Facing the cybercriminals

Trend Micro CTO Raimund Genes is at the forefront of the battle against malware. He discusses the latest threats and trends — and explains why his firm is not for sale

By  Published  September 15, 2006

As chief technology officer (CTO) for anti-virus firm Trend Micro, Raimund Genes is on the front line in the fight against today’s cybercriminals. Having worked in the IT industry for nearly 30 years, he has seen how threats and malware have evolved from being created for nuisance value into the tools for crime that we see today.

He tells IT Weekly how threats have changed, what people need to consider and why Trend Micro is not about to jump on the bandwagon and team up with a security firm.

Let’s start by asking what the biggest threats are that we are seeing in security today. What would you describe as the biggest dangers?

It is actually difficult to describe because you don’t see one single threat: we call ourselves an anti-virus company, but it is not about viruses anymore.

That is why I prefer the term malware, which covers a broad range. It also depends on what industry you are working in: what kind of customer you are.

For some of our customers, spam is the biggest threat because it cloaks the networks, they can’t receive e-mails anymore. For others, targeted attacks are the biggest threat where a keylogger is deployed to get information out of the company.

So it is difficult to say where the threat lies. We definitely don’t see one big, single threat anymore. You will not see wide-spreading malware bringing down the complete internet or that kind of thing.

Why is that?

Because it is all now about making money — cybercrime is real. So these malware authors don’t have a lot of interest in generating a lot of attention.

They want to hijack computers and they want to use the computer power to do spamming, to do attacks, to set up a phishing server and so on.

What safeguard do people need to have in place then? What do users need to be doing now?

The basic stuff is always important. You need to have a complete anti-malware solution in place: one that consists of anti-virus, which consists of anti-spyware, which consists of a personal firewall and so on.

You definitely need to have a suite of security products at the desktop, as well as at the company level.

You also need to have something at the gateway, not only for inbound traffic, but more importantly nowadays for outbound traffic. That is because when you are a mobile worker, working somewhere away from the office, maybe the mobile worker’s machine gets infected with something.

When he goes back to the company network he may spread that across the company.

Recently, I was in the UK and went to the hotel and tried to access the internet from the room.

Immediately, my Trend anti-virus popped up — the web page to get the service was already infected.

So, I couldn’t use the internet in the hotel but I don’t want to know how many business people, travellers, who are normally using the internet and don’t have any protection at all, how many were infected at that hotel.

Or, rather, infected by the service provider who delivers the service to the hotel.

So what level of security is going to be acceptable for business travellers?

As I mentioned, you need to have firewalls, and so on, as a minimum. I know for a fact that more and more companies are considering getting rid of internet accessibility.

The new PCs all have modules for UMPS [universal microcontroller simulator] and so on, to ensure that they have more clean connections. If it continues this way, if we see more and more targeted threats, more and more variants that you can’t detect immediately, then I think we will see that we need more application firewalling.

In the near future, I think we will actually see a ‘white list’ of known, good, applications that are safe to use. So you will only be able to use those known applications that have been authorised by the company — those will be the only ones you are allowed to put on your PC.

White listing means you have a list of known, good applications, you do a check against the database and if it can’t identify the application as something recognised by the company, it won’t start it.

Is that something that we’re seeing now?

No, it is not happening now, but I assume this will start in around 2007 and will be widespread by 2009. That is, if the threat landscape does not change and I believe it will not change.

This is because the moment that money becomes involved, then these criminals really get creative, and that is what we are seeing now. The huge problem of course is the end users; you can’t believe how many of them are infected. For example, 80% of spam is sent out through so-called bot nets, that is amazing when you look at it.

The US is the number one target market but most of the spam is coming from Eastern Europe, from hijacked computers.

At the moment, Polish Telecom is spammer number one. It’s obviously not Polish Telecom, it is other users behind it.

What I would complain about is that the ISPs [internet service providers] don’t do anything.

They don’t have any safeguards in place, they don’t have any interest because the moment that they pick up the phone to tell the user that he has been infected, that his computer is being used to send spam or to do an attack on a company or so on, then the ISP will lose money.

Their rates are so low, that a phone call to a user will kill the margin for one year.

I think sooner or later though the ISPs will be forced to do something. The US Federal Trade Commission last year called on the ISPs to identify computers that were bots and from the ISPs nothing has happened. I think sooner or later they will be forced to do so.

Are other governments calling for similar initiatives?

Yes, you are seeing this from a lot of governments in the West. There are initiatives in Germany, France and so on, but again, right now they are just recommendations.

As long as they don’t force the ISPs to do anything, the ISPs won’t because it is just extra cost for them, it could even mean complaining customers.

What do you do if you identify bot-like behaviour from an end-user PC, if you are an ISP?

If it is enforced by law, if you have to do it, then you quarantine the end-user. Now, what if the end-user phones up and complains, ‘why can’t I use the internet any more?’

The ISP is already losing money, if it tells the guy that his computer is infected then it may lose the customer. If not all ISPs follow the rules strictly, then the customer may decide to use another ISP rather than clean up his computer.

Malware can be really hard to get rid of. If it isn’t slowing down the performance of the PC or hurting the end-user, then he really doesn’t care.

If it sends out spam without affecting the customer’s daily work, why should they care? If it is attacking other computers from time to time then as long as they don’t notice it then it is not a problem.

It is only going to be a problem for them when it is used to commit a crime like phishing and they have the attorney general at their door!

We have seen a lot of attention given to crimes such as phishing here in the Middle East. How big a problem is this globally?

It is a huge problem, and you get more and more customers being affected by it. In the beginning, it was mainly targeted against English-language organisations, banks like Citibank and so on.

Now in Germany, we are seeing phishing against German banks. The first attempts were very badly written and were easy to detect: bad translation and so forth. Now they are very good and very well written.

Phishing is getting extremely sophisticated. When online banking started it was user name and password. Since then, people have come up with transaction numbers to authorise each transaction number.

A bank will send out a sheet of paper with, say, 100 transaction numbers on it and each time you do a transaction you cross one number out. The problem now is that phishing attacks will say that to identify that you are really a customer please type in ten transaction numbers and people are stupid enough to do it. It is amazing.

To counter this, banks are working with indexed transaction numbers, so a bank will say give me transaction number five, which is safer.

But we saw a recent case in Spain where people were encouraged to type out lists of numbers, and people were doing it.

In the Nordic countries they have issued smart tokens, which randomly change numbers, and this is the way to go. I assume that if phishing continues you will see more smart tokens or smart cards being used.

Banks are not charities, so they always calculate how much they lose to fraudulent activity and if that amount gets to be too much then they will put safeguards in place.

One bank in Germany was heavily targeted by these phishing attacks. Now they are sending information over your mobile phone — on customer demand they will send you an SMS.

Banks are normally very flexible on paying money back on phishing attacks — normally you have to prove that you did not carry out that transaction, but banks are afraid of attracting lawsuits — they fear that if too many people start complaining they will go to court.

That is what the banks really fear because then they have to prove that they had proper safeguards in place.

When you look at international standards such as Basel II, then I would never give a bank a positive Basel II rating for online banking in terms of IT security, because online banking is too easy to break.

There seems to be a fashion now for security firms to tie up with big infrastructure companies, especially storage firms. Do you see any benefit in that approach?

No, not really. Of course, backup and data integrity is a part of security but we don’t want to be involved in this, we are more a secure content management provider. What we do is to work more closely with partners.

For instance, we are a partner with Cisco, because we believe we need an additional level at the network layer, but we don’t have any interest in going into other areas like backup or whatever.

Do you think Trend Micro could be bought?

No, I don’t think so. We are pretty expensive, we are one of the top anti-virus players, we are the number one in the server-based antivirus market and we would rather partner with other firms, than be acquired.

When you look at a firm such as Cisco, it would prefer to acquire rather than buy a big company like us.

Trend Micro last year announced that it was to be working with Microsoft to provide antivirus scanning services for MSN Hotmail customers. How has that deal worked out?

This is still ongoing and it is working well. I am not allowed to discuss details but Microsoft is paying us for this and there are certain reasons why they are using us and not their own solution.

Of course, Microsoft is now becoming a competitor in the security market, with its OneCare service and so on. How have you reacted to that?

I think they have to do this because they are really losing credibility. One of the reasons that we have these security threats is because we have a mono-culture [in terms of Microsoft’s dominance].

Microsoft has positioned its software as easy-to-install and easy-to-maintain. Its software is very widespread, but it has not focused on security. Even with Vista, it has security installed but it is ‘click-yes, click-no’. In my opinion, Microsoft should have given OneCare away for free, not been blinded by this vision of there being so much growth in the security market.

With Vista, we all know it, until Vista comes out and is widely used it will be 2009. Companies who have just migrated to Windows XP will wait another three years before they migrate to Vista. Customers who are using Windows 2000, will migrate but it is still going to take time.

I really think what they are doing is pretty good, security is definitely tightened in Vista but time will tell how secure it really is. With Vista you have millions of lines of code, and they have re-used a lot of components. So flaws in Outlook and so on, will have an impact.

The entry of Microsoft into the antivirus market will bring down the price for end-users in the entry-level market definitely, but that is not a market that we make most of our money in.

Surely the MSN Hotmail deal was intended to help you get into consumer market though?

Well, it is not something that we have done a lot of investment in, but yes, working with Hotmail has helped us, especially in the US. What the Hotmail deal gave us was brand-name reputation.

We were not well known in this market, so getting that brand recognition has helped us make more money there.

But if our end-user revenue were to disappear then we would not be in financial trouble, whereas other companies would be in deep financial trouble.

What about the recent PowerPoint alert that you guys issued? There was a lot of talk about a potential big attack, which didn’t happen in the end. Is there a risk of over-hyping such dangers?

There are no big attacks anymore. We definitely identified about 50 types of malware — just that we know about — that used this flaw. But you don’t get large-scale attacks anymore, you get targeted attacks.

So someone who has read about this PowerPoint flaw and is technical enough to analyse how to do this, might have targeted only one company. He or she could have sent a specific PowerPoint tuned to this company and had hijacked a computer in this company and we don’t know about it.

What we have done is generated generic samples so that our customers are protected, but I don’t know what has happened to other companies that we are not protecting.

So it is not ‘crying wolf’, it is simply our obligation to warn users if something like this happens. We never hype because we serve the enterprise market.

When we declare an alert we want the company to take it seriously so they will go to work and fix it, even if it is 2am in the morning. So you only do it when it is a real threat. In this case, we figured there was a potential threat. Even if there was nothing concrete it was important to warn users that it was possible.

Another area that has been heavily hyped is the mobile threat but, again, such a big attack hasn’t happened yet. How real is this danger?

First use the term ‘yet’. We haven’t seen it yet. I remember back in 1999, when Palm was popular, Trend Micro was asked what we were going to do about it. At that time we said there was no need for a specialist solution for handhelds, because there just weren’t that many devices out there.

During 2000/2001, when we were asked the same question we would give the same answer. By 2004 we were looking at a solution for the Symbian platform and later on for the Windows Mobile platform, but again, we still didn’t see a big threat.

However, we are now getting more and more requests from enterprise customers to protect their mobile devices as a compliancy thing. They have security policies, which say that any computer, PDA [personal digital appliance] or whatever that could be infected with malware, needs to be protected.

We have decided that next year, when we release our new corporate desktop protection, it will integrate mobile security.

The issue is not providing an application, the issue is management. You as the IT manager need to know that antivirus is installed on the smartphone, that it is working and that it is being managed properly.

So we have to provide protection but we haven’t seen any big threats yet. One of the reasons we haven’t is because we don’t have a mono-culture. Symbian is pretty secure, Windows Mobile, however, is not so secure.

But when we ask companies what their number one security concern is about smartphones, it is what happens if the smartphone is lost. So next year, we will introduce encryption, which is a way hotter topic than antivirus for the customers.

Raimund Genes, CTO, Anti-Malware, Trend Micro

Raimund Genes has been with Trend Micro for more than eight years. As managing director, he successfully built up the German business unit in Munich, making it one of the most successful units within the company.

In November 2000, he was promoted to the position of European vice president of sales and marketing and went on to become the president of European operations in the Autumn of 2001.

In March 2006 Genes was appointed chief technology officer (CTO) of anti-malware.

Genes has worked in the computer industry since 1978.

He was employed for some years by the German Air Force in the field of aircraft tracking and control.

He has gained in-depth knowledge in the security and antivirus arena and ran his own security-related computer company before joining Trend Micro.

A well-known IT expert, Genes has published many articles in security-related magazines.
