Martin McKeay

Security Matters

Visiting Symantec

Friday morning I flew down to the Symantec southern California site in Santa Monica.  They flew me down to the site as a security professional and as a blogger.  We had agreed ahead of time that this trip carried no expectations of a blog entry (like I'd really pass on a chance to blog on the experience) and no expectations of a positive review.  I spent the day talking to the management of their Security Response Center, their DeepSight and their Research Labs.  My one regret from the day was that the time spent with Carey Nachenberg and Steve Trilling from the Symantec Research Labs was cut short because I had to run to catch my flight, literally.  I made it, but just barely.

First thing in the morning I met with Vincent Weafer and David Cole.  These two gentlemen see more of the virus activity going on in the world on a daily basis than most of us will ever see.  Our conversation centered on the evolution of viruses and phishing; what we're seeing today is radically different from the malware world of two or three years ago, and the world of one or two years from now will be radically different from today.  The days of pandemic virus outbreaks are almost entirely gone, with the viruses of today being quieter, aimed at stealth rather than volume.  The threats are becoming more modular every day, often starting as trojans from malicious web sites; then, once the computer's been compromised, the bulk of the attack is downloaded one piece at a time.  The ability to be updated automatically is also much more common in the attacks; one example was a piece of malware from Brazil that was being recompiled and downloaded to compromised computers over 100 times a day.

The malware is also becoming much harder to detect and remove.  Rootkits have become the norm rather than the exception, and encryption of the malware on the computer is becoming much more common.  And while the traffic that's affecting home users' computers is dwindling some, it's because the malware is using less traffic for its control channels and patching the vulnerabilities it used to compromise systems.  From Symantec's viewpoint, the sheer number of malware is increasing daily.

Speaking of numbers, Vincent Weafer and Javier Santoyo showed me the racks of computers Symantec uses to automatically sift through the thousands of virus reports they get on a monthly basis.  I missed it in my notes, but I think the number they said was approximately 300,000 reports a month, a number which is continually increasing.  The first several racks of 1U computers were just for the initial analysis and review of the reports, of which only between two and fifteen percent are passed on to the next stage of review.  The rest are automatically responded to, usually because the virus can be identified as an already known piece of malware.  Of the remaining viruses, many can be categorized by the computers automatically as variations of existing malware.  Whatever is left is sent to a live person in Symantec's 24x7x365 analysis centers.  They have three centers, the one in Santa Monica, another in Ireland and a third in Japan, so that the analysts can have regular 9-5 work schedules in their respective time zones.

I've got pages of notes from Friday and will be talking more about the tour.  In and of itself, the 'tour' wasn't that exciting: racks of computers and cubicle farms, nothing I haven't seen many times and on a daily basis.  But what made it worthwhile was the chance to talk to some of the people who are on the front lines of the war on malware.  Talking to them, I get the feeling it's a hard battle, but while we may not be winning, the war is far from over.  I'll be posting more over the next couple of days, and you can also check out my personal blog.

What People Are Saying

Could someone at Symantec

Could someone at Symantec explain to me why I suddenly start to see ALL kinds of virus blocks and intrusion attempts just a couple of months before my subscription to Norton is about to end?
I find this somewhat peculiar, seeing as how the very same thing happened last year and the year before that.
Maybe I should contact someone about this.