Back to Home

Habrainterview with Igor Danilov (Dr.Web)

Igor Danilov · interview · Doctor Web · Dr.Web · ctfmon.exe · PM.Wanderer · Trojan.Skimer

Habrainterview with Igor Danilov (Dr.Web)

    Igor Danilov, Technical Director and owner of Doctor Web, answered the questions of the habitation audience.

    Which of the latest viruses did you like (hooked on by working methods, distribution schemes, anti-virus countermeasures) most of all and why?

    One of the last viruses I liked was PM.Wanderer, which was written a very long time ago, in 1996-97. He was interesting in that he used the protected processor mode. In those days, virus writers (and not only virus writers, but also anti-virus writers) could not master the protected mode. I kept waiting, waiting for at least one “normal sample” to appear. And I waited - here you can read about this virus.

    There are "interesting" samples now. But they don’t “catch me”. Yes, the implementation is more complex, yes, technologically more advanced. But there are no ideas. Everything has already been created before them. Of the last remembered - Win32.Polipos and Trojan.Skimer . The latter showed us how terrible ease it is possible to “knock out” other people's money from ATMs. Studying infected ATMs was a very interesting event for our analysts.

    Igor! How do you comment on the last major false positive of Dr.Web anti-virus, which resulted in the deletion of hundreds of thousands of ctfmon.exe files and the ruin of life for hundreds of system administrators?

    Yes, I repent, a very unpleasant event for us. And not only for us, but also for our users. I apologize to all the victims. I’ll only correct you a little - after all, the number of victims was much less than the hundreds of thousands that you are talking about. But that does not change the matter. In fact, there was a very curious case when, as a result of an error, a virus analyst manually disabled all the machines that block the release of an add-on that has false positives after a test scan. Currently installed additional control over all kinds of protection outages.

    What anti-virus (except Dr.Web), paid and free, do you think is the best and why? Only honestly.

    I personally can’t single out the best antivirus. And what does the best mean? There can be no better by definition. If only by a set of any given parameters. But who will classify these parameters? It is simply excellent if any anti-virus has at least one of its own technological features that will distinguish it from the crowd of competitors. But, as a rule, everyone is alike, like twin brothers. Especially today, when almost all antivirus companies steal technology and virus detection from each other. I hope I honestly answered your question.

    Do you know Eugene Kaspersky? If so, what is your relationship?

    Are familiar. We can probably get to know each other on the street. There are no relations between us.

    What is your opinion on Microsoft Security Essentials as an antivirus?

    The same as everyone else. I can note, perhaps, a good processor emulator that allows you to unpack packed objects. But because of this, the scanning speed of MSE suffers significantly - it is one of the slowest antiviruses when we scan virus collections. I can’t single out anything more outstanding after him.

    How can you comment on a recent message about Yandex launching its own system for checking sites for malicious code?

    In this case, I just can’t comment on this recent event. Maybe they did something. But how and how good, I do not know. And frankly, it didn't bother me much. If you did well - well done. If bad, then not very well done.

    What do you think, when will the era of SMS ransomware viruses end? And why is this era so dragged out on the expanses of Runet?

    From the position of a technical specialist in the field of IT security, I can only say that in our country there is a complete mess and mess in the field of computer crimes and fraud. And not only in it. When the mess will end, when operators will be taught how to control content providers, when law enforcement agencies will finally search for criminals, when ... And there are many other kinds of “when”. Unfortunately, in the current situation in the country, I think that this will not happen very soon. If ever it happens. Because this "era" and dragged on.

    Databases with signatures continue to grow, updating several times a day. Just pack the same virus in a different way - and the signature changes. Are there any successful (reliable / quick) solutions to this problem (such as heuristic analysis), or should new viruses first harm and get into the databases so that the antivirus starts to deal with them?

    Of course, such solutions do exist. And they are used by various antiviruses. For example, Avira or BitDefender considers all packaged executables, whose checksum is not in their “white list” of the database, to be immediately considered malicious and containing virus or trojan code. But this does not prevent viruses or trojans from often reaching computers that are protected by antivirus data. Somehow I got into the hands of a computer in which dozens of modifications of all kinds of Trojans lived and felt great. One of the above antiviruses behaved very tolerantly towards them. Therefore, I would not speak at the current stage of quick and reliable solutions. The problem exists.

    Literally, we just received a letter from a user who packed one of the antiviruses using the RAR archiver and created a self-extracting distribution. You can see the results here . Here is such a detection by reputable antiviruses. Including an antivirus that checked its own copy.

    You said in other interviews that the imagination of the current virus writers is completely impoverished, which makes it boring to write antivirus for stamping. What are your current job interests? What software projects do you personally promote in the company?

    I said this at a time when, by the nature of my activity, I was directly connected with the analysis and analysis of the virus code. Currently, unfortunately or to my delight, I don’t get so close to viruses. I have to be responsible for all the technical solutions of the company. I also personally participate in the development of a new anti-virus search module (engine or engine in the common people). And I find interest in generating ideas. In the creation of technological solutions, which competitors have no analogues. We (and myself) have something to be proud of. Few companies boast the availability or quality of products, such as Dr.Web for Novell NetWare, Dr.Web for Unix / Linux, Dr.Web ES or Dr.Web AV-Desk. And such a product as Dr.Web CureNet! no one at all. If anyone can boast about it, then these companies come from the Big Three. Can you tell me at least one company with a lower rank that has similar technological solutions? I cant. This is my interest - to do such things that not everyone can create. It really still gives me pleasure.

    Do you think antiviruses are not losing the war? The spread of high-speed Internet, the availability of computers, the craze for Windows make virus outbreaks predictable. According to the principles of its work, anti-virus always lags behind the virus and this step is enough to infect millions of machines. What exit does your company see from this deadlock?

    I think that they are losing. But antiviruses must a priori lose. This is the law of the genre - the attacker always has some advantage and a head start. And it's not even about Windows and high-speed Internet, although these factors are important. Viruses also won in DOS. Just then, the scale of computer damage was not as great as it is now. And viruses were written for the sake of pampering or your own vanity. Now, for pampering, no one creates viruses and trojans. The goal is different, more mercantile. This is the mafia. And the mafia is much more difficult to fight. Especially if, in reality, in some "developing" countries (Russia, Ukraine, China ...) no one is fighting or going to fight it at all.

    If we talk about us - of course, we constantly think about improving our own detection technology. And the situation is gradually improving. Significantly modernized or new methods appear: heuristics, "similarities", FLY-CODE, firewall ... Our new SpIDer Netting technology will soon appear. I hope our users will like it. And virus writers. We cannot stand still, however, like other antivirus companies. But you yourself can note that now the situation is much better than 3-4 years ago, when all anti-virus solutions were significantly outperformed by viruses.

    What happened to viruses over the past year that the CureIt healing tool doubled in volume?

    Nothing substantial. Just them, viruses, is becoming more and more. In addition, we have implemented some additional features for our own disguise, protection and anti-malware.

    What next step in the development of antiviruses do you consider the most interesting / promising?

    Improving the detection and recognition of viral code in the early stages of penetration into the system. Any way available.

    In general, what is now happening is happening “in the dark," behind the screen that is shown to end users? Did anything interesting happen in connection with the release of Windows 7?

    I did not understand anything about the "dusk". If you are talking about the anti-virus industry, then I do not know what interests you. Someone makes money, someone makes technology. But everyone seems to be fighting the "evil." If you are talking about the viral mafia, then I do not know what they are doing “interesting” at the moment. They are going to steal money from computer users with the help of the code written by them, apparently.

    And what could happen with the release of Windows 7? Did the world have to roll over with delight? I did not notice anything fundamentally new. Maybe it looked bad? Mark Zbikowski, under red wine, told me for two whole hours that Windows 7 is the best that has been done at Microsoft. I believe him. You can’t believe such a person.

    What is your opinion about the Russian Silicon Valley?

    Enthusiastic. Only I do not know where this "valley" is located in the Russian Federation.

    Why Dr. Does the Web use distribution schemes that resemble network marketing? A couple of times, annoying people turned to me with suggestions like: “We have an offer for you, your company and your customers - Dr. antivirus Web for less than official. ” Polite refusal ignored, have to send. Some providers impose on their subscribers, again, Dr. Web because conclude contracts with similar distributors.

    You open my eyes to our distribution patterns. And I still thought that we sell our product through partners and directly through online stores. But it turns out that we are using some kind of network marketing. The next time you bring these people to us. Could it be ordinary pirates or scammers?

    I remember that I used to read one file with the virus description that came with DrWeb, it had a lot of pearls like “In drive A: two diskettes !!”, “The fan is write-protected”, etc. Is there such a thing now? It seems that this was a tradition started by Dmitry Lozinsky and a similar file was bundled with his Aidstest polyphage?

    Exactly. We all started with Dmitry Nikolayevich Lozinsky. I just continued his tradition. Although before almost all anti-virus vendors conducted such more or less detailed descriptions of viruses. Fortunately, there were not so many malicious programs, and it was possible to compose a form for each copy. Today it is not possible. Too much all sorts of viral stuff. And the “functionality” of all is similar to each other to the disgrace. We make descriptions of only the most interesting, in our opinion, samples or those that have received the greatest distribution - causing serious viral epidemics.

    Interestingly, such 1997 Dr.Web brochures were created with your participation?

    No, I did not participate in the creation of these brochures. He acted only as a critic.
    These unique images were created by Alexey Abramkin (artist) and Sergey Ostrovsky (generator of ideas).

    Thanks for the questions. Thanks for attention. If you think that I have not answered in detail or in bad faith any question, if you have new questions - welcome to our forum in the " Questions to Igor Danilov " section. There we can continue the discussion.

    Read Next