Every once in a while you hear on the news that cyber criminals were arrested. Today I have the honor of interviewing the man who put them behind bars!
Please meet @unixfreaxjp, founder and team leader of MalwareMustDie NPO (malwaremustdie.org) and Kendo master (3rd Dan).
Disclaimer: A lot of criminals are looking for him, so we won’t disclose his identity.
Q: How many years have you been working in the security field?
A: About 27 years, and for most of them I reversed bad stuff, which is mostly malware/viruses.
Graduating from Engineering took longer than usual, as I was more focused on reverse engineering than on my major subject.
In my first day-job I was working as a computer system engineer. While I was working there, my boss urged me to study Computer Science, so I started studying remotely and slowly achieved my master’s. So let’s say, I know a bit about computers.
My first “real” investigation was when I investigated virus infections that were aiming at DOS, Windows, SunOS/UNIX/BSD and Novell systems in the company that I worked for.
Q: What was your motivation for getting into the security field in the first place?
A: I was interested in computer viruses since my time in the university. I learned assembly because I wanted to know how viruses worked, and why the OS let them work.
Actually, the real reason was: in 1988 or 1990 I had a PC floppy-based game with nice save data in it, and a virus destroyed it. I really wanted to recover the saved data, but I couldn’t; to this day I still have the floppy disk.
My motivation was first as a hobby and then as work demanded it, and until now that is the field that I am good at. I was working in an antivirus company for years. At that time they needed my skill in computer integration technology much more than my reversing skill, but I just kept on practicing my reverse engineering skills and analyzing malware I found, so I could explain better to the customers how it worked and how to prevent it (just in case the antivirus could not handle it).
Q: Is there some security research field that you always wanted to learn but never had a chance?
A: I don’t have any research field that I would like to learn. But I want to teach my method of reverse engineering, which I find a bit unique compared to others’. Teaching what I know would be a lot of fun, but I never had a chance to do it. Especially when during the day you have your day-job and at night you analyze malware.
Q: What would be your dream job? pure research? exploit development? relaxing at the beach?
A: My dream job will always be Malware Research. It’s fun and, in a way, it is a relaxation for me, just like breaking a jigsaw puzzle (I have been good at it since I was a kid). I can put aside the “real world” matters and jump into a shell (a type of a chair) where there is only me, my shell and malware to dissect. My teammates know this well; they give me the space I need when I am on to something. But I don’t want to work in the antivirus-related industry anymore.
Q: Why did you decide to establish “MalwareMustDie”?
A: It started in August 2012. On the train going back from work to my house, I was reading a discussion on Twitter that the detection rate of antivirus was getting worse. I knew something was wrong, and just decided to TRY to fix it in any way I could, along with my best friends.
One asked me: “What media can we use for this purpose? We have nothing..”, so I just made the @malwaremustdie account, and just like that we started analyzing ANYTHING, answering ANY questions about malware infection, analysis, or prevention, and disclosing as much bad stuff as possible.
At first, all our operation was Twitter based. When Twitter wasn’t enough, we started a blog, and we just grew bigger, so we made an NPO [Non Profit Organization] for MalwareMustDie (MMD).
Q: Was there a specific event that made you decide to establish “MalwareMustDie”?
A: At that time malware actors already knew how to bypass the antivirus protection via its weaknesses (flood, encrypted packers, polymorphism, etc.), and the antivirus industry was moving too slowly and was not able to catch up with these weaknesses.
So MMD was a “movement” whose goal was to push the industry to do better. In addition, we wanted to make people know that malware is not the problem of security personnel alone; rather, everyone who has the capability must learn about it, in order to prevent infection.
Q: How many active security researchers are there in “MalwareMustDie” today?
A: We have many. People are coming and going. But the core team stays; we are like a family. I know their background, they know me too, there are no secrets between us; we are like brothers and sisters.
Q: Do the AV companies / Cyber security startups share their knowledge / resources with you?
A: Sometimes they do. But we don’t ask for it, because we know they are really busy. Moreover, in analysis, we prefer not to be influenced by any side; that’s why you see that MMD analysis is unique and original in many aspects.
Q: How common is it for malware to use vulnerabilities (0-days)?
A: Oh, it is so very common; it is now the gold standard for malware to use 0days.
What worries me is that many 0days were known by “high level individuals” and they didn’t disclose them. Moreover, when there is a leak, i.e. when 0days become public (Hacking Team, for example), it’s a disaster because malware almost immediately starts to use them, and that is a disaster for everyone.
For those people who keep 0days for whatever purpose, I have a message for them:
“Gents, 0days leak; it’s only a matter of time.
Don’t keep it to yourself for whatever reason you have, think of the other people who will get attacked once it leaks.
When that happens, it will be your fault.
Please inform the vendor about these 0days, as soon as you have the chance to do it, and God bless you for it.”
The other aspect that we have to worry about is the implementation of the patch itself. A country or an environment can have a different time frame for implementing these patches, and this is what malware writers have been studying a lot, and thoroughly, recently.
Q: After a 0-day is leaked, how long does it take until you see the vulnerabilities being used by malware?
A: Depends on how good the malware writer is, the leak quality, and the purpose for using the 0day.
The thing is, once a Hacking Team tool like RCS leaked, the AV industry was racing to make signatures to detect it. Meanwhile, the malware writer doesn’t take the whole tool, rather only partial code or a concept for his malware, which means it will go undetected by AV.
For crime tools like Zeus, Carberp, KINS, etc., when their source code leaks, it doesn’t take a long time for a new variant to be spotted. The same goes for Dendroid and Mirai too… (PS: I was the first to disclose Mirai, on the record; I wrote it in the MMD blog.) Once it becomes available, copy-cat malware appears.
It is an even worse situation for sophisticated APT and SCADA malware. The source code of these types of malware is starting to leak too. In no time we will see malware coders combine several attack schemes and make one sophisticated malware.
Q: How many groups of malware writers does MalwareMustDie follow?
A: We follow many of them, from script kiddies to organized malware groups, we’re also doing undercover stuff.
Recently we are less and less vocal about what we find since we know that they are trying to do the same to us. We feed the law enforcement organizations on a regular basis. We geographically map the groups and the teams behind some threats we follow.
We have a nice database, where we link this data to the specific malicious stuff they are doing, so a search for some hash or a specific IOC [Indicator of Compromise], for example, can explain a lot about the threat itself.
Q: Have you / your team members been threatened by criminals, because of your activity in MalwareMustDie?
A: Yes, and it goes with the territory of doing malware research. We work very closely with law enforcement in the countries we are living in, and they help us fight these threats.
The ones who send these threats can keep on doing that if they want to so badly; this just adds to their list of crimes, and those threats are very useful in court.
Q: How does it feel to help law enforcement agencies to put the bad guys in jail?
A: We feel like “One down, hundreds more to go”. There is no “Blaze of Glory” about it. Honestly, the malware writers are sentenced for the bad stuff they do. It’s common sense: if not us, then other groups of good guys will catch them and do the same.
On the other hand, we are all actually feeling sick and tired of being overwhelmed by malware crooks who keep on abusing and ransoming innocent people and thinking they can get away with it (and unfortunately they mostly do).
Q: Could you give us an example of how you found out the identity of the criminals by analyzing their malware?
A: Please read these blog posts; they are very self-explanatory:
Q: Why does most malware target IoT devices?
A: Only some target IoT. Malware that targets Linux appears to be all related to IoT nowadays.
IoT has a large number of potentially vulnerable devices; they use Linux as their OS, and most of them are online 24×365. It is the perfect attack surface for malware writers who want to do these things:
- A leverage point for hacking credentials via IoT as a front end; see “Credential harvesting by SSH Direct TCP Forward attack via IoT botnet”
- Make a DDoS army attacker; see “Overview of ‘SkidDDoS’ ELF++ IRC Botnet”
- Use the IoT device as a malicious redirector of network traffic, sending end users to malicious sites to infect them.
- To make a leverage point for further attack vectors in APT or sophisticated state-sponsored malware.
It’s very common for routers and web cameras to be used for one or more of the above purposes.
But let’s look at it a bit more: it is time for us to worry whether the TV will spy on us, or.. what if our car or our fridge is ransomed one day? How about our baby’s phone being used to spy on the house situation for burglary purposes?
We need to improve the IoT situation soon. If not, we will have to live with a new problem of malware that will have no cure but will cause more damage, require more budget and resources … (this is actually already happening now).
Q: You are a very experienced researcher and you analyze hundreds / thousands of malware samples of different types and from different places. Do you have any funny stories? (For example: someone targeting the wrong organization because he made a typo.)
A: I have many funny stories.. here are three of them:
Funny Story 1
Well, once upon a time there was a keylogger crook who forgot to turn off the test environment, so we ended up watching him viewing the target (via keybase.io): we were viewing him view his victims. We just videotaped the whole session and sent it to the police.
Funny Story 2
Have you ever heard about the Dendroid mobile botnet malware? We nailed the coder; you want to know how? Our ops member was talking to the coder directly via LinkedIn in order to “buy” his product 🙂 – and he answered! And that information went to the police.
Funny Story (extra)
Once upon a time one Chinese hacker managed to hack into my network. I noticed him and decided to see what he was doing.
He tried to pwn what looked like Linux machines, but actually they were SunOS. The attacker tried to pwn them with Linux rootkits and obviously it didn’t work. He tried to locate the log files to confirm his hack, yes?
He couldn’t get the files; he really didn’t have any idea what the heck was wrong. I saw this punk do nothing for like some seconds, then a minute. It seems that he was using copy-paste instructions; then I saw him retyping the same pattern of sequential hack commands like 5 or 6 times.
I was laughing; he was making sure the procedure he planned did not have mistakes, and in the end, watching this attacker type “bash” and end up with “command not found” apparently caused some shock for him.
He then tried to install some things via “yum” and “apt-get”, but obviously that didn’t work either. Soon after that he left; I was like yelling “pkginfo!!!” Oh God, I should have recorded that, it was so much fun.
Q: What are their [malware writers] targets?
A: There are three major types of targets:
- Unfriendly neighborhood
- Political background
- Spying and data/info collection
Q: What’s the single most important piece of advice you would want to give to someone seeking out a career in the security field?
A: The single most important piece of advice is: you have to, as for any field of interest, have passion for what you are doing. Without passion you’ll burn out.
Q: What are your hobbies?
A: I hold the 3rd Dan in Kendo (Japanese swordsmanship); it has been my hobby since I was young. I still practice it every once in a while. If there is a crook who thinks they can mess with me in real life, I think I have bad news for them.
It was a pleasure, @unixfreaxjp, to talk to you.