Photos: Inside the malware hunters' den

How F-Secure uses Google and mobile bunkers to catch cyber criminals
By Gemma Simpson, Contributor

Antivirus company F-Secure's labs in Finland (pictured) are the heart of its operations monitoring and detecting malware activity around the globe.

The company has a response team which uses a variety of monitoring and detection tools to look out for suspicious cyber activity 24 hours a day, in three shifts, running between its offices in Helsinki and Kuala Lumpur.

Sean Sullivan, a technical expert with F-Secure, said the response team in charge of finding and dealing with any cyber attacks has to deal with, on average, 10,000 different samples of malware every day and this number is "rising exponentially".

The 16-strong Finnish team hunt through reams of code to find malware in it, with automation tools also running to pick out any repetitions within the different pieces of code to prevent staff going over old ground.

Sullivan said cyber criminals are now using "malware factories" to bombard the networks with viruses and spam because they cannot beat the security companies by using complex code anymore.

The team also uses a host of other tools to hunt and identify a variety of cyber threats, including a mobile phone bunker, which they use to see how devices react to viruses, a Google Earth mash-up and a fake IP address to attract and catch fraudsters and infected machines.

Photo credit: Gemma Simpson

One tool used by the team is World Map (pictured) – which gives a visual representation of which IP addresses of customers using F-Secure products have been infected, and where in the world they are.

The team also uses analytical tools to get an idea of how malware can affect different systems and identify what has changed before and after an attack.

Pictured is the response team's hub – with the World Map app appearing on a screen on the right-hand side.

The centre screen uses a Google Earth mash-up to pick out infected IP addresses around the world.

This software works by running a 'fake' IP address with no machines attached to it, so there is no legitimate reason for anyone or anything to contact that address.

However, worms and other malware doing the rounds will contact the fake address. F-Secure can then pinpoint which IP address has made the attack, its location and what the malware is.
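
The sketch below is an added example, not F-Secure's software: it shows how a sensor on an unused address range can treat every inbound flow as suspect and group it by source. The log format, the documentation-range addresses, the `DARK_NET` range and the `min_targets` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the unused ("dark") range the sensor watches (a documentation range).
DARK_NET = ip_network("192.0.2.0/28")

# Constructed sample log, one flow per line: "timestamp src dst proto dst_port"
SAMPLE_LOG = """\
2008-03-01T10:00:01 198.51.100.7 192.0.2.5 tcp 445
2008-03-01T10:00:02 198.51.100.7 192.0.2.6 tcp 445
2008-03-01T10:00:04 203.0.113.20 192.0.2.5 tcp 135
2008-03-01T10:00:05 198.51.100.9 198.51.100.1 tcp 80
2008-03-01T10:00:09 198.51.100.7 192.0.2.7 tcp 445
not a log line
2008-03-01T10:01:30 203.0.113.20 192.0.2.5 udp 1434
"""

def parse_line(line):
    """Return (src, dst, service) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src, dst, port = ip_address(parts[1]), ip_address(parts[2]), int(parts[4])
    except ValueError:
        return None
    return src, dst, f"{parts[3].lower()}/{port}"

def summarize(log_text, dark_net=DARK_NET):
    """Group every flow aimed at the dark range by its source address."""
    hits = defaultdict(lambda: {"count": 0, "targets": set(), "services": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] not in dark_net:
            continue  # malformed, or traffic to a live host
        src, dst, service = rec
        entry = hits[str(src)]
        entry["count"] += 1
        entry["targets"].add(str(dst))
        entry["services"].add(service)
    return dict(hits)

def sweeping_sources(summary, min_targets=3):
    """Sources hitting several dark addresses on one service: worm-like scanning."""
    return sorted(src for src, e in summary.items()
                  if len(e["targets"]) >= min_targets and len(e["services"]) == 1)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report, sweeping_sources(report))
```

Because nothing legitimate should ever address the dark range, no allow-list or baseline is needed; the per-source summary is what would then be handed to geolocation and malware identification.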

F-Secure's Sullivan said once an infected IP address is located there is nothing F-Secure can do directly except contact the appropriate people, such as the police, to deal with the situation.

The company also runs a Bluetooth honeypot within its offices to pick up on any infected mobile devices which may enter the building.

The honeypot's findings appear sporadically on the left-hand screen in the shot – which is currently showing a 3D representation of a virus.

F-Secure's mobile bunker (pictured) is where the response team can observe and analyse viruses as they pass from mobile device to device – but within the safety of the sealed room so the virus does not contaminate any public devices.

Mobile security is a relatively new arena for the antivirus company, but as F-Secure CEO, Kimmo Alkio, recently said: "The threat level on mobile malware is not very high at the present time."

Inside the bunker there is a selection of mobile devices which are used for F-Secure investigations.

An F-Secure researcher demonstrated to silicon.com how a Bluetooth virus can pass between mobile devices.

Jarno Niemelä, senior mobile antivirus researcher at F-Secure, said: "Imagine this in a concert hall or sports hall then you can see how easily a virus can spread."
