How Virus Hunters Catch The Bad Guys (Part 1)

Using techniques similar to those of a traditional police investigation, the Avira Protection Lab (APL) is responsible for detecting malicious attacks and arresting the spread of malware. In a cyber environment, live bait becomes honeypots: fake targets set up to attract cyber criminals. Big data analysis replaces interrogations, as millions of data points are analyzed and visually represented to determine behavioral patterns. Forensic analysis is just as clinical: viruses are carefully dissected in post-mortem analyses.

The end result? An average of 130,000 malicious files and more than 20,000 infected websites are detected and tracked every single day. Several million connections per minute to our servers are made to push real-time counter-measures to our users’ computers and mobile devices.

Ever wondered how viruses are identified as soon as they are created?

This article is Part 1 of a series that explores the world of virus hunting. In Part 1, we look at how Avira's virus hunters gather clues about how malware operates. Parts 2 and 3 will explore how the Protection Lab analyzes that information and formulates counter-measures to malware in real time.

Where Hackers Hang Out

The Avira Protection Lab gathers information about malware, and about the hackers who create it, by infiltrating hacker chat rooms, monitoring poisoned websites, and collecting forensic samples of malicious code to reverse engineer. How we infiltrate chat rooms is our well-guarded secret, but the primary method of collecting code samples to reverse engineer is well known: 'honeypots.'

Honeypots, Honeynets & Honeyfarms

Honeypots are ordinary computers deliberately left unprotected and connected to the Internet, with no legitimate users, so that any traffic they receive is suspect by definition. Hackers regularly scan IP addresses across the Internet looking for vulnerable computers like these, and they have automated tools to penetrate such machines and look around for banking documents, passwords, address books, or any other information that can be sold en masse to spammers and other hackers. Often they leave behind a keylogger (which records keystrokes) and back doors (for remote access) so they can continue to harvest new passwords and credit card data, and turn the computer into a bot in a botnet or into a spam relay.

Avira's virus hunters monitor these intrusions and learn as much as they can about the criminals' tools and intentions. To increase the likelihood of being discovered and hacked, they set up rows of these honeypots as virtual machines on shared hardware. To avoid the liability of infected honeypots being used to harm others, known as 'downstream liability', the honeypots are usually placed in a honeynet behind a firewall that lets attackers connect in freely but blocks (or tightly rate-limits and logs) new connections going out; the replies within an attacker's own inbound session still have to flow, or nothing could be captured. The whole operation is called a honeyfarm.

Of course, hackers check whether their forwarded log files, keystroke captures and other outbound traffic actually arrive; a compromised machine from which nothing ever leaves looks like a trap. So Avira has developed a number of ways to mimic such activity, so that the virus hunters can gather as much information as possible from the honeypot without the hackers detecting that the activity is fake.
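As an added example, written for this edited page and not Avira's own honeypot code, here is a minimal low-interaction honeypot of the 'spam relay' kind described above. It impersonates a mail server that accepts any login and any relay request, records the credentials tried and the addresses the attacker wants to spam, and silently drops the message instead of forwarding it. That last part is the no-outbound discipline of the honeynet applied inside the service itself, and the reassuring '250 Ok: queued' reply is the simplest form of the mimicry the previous paragraph describes. The hostname mx1.example.test, the peer address and the sample transcript are all constructed for illustration.

```python
"""Low-interaction SMTP open-relay honeypot; added example, not Avira's code."""
import base64
import hashlib
import json
import socketserver

FAKE_HOST = b"mx1.example.test"  # assumed name the honeypot advertises
BANNER = b"220 " + FAKE_HOST + b" ESMTP ready\r\n"
OK_AUTH = b"235 2.7.0 Authentication successful\r\n"

def _b64(token):
    """Decode a base64 SASL token; keep the raw text if it is malformed."""
    try:
        return base64.b64decode(token, validate=True).decode(errors="replace")
    except ValueError:
        return token.decode(errors="replace")

class RelaySession:
    """Per-connection state machine: answers like an open relay, records all."""

    def __init__(self, peer):
        self.peer = peer              # (ip, port) of the attacker
        self.lines = []               # every raw line, for session hashing
        self.credentials = []         # (user, password) pairs tried
        self.recipients = []          # RCPT TO targets, i.e. the spam victims
        self.body = bytearray()       # message the attacker tried to relay
        self.in_data = False
        self.login_step = None        # AUTH LOGIN: None | "user" | "pass"

    def feed(self, line):
        """Consume one line from the peer; return the reply bytes to send."""
        self.lines.append(line)
        s = line.rstrip(b"\r\n")
        if self.in_data:              # message body is never a command
            if s != b".":
                self.body += s + b"\n"
                return b""
            self.in_data = False
            return b"250 2.0.0 Ok: queued\r\n"       # a lie: nothing is sent
        if self.login_step == "user":
            self.login_user, self.login_step = _b64(s), "pass"
            return b"334 UGFzc3dvcmQ6\r\n"            # "Password:"
        if self.login_step == "pass":
            self.credentials.append((self.login_user, _b64(s)))
            self.login_step = None
            return OK_AUTH
        parts = s.split(b" ", 2)
        cmd = parts[0].upper()
        if cmd in (b"EHLO", b"HELO"):
            return b"250-" + FAKE_HOST + b"\r\n250 AUTH LOGIN PLAIN\r\n"
        if cmd == b"AUTH":
            if len(parts) == 3 and parts[1].upper() == b"PLAIN":
                fields = _b64(parts[2]).split("\0")   # SASL PLAIN: "\0user\0pass"
                if len(fields) >= 3:
                    self.credentials.append((fields[1], fields[2]))
                return OK_AUTH
            self.login_step = "user"                  # anything else: AUTH LOGIN
            return b"334 VXNlcm5hbWU6\r\n"            # "Username:"
        if cmd == b"RCPT" and b":" in s:
            self.recipients.append(s.split(b":", 1)[1].strip().decode(errors="replace"))
            return b"250 2.1.5 Ok\r\n"
        if cmd == b"DATA":
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if cmd == b"QUIT":
            return b"221 2.0.0 Bye\r\n"
        return b"250 2.0.0 Ok\r\n"                    # accept anything else too

    def indicators(self):
        """Structured record handed on to the analysis pipeline."""
        body = bytes(self.body)
        return {"src_ip": self.peer[0],
                "credentials_tried": self.credentials,
                "relay_targets": self.recipients,
                "message_sha256": hashlib.sha256(body).hexdigest() if body else None,
                "session_sha256": hashlib.sha256(b"".join(self.lines)).hexdigest()}

class Handler(socketserver.StreamRequestHandler):
    """Network front end: one RelaySession per TCP connection."""
    def handle(self):
        session = RelaySession(self.client_address)
        self.wfile.write(BANNER)
        for line in self.rfile:
            self.wfile.write(session.feed(line))
            if line[:4].upper() == b"QUIT":
                break
        print(json.dumps(session.indicators()))       # one JSON record per session

def replay(peer, transcript):
    """Drive a session from captured bytes, for offline analysis and tests."""
    session = RelaySession(peer)
    for line in transcript.splitlines(keepends=True):
        session.feed(line)
    return session.indicators()

# Constructed transcript of a relay-abuse attempt; not real captured data.
SAMPLE = (b"EHLO scanner\r\nAUTH PLAIN AGFkbWluAHBhc3N3b3JkMTIz\r\n"  # "\0admin\0password123"
          b"MAIL FROM:<promo@example.net>\r\nRCPT TO:<victim1@example.org>\r\n"
          b"RCPT TO:<victim2@example.org>\r\nDATA\r\nSubject: cheap pills\r\n\r\n"
          b"buy now\r\n.\r\nQUIT\r\n")
```

To run it as a listener, hand `Handler` to `socketserver.ThreadingTCPServer` on a port of your choice (2525 if you do not want to bind a privileged port) and deploy it only behind the egress-filtering firewall described above. `replay(("203.0.113.7", 40000), SAMPLE)` exercises the same state machine offline and yields the tried credentials, the two relay targets and a hash of the undelivered message. Every raw line is kept verbatim, so the session hash identifies a repeated script even when the attacker rotates source addresses; malformed base64 is kept as-is rather than crashing the handler, since scanners send plenty of it.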

Social Engineering

Social engineering is the Achilles' heel of antivirus security: we can stop malware code from executing on your machine, but we can't stop you from clicking on something you shouldn't. Nigerian banking scams, ransomware (like CryptoLocker and CryptoDefense), spear-phishing and other successful scams all rely on social engineering in combination with malware technology.

Social engineering is the art of convincing a computer user to willingly divulge passwords, social security numbers, and other personal identity information that can be harvested and sold to others, or held as ransom for immediate payment. Social engineering can also be used to convince users to download fake anti-virus software (which does exactly the opposite of protecting you) or to visit fake banking websites where you unwittingly enter your account numbers and passwords.

While Avira’s virus hunters can’t prevent you from spilling important information to someone pretending to be a Microsoft Tech Support engineer, we can help you identify patterns in social hacks and more easily recognize scams.

In Part 2 of this series, we’ll explain how Avira’s engineers tackle the enormous daily volume of malware samples using big data analysis to automatically develop counter-measures.


Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.