Kaspersky: The Internet must be locked down

Q&A: Antivirus expert Eugene Kaspersky believes that the only way to counter the growing threat of viruses is for every Internet user to be issued a compulsory personal ID

Eugene Kaspersky is the head of antivirus research at Kaspersky Labs. On a recent tour of Europe he stopped off to chat with ZDNet UK about viruses and the state of the Internet.

Q: Virtually everybody who has or who uses a PC has been infected by a computer virus at some point, and many people have come to accept that. But as mobile phones get more complex, it appears to be only a matter of time before they too are deluged with viruses. What is your prognosis on the virus threat to mobile phones?
A: There are three rules that any system must comply with if it is to be affected by viruses. First, it must be able to run other applications. That is, it must be an operating system. Microsoft Office is an operating system in this definition because it can run macros. So when we talk about operating systems for viruses we are not just talking about Windows or Linux, but sometimes about applications such as Microsoft Office and also mobile devices. Also, the operating system must be popular. You need that because for a virus to be developed there have to be virus writers, and if no writers use the operating system then there will be no viruses. So the operating system has to cover at least one hacker. Consider Windows and OS/2. There are only about five viruses for OS/2, because so few people use it. Second, the operating system has to be documented. If there is no documentation, it is not possible to write a virus. Compare Linux and Novell servers: Linux is documented, but Novell is not. There are about 100 viruses for Linux, but only a single Trojan for Novell, which traps passwords. Third, the operating system has to be unprotected, or the protection has to have a security breach. Consider Java: this has about three viruses, but even these cannot replicate without user permission, so it remains relatively unaffected by viruses. So the system has to follow these three basic rules: it has to be widespread, documented and poorly protected.

Q: OK, so what does all this mean for mobile phones?
A: If you have a popular phone with a documented operating system and a breach in security, then you will have a virus next week. But their operating systems are well protected and are not, generally speaking, documented right now, although it seems this may happen soon because of the competitive need to add extra features such as the ability to download games and applications. If mobile phone operating systems are documented, then the phones will meet the first two criteria, but the manufacturers have a lot of experience in making very secure operating systems, so they will not meet the third criterion and should be able to stop any viruses. But that is only my prediction. Life does not always prove predictions. Also, it all depends on the manufacturers. To my mind, the big manufacturers have a good knowledge of cryptography and security. The likes of Nokia, Siemens and Ericsson should be safe, but new manufacturers may find their products are more susceptible. But even so, any viruses that do appear will be specific to one model of phone, or at least to one platform.

Q: How about other computing devices, such as home appliances?
A: Internet fridges and washing machines are subject to the same rule as other computing devices. If any of them meet those three criteria, then there will be viruses. Already manufacturers are adding extra software features in the name of competition. But the difference is that these companies don't have any experience in security, so the first non-PC viruses will probably appear on Internet fridges and washing machines before they appear on mobile phones. And if different vendors produce washing machines with the same platform then the viruses could be more widespread -- just as in the PC world.

Q: So talking of the PC world, what is going on there?
A: The Internet is occupied by viruses more and more. One day the amount of infected information will equal the amount of clean information. The day after that, the amount of infected information will outweigh the amount of good information, and the logical extension is that one day we will have to stop using the Internet as we know it -- you will find 20 emails in your inbox, and 19 of them will have been sent by viruses. So the problem is this: a situation will arise in which the Internet is virtually full of viruses, Trojans and suchlike. As an example, I tried to calculate how many PCs were infected by Klez. Now this virus sends out an infected email, then sleeps for ten minutes, then sends out another. We have 250 email addresses at Kaspersky Labs, and in one day we received 5,000 infected emails. We did some rough calculations, and worked out that 0.5 percent of all PCs were infected. Imagine what will happen if the next one infects 5 percent and, instead of sending emails every ten minutes, infected PCs send messages continuously: the ISPs will not be able to cope with the traffic. It is almost impossible to automatically differentiate between emails sent by a virus and genuine emails. The only way to deal with this threat is to change the way the Internet works. It has to be similar to the experience of driving a car, where you have a licence plate to identify the car and a driving licence to identify yourself. On the Internet, if you don't announce yourself with some form of ID then you should not be able to send or post information. You should be able to read but not write. And if you lose your ID you should have to notify your ISP. I don't think that all viruses and all hooligans would be stopped this way, but the amount of viruses would be 1000 times less than now. Of course it would be possible to circumvent something like this, but if it's done right it would not be easy. This is the only way we have to go.
Q: So you're thinking along the lines of Microsoft's Palladium?
A: Palladium is an ID for the computer, but I think what we need is a personal ID. I am not going to invent that, and there will be groups opposed to the idea. But there was a time when there were no car licence plates or driving licences. I'm sure there were people who were opposed to the introduction of licences on the grounds of privacy. Eventually we will have two Internets: one secure and one insecure -- like the one we have today. The insecure Internet will be full of hackers, so fine, I don't care, let them attack each other.

Q: This all sounds like hype, something that antivirus companies -- including Kaspersky Labs -- are constantly charged with. For instance, every time a new virus appears, press releases are immediately issued by the big antivirus companies, often even when there is no real threat. How do you respond to this charge?
A: There are two paths we can take when a new virus appears: one is to say nothing, the other is to hype everything. The correct path is somewhere in the middle. I don't like to hype -- I don't want to run my business that way, making money off hype. The thing is that customers just stop paying attention to new viruses, and so may miss them. That's bad. The mission of antivirus protectors is to protect people, and to be protected you must follow three rules: First, you must have an antivirus product installed on your PC; second, you must update it weekly or even daily; and you must be careful with information you receive. (For instance, if you get an email and there is an attachment from someone you don't know then do not read it. If it comes from someone you know then phone them first to check that they actually sent it.) And third, you must follow information from antivirus companies. If you follow these rules, you will be 90 percent protected. Companies that hype break the third rule; I'm negative about that. I want to release information that is equal to the threat, but sometimes we do make mistakes -- we see a virus and get three calls from customers, so we prepare a press release, and later find out that the calls came not from customers but from the virus writer looking for publicity. Often you can tell the messages that come from virus writers, as they are written in a particular way. But sometimes we get fooled and issue a release when the information we are sending out does not meet the threat. The second reason for sending out information is if other companies are hyping a virus. For instance the .gif file infector -- that was bullshit. We had to release some information to try to counter the hype. For instance, in the case of the .gif file infector, the operating system is Windows infected with the virus -- not Windows itself.

Q: OK, and what about the age-old charge that antivirus companies are involved in writing viruses. How do you respond to that?
A: I draw a large 'NO' on a piece of paper and hold it up. NO! Years ago I wrote a program 12 bytes long that was able to copy itself to a file named 5. If you renamed that file to 5.exe, and then ran it, it would replicate itself. But this was saved only on a RAM drive, and after I wrote it I reset the machine so every trace of it disappeared. Besides, it was not really a virus. Another time I was asked to write a virus by a Russian journalist, so I took a pen and paper, and wrote a silly virus on paper. That's all. For me, I never thought about writing viruses. Neither do other antivirus companies. The risk is too great.