Paul Ducklin is head of global support at software vendor Sophos, which has anti-virus labs in both Australia and the UK that research the workings of viruses.
Speaking from its Australian lab, Ducklin said that one of Sophos' aims is to research and understand virus problems, so that it can be as proactive as possible when they strike. "You can't always predict what's going to happen," he said. "It's having the technology and expertise at our fingertips so we can react as quickly as possible when that's necessary."
"Having experience, procedures and infrastructure allows you to do things quickly and effectively; it's not an easy exercise."
Sophos researchers use what Ducklin described as a "dirty" network to run viruses. This is a network of one or more computers that isn't connected to anything outside the room, and the machines are designed to be wiped after each piece of work is carried out.
Safety is an important part of an anti-virus lab, and Ducklin said media, such as floppies or CD-Rs, are generally not allowed out of the lab once they've been brought into the room.
Likewise, the three staff who work in the lab can't read e-mail, access business parts of the vendor's network, or use the Internet from inside the room.
Inside the lab there is also a "clean" network, Ducklin said, where viruses are contained in their pure state. This network is used for examination, comparison and analysis, and as with the dirty network it isn't connected to the outside world.
Figuring out how a virus works is a mixture of analytical work, and sometimes running a virus in a controlled environment on the dirty network to understand better what it's doing, Ducklin said. Tools such as interactive disassemblers are used to go into the file and pull out the executable parts.
There might also be viruses where what's going to execute isn't directly visible in the raw file, because it may convert itself into another format and execute that. Ducklin said it was possible to write programs which allow researchers to look inside the unscrambling that the virus was going to use, and also to observe it in action.
The idea behind all this is for the researchers to be able to write an identity and description, so that Sophos' customers can protect themselves against new viruses as quickly as possible.
Sean McDonald, a virus researcher at the lab in Australia, said that sometimes they've got enough information to release to customers, yet they will continue to work on the virus to see if there's anything else which is important to advise customers on.
Testing is also carried out on identities prior to their release, cross-checking the ability to detect the virus and making sure that innocent files aren't being condemned, Ducklin said.
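As an added illustration of the release-testing step described above (example code written for this page, not Sophos' own tooling), the harness below runs a candidate identity against both a set of known virus samples and a corpus of clean files, and only marks it fit for release if it detects every sample and flags no clean file. It assumes an identity is a byte pattern with optional wildcard positions, a common shape for simple code-fragment signatures; the samples, the clean files and the two identities are all constructed for the example and contain no real malware.

```python
"""Identity release check: detect every known sample, condemn no clean file.

Added example, not Sophos' code. Samples and identities are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    # Each entry is an exact byte value, or None for a wildcard ("??")
    pattern: Tuple[Optional[int], ...]

    @classmethod
    def parse(cls, name: str, hex_pattern: str) -> "Identity":
        # "e8 00 ?? 5e" style: "??" marks a byte that varies between variants
        tokens = hex_pattern.split()
        return cls(name, tuple(None if t == "??" else int(t, 16) for t in tokens))

    def matches(self, data: bytes) -> bool:
        # Slide the pattern over the file; wildcards match any byte
        n = len(self.pattern)
        for i in range(len(data) - n + 1):
            if all(p is None or data[i + j] == p for j, p in enumerate(self.pattern)):
                return True
        return False


def check_identity(identity: Identity,
                   virus_samples: Dict[str, bytes],
                   clean_corpus: Dict[str, bytes]) -> Dict[str, object]:
    """Cross-check detection (no misses) and innocence (no false positives)."""
    missed: List[str] = [n for n, d in virus_samples.items() if not identity.matches(d)]
    false_positives: List[str] = [n for n, d in clean_corpus.items() if identity.matches(d)]
    return {
        "identity": identity.name,
        "missed": missed,
        "false_positives": false_positives,
        "release_ok": not missed and not false_positives,
    }


# Constructed samples: two "variants" sharing a decryptor-like stub that
# differs in one operand (bytes 10 40 vs 20 40), followed by different payloads.
SAMPLES: Dict[str, bytes] = {
    "variant_a": b"MZ\x90\x00" + bytes.fromhex("e8000000005e81ee10400000b9200000") + b"payload-a",
    "variant_b": b"MZ\x90\x00" + bytes.fromhex("e8000000005e81ee20400000b9200000") + b"payload-b",
}

# Constructed clean corpus: an innocent program that happens to share the
# first few stub bytes, and a plain text file.
CLEAN: Dict[str, bytes] = {
    "hello.exe": b"MZ\x90\x00" + bytes.fromhex("e8000000005e") + b"Hello, world!",
    "notes.txt": b"just some plain text with no code in it",
}

# A well-chosen identity: long enough to be specific, wildcarding the operand
# that differs between variants.
IDENTITY_WILDCARD = Identity.parse("Example-Stub", "e8 00 00 00 00 5e 81 ee ?? ?? 00 00 b9")

# An over-short identity: catches both variants but also condemns hello.exe.
IDENTITY_TOO_SHORT = Identity.parse("Example-Stub-short", "e8 00 00 00 00 5e")


if __name__ == "__main__":
    for ident in (IDENTITY_WILDCARD, IDENTITY_TOO_SHORT):
        print(check_identity(ident, SAMPLES, CLEAN))
```

The second identity shows why the clean-corpus pass matters: judged on the virus samples alone it looks perfect, and only the innocent file reveals that it is too generic to ship.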
However, not all anti-virus lab analysis is of viruses, Ducklin pointed out. He said it also assisted in answering questions from customers about suspicious files.
"The glamour part of the job is what the public can see when there's a really widespread new virus," he said. The invisible side is looking at lots of other stuff to understand what is viral, and how programs and operating systems work, Ducklin said.