Authors: Derrick Wlodarz
If you’re involved in serious malware removal these days, chances are that Malwarebytes has a soft spot in your heart. Technicians around the world (including my own company) have been combating “virtual gunk” on customer PCs with the help of Malwarebytes Anti-Malware since its first release back in 2008.
At my previous IT job, there were instances where Malwarebytes was the only tool that could handle specific wide-scale infections. So when the company’s founder Marcin Kleczynski agreed to chat, it was the opportunity of a lifetime for me. We discussed a range of topics including the current state of malware, where it’s headed in 2013, and how the future of Malwarebytes’ software is shaping up.
Seeing as Marcin had a recent, lengthy interview with TechSpot that went in depth about the history of Malwarebytes and their success story, we’re not going to beat a dead horse there. You can read what he had to say to TechSpot on your own. I had a lot of questions that many techs may be more curious about, and he had no problem sharing his opinions on them. I’m glad I was fortunate to catch the busy CEO on a light work day!
Derrick Wlodarz: Where do you feel that Malwarebytes Anti-Malware fits on a modern PC? In combination with another AV product, or as the sole protection solution?
Marcin Kleczynski: The simple answer is that it’s meant to work in combination with another AV product. The product [Malwarebytes Anti-Malware] was designed about 4 years ago when my antivirus had actually failed me. I was a victim of malware. I found a forum where there were hundreds of other people who were in the same boat. Even though they claim they do it all, antivirus software simply cannot.
Very quickly, we realized that zero day threats that are polymorphic in nature were simply too much for regular AV software, and there had to be some sort of stopgap solution. That’s where we came up with the Anti-Malware product. We wanted to plug those holes. We aren’t looking to necessarily replace your current antivirus product; we’re looking to supplement it.
Derrick: How long has Malwarebytes been around as a company?
Marcin: We were developing freeware until about 2006, and in 2007 I started writing the first version of the Anti-Malware engine. In 2008, we released the first true version of the product to the public. So while the program itself has only been available for about 4 years, the company has been in existence for about 8 years.
Marcin: It was actually a friend and I. He took care of the database aspect, and it was the predecessor to the Anti-Malware product. It served as the framework for Anti-Malware, which we built off of RogueRemover. Keep in mind that RogueRemover focused only on ransomware and rogue products, such as WinAntivirus 2007 and such. That’s what we really specialized in, and detected about 500 of those variants.
Derrick: This past summer, a Sophos study found that one in every 36 Macs has some form of malware installed. Does Malwarebytes have some solution to help address this problem for Mac users?
Marcin: Building a cross-compatible product for Mac and Windows is not a trivial matter; you can’t just port your Windows product to a Mac base. Fortunately, we do have a component called “malicious website blocking” that a Pro user can enable on their system. In essence, we have two components: file system blocking that prevents infection from malicious files, and the second one targets blocking connections to blacklisted IPs. These websites are ones that have either hosted malware in the past or are currently doing so.
The website blocking component is a lot easier to port because it works on a more standardized level that is common to both Macs and PCs. A malicious IP is the same whether you’re on a Windows or Mac system. So this component will likely be the one to get ported over in the future to any combination of platforms including possibly Linux, Mac, and mobile.
That being said, we hope to scale up in size and have a Mac research team that can detect these new threats [like we do for Windows now.] Our current research team is about 10 people, and they handle new threats via a hybrid approach of some manual work and some automated processing. We’re able to scale the problem down by using our own engine.
Derrick: You also have user forums where samples are being submitted too, if I’m correct?
Marcin: Exactly. These forums are very valuable to us. This is where the “good stuff” is; the “gold” if that’s what you want to call it. These are new samples that most of the honeypots out there have not even seen.
Derrick: Looking at the trends in malware today, what do you feel will be the biggest threat in 2013? What should users be on the lookout for?
Marcin: Rootkits and Bootkits; anything with a *kit in it! Just today, I tweeted out about a new Windows 8 bootkit that is already proof-of-concept. Anything that starts before Windows loads, and has to do with driver-level changes; these are all scaling in severity where criminals are getting very good at what they do.
And the other ones are those still common today, like ransomware. These are the ones that infect your machine, place all your files into a .zip file, and then try to get you to purchase the unlocking password by providing a credit card number. This is ransomware at its finest, and they’re making good money from people. There will likely be a lot more evolution in this aspect of malware. It’s a money business for them now.
Derrick: Malwarebytes Anti-Malware has had a similar interface for the last few years. Can we expect any major changes to the product in the near future?
Marcin: We are actively developing version 2.0 in both interface and engine, so yes, something is in the pipeline for next year. That’s about all I’m going to say for now.
Derrick: Your company markets to a lot of different segments. Where do you feel the most demand is coming from these days?
Marcin: I feel it’s really balanced. We started in the consumer market, and that’s how we gained our popularity. People were fixing their computers at home, then went to work, and once the IT guy found out about it – it evolved via word of mouth, honestly. Corporate and small business in particular is definitely getting bigger for us, especially with the launch of the Enterprise edition we just released.
A lot of businesses are starting to understand that layered security is definitely the next evolution in protection. Having multiple scanning engines from different companies, where each company can be accountable for some aspect of protection, is starting to become key to many organizations. Universities and other schools are also buying into Anti-Malware at a fairly good rate.
Derrick: Does Malwarebytes have any intentions of becoming a rounded AV solution like NOD32 or Norton 360? What are some of the longer term plans for the software?
Marcin: It’s an option most definitely, but we want to stick to what we’re good at. I don’t want to create an AV software, and also have an anti-malware product, and end up becoming just as ineffective as some other bloated solutions on the market. People may then steer clear of installing Anti-Malware alongside an anti-virus solution because they think one program handles it all. This is not the approach we want to push.
We’re able to do everything with a 10MB installer, where other programs have a tough time in shipping with less than 100MB. It goes back to our grassroots feeling and our belief in the community at large.
Derrick: Your company analyzes more samples of malware than one can fathom. What exactly are the “worst of the worst” doing on systems today?
Marcin: That’s a good question. Back in 2005-2006, you had infections that were very simple to catch. Same MD5, same filename even – I believe one was even called nail.exe. You looked for the filename, you checked its version information, matched it to definitions, and you were done. Nowadays, you and I can go to a malicious website and get infected and end up with different variants of the same basic malware. Different MD5s, different file sizes – completely different malware.
You can see how this becomes a large problem for our security researchers. We’ve had to evolve into using heuristics and install-pattern behavior to detect modern malware. It’s becoming very challenging to detect much of what is out there.
Derrick: Do you feel that signature-based detection is going to be a thing of the past some day?
Marcin: It’s already gone. Our approach is a hybrid one with signatures and heuristics, where each supports the other. The days of pure definition-based removal are long gone. Amateurs are using that now to make quick and easy malware. But if you look at all the sophisticated malware out there – the rootkits, for example – the nature of polymorphism is the scariest aspect of all this. And most major malware is using it these days.
For example, you may get hit with malware from a website claiming to offer keygens. You attempt to remove part of the infection, but the malware itself is so advanced that it will regenerate on its own and replace the missing files with fresh ones. You can’t even nuke these infections piece by piece anymore.
Derrick: Where do you see as being the largest source of infections today?
Marcin: It’s tough to answer, but social media is definitely the hottest one on the rise. The reason is that with social media, it’s so easy to play off emotion to easily spread infections. You can post a link on a friend’s page saying “Hey, here is a photo of you – click to check it out” and by human nature, we are more likely to click on it as opposed to if we received it in an email.
Even if 10% of your friends click on it, and those friends of friends then see, it can spread very very quickly. That’s definitely on the rise and honestly a genius idea for how to spread malware.
Exploits from Java and Adobe are ones that are sticking around, too. The bad guys keep finding holes in this combination of software. The final big source of infection is still from people knowingly going to torrent and P2P websites, infecting themselves very easily.
Derrick: We now know that the upcoming Windows 8 is going to offer a bevy of security improvements such as Secure Boot. Is this going to pose an issue to Malwarebytes in the short or longer term in regards to functionality/capability?
Marcin: I don’t think it will pose too much of an issue honestly. We will work with Microsoft to ensure our product is as effective as possible. But what I fear is that with all of this deep-rooted security, we may actually see fewer, albeit bigger-impact breaches that will be harder to clean up and cause potentially more damage than what we see today. But it’s hard to predict that far out.
Derrick: There are a few top competitors out there alongside Malwarebytes Anti-Malware. What do you feel is the single feature that sets your product apart from the rest?
Marcin: There’s a lot of cool things that we offer in our software product (scheduled scanning, small updates, dual-protection modules, etc.) But the best way we differentiate ourselves is if you have an infection that Anti-Malware cannot remove, you can come to our forums and we will help you remove it for free. This is even if you are not a paying customer, and is just one of the perks that comes with our product.
Something also has to be said for our detection rates and removal success rates. This is how we grew to where we are; we are very comprehensive in our detection & removal approach.
But most important is our community approach to solving malware problems. When I had issues with an infection years ago, I will always remember how I came to a security forum to get help, and people had open arms. So I have a strong belief in this method of helping others.
Derrick: Knowing that Technibble is a place where IT professionals come for advice, is there anything you want to share with everyone as a final word?
Marcin: I think the best way to close out this discussion would be to open up the floor, so to say, to all the Technibble followers. What is it that you want to see in Malwarebytes Anti-Malware? What suggestions do you have for us? We’re very interested in hearing from the community that uses our product religiously – so please leave your suggestions in the comments area below!
Note: The original interview with Marcin took place on October 23, 2012. This interview transcript was edited for length considerations and editorial clarity.