Rodrigo Branco, director of vulnerability and malware research at Qualys Inc. talks about vulnerabilities, malware sophistication and whether the move to cloud-based services will change the way cybercriminals conduct attacks. He talks about a new Malware Exchange System he is developing which enables researchers to share attack data and conduct more thorough analysis of new threats. Branco, based in Brazil also compares the threat landscape in that country to the threats posed to U.S.-based enterprises.
Read the full transcript from this video below:
Black Hat 2011: Attack vectors, vulnerabilities and malware analysis
Interviewer: We're here with Rodrigo Branco. He's the Director of
vulnerability and malware research at Qualys. Thanks very much for being
Rodrigo Branco: It's my pleasure. It's very nice to talk to you.
Interviewer: Let's get your take on the state of the vulnerabilities
that we see out there these days. Are vulnerabilities getting
more serious? Are we seeing more kinds of the same
vulnerabilities? What's your take on that?
Rodrigo Branco: I believe the importance that people give to the
vulnerabilities are growing, which is great. In general, the
security world is improving. All the products that used to be
very vulnerable are improving, and that's why we start seeing
vulnerabilities appearing in other vendors that were not the
major ones in the past. Also, the way that the vendors deal with
vulnerabilities and with the researchers is
improving a lot. Nowadays there is much better communication,
and much better procedures on how to fix, and how to give the
right credits. So, I believe that in general everything is
Interviewer: Why are we seeing the same coding errors over and over
again? That's right, right?
Rodrigo Branco: Actually, the kind of vulnerabilities appearing are always the
same because the problems that are going to be released into the
public and exploited usually are the easiest ones to explore. So
those are the ones that will show up all the time in different
portions of the code.
Interviewer: What else is contributing to that? How about automatic
Rodrigo Branco: Attackers are improving a lot in the tools that they used.
Fuzzers are much better than they were in the past, so now it's
not just about randomly generating inputs for software, but
generating inputs that are probably likely to generate a crash.
Also, the capacities of the attackers are growing a lot. Now the
attackers have much more technology and much more knowledge. So,
that's why you see the complexity of attacks improving as well.
Interviewer: What about patching in general? Are vulnerabilities
getting any easier to patch?
Rodrigo Branco: The procedures for patching have improved a lot. All the
vendors now have automated mechanisms for patching, but still we
see that the problems being exploited in the wild, the ones that
are actually being used by malwares and exports kits, are still
old vulnerabilities, which means that people are not updating to
the latest versions, which includes the automated patching.
That's why we still see a huge problem with patching.
Interviewer: Let's talk briefly about malware and malware
sophistication. When Stuxnet came out, everybody said "Oh,
this is it. This is proof that malware is really getting
sophisticated." Is malware in fact, in your opinion, getting
Rodrigo Branco: What malware needs to do is very simple. It needs to capture
whatever information it wants from a machine, and it doesn't
want to be detected. The technology for detecting malware is not
really improving a lot, so I don't believe there is a lot more
sophistication. What is happening now is that we are seeing the
wild exploitation being used together with the malware
installation. Now the operating systems by default don't let
the user do some mistakes that they used to do in the past.
Social engineering is not working so well any more. The
attackers are using kinds of social engineering together with
exploitation of vulnerabilities to install the malware, so
that's why sophistication is growing. It's becoming more common
to see zero data vulnerabilities being used, and maybe it's because now
we are detecting that and in the past we didn't.
Interviewer: I do want to ask you about cloud computing, and the whole
movement to cloud-based services. Do you think that's going to
change the attack vector for cyber criminals?
Rodrigo Branco: It becomes more difficult when the initial attack is on an
infrastructure that is managed by professionals. Because people
going into a cloud--when they have a good cloud vendor, and they
have good measures--the central point for attacking is much
easier to defend than when you have everything distributed in
different points. I understand that moving to the cloud, if
you're thinking about the security from the beginning of the
movement--not only thinking about the prize, the economics, but
also about the security--you can have a much better, much stronger
environment in the cloud.
Interviewer: Mobile. We hear so much about mobile being the next
frontier, the next front lines for the war against cyber criminals. Do you
think mobile is where it's at, too?
Rodrigo Branco: Because the cell phones now are computers, cell phones are
going to be targets as well. The information is there, and the
attackers are going after the cell phones as well. What happens
is the cell phone is much more in control of the environment, so
it's easier to protect cell phones. If you look at the iPhone
protection mechanism, for example, they are much more expensive
than what we have in normal desktops. So I understand that
attackers are going after the mobile, and users are going to do
the same stakes in the mobile because they don't see the
threats in the mobile, but still it's easier to defend this kind
More videos from Black Hat 2011
Watch a video about why experts say SSL is broken
Learn about mitigations and database threats
Watch a video about preventing Android attacks
Interviewer: Let's talk about a vulnerability that you actually
discovered, and was patched by Microsoft in April. Tell us just
a little bit briefly about that.
Rodrigo Branco: In April it was the Excel vulnerability. It was a remote code
execution vulnerability affecting Excel. Basically, the
triggering product vulnerability was when the user opens a
spreadsheet that he receives. It gets code execution on the
machine, and it spreads control over the machine. These kinds of
vulnerabilities are pretty common, actually. The problem is that
users tend to believe spreadsheets, PDF files, that they receive
by email. They already understand that they are not supposed to
open executables, but they still need to learn about the threats
inside Excel, PDF, and other complex platforms. It was a simple
Interviewer: I think it was labeled "Important" by Microsoft. Why was
that, why did they just label it "Important"?
Rodrigo Branco: It's important because it required a user interaction in order
to exploit the vulnerability. It was not like remoteware that
does not require any kind of user interaction. It just kind of
makes a file and the new user needs to open the file, so that's
why it's rated always as "Important".
Interviewer: Wasn't the browser a component in that, in terms of an
Rodrigo Branco: It is possible to force that through a browser component, when a user chooses
to automatically open files in the Excel format. But the typical
behavior is to save it, not to open it. So that's why it
requires a user interaction.
Interviewer: That brings us to browser components and browser
vulnerabilities. Do you think the browser makers are getting any
better at patching vulnerabilities? And what about third-party
Rodrigo Branco: The big problem with browsers are the third party, actually.
The browsers themselves are pretty good. They are improving, of
course. If you look into Google Chrome, they have a sandbox
which makes exploitation much more difficult, because now you
need to combine the other vulnerabilities in order to actually
get code execution on the machine. So the browsers are
improving. There is a huge improvement that the other vendors
need to do. Chrome for now in my opinion is the most secure one.
The problem is the users have a lot of plug-ins, and it's normal
for the user right now to install a new plug-in every time he
goes to a different website. So, until we manage to have a
better way to solve the plug-ins challenge, I believe the
browsers are going to be the biggest victim.
Interviewer: Tell us a bit about the malware exchange system. You've
written a couple of papers about the exchange system. What's it
Rodrigo Branco: Basically, I wrote an architectural for analyzing malwares
automatically. The architectural was released as a community
import, with the name of the project was Dissect. We have the
total support of Qualys; Qualys is behind it. The original idea
was to provide the mechanism for researchers to actually deal
with a lot of malware and to have the computer power to do
things related to malware. The biggest challenge we see nowadays
in malware research specifically, is that researchers don't have
the machine power. Or, they don't have the samples--the millions
of samples to actually try, and analyze, and see. Because
usually the way that the websites that do this kind of finance
work is you upload your sample and it will give you the result.
It doesn't let you choose to get your own code to analyze the
sample on their machines.
What we're doing is completely different; we exchange samples
with different vendors. We have 30 million samples in the
database. We provide the computer power for researchers to plug
in any code that they want to analyze the samples, to test
whatever ideas they have. So the idea is to include more people in
the malware research world, and to make it possible for more
ideas to come from different parts of the world. And maybe there
will be some breaking news, something really good coming out of
Interviewer: And it's been running for about three months now?
Rodrigo Branco: The project itself has started for one year. We got the support
from Qualys six months ago, and because of the support we are
growing a lot in the number of machines. Now we have eight
machines analyzing malware; in the beginning, it was only two.
So, right now it's really growing because of the support of
Interviewer: Have you been to Black Hat before?
Rodrigo Branco: Yes, I have been to Black Hat before. In the past year I was
here, and in the year before as well. Black Hat is a great
conference. It's a great opportunity for researchers to stick
together, to talk, to discuss, to have this kind of talk. I
believe this is very important for the world and for the
community as a whole. Because there are many people you know
through the Internet. But when you have the opportunity to sit
down with them to talk, to exchange ideas, then I believe it
starts a lot of collaborations out of that. I believe Black Hat
is the most important conference for that.
Interviewer: Where are you based out of?
Rodrigo Branco: I am based out of Brazil. I organize a conference myself in
Brazil, a kind of Black Hat though much smaller of course. It's
called Hackers for Hackers for eight years now.
Interviewer: Compare what's going on in Brazil to what's happening in
the United States. There are some subtle differences there,
Rodrigo Branco: Actually, there are a lot of challenges for implementing
security in Brazil because of piracy. The end user in Brazil
usually doesn't buy software. It's very common to have pirated
software. That creates a problem. For example, there is no fake
AV attacking Brazilian machines. Because no one is going to buy
the real AV, can you imagine a fake one? But the problem is,
because everyone is using pirated software, it is more common to
not have automated updates in the machines in Brazil, so they
are more vulnerable.
Also, in Brazil the banking system is much more complex than the
banking system in the U.S. The malware threats, the malware
attacks, they became much more expensive in Brazil, targeting
banks. They don't have the fake AV, so there was no other way to
make money. They needed credit cards; they needed the account
numbers. So they only target banks. And because they target
banks, the bank system became much more complex.
So, the malware is much more complex in the sense of the attack
they do to get bank accounts, the way that they scope out the
accounts, the way that they take screenshots from the screen to
avoid virtual keyboards; in this sense the attacks are much more
In the other sense, usually the malware in Brazil is written in
Visual Basic and Delphi, which means the malware writers in
Brazil are probably not that skilled as they are in other parts
of the world. So, it's like a counterbalance. You have a more
complex piece of software, but it's written in a much simpler
language. So, you'll have a malware with four megs of size,
which is big for a malware.
Interviewer: It seems like a lot of security vendors have kind of
converged on Brazil, that they see that as a growing market.
Rodrigo Branco: That's true. There are a lot of researchers coming out of
Brazil. Brazil has good universities, it's creating good people.
And because of this trend of attacks, and because the attacks
there are completely different and its an emerging market, I
believe that a lot of the security vendors, if they don't have
an operation in Brazil, they soon will have.
Interviewer: Rodrigo, thanks very much for being here.
Rodrigo Branco: My pleasure. Thank you very much.