Behind the scenes: Symantec's malware battle

The security industry is huge, with good reason. IT needs constant policing. Malware and botnets are just two of the ever-changing and increasing threats that users around the world face every day, with the security industry as the main - and often only - defence.

Indeed, there never seems to be an end in sight - leading some to doubt the value of the security industry, believing it exists to scare people and companies into buying products and support they don't really need.

But it is highly unlikely that there will ever be a time where the end-user will not make mistakes or insecure software won't be supplied.

And, as long as humans want to make money, and cybercrime offers an easy way to do so, security companies will need to keep up their work.

Symantec's frontline

It's a battle all security firms face, including Symantec. While the constantly changing frontline has been good for business - the firm was founded in 1982 and now sells to over 40 countries - it's no easy task to keep ahead of malware.

Criminals just don't stand still and many are as intelligent as the white knights of the security industry, with stories of gangs putting their people through computer school.

This means that the bulk of the work of the security industry, including Symantec, is behind the scenes in research and development.

While the California-based firm is possibly best known for its Norton series of anti-virus products, it's their research facility in Dublin which is taking the battle to the next level.

IT PRO recently had an exclusive look at those Dublin, Ireland labs - the Symantec's frontline in the unending battle between criminals and security.

The retro-fitted labs set up operations in 1990. There, Symantec deals with customer threat, response, antiviruses and antispam, and has around 900 employees. Although Symantec does have offices around the world, the Dublin offices are its prime manufacturing and research facility.

Changing vulnerabilities

Symantec deals with about 60,000 attacks and between 25 to 30 new malware vulnerabilities per month. Kevin Hogan, director of Symantec's response centre, said that tactics have changed in the last few years, from finding and deleting a virus when it had already hit to instead battling it at source, such as in browser protection. Rather than the focus being on detecting the virus, it is now more about identifying it before it can hit.

"Attacks have become more complex and multi-part. It was obvious that the technology and skillset had to change," said Hogan. "It's not about solely getting to the virus signatures anymore. We have to make sure the user isn't downloading it from something like Internet Explorer."

He also said that the sizes of the threats had increased. "We get sizes of definitions about 50 MB, which consumers can cope with, but with enterprises it can be a problem," he said.

Looking through the research facility, the bulk of the work appeared to be PC based, with only a small proportion of work done with Macs. However, Hogan made it very clear that this was not due to inherent flaws in Windows.

"Windows is not necessarily less secure," said Hogan.

He added: "I subscribe to the fact that as 90 per cent of users use Windows then obviously this is going to make it more of a target for attack. [With threats] the operating system is irrelevant."

Social Engineering

Another clear new trend is that rather than malware getting more complex, it was more the case that criminals were finding different and unique ways to infect users, using social engineering techniques. The work for criminals now was in finding new ways for users to download and install the malware, such as in using personal details taken from places such as Facebook, MySpace and even Google.

"It's not the technology," Hogan said. "Malware is downloaded by social engineering means. It is the most efficient way of getting it into people's systems."

The social engineering focus means that the technical aspect of the threats wouldn't change much in the future, he said. "Criminals don't need to know the code, they just need the applications. I think we'll see minor changes but from a technical perspective much won't change. It'll be the social engineering which will lure the victims."


Symantec's engineers gave an example of malware they had had seen called 'Silentbanker'. This was a Trojan which targeted 400 banks worldwide and intercepted web traffic before it left browsers such as Internet Explorer and Firefox.

The way it worked was that it employed various ways to find what they needed to access money which usually meant the victim's username, password or a PIN. It had various ways of doing this, one of which was called credential stealing. This involved the Trojan creating HTML code which matched what was on the banking website, and asking for personal details. In other words, it relied on human failures as well as technological ones.

Chopped bodies

Symantec said it didn't usually focus much on the motivations of the criminals, such as whether it was for financial gain or an act of vandalism. Hogan compared their investigation of a malware affected user to that of a murder: "We've found a chopped body. We look at what killed it rather than the motive [of the killer]."

And with the current IT security situation, there's an increasing number of chopped bodies lying around.

IT PRO put the question that maybe it was a good thing for them that there was a lot of IT threat out there as indeed, it kept them in good business. Hogan laughed and said: "Computers will always be around and data will always need protection. There is more than enough to deal with now than we can actually cope with."