Malware hidden by hackers, found with reverse engineering technology

Demand for cyber security is increasing significantly as cyber storms grow worldwide. There is also fierce competition for global technology hegemony to occupy the rapidly growing market. GDNET Korea meets next-generation security companies with globally competitive technology in a series of relay interviews to examine the potential of cyber security as a national strategic industry. [Editor]

Email, essential for work, is the best way for hackers to spread malicious code inside a company. This is supported by a survey finding that 75% of domestic hacking incidents were conducted through e-mail. To avoid suspicion, hackers cleverly hide malicious code in ordinary document files or image files rather than in ‘EXE’ executables. This is why security education that says ‘do not click on files attached to suspicious emails’ struggles to keep up with attack techniques that evolve day by day.

Security technologies are also developing to find malicious code hidden in these non-executable files. Security has secured a high diagnosis rate through reverse engineering technology developed by a vulnerability analyst. Reverse engineering is the technique of working backward from a finished file to trace how it was designed. The company's technology turns the reverse engineering technique that vulnerability analysts use to analyze malware into an algorithm.

The only key curator is the only malware detection solution in this way. “Signature-based detection, behavior-based detection, and content harmless (CDR) technology complement all the shortcomings of existing malware detection technologies, and the diagnosis rate is high, and the detection speed is fast and there is no document damage at all.” Proud technology.

Security has attracted 20 billion won in cumulative investment in recognition of its technology and marketability. It is also preparing to list this year. The company plans to begin full-scale overseas expansion with the funds secured through the listing. Overseas sales are already coming in from Saudi Arabia and Malaysia, but its ultimate ambition is to become a Korean security solution that is recognized in the US market.

“We will grow into a company that is recognized in the United States and grow into a group value.” I met with the representative of Security, who voiced this ambitious aspiration.

-There are already various malware detection methods. What are the limitations of existing technology?

“In the past, someone once filtered out an infection is the ‘signature-based detection’.

There is also a technology called ‘content harmless’ that removes potential malware from the document. Since macros, action scripts, and JavaScript can be malicious while using the normal functions of documents, it is a technology that removes all of these functions if they are included and recombines the document. The original document may be damaged during recombination, which often makes users feel uncomfortable. It is also difficult to find malware hidden in a font or table.

There is also a ‘behavior-based detection’ solution that runs a file once in a sandbox environment. It can diagnose unknown malware, but the disadvantage is that hackers can find ways to bypass it. They are making malicious code that does not work at all in an actual sandbox virtual environment. In addition, it takes about 5 minutes because it is necessary to observe the behavior.”

-How does Security’s reverse engineering work?

“Only those who have made malicious code know how it works. The analysts must judge whether it is malicious or normal. It is a reverse engineering technology in vulnerability analysis.

We automate reverse engineering and have the technology to find potential exploit factors in a debugger when files come in. It is a technology that diagnoses at the exploit cause stage.

For example, because a PDF file is a non-executable file, it cannot do anything by itself. Malicious behavior occurs when the document is opened through Acrobat Reader. We complete the reverse engineering of Acrobat Reader and determine whether the file is malicious or normal according to the algorithm at each point. Understanding of and expertise in file formats are needed. We know what a normal file has, and our competitiveness is that it is possible to analyze malware.”

-How did you automate what the original analysts did manually?

“I have studied vulnerability analysis since I was in college, and I worked as an analyst at AhnLab before starting Security. It is very sophisticated that I am vulnerable because I am vulnerable, so it can be different in terms of detail, but there is something in common in the fundamental principles that cause an exploit. I noticed it, and as I kept analyzing at the assembly level, the pattern began to show.

In the debugger, I also set breakpoints at the assembly level and tracked the CPU registers, so I felt that I could make it an algorithm. I wanted to make repetitive things into a program so that people only need to study algorithms. So I even started a business.”

-In what ways is the reverse engineering method ahead of existing methods?

“Most hacks come through non-executable files, but existing signature-based and behavior-based solutions do not diagnose non-executable files well. The method that diagnoses non-executable files well is the reverse engineering method, which diagnoses malware at the assembly level. It is possible not only to find unknown malware, but also to find potential vulnerabilities that have not yet been expressed because of the lack of a working environment.

The actual diagnosis rate is also high. The Korea Internet & Security Agency (KISA)’s APT solution performance evaluation shows that the diagnosis rate is 100%. There is no perfect security solution (in the actual environment, as opposed to the evaluation environment), but I can say it is better than competing products.

In addition, the diagnosis is fast. GS certification confirmed that it takes an average of 45 seconds. Diagnosis speed is very important for bulletin boards and destruction environments where documents must be processed in real time.”

-Beyond e-mail, how do malicious file detection solutions apply in the bulletin board or destruction environment?

“Public institutions receive a lot of documents from the complaints through the bulletin board. At this time, malware may be planted in the file posted on the bulletin board. It’s too long, but it’s too long to divide static analysis and dynamic analysis so that civil complaints can be uploaded and the staff can see them in real time.

There are also products for the network environment. If the business network is separated from the external network and the Internet, it diagnoses whether or not to bring in a document file from the outside.”

-What is your business performance so far?

“At first, it was a completely new solution, so it was very difficult to lead to the introduction.

We did not work in a way that chases short-term achievements in front of our eyes, but tried to operate from a long-term perspective. Immediately after the founding, I received about 2 billion in investment from Korea Investment Partners, so I could start operating with a vision of technology. Now, the cumulative investment amount is nearly 20 billion.

We also introduced our diagnosis rates and introduced a few national institutions where security is important. Currently, there are many cases of the Friendship Business Information Center, the National Health Insurance Corporation, KEPCO, and the Korea Internet & Security Agency.

Last year, the company’s sales amounted to about 2 billion, but this year, the goal is to achieve 7 billion. It has doubled every year, but this year it is set to grow threefold. There is wider recognition in the market that this solution is needed, and awareness of the company is accumulating.”

-Do you have any overseas business results?

“Saudi Arabia, Malaysia, etc. are already using our products. Saudi Arabia is helping our business because a government fund is one of our investors. It is provided as a cloud product. There are also 3,000 pieces of malware detected per month.”

-What are your plans in the future?

“First of all, we are preparing for the listing this year. We plan to be active not only domestically but also overseas with the funds secured through the listing. Basically, most malware is a non-executable file anywhere in the world. I believe our solution will work abroad. In order to establish a business that can succeed abroad, R&D investment is required and a lot of manpower is needed.

First of all, the company plans to enter the Southeast Asian market. You have to enter the US market in archery. In order for security solutions to be properly valued in the global market, they must eventually be recognized in the United States. Then you can go to the units. The US cloud security startup CrowdStrike is a new company, but its company value is 60 trillion won. Later, we plan to find strategic investments in the United States.”