The Digital Detective: Mikko Hypponen’s Escalating War On Malware


One morning in December 2011 Mikko Hypponen, the chief security research officer at F-Secure, an anti-virus software company, scrolls down the screen of his laptop examining the latest of the 200,000 malware files to arrive in his office every day in Helsinki. As he does so, the data shifts downwards, the most recent files at the top. “This sample, PA3control.exe, arrived eight minutes ago,” he says. “It’s infected with a virus we’re aware of, which means we don’t have to do anything. We already know what it is.”

Hypponen is typing hard in short bursts. He is dressed in black except for a mustard-coloured shirt. His hair is pulled into a blond ponytail and he wears small, round spectacles. “Let’s look at this file deeper,” Hypponen says, clicking on another data point. “So what do we know? First of all, it’s very small. It’s two kilobytes, which is suspicious. We look at the file type… It’s a Windows executable.” An executable is a file in a format the computer can run directly; it is not intended to be read by humans. “When did we get it? Where did we get it? What’s the file hash? [A hash is a number calculated from the contents of a file that identifies it uniquely among all other files.] How many times have we received it? What do we know about its structure? How many of our users have executed this file in the past week, or ever?”

Hypponen pulls up another window. “What I’m looking at is the report for this file,” he says. “It takes two or three minutes to generate, but I’m thinking that this file might not do anything interesting because it’s too small. What is more likely is that it’s corrupted. It looks suspicious because the header, the part of an executable that reveals what’s in the file, is missing, so it doesn’t look right. It’s likely that it will just crash.”

Hypponen is right: when the file is executed, it doesn’t even run. He looks down the list of data points before him. Some are in red, meaning that they haven’t been analysed yet. Further down the screen, the digits turn green: they have been processed.
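The first-pass triage described above (size, file type, hash, and whether the executable header is intact) can be written down as a small script. This is an added example, not F-Secure's tooling; both samples are constructed byte strings, and the 4 KB "small" threshold is an assumption.

```python
import hashlib
import struct

# Constructed samples (not real malware): a 2 KB file with no executable
# header at all, and a 2 KB file carrying a minimal DOS stub plus PE signature.
NO_HEADER_SAMPLE = b"\xCC" * 2048

def _minimal_pe(size: int = 2048) -> bytes:
    stub = bytearray(b"\x00" * 64)
    stub[0:2] = b"MZ"                              # DOS magic
    struct.pack_into("<I", stub, 0x3C, 0x40)       # e_lfanew -> offset of "PE\0\0"
    body = bytes(stub) + b"PE\0\0"
    return body + b"\x00" * (size - len(body))

VALID_STUB_SAMPLE = _minimal_pe()

def pe_header_status(data: bytes) -> str:
    """Return 'ok', 'missing' or 'truncated' for the executable header."""
    if len(data) < 64 or data[:2] != b"MZ":
        return "missing"                           # no DOS header: the loader refuses it
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "truncated"                         # DOS stub present, PE signature absent
    return "ok"

def triage(name: str, data: bytes, small_threshold: int = 4096) -> dict:
    """First-pass triage: size, hash, header state and a verdict for the analyst."""
    header = pe_header_status(data)
    if header != "ok":
        verdict = "corrupt: will not run"
    elif len(data) < small_threshold:
        verdict = "suspicious: unusually small executable"
    else:
        verdict = "queue for deeper analysis"
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),   # the sample's identity in the database
        "header": header,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for name, data in [("no_header.exe", NO_HEADER_SAMPLE), ("stub.exe", VALID_STUB_SAMPLE)]:
        print(triage(name, data))
```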

As at every security company across the world, the Malware Sample Management System (MSMS) at F-Secure demonstrates a steady, and growing, onslaught of toxic binary fizzing through the internet, looking for vulnerabilities. Today, criminals are producing malware on an industrial scale. Security company McAfee identified six million unique malware samples in the second quarter of 2011 alone. And each sample means countless files containing the original virus loose online. Malware (Trojans, worms, spyware, backdoors, fake antivirus software, rootkits and others) is developed and sold to third parties, who will alter the source code for their own illegal purposes.

Hypponen checks another data point: his team claim to have logged 46,655 unique pieces of malware in just the past 24 hours.
