Gary Warner

November 5, 2014

Malware Threat Intelligence

Gary Warner is the director of research in computer forensics at the University of Alabama at Birmingham. His work focuses on developing investigative tools and techniques for analyzing digital evidence in the areas of spam, phishing, and malware. Warner supervised the creation of the UAB PhishIntel system, used by more than 300 law enforcement and financial crime investigators, and the UAB Spam Data Mine which analyzes nearly a million spam messages every day for early threat detection. He has received awards for his contributions to fighting digital crime from Microsoft, the FBI, the National Cyber Forensics and Training Alliance, BankInfo Security, and the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG). In early 2013, Warner co-founded Malcovery Security and serves as its chief technologist.

Warner takes a pragmatic approach to online security and his commitment to protecting the Internet goes back to the early 1990s when, as a young computer scientist, he began volunteering long hours to fighting viruses because, as he said at the time, “our field is putting users all over the world at risk and it’s my responsibility as a computer guy to make sure the tools we made aren’t harming people.”

About this Lecture

The anti-virus industry originally existed to address just one problem, whether a certain file is good or bad. If it is bad, then the file is blocked, deleted, or cleaned; if good, it is allowed. Given that there are now 18 new malware infections per second, the original approach has consistently proven to be inadequate. But more importantly, it provides insufficient knowledge for a number of actions that the presence of malicious file might warrant.

    • How should an incident responder address the presence of a malicious file? Should the responder delete the malware and move on? Or format and reinstall the computer? Or notify the Pentagon?
    • How should a corporation possessing personally identifiable information and sensitive intellectual property respond? Has the malware enabled a data breach? Does the corporation need to alert customers? Or will the malware merely send out spam messages advertising fake Viagra?
  • How should a law enforcement officer respond to the malware? Is it a single occurrence of a rare trojan horse written by a high school student? Or is this one instance of a multi-million node botnet that has stolen $100 million?

Warner explains some of the implications of treating each malware sample as a stand-alone instance and offers some alternatives that should shape how we respond to malware, how we investigate malware, and how we research the malware solutions that will replace today’s malware-fighting technologies.

Due to technical difficulties, the video of Gary Warner’s presentation
was lost and only a portion of the audio remains.

Helpful Links

Why Do We Call It Cyber Crime?
Warner talks at a TEDx event

Rock Center: Easy Money
Warner helps FBI crack $70 Million cybercrime ring

Cybercrime Center
Warner’s group at the University of Alabama, Birmingham