VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Interview with Eric Filiol

Valhalla #3
October 2012

[Back to index] [Comments]

Eric Filiol, born in 1962 in France, is Scientific director of the Operational Cryptology and Virology lab (ESIEA, France). He is scientific director of EICAR as well as program chair of the EICAR conference. Furthermore, he is the editor-in-chief of the research journal Journal in Computer Virology (Springer).

He has done a PhD Thesis in applied mathematics and computer science. Among other positions, he worked as a "Military cryptanalyst" and "Head scientist officer and scientific director of the Virology and cryptology lab" at a french military academy.

His research covers several topics in information security, including computer virology. Among other topics, he mathematically characterizes (known and unknown) viral topics which led to fantastic results for k-ary viruses, undecidable metamorphic mutation grammars, tau-obfuscation and many others.

You can find Eric's homepage at and contact him via [email protected]

The interview was done in two sessions in September/October 2012 via e-Mail.

Have fun :)

Hello Eric, thanks a lot for accepting to answer a few questions! I'm sure this will be interesting! First let's start with some private questions - please talk a bit about yourself! What are your hobbies? What kind of music do you listen to? How do you spend your free time?

Well not an easy task. In fact I have a scientific background in Mathematics and Information Security Engineering (Ingineer diploma, Ph D and Habilitation thesis). I have spent 22 years in the French Army (French Marines Corps/Infantry) first a platoon and company leader then as mathematical/IR security expert (I am also graduated from NATO in Information Operations). I am now heading the R & D Department of ESIEA, a French engineer schools group as well as the Operational Cryptology and Computer Virology Research Lab.

From a private point of view, I am married with a boy of 16 and my main hobbies, aside programming and mathematics, are running (marathon and half marathon), playing bass guitar, reading and motocycling.

Music indeed is very important in my life and I like any kind of music provided that it is good music. But Jazz, Blues, Rock and Electro are my favorite kind of music. The three recent albums I love: Neil Cowley trio (the face of mount Molehill), the last Dead Can Dance and Paul Kalkbrenner (Icke Wieder). Three most favorite films: Fight club, A River runs through it, The Deer Hunter.

Please explain your way to this unusual topic of research. When did you have the first contact with computers? When did you start code? What did you do before you started working on Cryptology and Virology? How did you get the first employment in this field as a military cryptanalyst in 1991?

In fact I work in cyber attack with application to cyber defense. Up to me it is a deep conceptual stupidity to imagine defend systems of you are not able to attack them or at least to understand how they could be attacked. It does not mean that we actually do attack but all my research is conceptually (from theory to applications) driven by the attackers' perspective. My first contact with computer was in 1981 with the mythical Apple 2E. I was programming in Pascal and of course in Assembly language.

Before starting with cryptology and Virology, I was first a student in mathematics and then an infantry man (even if I never stopped to code and to learn mathematics). My first employment as a military cryptanalyst came naturally. In fact after several years as infantry man (lieutenant and then captain) you have to choose which career you wish to follow: either going on with infantry regiment positions (but I was a little bit too old) or as a military expert in a technical field. I had more diploma than the average (damned) and then the military staff decided that it would be a waste to stay in regiment while there were many other area of expertise where my mathematical background would be useful. I do not regret this choice since I joined the intelligence domain, did very exciting things. Moreover I think that I did far more operational stuff than any of my colleagues ever did while staying in regiment.

Since the 1990s you are working as a cryptoanalyst and researcher in computer virology for the military and for the government, including applications to cyberwar. This sounds like a fascinating job! Could you please explain what you are working on exactly? What are the goals of your research and how is it related to cyberwar? Is most of your work confidential or do you publish all of your findings in scientific journals and conferences?

Computer virology and cryptanalysis are just techniques and tools. Cyber war is the art to use those tools (along with many others like conventional weaponry in a combined perspective) while conducting a general war maneuver. Most people forget that there is a huge difference between having a powerful malware and to use it in the most clever and efficient way. This why (see further) I consider that Stuxnet and later avatars is a amateur work. To be more illustrative, you can have the most powerful guns, if you ignore how to use it, if you are unable to organize your troops in order to use those guns efficiently you will fail.

Part of my research consists precisely in building operational scenarii (thinking like a potential attacker or like a digital infantryman if you prefer), to test them on simulator, to analyze real attacks, and to model general attack framework (what military call doctrine, tactical schemes). Most of the concepts are of course inherited from the military doctrine (remember that I am graduated from NATO in information operations) but I also use mathematical concepts (combinatorics, proability theory, statistics). I have published the general theory (while operational framework are also described) at Brucon 2009 and in a chapter of the book Cyberwar and Information Warfare published by Wiley. This chapter contains a few realistic scenarii (drawn from operational reality). I have published another scenario at ECIW 2009. Of course, most of this research has to remain unpublished.

About two years ago, Stuxnet appeared and marked the first big publicly-known cyber-attack of a government. Later Duqu, Flame and Gauss were discovered. What do you think about these cyber weapons? Do you know of earlier cyber-weapons used by governments? Where you surprised about attacks of this type and these code's complexity? How are these cases related to your research in cyber-defense?

Well I am strongly puzzled about Stuxnet and later avatars. I think that most of this is a huge buzz organized by Kaspersky. First Gauss is a classical malware that just spies on specific data (financial data). The technology inside is not significantly different from that of very nice oldies from the 80s and 90s. Stuxnet is a little bit different but from a code point of view Aurora codes were similar except for the number of simultaneous 0-days used and of course for the stolen cryptographic certificates. In fact the success of Stuxnet comes from that: to be able to look like a legitimate resource. Duqu (and the very comic buzz around a allegedly unknown programming language by Kaspersky who seems to ignore what a formal language is a pity). Lastly Flame is a mediatic scandal. Whale and Dark Paranoid malware were very similar and probably far better designed and implemented.

For me those malware are not cyber weapons (or the "military" authors have to change for another job). I cannot believe that the US or Israel armies would do such hugs mistakes. A military purpose malware has to be stealth, efficient and very targeted. In fact you will never learn about it and you will never detect it. You do not let evidences (or alleged evidences like in Stuxnet code) that can identify you as the malware author or user. Unless intelligence services intend to send a message. In this case it would be a technical, strategic and operational error since now all rogue countries are aware and are prepared.

In fact cyberweapons are already used for a while by governments in a more clever way. This has begun directly in the 80s but no one except a limited number of experts in the domain has ever heard about them. Secrecy is a mandatory aspect (which includes not to be detected) if you want to gain a tactical and strategic advantage. And of course if you want to replay attacks. I have analyzed two real, very sophisticated attacks which were very likely (the last in 2004) from foreign intelligence services. The code has been discovered because we suppose that the leak of secret data could be explained by the use of spying malware. We have found it on three computers of a try sensitive company. They were installed for months ahead and never detected by any users or AV software. The analysis clearly proved that the crypto was of governmental nature as well as the operational management of the malware. We never managed to identify the author and the users. We have here a true cyberweapons.

To conclude with question, part of my research is precisely to design this kind of malware in a context of cyberwar. But to be honest I have been more in sired by clever and marvelous virus writers (29A especially) than by Stuxnet or other avatars. Military and governments need to have 0-day (recall the the recent buzz coming from the Grugq and Vupen about 0-day trading) which is a limited view. In my own research I am interested in malware that do not rely on 0-day or any other vulnerability except those of the users. Using 0-day is easy not to say a technical laziness. But it is operationally limited and has only a limited lifetime. 0-days can and will be patched later or sooner not users: there is no patch for users!

In some of your presentations and papers you mention that malware detection is undecidable (which has been proven by Fred Cohen already in the 1980s). Yet people from anti-virus community claim that every self-replicator can be detected. Now what is correct? Could somebody write a self-modifying virus that can circumvent every possible methode like clever algorithms, emulation including behaviour analysis, statistical approaches, ...?

The claim of the AV community is not only wrong from a scientific point of view but also either it is the proof of their scientific incompetence and ignorance or a marketing lie. We have proved and designed malware for which we can prove that they cannot be detected (for exempt if you use suitable underlying formal grammars for code mutation, or if you use sophisticated code armoring techniques). Moreover the time is THE key issue. Malware have time, not AV (just imagine if every time you or the system do anything, the AV blocks it and analyzes for tens of minutes). AV just allocates a (very) limited number of cycles for analysis. We have designed a lame but very efficient malware as follows (the malware moreover embeds code mutation techniques): the malware encrypts itself and throw the secret key away (the key is changing regularly since the malware generates keys at random). Then to operate the malware has first to decrypt itself which can be tuned up between 10 or 30 minutes. It is what we have called tau-obfuscation (tau standing for time). From a general point of view, if you want do design a truly undetectable malware you have to use mathematical tools from the computability and complexity theory. So the answer is yes and we have already did it. We test all AV regularly and none of them have been ever able to detect our malware. Now I have to make a very important comment: there is a big difference between having a powerful malware and being able to use it efficiently. Everything lies here: the operational/tactical thought behind. If you spread a malware which make millions of copies well (unless you use special malicious crypto techniques and suitable malware network management) you increase the probability of identification of at least one copy and then draw the attention of the AV community (I would like to stress on the fact that still nowadays, some AVs are still not able to detect and clean up some specific instances of the Conficker worm -:)). That is why more and more targeted attack (up to a few hundreds of targets) will be always truly undetectable. We have submitted to Infiltrate 2013 a talk where we intend to present what could be the next generation of truly devastating botnets. At last, the problem is not only to detect but also to clean up and remove malware.

A few years avon we have designed malware that do not care to be detected since they reinstall themselves constantly (use k-ary malware for that).

In your article called "Metamorphism, Formal Grammars and Undecidable Code Mutation" you connect Metamorphism to a undecidable problem (word problem), and explain a certain implementation of an undecidable mutation system called POC_PBMOT. Can you briefly explain the idea of POC_PBMOT? The implementation is based on Mental Driller's MetaPHOR. Why did you use MetaPHOR as a basis? MetaPHOR has about 17.000lines of assembler-code - how much does your implementation have? You explain that the implementation is based on a macro-level grammar, but you actually never show the grammar looks like. Where you really scared that somebody might implement this grammar even if you knew that commercial malware do not even use good polymorphism? Have you sent your engine to other researchers or anti virus companies? Have you got a lot of feedback on this idea?

The basic idea is to use a grammar class 0 and a Thue system containing a Tzeitzin rewriting system. It is then impossible for any AV detector decide that the code is a malware. In fact, you have not only to work at the static level (the code itself) but also at the dynamic level since there is a moment where the code is under an "unprotected form". So you have to combine the code mutation technique (e.g. metamorphism) with code armoring and functional polymorphism. The paper indeed contains the formal grammar we use or at least the very critical core (the Tzeitsin system). We used it in a wider class 0 grammar which is far from being optimal. Metaphor was just taken by the way as an example. While it is a very nice code, the rewriting rules used in it (I mean the metamorphic rules) are those of regular grammars (class 3).

The part of POC_PBMOT dedicated to metamorphism (there are many other parts) is approximatively three times the size of Metaphor. Since we have found better grammars but we did not take the time to program a new malware from scratch. My approach from the theory to the practice is new and represents a technical advantage and remember that at that time I was still in the army -:)

Once again my concerns is not about the known malware but about those that we cannot detect and that are used by real, state-level attacker. I do not want to be responsible of any bad use. When I analyze some recent malware, I think that their author have read and applied some of my papers. As an example Conficker combinatorial management of network is rather close to what I published in 2006 (Combinatorial Optimization of Worm Propagation on an Unknown Network). i may be mistaken but well who knows? You cannot be sure that a few bad guys will use or not what you publish but in case of the AV community is ready to find nor to say create buzz and wrong evidences. I have exchanged with researcher (not the code) but some of the technical data. They have experimented on their own with the same conclusion.

Beside of PBMOT-engine, which uses an undecidable mutation grammar, you also created prototypes of other great techniques such as functional polymorphism or k-ary codes (splitting of the entire code into k distinct parts). Why have you never released the source codes publicly? What about freedom of knowledge in this case? What did you do with the source codes? Have you given them to other selected researchers?

I have never released the corresponding codes. My former student Anthony Desnos, published a simple instance of those code in Python at 2009. The issue you address is very critical: trying to find the best trade-off between freedom of knowledge and not infringing the law. Moreover I am convinced that the most interesting is not source code of particular malware instances but the general and mathematical basics that enables to produce any instance on his own. It is better to learn how to fish to people than giving fishes to them day after day. On the other side, the real issue is that k-ary codes for sophisticated instances are really undetectable and no one can imagine how a real bad guys would use published code.

You say that there is no way to detect specific well-ideat computer viruses (which contain techniques like chomsky type-0 grammar for mutation, k-ary concept, tau-obfuscation). Currently it seems like those projects are only in academic (who dont use it for attacks) or military use (who might use it for very small-scale attacks). But what would happen if criminals with commercial interest could find ways to implement such techniques, and start large-range attacks against? How could you protect yourself against such attacks?

In fact here you address a very old issue regarding scientific dissemination. The first part of the question is that we have to stay very humble when doing science and keeping in mind that if I have been able to find/invent/discover anything, very likely other people did as well, but probably have chosen not to disclose it for bad reasons (and bad uses). So the second part of the question is another question: what is the worst thing: to publish nothing and let bad guys do their dirty actions or to publish to make people aware and try to find another way/system/organization that may mitigate or prevent the threat. The fear of the danger does not remove the danger!

What are the viruses that you find most interesting and why? What techniques did you find most surprising/clever?

The most interesting malware I have seen until now are not public yet. They have been discovered during real attacks. Reader may be surprised not to say shocked to learn that no copy have been sent to AV vendors. Readers must know and be aware of that when you gain a technical advantage (discovering new sophisticated malware instances) your cannot share it. That is the new context of cyber warfare. International cooperation stops where national interests begin. Now as far a as known malware are concerned, I would say Conficker (for its combinatorial management of the rendez-vous points), Blaster (for the way it is able to deal with two different branches of Windows system family) and Stuxnet (because the way it is fooling security by using stolen cryptographic certificates; by the way, this is another example of very clever tactical design and use of techniques to avoid detection: just create a legitimate environment and turn the security confidence back to the victim). Of course some oldies malware must not be forgotten and deserves to be mentioned: Brain, Stealth, Q-Casino and many more.

What would you suggest people who want to start research in the field of computer virology? Which books/papers are obligatory? Which fields of mathematics and computer science are required? What are open questions in computer virology?

Programming skills are of course the first mandatory skill (Assembly, C essentially). Then a as good as possible level in Mathematics (Algebra, combinatorics, Probability Theory, Statistics) and Computer Science (Complexity Theory, Computability Issue, Automata Theory, formal languages). As for the books, well there are a lot to read. Aside good handbook in all those areas, I would recommend Rogers' book on Theory of Recursive Functions, Hopcroft and al.'s book on Automata Theory. Languages and Computation, Jones' book on Computability and Complexity and of course Cohen's books and Mark Ludwig's books.

Regarding open questions they are a lot. But one of the most critical is the identification of minimal grammar class 0 (according to Chomsky classification) with suitable properties for code mutation. The search for Thue or semi-Thue systems are also very critical. More generally, the malicious cryptology domain offers a lot of open problems.

Beside of scientists as yourself, other people have researched computer virus technology as well. Have you had or do you have contact to those hobby-viruswriters? Have you ever met some of them in real life? What do you think about people who discover and develope new techniques for computer viruses and release the source code publicly-available in the internet?

In fact, there are unfortunately very few malware and virus technology academic researchers. They fear to be blame by the academic community which is itself heavily financially supported by the AV industry. You cannot imagine how it has been difficult to create and launch the Journal in Computer virology. The community tried to intimidate Springer Verlag (the world largest scientific publishing house). They spread rumors against me. So any academic who intends to have a career will never work on those "rogue subjects". Upt o me it is some sort of intellectual terror and intimidation. There is no forbidden knowledge there are only forbidden uses. Happily, it is now forbidden to burn people on public places. But the AV industry, to protect its commercial interests operates like the holy inquisition. The consequence is the lost of knowledge (for example 29A is no long active) and no serious studies are performed in universities and only in military labs. So I think that it is very important to open knowledge and to spread it. I am terrified by the fact that in the USA you can distribute millions of weapons that actually kill people and you cannot publish malware source code. Remember all the troubles that Mark Ludwig had to face when he published his books. So publishing source code malware is very important since it is the only way to learn and prepare for the protection. And it is an issue of knowledge freedom. Now I think that the most clever way to do it is not to publish source code (the instance) but to teach of the underlying concepts which are mostly of mathematical and algorithmic nature: it is better to teach how to fish than distributing fishes to hungry people. I have noticed that the AV industry does not understand a single line of mathematics but is able to identify lines of code. I consider that my papers on Formal grammars, K-ary malware, tau-obfuscation, processor-dependant malware are far more potentially dangerous than simply releasing source code. But who would dare forbid mathematical results. The AV community is too narrow-minded to understand that.

I have never met malware writers, unfortunately. I was in contact by email and tries to help them in the best way.

In the end of 2005, you launched the research magazine "Journal in Computer Virology", where you are still the Editor-in-Chief. Can you please explain what were your intentions and goals creating this journal and? You mentioned problems caused by the AV industry - what did they do and are they still trying to interfere? Do you experience that this academic field of research gets more accepted for the last few years? Do you have some good advices for young academics who want to work in this field?

In fact before this journal (and before I won an academic award for my book on computer viruses) computer virology was considered as a bad guy activity and as just code writing of course by those that still consider that computer virology should be the monopoly of the AV community (the bona fide researcher in other works). I wanted to show that computer virology is a true science with formal and mathematical background and to promote serious and independent research in this field. At that time, for a young academic (mostly PhD student) it was impossible to publish scientific work related to computer virology. It was a shame and you were considered like a witch who would be worth to be burnt. The AV community tried to prosecute Springer Verlag, to threat and to intimidate but Springer has been very courageous (that is why I like Springer, the best scientific publisher in the world). Then they tried to present me as a bad guy. But I became the scientific director of EICAR. I have been banned from Virus Bulletin conference. But now the AV community has fail and the journal is still alive. For young researcher, I would advice to start from the theory in order to think in terms of class of techniques and not in terms of code instances (the major failure of the AV community). And to keep in mind that studying malware techniques must have a unique goal: to understand what the attackers/bad guys can do or can imagine to make the protection/defense even stronger. Do not fall into the dark side if knowledge. You will lose your soul.

VX Heavens has been closed since March 2012, due prosecution of herm1t. You were among the first public supporters of herm1t, and motivated other researchers to follow your example. What were your thoughts when this virus-related library was closed? VX Heavens exists for many years, why did they investigat against herm1t now? What is your prediction for the next steps in this case? Has the shutdown influenced the research of scientists like yourself?

This story is not very clear. I do not want to make any comments that could be misinterpreted by the Ukrainian justice and then put Herm1t into jeopardy. But I cannot reject the idea that the AV community is behind by a way or another. Since a few months many initiatives like VxHeavens have been in trouble or have closed (the best example is the offensive computing website which was very useful). The existence of sample database which are independent, and not under some remote control of the AV community is something difficult to find nowadays. It is clear that the AV community do not want independent testing and research (one of the main issue debated during the last two EICAR conferences). I sternly hope that this prosecution is a mistake and that the Ukrainian court will acknowledge that it was a stupid prosecution. Let wait and see. But if things would went wrong, I think that it would be worrying for the freedom of knowledge. But I want to remain optimistic. A number of hackers and researchers are ready to provide mirrors of VxHeavens or to launch new projects (like Organizers of 2012 intend to invite Herm1t to an invited talk. He will then explain maybe things better I would. And to will be a great honor and pleasure to meet him at last and to pay him for a beer !

What do you think will the future of computer viruses look like? What do you expect in a near future 3-5 years from now? And how might self-replicating codes might be in a distant future 15-20years from now?

Well I am not really optimistic but I am not too pessimistic too. The problem is not malware in themselves. The problem is the lack of security in development, in IT security awareness and education. As long as software vendors, editors will implement their product without any care for security (just wait for the next patch) we will have troubles. As long that it will be possible to steal cryptographic certificates launching more and more attacks will be possible. As long as governments will impose to software editor and security software manufacturers to embed trapdoors it will possible to design high level attacks. The problem is not malware writers. It is people and IT professionals who do not make their job seriously either for laziness and incompetence or for commercial/strategic interest or both.

I think that new malware will use more and more mathematics and malicious cryptography techniques (refer to the chapter I have wrote in Cryptography and Security in Computing, Dr Jaydip Sen ed., Intech Publishing, ISBN 978-953-51-0179-6 [free book] about Malicious Mathematics and Malicious Cryptology; it is only a very partial part of what I have in mind). We already work of what will be quantum malware for quantum computing. Malware will just adapt to the evolving ecosystems. New platform, new OS will bring corresponding malware. The only change will occur with the increased used of theoretical concepts and with new operational approach. I think that in the future we have to worry about attackers able to design malware while using sophisticated mathematical concepts and thinking like infantrymen for the tactical use.

Quantum malware - this sound fantastic. Could you please explain a bit more what you mean by that? What has already been acchieved and what are your goals? What is the effect of the No-Cloning-Theorem on quantum malware?

Well, at the present we try to use the simulation of quantum computer by classic computer to validate some interesting concept around metamorphism. But beyond a few, limited validation the idea are more theoretical than practical. If someone is ready to offer a quantum computer...

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka