Interview with a malware hunter: Pieter Arntz

Welcome to our new series: interview with a malware hunter. In these Q&A sessions, we’ll take you behind the scenes to get to know our malware intelligence crew. Without further ado, we present our first victim, researcher, and blogger Pieter Arntz.

Pieter Arntz

Where are you from? Are you still there now?

I’m from the Netherlands. I’m there now, yes.

You speak four languages. What are they? How did you learn them?

I speak Dutch, German, English, and French. We got the basics at school, and I lived in London for a time and in a place near Hamburg, Germany, as well. France was a favorite vacation spot for me, so that’s how I kept my French up to level.

How did you get into cybersecurity?

I started participating in the forums a long time ago, helping people who had computer problems. Because of the people I met in the forums—Marcin, Doug, Bruce, Mieke [Malwarebytes company founders]—I got interested in malware, specifically adware and spyware. They were looking for someone to write removal guides on the forums. I volunteered, so that’s how I ended up in cybersecurity, working for Malwarebytes.

Did you major in computer science? How did you know how to help people with malware problems?

I studied it a long time ago at university, so I had to have some basic knowledge of code. I actually got my bachelor’s in geodesy, so we had to use a lot of computer programs of our own making to put in all the data.

How long have you been a cybersecurity researcher?

Professionally, seven and a half years. I started doing it as a hobby 18 years ago.

When did you join the Malwarebytes team? What made you join?

November 2009 is when I joined. I watched this company grow enormously, and I liked the people that worked here. It gave me a lot of freedom, and it made my hobby into my work, so what else can you want?

What makes you stay? What do you like about this line of work?

I keep on learning. It doesn’t get boring, there’s always something new. That’s what keeps me going. The people I work with, like Adam [Kujawa, Director of Malware Intelligence] and Jérôme [Segura, Malware Intelligence Analyst], know so much that I don’t know, so I’m always trying to pick their minds.

What area of cybersecurity research do you focus on? Why this area?

I specialize in adware. It’s the easiest to understand for me. It’s like a puzzle I can work out. When I started, there were people who were spreading viruses just to make a name for themselves. Now we have to deal with hardened criminals. With the money angle in mind, there is a motive to what they do. And adware is what the majority of people have to deal with nowadays.

What’s the most interesting/impactful discovery you’ve made as a researcher?

I think it was Vonteera, an adware that marked certificates for security programs as untrustworthy. Because of that, people who were infected couldn’t download security programs. I was the first person to find out how they did that. I posted the results on the blog and wrote a fix for it. A few days later, the adware disappeared.
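A check a practitioner might run against the mechanism Pieter describes, as an added example that is not part of the interview and not Malwarebytes’ own tooling: it assumes the adware achieved the “untrustworthy” marking by placing security vendors’ certificates in the Windows Untrusted Certificates store (exposed to PowerShell as the `Disallowed` store under `Cert:\CurrentUser` and `Cert:\LocalMachine`), and the list of vendor names to match is illustrative, not taken from the article.

```powershell
# Added example (not from the interview). Enumerate the Windows Untrusted
# Certificates ("Disallowed") stores and flag entries whose subject names a
# security vendor. Assumption: adware of the kind described above works by
# dropping vendor certificates into these stores so their signed installers
# and downloads are rejected. The vendor list is illustrative only.
$vendorPatterns = @(
    'Malwarebytes', 'Avast', 'AVG', 'Kaspersky', 'ESET',
    'Bitdefender', 'Symantec', 'McAfee', 'Sophos', 'Trend Micro', 'Emsisoft'
)

# Both the per-user and the machine-wide Untrusted stores can be abused.
$stores = @('Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed')

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # Match each vendor name against the certificate subject; escape the
        # name so it is treated literally rather than as a regex.
        $hits = $vendorPatterns | Where-Object { $cert.Subject -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Matched    = ($hits -join ', ')
            }
        }
    }
}

if ($suspect) {
    # Note: Windows legitimately ships some revoked/fraudulent certificates in
    # the machine Disallowed store, so verify each thumbprint against the
    # vendor's published signing certificate before acting on it.
    $suspect | Format-Table -AutoSize
    # To remove a confirmed bogus entry (run elevated for the LocalMachine store):
    # Remove-Item -Path "Cert:\LocalMachine\Disallowed\<thumbprint>"
} else {
    'No security-vendor certificates found in the Untrusted stores.'
}
```

Run it from an elevated PowerShell session so the `LocalMachine` store is readable; a hit whose thumbprint matches a vendor’s genuine code-signing certificate is exactly the symptom described, since a certificate in the Untrusted store overrides its normal chain of trust.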

What’s the biggest cybersecurity “fail” you’ve witnessed?

My previous employer had a synchronized backup to back up the system every hour. When they got a virus infection, they didn’t notice for a week, so all the infected files got written to the backup. So they lost a week’s worth of work. I was very glad I didn’t work in IT there!

Talk to me about a day in the life of a researcher. How do you conduct your research?

I start with looking at forums and see if there are any new things that people are complaining about or having problems removing. I try finding an installer for it using programs such as Cosmos and VirusTotal. If I can’t find it anywhere, I reach out to the users who are complaining and get the infected file from them. Then I look to see if I should write about it—especially if it requires additional user interaction or if it is hard to recognize the infection. Then I check Twitter and Facebook to see if there are any other new trends I need to write about. If I find something that Malwarebytes does not tackle, I let the research team know.

What tips you off that something might be malicious?

I usually can guess if something is malicious by the way it acts and the way it’s presented. If it talks like a duck and walks like a duck, it’s probably a duck. You can always tell if a program has something to hide.

When an outbreak like the recent WannaCry ransomware attack occurs, how does that impact your work?

I was tipped off about WannaCry when I noticed on Twitter that a lot of companies were complaining. People in England were being sent home from the hospital. Alarm bells started to ring. By the time I found out what was really going on, the other researchers in America were online and together we came up with a plan. When we found the sample, everything else stopped, especially since we knew our premium products already protected our customers. Zammis [one of our researchers] started working on reverse-engineering right away. We had to get that information out there so other people could be safe.

What kind of skills does a person need to be a malware intelligence researcher?

You have to be able to follow tracks. Finding the sources of the malware is the biggest part, really. You need logical thinking and enough understanding of coding to be able to decipher the raw elements. A big part of tracking malicious programs down is understanding the money flow, the business model. If they offer something for free that promises everything you ever wanted, and there is no catch, no improved version to purchase later on, how do they make their money?

What advice do you have for people who want to break into the field?

If you really want to make a difference, then try to learn reverse engineering or hacking. If you’re a good reverse engineer, you can work for any company you like.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Writer, editor, and author specializing in security and tech. Content guru. Lover of meatballs.