
Malware Beware!

A group of technicians in various international locations is striving to stay at least one step ahead of cybervillains through the 24/7/365 operation of a cybersecurity laboratory. These experts employ novel techniques such as using cloud computing and behavior blocking to destroy dangerous files in an attempt to protect users. The efforts focus on specific clients, but because of working relationships among competitors, the benefits have far-reaching effects.

PandaLabs, the center of Panda Security’s technical support services, is a secure laboratory in Bilbao, Spain, focused on detecting and eliminating viruses, malware and other computer security threats. The laboratory includes satellite employees in various global locations who participate in the search for and destruction of malicious software and code. PandaLabs has been in operation for more than a decade, and during that time it has morphed to handle the unprecedented amount of dangers attacking networks daily. When operations began, personnel handled approximately 100 malware samples a month. Now, they deal with more than 30,000 per day.

The sheer number of files prevents technicians and automatic techniques, which handle about 99.4 percent of the case load, from being able to address every issue. “Even 1 percent, though, means a lot of files,” Luis Corrons, technical director of PandaLabs, explains. For the files they manage, technicians make decisions on what is legitimate and what is malware, and engineers in the detection department look at how to improve existing technologies or whether new technologies are necessary. Ideally, PandaLabs would like to cope with 100 percent of the files they receive. “That will never be real, but we have to be as close as possible to that,” Corrons states.

PandaLabs has four main departments: surveillance; detection, the biggest department; antimalware delivery; and collective intelligence. This final section is altering the malware detection landscape by performing processes through cloud computing. The collective intelligence works as an online, real-time database that stores the majority of signature files, keeping the signatures held on the endpoint to a minimum. All Panda users serve as sensors for new malware, sending statistical data about malware presence back to the cloud. The approach also reduces bandwidth needs and offers almost instant notification of problems. Information is pulled into the cloud in real time, and when technicians identify a file as malware it is classified as such for all users within a matter of seconds, without the need for anything to load onto users’ computers.

The cloud computing technique grew out of a proof-of-concept product called NanoScan, developed by PandaLabs in 2007, that gathered antivirus protection information for a couple of months. At the end of that time, experts found that more than 20 percent of those screened, which included Panda and other vendors’ customers, were infected with malware. With NanoScan, technicians were able to identify malware in only a few seconds. When laboratory personnel explained the technology to other people in Panda Security, suggestions were made to build the process into products. However, the process is so complex that running it on a normal computer is impossible.

Instead, PandaLabs built a system and put servers—now totaling more than 150—onto the Internet so products can connect to the cloud. Information is analyzed there and no local computer processing units are needed. To ensure privacy and to save time, entire files are not uploaded, only specific pieces of information. When a determination about the content is made, the information is sent back to users. “That’s something that’s a great difference between PandaLabs and other antivirus companies,” Corrons says.
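The collective-intelligence flow described above, reduced to a small simulation as an added illustration (this is not Panda Security’s code and makes no claim about its real protocol): endpoints send the cloud only a file digest and its size, never the file itself; the cloud holds the verdict database; a technician’s classification is visible to every endpoint on its next lookup; and each endpoint keeps only a small local cache instead of a full signature set.

```python
import hashlib


class CollectiveIntelligenceCloud:
    """Cloud-side verdict store (assumed design for illustration only)."""

    def __init__(self):
        self.verdicts = {}   # sha256 hex digest -> "malware" | "clean"
        self.sightings = {}  # digest -> number of endpoint reports (the "sensor" data)

    def lookup(self, digest: str, size: int) -> str:
        # Only a digest and a size arrive here; file content never leaves the endpoint.
        self.sightings[digest] = self.sightings.get(digest, 0) + 1
        return self.verdicts.get(digest, "unknown")

    def classify(self, digest: str, verdict: str) -> None:
        # A lab decision takes effect for all endpoints without any local update.
        self.verdicts[digest] = verdict


class Endpoint:
    """Endpoint agent with a minimal local cache instead of a full signature set."""

    def __init__(self, cloud: CollectiveIntelligenceCloud):
        self.cloud = cloud
        self.cache = {}

    def check(self, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.cache:
            return self.cache[digest]
        verdict = self.cloud.lookup(digest, len(content))
        if verdict != "unknown":      # unknown files are re-queried next time
            self.cache[digest] = verdict
        return verdict


def run_scenario():
    """Two endpoints see the same constructed sample; the lab classifies it in between."""
    cloud = CollectiveIntelligenceCloud()
    sample = b"constructed sample file, not real malware"  # constructed input
    digest = hashlib.sha256(sample).hexdigest()
    first, second = Endpoint(cloud), Endpoint(cloud)
    before = first.check(sample)            # nobody has classified it yet
    cloud.classify(digest, "malware")       # technician decision in the lab
    after_other = second.check(sample)      # a different endpoint sees it at once
    after_first = first.check(sample)       # the original endpoint is now protected too
    return before, after_other, after_first, cloud.sightings[digest], first.cache[digest]
```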

Though the main beneficiaries of PandaLabs’ work and research are Panda Security customers, the efforts have broader impact as well. Corrons explains that PandaLabs has good relationships with other antivirus companies and that the various competitors share information and malware samples. Attempts to protect customers are both reactive and proactive. “We think the proactive technologies are a must,” Corrons states.

One of the laboratory’s more novel preventive methods is a behavior blocker. The blocker looks at every file run on the computer, and as soon as it detects something suspicious it kills the file. Corrons explains that the file often will be unknown, but by its behavior, the technology identifies it as a threat. The difference between the behavior blocker and most similar technologies is that it does not rely on the end user to decide whether a file is a virus. Most computer users are familiar with pop-up windows that ask whether or not to allow a file, but few people are qualified to make that decision. The behavior blocker skips that step, eliminates the threat and informs users that a file has been killed. Users then have the option to send the file to PandaLabs for further analysis.