Antivirus champion

When F-Secure’s Mikko Hypponen comes to town, people listen. David Quainton talks to the malware guru about the future of antivirus

It is a surprisingly balmy March day, and Mikko Hypponen is in town. As head of antivirus research at Finnish company F-Secure, Hypponen's opinions are in demand.

He has delivered talks on the future of mobile communications, and the potential for attacks, to Nato and the Finnish army.

He is booked to speak in less than a month at Interpol's Sixth International Conference on Cyber Crime in Egypt. His task will be to tell the world's law enforcement agencies how mobile communications networks could become the next frontier for computer viruses.

In the rarefied world of top-class antivirus engineers, Hypponen is revered. Graham Cluley, senior technology consultant at rival antivirus company Sophos, describes him as "one of the world's leading virus experts."

Before gracing SC Magazine's cover, he had been profiled by publications as diverse as the Financial Times, the Wall Street Journal and Vanity Fair. At base, in the world of antivirus, it is hard to find someone more respected or qualified.

His professional life in computing began in 1991, when he joined the firm that was then Data Fellows as employee number six. Hypponen was a gamer and a geek, who decided that he would learn assembly language to get more speed from his computer.

This knowledge also endowed him with the ability to reverse-engineer viruses, a skill in demand even then but with few qualified candidates. Over the following 14 years, Data Fellows became F-Secure, and Mikko Hypponen became, in a way, an industry celebrity.

Today he is in London, dressed in a canary yellow shirt and sporting an impressive wristwatch, and when he talks about the future of viruses, he begins with the past.

"We were getting customers asking us what antivirus they should use, so we created our own," he says. "We built scanning engines and then, after a while, I was handed my first virus to analyse."

That first piece of malware was Omega, a landmark virus that still appears in textbooks, and the reason why every F-Secure employee receives a natty Omega watch after ten years of service. Defining the Omega virus pressed all of Hypponen's computing buttons.

"It was like playing a game," he says. "At first, I thought it would not be very cool, but then you realise you're up against an invisible enemy who's written the virus and made it hard to understand. He puts in traps. It's like chess."

But this is a game of chess that is becoming ever more complicated – the professional virus writer is now in it for money, and uses increasingly clever tricks.

"We did some investigations with Bagle variants," says Hypponen. "There were some that mined information from a list of websites. Some of these websites were decoys and the rest were empty – except for two weeks after the virus hit the wild, then a file appears on one website for maybe only half an hour. It's very hard to track, very clever."

Hypponen admits to a professional respect for his enemy, but laments the more dangerous criminal territory it has moved into. Like most antivirus firms, F-Secure works to catch these criminals with the police, another group Hypponen greatly admires.

"Scotland Yard and the National Hi-Tech Crime Unit are excellent. They are surprisingly tech-savvy," he says. "We work very closely with Scotland Yard; they do a very good job with a huge workload. It's a shame so many [of them] get snapped up by the [private] sector."

The interview is briefly interrupted by a cleaner, then a waitress bearing drinks. Hypponen acknowledges them politely, then moves on to the subject of the day's press call – the future of viruses.

It's a subject on which Hypponen speaks with a great deal of enthusiasm. He is trying to tell the world that newer technologies are just as vulnerable to attack as the existing ones, and that these newer technologies are still insecure.

"I don't think we will see another major network virus soon," he says. "SP2 has put a stop to that. If we do see any, it's going to be IM [instant messaging] worms. First, because they have a scarily effective method of spreading, and second, because IM connections come through firewalls."

After Blaster and Sasser, he says, everyone made sure they had suitable firewalls and antivirus protection. Virus writers now have to look elsewhere, including to Skype, the closed-source VoIP, instant messaging and file transfer system.

"It's so popular now, I think it reached critical mass when I recently heard my kids discussing it with their grandparents," says Hypponen.

"Popular technology is always a target. It's pure speculation of course, but a new threat would have to come through the firewall and Skype does just that."

Skype, produced by a small team from Sweden, is becoming very popular, with over 100 million users. It represents one of a host of new technologies, including mobile phones and WiFi, that have the potential to cause security problems.

Earlier in the day, I received my first piece of mobile phone spam. I brought the subject up with Hypponen, who suggested that the recent spate of mobile phone viruses and an increase in spam were just the tip of the iceberg.

"There is a great deal of potential for mobile phone malware," says Hypponen.

"I cannot provide technical back-up for this yet, but coming from Finland I know a lot of mobile phone guys. These guys have told me it is perfectly possible to attack a base station of a mobile phone company if the right virus was created. It's a nightmare scenario, of course, but a possible one."

At the other end of the scale, there are more obvious, simpler impacts, such as potentially huge costs.

"If a mobile phone virus mines a phonebook, it can send spam from that phone at no cost to the virus writer. The cost is to the owner of the phone," says Hypponen.

"I'm fairly sure this will happen. It might be that this sort of virus turns up embedded in games, but it could be through the current techniques, too."

Mobile phone viruses first appeared on the industry's radar in June 2004, with Cabir. The virus, which does very little real damage to a handset other than to display unasked-for messages, spreads itself via Bluetooth connections.

Almost all mobile viruses attack the Symbian operating system, which Hypponen admits was a surprise.

"We didn't expect that. I thought it was much more likely to be Pocket PC and maybe a virus that appears as a text message saying 'Hi, download this cool picture'," he says, gesticulating with his own, surprisingly average-looking phone.

"But mobile viruses have never done the simple things. For example, Bluetooth is very slow, not an obvious target."

For now, he continues, it is hard to get infected by a mobile virus, but these are very early days. Cabir took eight months to get around the world, which is an age when compared to network worms such as Sasser.

Perhaps because F-Secure, like Nokia, is a Finnish company, it has managed to get a handle on mobile phone threats very early. After all, Finland is famous for having almost as many mobiles as inhabitants.

The first handsets with antivirus installed are already being shipped by the country's handset giant, and Hypponen expects this to be a major area of growth in the future.

"I firmly believe that, eventually, we will all be running antivirus on our mobile phones," he says. "It will take a while, but there are many more mobile phones on Earth than computers."

But computing still relies on a lot of insecure technology, created years ago when usability was the only concern.

The SMTP email protocol is, according to Hypponen, the single biggest reason that email-borne malware persists.

"Email worms will never go away," he says. "In fact, if someone wanted to take down email altogether they could do it. It would not be difficult."

According to Hypponen the only thing stopping an attack that could cripple ISPs is a lack of motive.

"There is no reason to. Why would anyone want to? An extremist group might, I guess," he says, thinking about it for a couple of seconds, then nodding in agreement with himself. "SMTP has been around for 30 years; it's ancient, insecure and has no encryption."

The technique for using the SMTP protocol to make shattering attacks on the infrastructure of the internet has already been shown by the shadowy Swen virus, which received relatively little press coverage when it spread in late 2003. In September that year, it took down many ISPs, including Demon in the UK, and gave Australia's largest ISP a seven-day email backlog.

It worked by sending massive amounts of messages to non-existent addresses, which forced the ISPs to bounce them back. The volume was so great that many could not cope.

"That particular technique can be handled now, the mails can be detected and filtered. But if a virus could use the same technique to send legitimate emails, then we would have a problem," warns Hypponen.

"100,000 computers sending copies of old emails to legitimate addresses over and over again would block a lot of inboxes. Except the inboxes would not reach that stage because the ISPs would not be able to cope. That's all it takes."

It's easy to see why this industry attracts Hypponen. He loves figuring out what is going to happen next, loves being surprised and proved wrong, and loves beating the virus writers who often refer to him in the most vitriolic terms.

"I get stuff written about me in viruses," he says. "It happens to all antivirus people. But if they didn't write viruses, I wouldn't have a job. So who wins?"

Winning, you sense, is at the heart of Hypponen's attitude. He's fighting for the good guys in a virtual war, fought in the real and digital worlds, in a battle that probably has no end.

"People will always need antivirus," he says. "People do silly things and make mistakes. That's why I am here."

Copyright © SC Magazine, US edition
