Mastermind of Defense: Join the latest Q&A session with our Director of Threat Research

Alexandru_BD · 2023-12-05T11:01:14+00:00

There was an error rendering this rich post.

📣 We are excited to announce a new Q&A session that brings together our community for another insightful and interactive experience. Our special guest on the forum is Bogdan Botezatu, the esteemed Director of Threat Research at Bitdefender. Here's what he wanted to share with you:

Hi, I'm Bogdan Botezatu, Director of Threat Research at Bitdefender. I joined the company in early 2008 and I have been involved in several crucial projects spanning blog management, ransomware decryption efforts, and threat reporting ever since.

Join us and gain valuable insights into the current cybersecurity landscape, including emerging threats and trends, and explore the crucial role played by threat researchers in safeguarding digital environments.

We look forward to your questions and you can start asking in the comments below! ⬇️

Find more posts tagged with

cybersecurity

threatresearch

peopleofbitdefender

bitdefendercommunity

communityq&a

Comments

Nunzio77

Is Bitdefender preparing or is it already prepared against the challenges that could arise with attacks by "intelligent" GPT chats and whether behavioral analysis will be increasingly strengthened with the support and aid of artificial intelligence?

Nowadays, in addition to viral signatures, I think that the heart of excellent protection is both behavioral analysis and the timing of intervention to block the threat.

Thank you.

Bogdan BOTEZATU

Hi & thanks for this question, @Nunzio77.

This is a tough one - and i'd like to offer some context to the other readers before I get to answer your question: We're already seeing AI hard at work for scamming people out of their money and the situation looks even more dire for the year to come. The commoditization of LLMs will make it much easier for cyber-criminals to run automated scamming toolkits able to target hundreds or thousands of consumers in multiple languages simultaneously. The rise of artificial Intelligence (AI) and LLM has drastically lowered the barrier of entry for cybercriminals who speak English as a second language and in the future, these tools could help them break into new markets with victims speaking more "exotic" languages.

Another worrying issue is the fact that these AI models could generate everything, from text to images to real-time videos used for scamming people and technology can only help so much.

Back to your question: yes, we are working on technlogies to help people detect scams powered by artificial intelligence, technologies that will naturally complement our already mature scam detection technology stack. We're also spending significant effort in educating users on how to tell AI-generated content. You might find this piece interesting: https://www.bitdefender.com/blog/hotforsecurity/deepfakes-what-they-are-how-they-work-and-how-to-protect-against-malicious-usage-in-the-digital-age/

Stay tuned, we're going to have plenty of announcements on this topic shortly. Let me know if I can help you with anything else in the mean time.

Flexx

Hi @Bogdan BOTEZATU,

@Flexx here. I have a question that I have submitted to both malware researchers and the developers via the support team, but I haven't received a satisfactory answer yet. Can you respond back to the questions stated below in a SIMPLIFIED MANNER so that other users on the forum who are not tech-savvy can also understand the same!!!

Question 1

* Signature-based detection: Is it only based on the detections created by malware researchers or is there something else to it.

* How exactly does cloud-based detection work?

As far as I know, if Bitdefender finds something suspicious, it uploads it to the cloud to check for the reputation of the file,

How does the file's reputation work?

How does it search for reputation files in the cloud?

Where do these reputation files come from and how the cloud scan works on them, there must be some technology developed by Bitdefender even if the files get uploaded to cloud and the files is scanned by thousands of user reporting about the characteristics of file.

Additionally to above user thing, what I have also read on the internet is that files sent to the cloud are checked for malicious hashes for a known set of libraries that Bitdefender has. If the cloud also checks for the known set of malicious hashes from the Bitdefender library, the same way is how signature-based detection also works at some point, which sounds confusing.

* How are heuristic detections created? Are they also created by malware researchers, or is it different?

* Is Advanced Threat Defense similar to the behavior blocker used by other antimalware software?

Question 2

I've noticed that home users receive less protection than business/enterprise users. Your malware research team confirmed this through support, stating that some malicious software only targets business/enterprise users and not home users. They mentioned Mindspark adware as an example, which I reported to them repeatedly. However, they said it is detected by the business/enterprise product but not by the home product. This inconsistency doesn't make sense because any executable file, Java file, or any other file that can harm a business/enterprise Windows-based OS can also harm a home user with a Windows-based OS. Other malware vendors like Kaspersky, ESET, Norton, Avast, Avira, and AVG provide the same signature-based detection for both their business/enterprise and home products.

Question 3

Previously, Bitdefender included an integrated Android database in its Mac and Windows products. However, currently, the Windows and Mac products can detect all types of malware for all operating systems except Android. Is there a reason for this? If the Mac and Windows products can detect iOS, Symbian, and Blackberry mobile malware, why did you remove Android detection from these products? This is a significant drawback for Bitdefender. For example, after removing the Android engine from the Mac and Windows products, some Android files were still detected by the Windows and macOS products, but the Android product failed to detect them. I have a collection of over 1,000 Android malware samples detected by the Windows and Mac products but not by Bitdefender Mobile Security. If you had to remove the Android engine, you should have removed it completely, eliminating all Android detection from the Windows and Mac products. I contacted support about reintegrating the Android engine back into Windows and Mac, and they told me the respective team would work on it if it can be implemented again. I received similar feedback from some Bitdefender staff on the forum who said this would be a great idea and would share it with the respective team. Therefore, I kindly request that you reconsider and reimplement Android detection into the Windows and Mac products. If that's not possible, you should remove the detection of Linux, Blackberry, Symbian, and Mac engines from the Windows OS product and Linux, Blackberry, Symbian, and Windows engines from the macOS product. This would ensure fairness since malware designed for other operating systems cannot harm a specific system.

Question 4

Bitdefender's home product utilizes signature-based, heuristic, advanced threat, and cloud-based detection technologies. Bitdefender's business/enterprise product includes all of these technologies plus HyperDetect. Isn't it unfair that the home version lacks HyperDetect? Will Bitdefender continue to maintain that home users do not require the same level of protection as business/enterprise users? While I understand that you cannot comment on other antimalware vendors, all other vendors offer the same detection technologies and malware coverage for both their home and business/enterprise products

OR is HyperDetect a single term given to a business/enterprise line of products that comprises all signature-based, heuristic, advanced threat, and cloud-based detection technologies.

Question 5

What sort of machine learning and AI technologies are implemented in both home product and business/enterprise product lines? Also, on virustotal.com, there is an engine called Bitdefender Theta, which I suppose is based on machine learning. What is the use of that engine on virustotal when it is not implemented in any of the home, business, or enterprise ranges of Bitdefender products?

I believe these questions are significant, and I hope I have effectively communicated my concerns.

Regards

fedor

bonsoir Bogdan Botezatu,

content de te connaitre.

j'aimerais savoir si bitdefender a ou va utiliser l'IA dans le futur?

est ce que la fonction remeditation des ransomwares restaure vraiment tous les fichiers bloquer par un ransomware?

quel sont tes diplomes pour en arriver a ce poste?

bonne soirée et content de te connaitre.

Bogdan BOTEZATU

Hey @Flexx,

wow, that's some great homework for me here. Let me see if I can answer these questions in a satisfactory manner.

Signature-based detection: Is it only based on the detections created by malware researchers or is there something else to it.

No, signature-based detection is also added by several automated systems that process malware. A signature-based detection is something that is extracted from a file (so both malware analysts and systems manipulating malicious files can extract these features and create a signature).

How exactly does cloud-based detection work?

As far as I know, if Bitdefender finds something suspicious, it uploads it to the cloud to check for the reputation of the file,

Cloud-based detection extracts features from files and interrogates a cloud service about these features. This helps us detect emerging malware faster as we don't have to deliver a local update to be able to detect files.

How does the file's reputation work?

The file reputation system is exactly what's written on the can - a system that helps us identify popular, widely used files and then be more relaxed about scanning them in the future. We have several proprietary technologies that keep tabs of how many times we have seen a file in the wild, when we first started seeing it and when we last saw it. The older a file is and the more computers it already is on, the higher the file's reputation score is.

How does it search for reputation files in the cloud?

The Bitdefender product you have installed on your device generates an unique identifier for the file on your device and then asks the cloud about whether that file is OK (i.e. has been encountered by a lot of customers or only a few). The cloud compares the unique identifier with a file repository and then answers with a verdict.

I think this was covered in the previous two answers. The reputation files are not coming from anywhere; we just keep count of how many times we have seen files on computers. The whole point is to not upload the file (as this is probably a popular file, with a huge user base, it is likely part of a software application and we have it in our clean files collection already).

Before I get to answer more deeply, let me clarify one thing: the cloud is not processing files (the product does not upload files on the cloud to be scanned, the product *does* the scanning). Files that don't get a verdict from the product are processed like follows: the engines extract some features from the product; these features are are sent to the cloud and the cloud answers with a verdict (infected/clean). The product then takes teh appropriate measures to disinfect or quarantine the file.

So no, the cloud does not scan files but rather exposes services that have huge databases of information for files and URLs.

How are heuristic detections created? Are they also created by malware researchers, or is it different?

All detections can be created by malware researchers or automated systems processing the files.

Is Advanced Threat Defense similar to the behavior blocker used by other antimalware software?

Advanced Threat Defense (formerly know as Advanced Threat Control) is the commercial name for our behavioral detection technology.

Question 2

Bitdefender products for business have several technologies that, indeed, do not belong in a consumer setup. These extra safeguards can be feature- or policy-based. On the feature side, i would mention EDR sensors that record and aggregate suspicious activity at the organization level. This provides great insight, but it is inapplicable in a home setup because of its complexity and small network size. On the policy side, i would mention that enterprise products are more restrictive (i.e. an admin can disallow the use of specific software or technology to keep the endpoint locked down). This does not go well with a home computer, where the user is also the device administrator. and can do whatever they want with the computer, including uninstalling the antivirus if they wish so.

Bogdan BOTEZATU

[another block cause I exceeded the word count in the first one]

Question 3

Let me look into that and I'll get back to you shortly.

Question 4

OR is HyperDetect a single term given to a business/enterprise line of products that comprises all signature-based, heuristic, advanced threat, and cloud-based detection technologies.

HyperDetect is a technology that uses local machine learning models that are designed to intercept very specific types of attacks such as PowerShell abuse or tools and techniques used by APT groups, to mention a few. Gven that home users are not subject to state-sponsored attacks or advanced threat actors, HyperDetect will likely make no difference.

Bitdefender business and home products are targeted at two different audiences and include the mix of technologies that both audiences need to navigate the dangers associated to their daily activities. When we build these stacks, we always look at what the market needs and what their issues are, and always build (or port) new features to cater to their individual pain-points. Thoughout the time, we have ported several technologies form the enterprise products to the consumer portfolio: the Ransomware Remediation, Root Cause Analysis and so on and we keep doing that when it's relevant for our users. Throwing in business technologies into consumer products will likely make these difficult to manage and use for the average consumer. We believe that consumer products should be set-it-and-forget-it, because most people are not tech-savvy and don't like complex setups and maintenance.

Regarding fairness - we have a vast range of products that suit a specific type of users and we don't condition access to any. It's easy for people who think they need HyperDetect or any other business-only technology to make migrate to GravityZone, for instance (it is available for setups from 5 computers up to as many as you'd like - that's what I have at home :) )

Question 5

The anti-malware engines (and their capabilities) in our consumer and business products are identical, except for the fact that business products also come with HyperDetect and can be complemented with the EDR module + sensors.

Theta is indeed a cloud-only, machine-learning only detection technology. It is an experimental technology that we don't integrate at this point.

Hope this helps,

Bob

Flexx

https://community.bitdefender.com/en/discussion/comment/333326#Comment_333326

Hi Bob,

I wanted to take a moment to express my sincere appreciation for your prompt and thorough responses to all my requests. I'm currently awaiting the answer related to Q3. Additionally, it would be really helpful if Bitdefender could reintegrate the Android engine back into the Mac and Windows product.

Regards

Bogdan BOTEZATU

Hi, @fedor

Nice to meet you and please accept my apologies for the delayed answers. Apologies, but my French is terrible, so I'll have your questions answered in English instead.

j'aimerais savoir si bitdefender a ou va utiliser l'IA dans le futur?

- Bitdefender *is* and has been using machine learning algorithms since 2007 for malware and spam detection, as well as for detecting cyber-bullying and predatory conversations in Parental Control technologies. We currently Out of the 495 patents issued to us for core technologies, about 10% are related to machine-learning algorithms to detect malware & other threats.

- est ce que la fonction remeditation des ransomwares restaure vraiment tous les fichiers bloquer par un ransomware?

Yes. Bitdefender keeps a backup copy of all files before they are allowed to undergo encryption. If, during processing, Bitdefender detects that the encryption is triggered by ransomware, it would automatically terminate the encryption process and restore all files to their previous state.

- quel sont tes diplomes pour en arriver a ce poste?

I started working for Bitdefender almost 16 years ago. Before 2008, I worked as a system administrator at an university, where I gradually became acquainted with cyber-security, threat hunting, incident response and remediation - things that helped me gain expertise for the current role.

I hope this helps,

Bogdan

Flexx

https://community.bitdefender.com/en/discussion/comment/333326#Comment_333326

@Bogdan BOTEZATU the update on Q3 is still awaited

Regards

SeriousHoax

Hello @Bogdan BOTEZATU,

I hope this Q&A session is still alive.

My question is regarding malware using direct sys calls to try to bypass AV products:

Here is a EDR product test that was done in 2021:

https://arxiv.org/pdf/2108.10422.pdf

4 types of malware were tested here. Bitdefender did better than most products detecting 3 out of 4 but failed one exe-based malware that was using direct system calls in assembly to avoid hooked functions. So they implied that Bitdefender and some other product's high reliance on user-mode hooking could have been one of the reasons for them to miss that exe sample.

Since you're the Director of Threat Research, my question is how prevalent is this type of technique in your experience? The test was done in 2021 and now we're in 2024. Since then some things have changed in Bitdefender, like process memory scanning became available in Business products as well as paid Home products. Many new Bitdefender patents have also been approved in the meantime. So I'm wondering if Bitdefender has taken steps to prevent this type of malware that tries to bypass hooking mechanisms? Were you and your colleagues aware of this particular test?

Regards.