Behind the scenes: Symantec's malware battle

IT PRO visited Symantec's offices in Ireland to find out more about its fight at the ever-changing frontline of malware.

The security industry is huge, with good reason. IT needs constant policing. Malware and botnets are just two of the ever-changing and increasing threats that users around the world face every day, with the security industry as the main - and often only - defence.

Indeed, there never seems to be an end in sight - leading some to doubt the value of the security industry, believing it exists to scare people and companies into buying products and support they don't really need.

But it is highly unlikely that there will ever be a time where the end-user will not make mistakes or insecure software won't be supplied.

And, as long as humans want to make money, and cybercrime offers an easy way to do so, security companies will need to keep up their work.

Symantec's frontline

It's a battle all security firms face, including Symantec. While the constantly changing frontline has been good for business - the firm was founded in 1982 and now sells to over 40 countries - it's no easy task to keep ahead of malware.

Criminals just don't stand still and many are as intelligent as the white knights of the security industry, with stories of gangs putting their people through computer school.

This means that the bulk of the work of the security industry, including Symantec, is behind the scenes in research and development.

While the California-based firm is possibly best known for its Norton series of anti-virus products, it's their research facility in Dublin which is taking the battle to the next level.

IT PRO recently had an exclusive look at those Dublin, Ireland labs - the Symantec's frontline in the unending battle between criminals and security.

The retro-fitted labs set up operations in 1990. There, Symantec deals with customer threat, response, antiviruses and antispam, and has around 900 employees. Although Symantec does have offices around the world, the Dublin offices are its prime manufacturing and research facility.

Changing vulnerabilities

Symantec deals with about 60,000 attacks and between 25 to 30 new malware vulnerabilities per month. Kevin Hogan, director of Symantec's response centre, said that tactics have changed in the last few years, from finding and deleting a virus when it had already hit to instead battling it at source, such as in browser protection. Rather than the focus being on detecting the virus, it is now more about identifying it before it can hit.

"Attacks have become more complex and multi-part. It was obvious that the technology and skillset had to change," said Hogan. "It's not about solely getting to the virus signatures anymore. We have to make sure the user isn't downloading it from something like Internet Explorer."

He also said that the sizes of the threats had increased. "We get sizes of definitions about 50 MB, which consumers can cope with, but with enterprises it can be a problem," he said.

Looking through the research facility, the bulk of the work appeared to be PC based, with only a small proportion of work done with Macs. However, Hogan made it very clear that this was not due to inherent flaws in Windows.

"Windows is not necessarily less secure," said Hogan.

He added: "I subscribe to the fact that as 90 per cent of users use Windows then obviously this is going to make it more of a target for attack. [With threats] the operating system is irrelevant."

Social Engineering

Another clear new trend is that rather than malware getting more complex, it was more the case that criminals were finding different and unique ways to infect users, using social engineering techniques. The work for criminals now was in finding new ways for users to download and install the malware, such as in using personal details taken from places such as Facebook, MySpace and even Google.

"It's not the technology," Hogan said. "Malware is downloaded by social engineering means. It is the most efficient way of getting it into people's systems."

The social engineering focus means that the technical aspect of the threats wouldn't change much in the future, he said. "Criminals don't need to know the code, they just need the applications. I think we'll see minor changes but from a technical perspective much won't change. It'll be the social engineering which will lure the victims."


Symantec's engineers gave an example of malware they had had seen called 'Silentbanker'. This was a Trojan which targeted 400 banks worldwide and intercepted web traffic before it left browsers such as Internet Explorer and Firefox.

The way it worked was that it employed various ways to find what they needed to access money which usually meant the victim's username, password or a PIN. It had various ways of doing this, one of which was called credential stealing. This involved the Trojan creating HTML code which matched what was on the banking website, and asking for personal details. In other words, it relied on human failures as well as technological ones.

Chopped bodies

Symantec said it didn't usually focus much on the motivations of the criminals, such as whether it was for financial gain or an act of vandalism. Hogan compared their investigation of a malware affected user to that of a murder: "We've found a chopped body. We look at what killed it rather than the motive [of the killer]."

And with the current IT security situation, there's an increasing number of chopped bodies lying around.

IT PRO put the question that maybe it was a good thing for them that there was a lot of IT threat out there as indeed, it kept them in good business. Hogan laughed and said: "Computers will always be around and data will always need protection. There is more than enough to deal with now than we can actually cope with."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download


Malware developers create malformed code signatures to avoid detection

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers

New malware uses search engine ads to target pirate gamers

21 Jul 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?

What is cyber warfare?

15 Oct 2021