Mikko Hypp"nen collects coin-operated Atari game machines. And as chief research officer of Helsinki-based IT security firm F-Secure, Hypp"nen is also on the front line of defence against computer-virus outbreaks. He spoke with CWHK's Stefan Hammond after a joint press-conference with PCCW--the Hong Kong telco announced the adoption of F-Secure's Chinese version of "Security as A Service": a security product for Hong Kong ISPs branded under PCCW as "PC Guard."
CWHK: What changes have you seen in the computer security landscape?
Mikko Hypp"nen: When I joined F-Secure in 1991, there were 300 computer viruses in the world. Now there are about 140,000.
Of those 300 1991-era viruses, most were on floppy discs. If you compare the spreading speeds of those old viruses to the spreading speeds of these mobile [phone] viruses, they both started to spread when people travelled with either floppies or mobile phones. With a Bluetooth mobile virus, it jumps from Hong Kong to Helsinki when somebody flies between those cities, with their mobile phone. It's interesting: 15 years later, we're almost back at the same place.
CWHK:What operating systems were being targeted back in 1991?
MH: DOS, and Mac OS. In the mid-eighties, people thought that the computer virus problem was only a Mac problem, because back then there were zero PC viruses. Right now, Mac OS X: zero viruses, you don't need an antivirus at all. And PC, 140,000.
CWHK:What percentage of viruses affect Windows OS?
MH:99.99 percent. There are about 30 Linux viruses, 50 Mac viruses for pre-OS X, zero Mac OS X viruses, 83 Symbian viruses, and two Windows mobile viruses.
CWHK:Why more Symbian viruses compared to Windows mobile?
MH:Because Symbian is the market leader. Same reason why everyone's targeting Windows and not Linux or Mac.
[Another] reason we have more Symbian viruses: it's easier to create new viruses by modifying the existing ones, so it feeds on itself. But it's early days for a new problem, it's been only 15 months since we discovered the first mobile phone virus.
CWHK:Do you think you'll see similar growth in mobile viruses?
MH:We hope not, we're trying to prevent that. That's why we are active in this field, and working with mobile phone vendors, telcos and manufacturers like Symbian themselves in trying to secure the actual devices and operating systems.
CWHK: What changes have you seen with Windows OS viruses?
MH:Many people worry that if they get hit by a virus, it will destroy their files or format their hard drives. But nowadays, none of the current Windows viruses destroy stuff. They might of course have compatibility problems and crash the system by accident, but that isn't the target.
What they're trying to do is steal your files, steal your information, steal whatever you typed - your password, your credit card number--or to connect your machine to a botnet so they can use it. They want to benefit from your computer, not destroy it.
CWHK:We've heard that botnets are now a commodity that is traded on the Internet, for example in lots of 10,000 "zombies"...is this true?
MH:Sure. (laughs) You wanna buy some?
CWHK:OK, if you can find out who's selling them, do you tell law enforcement agencies? Say you find someone in Uzbekistan, you've got his IP address, he's peddling these zombies by the million, do you ever say: "go get this guy"?
CWHK:Is it that simple?
MH:It's that simple, and that's we do fairly regularly. Although typically, we try to track down the guys who write the viruses.
We call them "botnet-herders" - these guys who build large botnets - and we've been doing some tracking of them lately. For example, one group known as "Moop" did some underground information-gathering: going on chat systems and IRC systems undercover, trying to get [privileged] information.
More and more, these guys are moving away from working for spammers and getting into database theft. Because if they control, say, 30,000 computers [as zombies], it's likely that if someone comes to them and says, I'd be interested in information related to this or that organization, if they have tens of thousands of PCs, it's not far-fetched that one or two of those computers might be in an internal network belonging to that company. So they can search for data within that network and try to get information stolen from there.
So these guys were [bragging] that they were trying to steal data from IBM, from the World Bank. Because somebody was buying this information, so they'd get offers: "I wan to buy this or that database from that company, get it to me." This is changing the way they're making money out of these attacks.
CWHK:People are now requesting specific information?
MH:Yes. Of course, it's all criminal - criminals are buying and selling this information.
The going rate for botnets is getting cheaper and cheaper. We've been seeing viruses lately that are getting picky about which machines to infect. Because these guys have access to so many machines that they can afford to be picky.
There was this one virus which we analyzed - the first thing it did was to connect to a university system and download a Linux distribution set, a 2GB file. It downloaded the full set, and deleted it - it never used it for anything, but it timed the download, and if the download took too long, the virus wouldn't even infect the computer. Because it didn't have enough bandwidth, so the virus would wander on and find a better machine. If they're trying to build a botnet for DDOS [Distributed Denial Of Service attacks] for example, they want machines with high bandwidth so they can overload servers.
CWHK:You gave an example of a targeted email aimed at data theft: a bogus Microsoft Word file which was sent from email@example.com targeted a only a few dozen email addresses, in the .gov, .mil and .hk domains. Disguised as an IPR report, it was actually an RTF file which downloaded an exploit that allowed a remote host to control the infected computer. Are you seeing a lot of these targeted email attacks?
MH:Unfortunately not, which means we're missing them. If they are sending out seven emails [using a] totally undetected bot, it might go under the radar forever. None of the antivirus companies will ever see it. That worries me.
CWHK:Are any browsers inherently more secure than others?
MH: If we talk about the big three, well, the big two [Microsoft's Internet Explorer and Mozilla's Firefox] and Opera, they all have security vulnerabilities, they all have remote exploits, they're all risky. However, the bad boys are after the biggest markets, so they target IE the most, because it is the most common.
But they're starting to look more and more at Firefox, because its market share is rising. We've seen the first adware that specifically targets Firefox. We've seen websites that check the browser and if it's IE, uses an IE exploit but if it's Firefox, uses a Firefox exploit.
CWHK:How about Apple's Safari browser?
MH:Safari? I actually don't follow Mac that close, because there are no Mac viruses. We used to have a Mac antivirus product, but we discontinued it, because, there are no Mac viruses.
CWHK: Do you foresee a time when, due to security concerns, IT administrators will return to "dumb terminals" as workstations, with locked computer rooms?
MH:No, I don't think so. Because then you'd only have to protect one machine, BUT, it would be a very crucial machine. Because if it fails, everyone stops working, immediately.
Of course, people can be forced to work with anything. But I can imagine the amount of complaints from end-users if you took their desktops away. And look at environments today-people research via the Internet and are more efficient.
Are we going back to the days of black screens and green characters? No. I don't think so.