I’ve just come back from a trip to Sophos’s most recently opened lab, based in the beautiful city of Zagreb.
SophosLabs Croatia is based at a top secret location, within skipping distance of Zagreb’s financial district. At least it would have been if I’d been able to skip – the fact that I landed in the middle of a furious snow blizzard made most movement pretty precarious.
But I soldiered gallantly on, and as the days progressed the weather took a dramatic turn for the better – meaning I could do some sight-seeing too (more of that later...).
I managed to crowbar principal virus researcher Vanja Svajcer away from his keyboard for a few minutes to ask him a few questions about life in Sophos’s newest and most “boutique” lab.
Hi Vanja. How long have you been working at Sophos?
I started working at Sophos in the UK in November 1998. Wow, that’s almost 12 years ago now. My wife Andrijana (who has already been immortalised on your blog) also worked at Sophos but left last August to return to our home in Zagreb. I felt it was probably wise for me to follow her 🙂 so we set up Sophos’s newest “boutique” lab – SophosLabs Croatia.
Do you specialise in a particular area of malware research?
I have researched many different types of malware in these 12 years but I would not be able to say that I am specialised in researching a particular group.
Malware researchers need to be able to analyse all malware types, especially Windows executables, drivers, scripts, PDF files, flash animations and OLE2 files, since they are the main carriers of malicious functionality these days.
The work of an experienced researcher is not only about analysing individual malware samples and families but also working on development of systems like automated analysis and workflow systems which allow us to successfully tackle tens of thousands of malware samples we see every day. In addition to that we work closely with other teams within Sophos making sure our users are always protected with the latest in malware protection technology.
When I feel like I have looked at too many Windows malware samples for one day I like to have a look at attacks on different platforms – for instance, Mac OS X or the various mobile device operating systems.
You used to work at SophosLabs in the UK – what’s different about working from the labs in Zagreb?
Well, it’s a lot smaller for one thing! And we don’t have the luxury of free coffee machines (the ones in our other offices are pretty swanky).
I have to say I miss all my colleagues in the UK labs. Obviously we still communicate using IM (we used to do that even when we sat close to each other in the UK lab!).
Working in a remote lab can feel a little detached as it’s not as simple as walking upstairs and discussing new protection ideas with software engineers. Even though we have good comms systems between our labs I still like to regularly visit the UK to keep up-to-date.
What do you think have been the big changes in malware while you have been working at Sophos?
There have actually been a few major shifts in the way malware spreads, in its functionality and – of course – its magnitude.
When I joined Sophos back in the late 1990s, we analysed something like a few hundred malware samples every month and most of these samples would be parasitic viruses that infected other executable files. These viruses went out of fashion with the appearance of the mass-mailing worms in 1999, and macro viruses were also very popular.
The security industry was actually quite successful in detecting mass-mailing worms so the focus of the bad guys moved away from writing malware which could be easily detected by its spreading pattern to Trojans, which could be better targeted and controlled remotely.
These individual samples evolved into groups controlled from a single point, creating the botnets which are still very common today.
The biggest shift we have seen in the last few years has been the sheer quantity of newly discovered malware. It’s now jumped to tens of thousands of samples per day, with an emphasis on making money.
Banking Trojans, keyloggers, fake anti-virus software, ransomware, spyware, botnets all have a common theme, which is to make money from data or resources from infected machines.
The malware writers are now actually real criminal gangs (that is another change) with a serious budget for writing new malware and employing professional developers. That does not mean that the old school malware-writing show-offs have disappeared. There will always be people that think that writing malware is cool.
Social networks keep getting blamed for malware and spam attacks – do you think this is fair?
I do not think we can blame social networks for spam and malware attacks. Malware and spam are like water in your hand. You try to close a leak between your fingers only to realise that the water leaked through the gap near the thumb.
Where there are a lot of users there will inevitably be more people trying to exploit those users. This is why it is not fair to blame Microsoft and Windows for the fact that Windows is the most targeted operating system.
Are you on any social networks yourself?
Yes, I am on Twitter but not on Facebook. I think Facebook is quite a big privacy concern which could easily turn into a security risk, especially if you use your real personal information, post updates about where you are and what you do. It’s easy to imagine how such information could be misused.
I find Twitter incredibly useful for finding out what is going on in the security world almost instantly. It is easy to use and it does not require too much effort. A really useful tool for all busy people.
There’s been lots of talk recently about APT (also known as “Advanced Persistent Threats”). What are they, and should we be worried?
I have to say that I am not really keen on labelling threats with a new name. Of course, APT is not much different from malware.
With Advanced Persistent Threats the emphasis is on the fact that once installed on a network, APTs are very difficult to remove and use various tricks (that’s where the “Advanced” comes from) to prevent security personnel from detecting them. I’m talking rootkits, anti-debugging, polymorphism, frequent updates, etc.
So, in truth, most of what we see in modern malware is also an APT.
I have heard some comment that an Advanced Persistent Threat is not actually just the piece of code which a malware analyst will concentrate on, but the overall threat – which includes the intentions of the attacker. The code is just the tip of the spear in an attack which is specifically targeted and designed to steal users’ data.
Hmm... I say, and what is new about this?
What do you think the future holds?
I’m not a soothsayer and don’t have a crystal ball to consult – so the future is uncertain. One thing is definite though – there will be more malware.
Thanks Vanja for taking the time to answer my questions, and for being a great host!
Okay, that’s the interview over. Now we get onto the much more important part of this blog post. The bit that’s related to “Jet Set Willy”.
If you’re of a certain age (like me) then “Jet Set Willy” might mean quite a lot to you. Originally released on the ZX Spectrum home computer in 1984 it was a sequel to the still-wonderful-but-not-quite-as-fabulous “Manic Miner” video game.
I never actually owned a computer which could play either game, but I remember very well drooling jealously as I watched friends play for hours on end (these were the days when kids would chuck the various bits of their home computer in a bag and bring it – and a small portable TV – around to your home for a Saturday packed with game-playing).
There’s no doubt in my mind that “Jet Set Willy” was one of the finest games of its time – in fact, of any time.
So what does this have to do with my Croatia trip? Well, while I was kicking my heels with Vanja around Zagreb, we discovered that there was a Jet Set Willy-related exhibition at a nearby art gallery.
“Jet Set Willy” clearly made an impression on local artist Vladimir Biga, as he has taken images of the different rooms from “Jet Set Willy” and planted his own (somewhat balding) head onto the graphic of the central character.
Vladimir Biga goes one stage further, renaming familiar “Jet Set Willy” rooms such as the Butler’s Pantry as “Catering šljakeri” (Catering working class), The Kitchen as “Gladni kružok” (hungry gathering) and The Library as “intelektualne spike” (intellectual conversations).
And thus, “Jet Set Vlado” is born!
It’s just a shame we never found out what Biga had renamed the most famous of all “Jet Set Willy” locations, the one known as “We must perform a Quirkafleeg”.
If you are interested, Vladimir Biga is selling his art for 260 Euros each – which is probably a little more than the game cost, even accounting for inflation.
Don’t worry if you haven’t understood any of this. It’s just a bunch of middle-aged computer security specialists getting excited about an old computer game. Normal service on this blog will now be resumed.