F-Secure ‘Cyber Gandalf’ demystifies spells of the dark web

Finnish cybersecurity firm F-secure is all about explaining how the dark web works, classifying malware and providing technical validation for how cybercrime, cyber-espionage and other cyber-nastiness happens.

The firm’s chief research officer Mikko Hyppönen spoke at the recent InfoSec conference in London to explain how his company works to profile the connected cybercriminal today.

“In January we started creating an archive of malware at the International Internet Archive [that’s the body that keeps a record of the whole Internet],” said Hyppönen. “This ‘malware museum’ means we are able to run old malware binaries and run them. This is worth thinking about — because everything old becomes new again,” he added.

Hyppönen’s old-becomes-new comment was made in the context of the 27 years that have elapsed between the AIDS Information Trojan of 1989 and the emergence in May 2016 of Petya, which infects your Windows system and forces a reboot during which it encrypts your whole system.

“There are 27 years between these Trojans, but essentially they both infect your master boot record… ok one asks for money and the other works in bitcoin today, but essentially everything old becomes new again,” added Hyppönen.


F-Secure’s Hyppönen went on to explain how ‘macros’ are also enjoying a resurgence: malicious documents persuade the user to click ENABLE CONTENT (no, this is not the same as ENABLE EDITING, which is comparatively safer but not completely safe), and in some cases the macro that then runs is used to send encrypted content to the user’s PC.

F-Secure’s Patel: “You shall not pass!” Well, not if you’re a malicious cybercriminal you won’t…

Back over in Helsinki, F-Secure is continuing the ‘cybersecurity education process’ on a weekly basis through Cyber Gandalf (a real job title), real name Andy Patel, who writes a dedicated malware information-sharing blog to help explain the shape of the malicious cyber landscape.

Recent posts by Cyber Gandalf (sorry, he does prefer that you call him Andy) include an explanation of what scanning engines are and how they work; a look inside behavioural engines; and an answer to the question ‘what’s the deal with prevalence?’

“The prevalence of an executable file is defined as the number of times it’s been seen across our entire customer base. Malicious executables tend to be rare over time, most live and die quickly, and thus the number of times we’ve seen a binary can give us an indication as to its suspiciousness,” writes Patel.
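To make the prevalence idea concrete, here is a small worked example added for this piece (it is not F-Secure’s code): over constructed endpoint telemetry it counts how many distinct hosts reported each file hash and how long the file stayed in circulation, then sorts files into triage buckets. The thresholds and the bucket names are assumptions of mine, and the host names and hash labels are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry, one record per (host, file hash, time seen).
# Host names and hash labels are placeholders, not real indicators.
SIGHTINGS = [
    ("host-01", "hash-A", "2016-05-01T09:00:00"),
    ("host-02", "hash-A", "2016-05-01T09:05:00"),
    ("host-03", "hash-A", "2016-05-02T11:00:00"),
    ("host-04", "hash-A", "2016-05-03T08:30:00"),
    ("host-05", "hash-A", "2016-05-04T10:00:00"),
    ("host-01", "hash-A", "2016-06-01T09:00:00"),  # same host again: not a new host
    ("host-07", "hash-B", "2016-05-10T14:00:00"),
    ("host-08", "hash-B", "2016-05-11T16:00:00"),
    ("host-09", "hash-C", "2016-03-01T12:00:00"),
    ("host-09", "hash-C", "2016-05-20T12:00:00"),
]

def prevalence_table(sightings):
    """Per hash: number of distinct hosts that reported it, plus how many
    days passed between its first and last sighting."""
    hosts = defaultdict(set)
    first, last = {}, {}
    for host, digest, ts in sightings:
        t = datetime.fromisoformat(ts)
        hosts[digest].add(host)
        first[digest] = min(first.get(digest, t), t)
        last[digest] = max(last.get(digest, t), t)
    return {d: {"hosts": len(hosts[d]),
                "lifespan_days": (last[d] - first[d]).days}
            for d in hosts}

def rate(entry, rare_below=5, short_lived_days=7):
    """Turn prevalence into a triage bucket. The thresholds are illustrative
    assumptions; prevalence is an indicator of suspiciousness, not a verdict."""
    if entry["hosts"] >= rare_below:
        return "common"
    if entry["lifespan_days"] <= short_lived_days:
        return "rare-short-lived"   # the profile Patel describes: rare and quickly gone
    return "rare-persistent"        # rare but long-lived, e.g. an in-house tool

def triage(sightings):
    """Map every hash in the telemetry to its bucket."""
    return {d: rate(e) for d, e in prevalence_table(sightings).items()}
```

In practice the counts come from a whole customer base rather than ten records, and a low-prevalence verdict is one signal among several fed into the scanning and behavioural engines described in the other posts.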

The Computer Weekly Developer Network blog will feature a guest piece from F-Secure’s Cyber Gandalf himself in the coming months looking at developer-centric security issues.