Q&A: Interview with a Virus Slayer
Mikko Hyppönen on the Museum of Malware, the golden age of virus hunting, and the weaponization of viruses.
by Alina Simone
In the world of computer security, Mikko Hyppönen is probably as close to rock star status as it gets. He is a TED talking virus-slayer who Vanity Fair dubbed the “Code Warrior” for his role in helping extinguish the Ebola-level malware, Blaster. In addition to weeding out malicious worms, Trojans and botnets, Hyppönen has also been outspoken about the threat posed to both the free web and our civil liberties by cyber surveillance tactics employed by local police, national security organizations and other government bodies.
More recently, however, Hyppönen has come to occupy a new and unexpected role in the annals of computer security: as a historian of malware. Five years ago, he created a short documentary about journeying to Pakistan to track down the creators of “Brain,” the first known PC virus. (Two sheepishly proud brothers, Amjad Farooq Alvi and Basit Farooq Alvi, who today run a computer company named Brain Telecommunication.) And in January, he began volunteering with the Internet Archive, the non-profit digital library that includes the Wayback Machine, to help create the Museum of Malware, a final resting place for antique viruses.
I recently spoke to Hyppönen about the evolution of malware and how we went from joke viruses distributed on floppy disks to ransomware attacks that threaten to hobble entire governments.
So how did you first get interested in the history of malware?
I am a dinosaur in many ways. It turns out there are very few people who have worked in computer security longer than I have who are still in business, so I suppose I saw it as some sort of responsibility to try to save the history of early viruses. That’s why I started collaborating with Internet Archive. It’s a great project and I’m happy to be part of it. I really like the idea of preserving our past for future generations.
From a forensic perspective, is there anything we can learn about the evolution of the computer hacker from studying proto-viruses?
We can definitely learn how the profile of the average cybercriminal has evolved. We’ve seen huge technical changes in the types of attacks we see and the malware we analyze, but we’ve seen even larger changes in who we’re fighting. Basically, all the samples we have in Malware Museum were written by teenage boys and their motive was fun. They did not get money. They did not get famous. They just did it because they could. Some were destructive, but they were destructive for no reason at all.
The hobbyists disappeared 15 years ago, and we’ve had a constant evolution of attackers since then. First, we ran into organized crime gangs making money with online attacks, especially malware. Then we ran into ‘hacktivists,’ people who were breaking the law, but who were doing it for political motives (like Anonymous), not to make money. And then we got into government involvement: intelligence agencies using malware and cyberattacks to spy. Law enforcement, including the FBI, is using malware in criminal investigations. I live in Finland and the Finnish criminal central police has the legal right to infect my phone and my computer with a piece of malware if they suspect me of a crime. That’s a great example of the kind of malware that people never forecasted 25 years ago. I mean, if someone would have told me that eventually cops would be writing viruses and using them in their work, I would not have believed them, but that’s where we are today.
Presumably computer experts had to evolve as well in order to keep up with hackers. What’s it like working at F Security [the computer security now versus the era of the hobbyist virus-maker?
Most of the stuff we do here is quite mundane and boring. It’s people sitting at their computers and typing away at keyboards all day long. But there have been more exciting times, especially the virus wars, as we called them, which were the first years of the 2000s, a time of massive email worm outbreaks and web-worm outbreaks. Melissa, Loveletter, Blaster, Slammer, Sasser. All these viruses were still created by hobbyists not trying to make money with their attacks.
The very last years of the hobbyist virus writer became very, very hectic, because we saw these massive outbreaks over and over and over again, day in, day out, and we were working in emergency mode around the clock everyday of the week. I mean, the phone would ring, or our alarm systems would go off, and we would be running around trying to get the latest sample and decode it in 15 minutes or faster, build detection, run in through our Q&A systems, ship it and clock it.
It was sort of fun and exciting for the first couple of times, but when you have a week where you have six wake-up calls in the middle of the night — eventually you’re just living in a fog. And this lasted for months and months. We all were working from Finland so if something happened during the daytime in the United States, we were working in the middle of the night. Looking at it now, it was really heroic work. I am sort of glad I lived through it, but I’m sort of glad those days are behind us as well.
Whoa, wait: F Security had an alarm bell?!? Like a fire station for viruses…?
Yes, we would have an alarm ring and a light flashing. We also had codes for different levels of outbreaks. We called them Radar Alerts. Radar Level 1 was the worst. When we upgraded an outbreak to Radar Alert Level 1, that automatically meant that meetings were canceled and lab staff would not leave the office for lunch — they get free pizza instead. We had a pizza list that required you to mark beforehand “I want salami,” and when we were at Radar Alert Level 1, somebody just bought you salami pizza.
So do alarm bells ring and pizzas fly during current scares, like the Hollywood Hospital ransomware hack?
We don’t have to do that anymore. These massive outbreaks have gone away and that’s exactly part of this transition from hobbyist virus writers — who were trying to create massive outbreaks because they wanted to make headlines — to money-making criminals.
If you write malware for fun, you want to write the fastest malware. The hobbyists were actually competing with one another to see whose virus spreads worldwide fastest, and who makes the biggest headlines.
But as you start writing viruses for a living, if your malware actually makes the headlines, you’ve already failed.
You want to stay under the radar. You don’t want to become a massive outbreak that infects millions of computers. You can’t use millions of computers to make money anyway — you’re much better off infecting 1000 computers today, another 1000 the day after that. Keep it slow and steady. Bill whatever credit cards and bank accounts you are collecting, and hopefully stay out of the sight of law enforcement, media and security companies. That’s the reason we don’t see these massive outbreaks anymore.
So what was the actually turning point when hackers realized that viruses could be weaponized to make millions?
Fizzer was the turning point. This virus isn’t historically remarkable in any other way, except that it is the first money-making malware since the AIDS Information Ransomware Trojan in 1989. [A real outlier amidst the prank viruses of the 80s and 90s. The next successful ransomware attack would not be launched until the late 2000s.]
This is what really started the money-making with malware. When we found Fizzer in November 2003, it was just another email worm. Once it infects you, it spreads to everyone in your address book, and since your friends know and trust you, they’re going to open the attachment. What made it unusual is that when it infected a machine, it also installed a proxy on every infected computer. Proxies are used to reroute connections. Basically, this meant the attacker could reroute his internet connections through your computer.
We had never seen this before and didn’t understand why a piece of malware would do this, so we decided to investigate. We infected one of our systems on purpose with Fizzer and then we waited: it had a proxy running on it, now let’s see what they do with the proxy. We had an infected machine running for 3 weeks and nothing happened. Then one day, a massive amount of traffic — like megabytes of traffic — were flowing through this computer. Much much more than I was expecting. What was the traffic? It was email, all email. We look at what kind of email: Viagra ads.
And then it all dawned on us. Oh my God, they’re infecting computers on purpose so they can send spam from them.
Before this, all spam was sent from dedicated spamming servers. Spam had already been a problem for years, but filtering it was fairly easy: you just had to figure out which servers the spammers were using and blacklist them.
So the obvious counterpoint from the point of view of the spammers was, “Ok, let’s stop using our servers. Let’s send the spam from users’ own computers.” You can’t blacklist everybody’s computer because they send normal mail from there as well. That’s why spammers started cooperating with malware writers; they realized these guys already had access to tens of thousands of home computers and started paying them to turn those infected machines into spam botnet bots.
Ok, so we have hobbyists in the 80s and 90s, then spammers in the early 2000s. How did hackers evolve from there?
The next big step is we started seeing more and more keyloggers. Instead of making money by spamming, hackers started actually stealing your passwords from online stores. Very quickly, that evolved into automating the system so that every time you registered at an online store, they would record your credit card number, which in turn led to banking trojans. Online banking started taking off around 2005 and since people were using their home computers (which are very insecure) criminals realized they could insert extra transactions.
Then we saw quite a few botnets using computers to launch Denial-of-Service attacks. They would attack online stores and then demand payment for the attacks to stop, because as long as your site is down you have no revenue. And pretty much exactly five years ago, the first modern ransomware trojans emerged. Since then we have tracked the operations of over more than 100 different gangs from Russia, Ukraine, Belarus, Romania, Japan and elsewhere, making practically all of their money from ransom trojans. They are competing with one other for the same victims.
Yes, we still have keyloggers, spam botnets, and banking trojans, but ransom trojans are by far the biggest problem for end users, and where the greatest amount of money is being made. The mega trend that made this possible, of course, is Bitcoin.
To the layperson (read: me) it’s frustrating to hear that computer security experts know how many gangs there are and what countries they are based in, but can’t, you know, actually catch them.
Except we don’t know their names. We don’t know where they live. And that’s what is frustrating about Bitcoin. We see the money movements, but we don’t know where it goes in the real world. That’s why Bitcoin changed the game so much. There has been so much work done trying to shut down these ransom trojan gangs, but it is very hard. And it is a remarkably big business for these online crime gangs.
You mentioned the gangs are competing against one another for victims. Is the virtual mafia like the real mafia? Are we talking Sopranos-style assassination attempts?
They will not go assassinate each other, but they do hack each other. They do shut down one another’s operations. They do steal from one another — especially code, but also things like translations. Last month we saw that CTB, one of the ransom trojan gangs, hired a translation agency to translate ransomware messages shown to victims into over 20 different languages, including Finnish. So customers here in Finland get a message explaining how to send Bitcoin in perfect Finnish, not a machine translation. It’s remarkable; Finland is only a market of 5 million people yet they are targeting us with translations! And as soon as they did that, at least five, maybe ten competing gangs, stole their translations.
Another modern day cyber-threat you’ve discussed a great deal is the growing issue of governmental and police surveillance. What is more worrisome: the external threat of cyber hacking, or the internal threat of covert government data gathering?
There are different classes of threats and they are a little bit hard to compare. Yes, government surveillance is a big problem, and it’s a unique problem. Our generation is the first generation which can be tracked at this level.
Today it is perfectly doable to track every citizen’s location at all times because we all carry these devices which we call “mobile phones” but should maybe call “trackers.”
So that is a huge problem, but is it a bigger problem than the completely different problem of ransomware? People very concretely lose their data, their digital history, pictures of their children growing up. You go and speak to a ransom trojan victim and ask her: Do you think this is worse than being surveilled by the government? And she will say losing your files is worse than abstract surveillance which she doesn’t see and may end up having no concrete outcome at all.
We basically have two categories at the heart of all these computer security problems: technological vulnerabilities which make it possible to bridge the security of our systems, or user error. The user clicking on the wrong link, or typing his password into a phishing site. The user doing stupid stuff. We can try to fix the vulnerabilities through better security engineering, better security technology and better training of our developers. And that has been happening. Our security tech is clearly superior to where it was 10 years ago, or 5 years ago. But fixing people is hard. After 25 years, one thing I have learned is that people never learn. Education is a waste of time and money. It’s a pessimistic view on where we are today, and pessimistic given I’m spending quite a bit of my time doing education, yet I feel like it’s not really going to solve these problems. One half of it is technological, but the other half is psychological.
As a both scholar of malware and a career virus-killer, you probably know more about the dangerous porousness of online systems than just about anyone. How has that affected the way you safeguard your own personal information? Have you bought any typewriters lately, or launched any carrier pigeons?
Obviously, I am paranoid. It comes with the territory and I go to extreme lengths regarding my own security and own privacy. I’m trying to practice good operational security which is to say: I’m not going to tell you what I mean when I say I’m being paranoid about my own security.
Fair enough, Mikko. Fair enough.
Practically Unhackable is an Intel publication built for anyone who uses the internet — someone like you! Take your first steps to a safer online life with ourstep-by-step guides on everything from managing passwords to beating ransomware.