Malc0de CyberNet
Fulfill your daily dose of Security & Tech News.

Expert Talks: Q & A with Malware Analyst, Karsten Hahn

A small interview we conducted with Karsten Hahn, who is a Virus Analyst at G-Data Antivirus Company

0 773

Recently, I conducted a small interview with Karsten Hahn (@struppigel), on the present state of Cyber Security, with a special focus on IoT and the outburst of Ransomware. In this post, I will be presenting his opinions as it is.

Let’s Get Started.


Q1.) What is your opinion on the state of Cyber Security as of 2017 and How do you see it evolve?

Hahn, K.: My expert knowledge about the state of cyber security is limited to malware so I will see it through that lens. I believe security is still underrated by people and organizations, but due to ransomware, it is getting more attention. Especially the attacks on hospitals and transport systems might have shown everyone the large impact of bad security. These threats have ruined companies and some people’s lives.

I see a lot of denial of risks and pushing off responsibility. E.g. sometimes people and companies blame AV products because they didn’t protect them but at the same time they turned off the behavior blocker and regular signature updates and didn’t back up their files. We need more research to find better technologies for malware detection and prevention. Our technologies are good, but they are not nearly good enough to sit back and be happy with the status we have.

AV companies work together a lot, which is great to see and probably not so common in other industries. The security community profits a lot from the (often unpaid) work of malware researchers and open-source developers for reversing and analysis tools, e.g., without them sites like https://id-ransomware.malwarehunterteam.com/ wouldn’t be there. I am thankful for everyone who contributes and hope this mentality will not change too soon.

Q2.) Internet of Things has gained huge popularity in the past few years. Products like Amazon Echo or Google Home might occupy a corner on our desks very soon. What do you think should be done to preserve privacy in IoT products at both individual and enterprise level?

Hahn, K.: People don’t care that much about security nor privacy (see Facebook) because most security/privacy measures are uncomfortable, and people tend to think that nothing bad will happen to them. Due to these psychological conditions, privacy has to be made as easy to implement as possible. That means the default settings of every device should be the most private and secure ones. If you have to put work into turning privacy features off, people either think about it twice or just leave it turned on if they don’t want to think about it.

I see the problem that manufacturers will not care about privacy either because they don’t gain anything from it. It is rather the opposite because they benefit from the user’s information. They will only care if they either earn more money with that or are bound to it by law. In Germany we have good privacy protection by law, but other countries have not.

We could make people more aware of possible consequences, e.g., if suddenly your health insurance knows that you watch TV all day and buy only food with lots of sugar and the advertising companies know earlier than your husband that you are pregnant because of the way you changed the temperature settings. Then we can hope that there are enough people who are willing to decide for products with privacy in mind so that manufacturers in turn also build them with privacy in mind. The TV show that caused a lot of Alexa devices to buy doll houses demonstrated a huge problem with new technologies. These devices bring new possibilities for misuse and new risks, but most of the time no one thinks about it until something bad happens.

To sum this up: I don’t see any problem in finding or implementing technologies to make these devices safe to protect the user’s privacy. The real issue is our own psychology and the lack of motivation for the manufacturers to make them safe.

Q3.) How do you see IoT will affect the lives of people who are not much concerned about Security or Malware Threats in general?

Hahn, K.: People who aren’t concerned about it are probably the majority of the users for these devices. A lot of them aren’t concerned because they aren’t aware. Others are aware but don’t feel computer savvy enough to take care of it. Their lives will become easier and more difficult at the time. As long as it works and nothing happens, things are easy. But once they become a victim of a malware attack, it will affect their daily lives a lot more than before. There are now more things in your home that can be infected by malware, your washing machine might refuse to wash your clothes until you pay a ransom.

I guess in the long run people will be forced to be more concerned about security and might also value it more and put more efforts into it, maybe prefer more secure products. But that happens only after things have become worse.

Q4.) Ransomware is the #1 concern for organizations. It’s growing every year with a steep growth curve. Ransomware is like the newest startup with the potential to become the richest in the world. What is the primary reason for such growth? Security Awareness or Lack of Research or something else.

Hahn, K.: Bitcoin has made it easy for the attackers to use ransomware without any risk. So once Bitcoin became popular it was just a matter of time for ransomware to grow big. Once others saw the huge success of the first file encrypting ransomware families they tried themselves to earn money with that.

Then there started a boom with a business model called Ransomware-as-a-Service, which made it easy for everyday people to buy a ransomware and earn money with that. So by then we have also people without any technical knowledge, but some evil mindset and money, who got into the game of ransomware.

The next step was open-source ransomware. So far either technical people or people with money could afford to take part in the ransomware business. Open-source ransomware like HiddenTears and EDA2, which is ready-to-compile to a working ransomware binary, requires no money at all and only some limited technical knowledge to modify the parts you need. So at this point, almost everyone can take part in the ransomware business and that is, in my opinion, the third reason for it to grow even more.

So we have those three steps that led to growth: Bitcoin -> RaaS -> open-source ransomware

Q5.) Deep Learning is making great strides in Computer Vision and Natural Language Processing. In what way can Deep Learning help the state of Malware / Security research?

Hahn, K.: It’s been a long time since I worked with Deep Learning technologies. But indeed, I believe this can help to detect malware and identify malware families. This kind of technology more resembles how our brain works and is especially good to decide about problems where the input is incomplete, the outcome isn’t always clear-cut and the problem is hard to solve using conventional algorithms.

All of that is true for malware detection and identification. Virus detection is an undecidable problem as proven by Cohen. Since malware is a superset of viruses the same is true for malware detection. Whether a program is malicious or not depends a lot on the context, it might even depend on the user’s opinion and whether they want the program to be there. The best example for that is software for remote access. This is great software to get remote help from technical experts, but it is really bad if a person accesses your system without you wanting it. So we have an outcome that is not clear-cut. We might also have incomplete input, e.g., the system might only get parts of the malware as input, because a malware might be separated into several files and you just have one.

Furthermore, the evolutional change of how malware “looks like” is not much different to the problem of face recognition in people who get a haircut or put on make-up. That means face recognition and identification of malware families as they evolve is the same problem underneath, and we can use Deep Learning to solve both.

Q6.) Is there a possibility that Application of Deep Learning Research will prove to be the ultimate weapon of choice against Ransomware?

Hahn, K.: The ultimate weapon of choice for file encrypting ransomware is proper backups. This is simple, this is something everyone can do, and we already have this weapon.

Apart from that Deep Learning has the possibility to become the technology of choice for malware detection and identification. This will in any way entail more than just ransomware.

Questions w.r.t Scholars and budding Researchers.

Q1.) What approaches should be taken by the University to encourage research culture among students

Hahn, K.: It would be great if students have more opportunities to do something that they like and publish and demonstrate their works. Most students do have side-projects, but at least at the universities that I know you almost never get the opportunity to show it. Instead, students mostly have to present results for something they are not interested in. E.g. you could create a course that is a bit like free play for children. The students can choose what they want to do and with whom (also alone if they prefer to), but they have to do a project and write a scientific paper on it.

Q2.) What would you advise scholars who want to become a Malware Analyst like you?

Hahn, K.: Three things are important if you want to get into the field: skill, projects, and connections. In that order. That means before you even start a project you need to have the skills to tackle it. After you have a project (or parts of it) to show, it will be possible to build up connections to other people in the field.

Let’s look at the way I got into it as an example. I had skill in software development and knowledge about the Portable Executable file format. At that time I didn’t even know how to debug malware and I had almost no knowledge in Assembly. So I started my project which was a parser for PE files and then I published it alongside my master thesis. The project has several uses:

1. You gain more knowledge and you may become a specialist in a certain topic
2. You get to know more people
3. You show your future employer that you are actually interested in the topic.

Note: The project does not have to be a program or a research paper or a thesis. It can also mean that you write blog articles, create infographics or publish videos. It really doesn’t matter what you choose as a project as long as it has to do with malware analysis and as long as you can publish it.

Then it is your turn to connect to people. Without having something to show it is hard to get first connections, but this becomes much easier if you can use your project for that. E.g., I asked people for help and advice on my project who have more knowledge than me on certain topics, I published releases for my PE parser that people can use for free, I looked into similar projects as mine and helped out with bug reports, I wrote about my progress on Twitter. This step of connecting takes time and requires patience. For me, it took two years until I felt really connected in the malware analysis community.

 You do NOT have to know everything about malware analysis, or already be an expert on a specific topic in that field to become an analyst. In my case, the project was enough to prove my interest and determination so that I got a job as a junior malware analyst. I learned most of the things in that field during my job. Connections will help you to find the right job as well, although in my case it wasn’t necessary. Don’t become discouraged if you see requirements on job advertisements that you don’t fulfill. Apply anyways and write in your application letter that you work on those things that are missing.
Q3.) Any final words or advice in General for scholars, programmers, hackers etc.?

Hahn, K.: You will never get to a point where you can stop learning because you learned everything you need. In fact the more you learn the more you will realize what you don’t know. There will always be people who are better than you. Every single person is a noob in certain topics and every single person has to defecate (remember that if you feel inferior). So stop comparing yourself to others and stop beating yourself up. Don’t try to be better than someone else, compare yourself to yourself, be yourself, and do the things you love. Get used to making mistakes, they help you grow. You only fail if you stop trying. You are great and you can achieve great things. I believe in you.


With this, we concluded the Interview.  We would like to greatly thank Karsten for taking out time and providing such deeper insights on this topic.  We are sure that this Q & A will great help out readers and Security Enthusiasts.  My personal recommendation to all the budding security enthusiast and programmers is to follow the advice given in the last question. That is truly the holy grail of becoming awesome.


About Karsten Hahn

Karsten Hahn is a Malware Analyst at GData, Fighter against Ransomware and Author of PortEx. PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection.

Github: https://github.com/katjahahn

Twitter: https://twitter.com/struppigel

Leave A Reply

Your email address will not be published.