Malwarebytes is evolving to beat cyber crime

CEO Marcin Kleczynski on machine learning, the trouble with Apple and the ease of social engineering

Marcin Kleczynski is the CEO and founder of cyber security firm Malwarebytes - which he built in 2004, while still at university. Since then, it has become the first anti-malware port of call for consumers worldwide. We talked to Kleczynski at InfoSec last week about Malwarebytes, WannaCry and the fallibility of people in cyber security.

"We were lucky, in some ways, that WannaCry was released when it was - 30 days after Microsoft released its patch," said Kleczynski as we began. "For every day earlier, we're talking two hundred, four hundred, five hundred thousand more infected machines. Regretfully it still infected three or four hundred thousand computers, and it keeps going. It just shows how many people aren't patching regularly. We were lucky it was so amateur."

WannaCry was broken into two parts: the basic ransomware, and the worm that spread it, which is alleged to have been based on the EternalBlue tool stolen from the NSA by ShadowBrokers. Kleczynski paints a picture of how much worse it could have been had the ransomware itself been as sophisticated as the worm - perhaps a variant of CryptoLocker, which forces other legitimate programmes to perform the encryption for it and was notoriously hard to detect and stop for that reason.

The WannaCry ransomware itself was so basic that it was "a walk in the park" for Malwarebytes to stop - but some vendors still missed it. Kleczynski is amazed that there are still companies relying on signature-based detection: this means seeing the malware first, then fingerprinting it, then putting that fingerprint in a database and pushing the database to customers. Malware today is polymorphic: it mutates, and that means the detection rate for signature-based systems has fallen dramatically. "Now you're looking for very, very generic behaviours that are malicious. You try to train on them, and there are machine learning algorithms out there that try to do this, but the world has changed dramatically," he said.
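To make the signature-versus-generic point concrete, here is an added example (not code from Malwarebytes or from this article) that runs an exact-hash signature lookup and a weighted generic-feature rule over constructed byte strings standing in for files; the samples, feature list and weights are all hypothetical, chosen only to show why a trivially mutated variant slips past a hash while still tripping a behaviour-style rule.

```python
import hashlib
import re

# Constructed stand-ins for files a scanner inspects: plain byte strings, not
# executables. The "variant" is the same program re-padded and with one command
# string re-spaced, which is all a polymorphic packer needs to change the hash.
ORIGINAL = (b"MZ\x90\x00PE\x00\x00 WriteFile CryptEncrypt "
            b"vssadmin delete shadows /all /quiet .locked")
VARIANT = ORIGINAL.replace(b"delete shadows", b"delete  shadows") + b"\x00" * 32
BENIGN = b"MZ\x90\x00PE\x00\x00 CreateFileW WriteFile ReadFile notepad"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Classic signature database: one hash per sample the vendor has already seen.
SIGNATURE_DB = {sha256_hex(ORIGINAL): "Ransom.Constructed"}


def signature_scan(data: bytes):
    """Exact-match lookup; returns the family name or None."""
    return SIGNATURE_DB.get(sha256_hex(data))


# Generic rule: weighted features ransomware families tend to share, tolerant
# of whitespace and padding changes. Weights are hypothetical, for this demo.
GENERIC_FEATURES = {
    rb"vssadmin\s+delete\s+shadows": 3,   # shadow-copy deletion command
    rb"CryptEncrypt": 2,                  # bulk encryption API
    rb"\.locked\b": 1,                    # renamed-file extension
    rb"WriteFile": 1,                     # common API; harmless on its own
}


def generic_score(data: bytes) -> int:
    return sum(w for pat, w in GENERIC_FEATURES.items() if re.search(pat, data))


def generic_scan(data: bytes, threshold: int = 4) -> bool:
    """Flag only when several ransomware-like features co-occur."""
    return generic_score(data) >= threshold


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, "signature:", signature_scan(sample), "generic:", generic_scan(sample))
```

The benign file scores only on the shared WriteFile import, which is exactly why the generic rule needs a threshold rather than a single indicator: that is where false positives, which Kleczynski names as the constraint, come from.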

Malware evolves, and so do we

"Machine learning" is a real buzzword in the cyber industry, along with "next-gen," "behavioural analytics" and "AI." Kleczynski feels that many vendors claim to be doing these but aren't fully there; with machine learning, for instance, they are training algorithms to recognise a set of features rather than to make autonomous decisions.

"The industry is very single-threaded," says Kleczynski. "It picks a technique that works, like machine learning or signatures, and says, 'That's what we'll apply, that's what we'll use.' I've never believed in that: throw anything you can at the problem, as long as you can make it lightweight and efficient, and can make detections without false positives. That's been our approach... Malware evolves, and so do we." Indeed, in December Malwarebytes rolled its anti-malware, anti-exploit and anti-ransomware tools into one product, called Malwarebytes 3.0; and today it has released new endpoint protection for businesses, which puts management in a cloud console.

Mobile malware

For years, Apple fans have raved about the inherent safety of the Mac platform. In reality, while it is a bit more secure, the platform simply didn't have the market share to make it worthwhile for cyber criminals compared to Windows (the most common exploit on Macs today is a search hijacker) - but that is changing.

Functionality on a Mac is limited by design, and that makes cyber protection more of a challenge. The problem is even worse on iOS, says Kleczynski - anti-virus apps are banned from the App Store. Apple claims that, because apps run in a sandbox (kept separate from the rest of the system), third-party protection is not required.

Android, on the other hand, is much more open - but also much more vulnerable. Unless an Android device is rooted, a security app can only notify the user that a process (such as malware) has started; it has no way to block it. "Android is a pretty prominent market for us," admits Kleczynski. "We have a couple of million users... There's a lot of crap out there - a lot of Americans getting infected by Russian SMS Trojans."

We do see a lot of activity in Russia

Attribution is very difficult for malware, especially if the authors are using a tool like the Tor network. However, Malwarebytes can identify many of the Russian attacks, thanks to laws that make it illegal in Russia to create and distribute a virus that targets Russian citizens. If a virus spreads around the world but avoids that particular country, identification is quite easy.

Tracing an attack is not always so easy for anti-virus companies, although Kleczynski says, "Government agencies have a lot more information than us, and they work with vendors." This is primarily because these agencies know that they're on the back foot against hackers, who work together, while companies that have been infected do the opposite. Many attacks spread because companies hate to admit that they've been breached, or how it was done - which is commonly down to human error.

Hook, line and sinker

It is hard to believe if you work in the cyber industry, but phishing campaigns are still one of the most successful forms of cyber attack. One of the best (and we use that term loosely) that Kleczynski ever saw was a document with malicious code running in the background, which would only execute if the user chose to enable content. The document itself gave reasons as to why you might want to do so, and users trusted those instructions - just because they were in the document!

Even working in cyber security is not proof against being phished. Malwarebytes targeted its own employees in an attempt to raise awareness, and found a click-through rate of between 5 and 6 per cent - not among the cyber professionals (who disassembled the files and sent them back with an angry email), but among the staff in the sales, finance and marketing departments.

Kleczynski sums up his thoughts on social engineering as:

"You can find these EternalBlue exploits, and it's brilliant, because you then get this code to run on a machine connected to the internet all day long, without the user even doing anything; that is one of the most sophisticated attacks and Microsoft will pay half a million dollars for this kind of exploit; or you can just email a bunch of people, have them click a link and enable some content in a document. It's easier."