspersky at "Microsoft OneCare was 'good enough'" on ZDNet Asia.

UPDATED: Benchmarks provided by CNET Labs were added on Monday, August 24.

A new season of security suites is upon us, and Kaspersky has made improvements to its Kaspersky Internet Security and Kaspersky Anti-Virus programs that include changes indicative of where security software as an industry is leaning. Three new features along with expected upgrades to its antivirus engine keep Kaspersky competitive.

The main window of Kaspersky Internet Security 2010.

(Credit: Screenshot by Seth Rosenblatt/CNET)

The full-feature suite Kaspersky Internet Security offers a complete and competitive range of security options. The new features in the 2010 edition include a behavioral-based detection system called the Urgent Detection System. The UDS utilizes the anonymous data of 10 million Kaspersky customers who choose to participate in submitting their system scans to Kaspersky's central servers for analysis. In fact, the UDS must be opted-out of--there's a check box and data collection statement to read when you install the program.

Although this might sound insidious, it's actually a smart way to leverage a huge consumer base for security purposes as long as the data remains anonymous. Symantec's Norton 2010 will contain a behavioral check, too, and what both do is look at programs installed on your computer and judge their safety based on how many people have them installed and how they behave. Among UDS's better sub-features are the ability to customize how long it takes to pass judgment on a new program and per-user configuration of the rules governing program behavior.

Even if a program has deep penetration and it starts behaving badly, Kaspersky will block it. If it's an unknown, Kaspersky will treat it skeptically, monitoring and restricting the program until it has been proven safe. The Vulnerability Scan option, available under the Scan tab, utilizes tech from Secunia to determine which programs are potential security risks because they lack recent updates or patches. For programs that may not warn you that they have a pending security update, such as Adobe Flash, having this tool baked-in could be exceptionally useful.

Cybercrime fighter Eugene Kaspersky can't help but be impressed by the slick operations behind the Conficker botnet, and says that it could have been worse had the botnet been after more than just money.

"They are high-end engineers who write code in a good way," Kaspersky told ZDNet.com.au Wednesday. "They use cryptographic systems in the right way, they don't make mistakes--they are really professional."

Kaspersky says he's "60 percent certain" that Conficker is being controlled from the Ukraine, but can't be certain. And while the threat posed by Conficker seems serious enough, Kaspersky says, "It could be worse. We are lucky they are just cybercriminals looking to make money and not worse than that."

The unknown threat posed by Conficker, which hit 10 million Windows machines prior to the suspected D-Day of April 1, prompted a coordinated response. Kaspersky, Symantec, Microsoft, the Internet Corporation for Assigned Names and Numbers (ICANN), and the Federal Bureau of Investigations' Cyber Division, among others, began a campaign to frustrate Conficker's attempt to download a software update.

One reason for ICANN's involvement, according to its CEO and president Paul Twomey, was that Conficker was targeting the Internet's Domain Name Service layer, which is equivalent to the address book of the Internet.

During a keynote delivered at the AusCERT 2009 conference held on the Gold Coast this week, Twomey noted the change in tack by botnet operators. "The application layer has typically been used as the attack vector, but we are beginning to see the DNS resolution used as the command and control," said Twomey.

Conficker is the current darling of the Internet's dark side, preceded by others such as Storm, and spam-machine McColo. But all botnets maintain an edge over their various opponents: they are centrally controlled, "located" potentially anywhere, generally don't rely on third-parties, and are free of regulations.

Botnet operators in Russia, however, have started to cooperate with each other, according to Dmitry Levashev and Ruslan Stoyanov, network security experts from Russian ISP RTComm.ru. At the AusCERT 2009 conference, via a translator, the two gave a sobering account of what lies ahead for Australia in the next three years.

"The different botnets work in cooperation. One would say, 'I'm just a bot herder, I don't care about money laundering.' Or 'I do fraud, we just do our own task.' So, one is doing spam, like advertising services, and another is doing money laundering. It's like a manufacturing business," they said.

Indeed it appears to have occurred when Conficker adopted the Waldec virus, previously used by the Storm botnet as a mechanism to self-propagate.

Meanwhile, the group working to frustrate Conficker's attempt to complete a software upgrade on April Fools' Day fought to coordinate themselves. While ICANN was responsible for coordinating Top Level Domains, Microsoft pushed out patches to non-pirated versions of Windows.

Kaspersky says of his company's role that they had found Conficker was using an algorithm to generate random URLs that it would target in order to download updates to its malware.

"The worm used an algorithm which generated a list of domains. Every day it produced a new list. It looked for these URLs, and if they were online, the worm was designed to download upgrades form the URL. The initial version of the 10 million machine botnet would just wait and download. That's why we were really scared on April Fools' Day. We didn't know what was going to happen."

The group was able to exploit that algorithm and second guess the URLs that would be targeted, and block requests to those URLs. But, says Kaspersky, it was only partially successful.

"We blocked all the URL names which the worm was going to generate. It's an algorithm, so we generated all these URLs and registered these domain names, except ones which were already owned by someone. And because of that--the domain names not owned by those in this process--the Conficker authors managed to take control of one of these domains and upgraded the worm. That was scary," he said.

ICANN's Twomey insisted the group's efforts against Conficker proved that key Internet players, such as Top Level Domain registrants, are capable of coordinating a response to such threats. Still, the Conficker response was the exception and not the rule.

It wasn't the first time a botnet operator has attempted to compromise DNS servers to magnify its capacity to add to its army.

At an ICANN conference held in Mexico in March this year, Rod Rasmussen, chief technology officer of phishing take-down firm Internet Identity, showed evidence of a recent nine-hour attack on CheckFree, an online bill payment provider to 22 U.S. financial institutions, which resulted in a two-day shut-down of affected online services and an estimated 10,000 infections over 48 hours.

"Somebody came in and took over the CheckFree's domain name portfolio at their registrar. They changed the DNS servers for those domains and pointed...basically every host name that would resolve under their domain names to a malware server that was in the Ukraine. Anybody who tried to go to CheckFree.com or any of their other domain names were redirected, instead, to a malware server and were exposed to getting malware download on their computer," Rasmussen said.

In a similar vein to the attack on CheckFree, hackers targeted MelbourneIT's New Zealand subsidiary, Domainz. The hackers, who appeared to be politically motivated, defaced Coca-Cola, Microsoft, Xerox, and F-Secure's Web sites by injecting name server records for the domains in question by compromising Domainz' infrastructure. It didn't knock out critical national infrastructure, but it was able to take down several large companies' websites for a few days.

Kaspersky says, "It's a major example of their Internet weapon, because the bad guys can use a botnet this size, not just for commercial interests, but other interest also."

He insists, "I don't admire them" yet there is an undeniable sense of respect he conveys.

Originally published at ZDNet Australia.

An independent audit of a data breach at security firm Kaspersky's U.S. Web site has confirmed that no customer data was exposed, Kaspersky said on Friday.

A Romanian hacker site used a SQL injection and cross-site scripting attack to get access to a database on a Web site of the Moscow-based Kaspersky and publicized the attack on Saturday.

Kaspersky announced on Monday that it would hire database security expert David Litchfield to analyze the breach.

In the report, Litchfield concludes that an attacker based in Romania used Google to search for Web servers owned by Kaspersky running applications that may be vulnerable to a SQL injection attack, launched an attack, and attempted to gain access to customer data, but failed.

"This caused a number of other attackers from various locations to probe the site further," the report said. "None of these follow-up attackers accessed any customer data either."

The report was delivered to Kaspersky on Thursday.

The same HackersBlog site also launched subsequent SLQ injection attacks on Web sites of two other security firms, BitDefender and F-Secure.

Romanian Hacker site Hackers Blog displayed screen shots of the compromised Kaspersky site.

(Credit: Hackers Blog)

Updated 3:10 p.m. PST with comment from BitDefender.

Moscow-based security firm Kaspersky has hired a security expert to investigate the weekend breach of its U.S. site, the company said Monday.

Meanwhile, the hacker site claiming credit for the breach said on Monday that it had done the same compromise on the Portuguese Web site of antivirus provider BitDefender.

In a statement, BitDefender said an unnamed partner site was compromised and that the company was investigating the incident to help the partner prevent it from happening again. "This was an unfortunate event and while we sympathize with the sites that were affected, BitDefender was not one of those sites," the statement said.

In the Kaspersky breach, which was discovered on Saturday, no sensitive or customer data was compromised, Roel Schouwenberg, a senior antivirus researcher for Kaspersky, said on a conference call with reporters. But to allay concerns about the severity of the problem, Kaspersky has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved, he said.

A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack, in which a small malicious script is inserted into a database that feeds information to the Web site, according to Schouwenberg.

The portion of the site breached had been developed by an unnamed third party and was not subjected to an internal code review process as it should have been, he said. "Obviously we are not happy about that and are in the process of making the review process stricter than it currently is," he added.

"A more advanced hacker" could have potentially accessed about 2,500 e-mail addresses of customers and about 25,000 product activation codes that were on the compromised server, but that did not happen, Schouwenberg said.

Kaspersky's new U.S. support site went live on January 28 and was publicly launched on January 29, the company said. There is no indication of any other breaches since then, according to Schouwenberg.

A Kaspersky employee in Romania was alerted to the breach on Saturday after seeing a report of it on the Romanian site Hackers Blog, he said. That worker notified Kaspersky workers in the U.S. and within half an hour, the affected section of the site was taken down and then replaced with the older, secure version of the site, he added.

Asked if the company was worried its reputation would be damaged as a result of the attack, Schouwenberg said: "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened. We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again."

Someone taking credit for the breach had sent an e-mail warning the company about the problem one hour before the attack, "which gave us little if any chance to respond" in a timely manner, he said.

The U.S. Web site of Russian antivirus vendor Kaspersky Lab was hacked over the weekend, exposing the company's customer database. But Kaspersky denies any data was compromised and says the vulnerability wasn't critical.

An unidentified hacker reported over the weekend that he was able to access a complete profile of the company's databases, revealing its clients' names, activation codes, list of bugs the company tracks, and client e-mail addresses.

The hacker claims to have hacked Kaspersky's databases using an SQL injection attack, which exploits a vulnerability in an application's database layer.

The method has become a popular means to gain information via Web-facing applications or as a way to use popular Web sites to spread malicious software.

Microsoft's U.K. Web site came under a similar attack in 2007 when hackers used an SQL injection to inject HTML code that seemingly defaced its Web pages.

The Kaspersky hacker, who published findings on Hackersblog.org, has since said that confidential data will not be released.

The "Kaspersky team doesn't need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data. We just point our fingers to big Web sites with security problems," the hacker reported.

Kaspersky has admitted that a subsection of its USA.Kaspersky.com domain was vulnerable on Saturday when a hacker "attempted an attack on the site."

"The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," a company representative said in a statement.

Liam Tung of ZDNet Australia reports from Sydney.

White lists will be on every desktop within the next five years, according to Patrick Morley, CEO of Massachusetts-based Bit9. Morley was in town to address the Dow Jones VentureWire Technology Showcase in Redwood City, Calif., on Tuesday. He stopped by CNET News afterward to discuss why he believes white listing will be important in the next few years.

The basic idea behind "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.

Patrick Morley, CEO of Bit9, believes white listing will be important in the next few years.

(Credit: Bit9)

Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a percentage of that if generic signatures are used) is a pretty serious undertaking. The idea with white listing is to identify the applications and files we know to be good, which, in theory, should be considerably less than a million.

Over the years Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings, ranging from Fortune 100 companies to retail companies like Marks & Spencer, 7-Eleven, and Ritz Camera.

Morley told me his company will continue to concentrate on enterprise solutions, but it is open to licensing agreements with consumer security companies. Already one agreement is public: Kaspersky is using a limited subset of the Bit9 GSR in its Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009 product.

The challenge with commercial applications, Morley said, is not to turn the end user into a system administrator. In this case, Kaspersky made policy decisions for the end user and further allows the more advanced end user to customize the settings based on overall comfort level, not individual files.

During our talk, Morley took issue with antivirus vendors who are saying they too have white listing within their products. He said most have lists of good and bad software, but that they stop monitoring the applications after checking it once.

And many of the antivirus products are using community feedback to determine reputation. So if 1,500 users are showing this file on their PC, then Symantec, for example, is going to be more inclined to say that file probably should be on a person's desktop. Symantec says community feedback is just one of the criteria; there are researchers who will be confirming the reputation of a file as well.

"We look at the executable," Morley said. This gives Bit9 the ability to block an application even after it has launched, and then pass that knowledge to all its customers so everyone is protected.