
Interview with Malwarebytes' founder, Marcin Kleczynski


ande


Malwarebytes started its life as a company in 2004 as a one-man operation, but it wasn’t until four years later that its star product was released, simply called 'Anti-Malware'. Since then the company has rapidly grown to establish itself as a serious player in the computer security industry.


Based on a successful freemium model where users can clean already infected machines for free or get real-time protection for a one-time fee, Malwarebytes Anti-Malware already counts hundreds of millions of downloads and over five billion infections cleaned.

We recently had the chance to chat with founder and CEO Marcin Kleczynski about the company’s early days, the evolution of malware, his views on the industry, and more.

Julio: Malwarebytes was a bootstrapped company and that usually makes for a unique story on how you got started. Tell us a bit about your background, what motivated you and how you went on creating the company.

Marcin: It’s actually a very interesting story. I was working at a computer repair shop in Chicago as a technician during my last year in high school. It was me and the owner of the store. Every time a computer came in we would basically reformat it, regardless if it had a minor infection. Rootkits were still new, Ad-Aware was still the popular software and threats were just starting to evolve. But I never quite understood why we would never try to attack the problem using tools that existed until I got infected at home. When that happened I tried McAfee, I tried Symantec, I tried a lot of stuff and nothing would remove the piece of malware.

This was six or seven years ago. I googled the problem and found a forum called SpywareInfo that was very popular back then. I signed up on the forum, posted my problem and three days later my machine was clean. We went through the typical process, HijackThis logs, running this and that tool... I was very happy that three days later my computer was fixed, but it was still three days later!

So I decided to stick around that forum. They were really cool people, I know a lot of them. Some time after that I started developing very small utilities. One of them was called “About Buster”, which was the first freeware utility that I actually wrote. It tackled a common infection known as about:Blank that typical anti-viruses at the time could not clean. The app started to become popular, I was working individually at the time and someone approached me saying “We have this domain called Malwarebytes, we’re not using it – do you want to buy it from us?” I said yes and that’s how Malwarebytes was kind of unofficially founded.

As I was getting through college about four or five years ago, my college roommate and I started writing a utility called RogueRemover. It tackled a specific type of infection known as rogues, which are basically scams to try and steal your credit card information by tricking you into downloading a fake anti-virus software and warning you about a supposed infection that doesn’t really exist.

RogueRemover ended up becoming the engine that got Malwarebytes Anti-Malware going. I started selling it to a very niche market. I set up a forum where people could report anything that I had missed or any false positives, helping me improve the software.

One guy by the name of Bruce Harrison was a very common contributor. It got to the point where he would report something and I would Google it but couldn’t find any information. He was so quick I actually thought he was working for the bad guys. So I told him, “Hey, listen. I’m working on a product called Malwarebytes. I was wondering if you’d be interested in helping me out. I can’t pay you right now, we don’t have any money. We’re doing this for free.”

He agreed and we worked for a year developing this product. He handled the database side of things while I handled the rest. A year later we had a product. This was January 21st, 2008. It’s when we actually launched our first Malwarebytes Anti-Malware version.


We were very upfront with our community. Every couple of days or so we uploaded the latest database and asked for people’s help spotting things we had missed. That’s been our approach ever since.

Bruce became our VP of Research and he currently manages the team of about 10 researchers globally. We brought on our VP of Development Doug Swanson who was actually a physics PhD student -- we have a very diverse team. He had done some freeware utilities, same kind of story as mine. Doug stopped being a physics student and became a developer for Malwarebytes because he is very good at it.

We brought on Marcus Chung who’s our COO and had previously worked on companies like GreenBorder, which was acquired by Google, and Sygate, which was acquired by Symantec. He helped move things forward from a business standpoint – opened an office in San Jose; brought in our support team in-house; built a sales team, and so on. We’ve just kind of been moving along trying to keep true to our community, keep providing that freeware utility but also try to build a company and sell some products, and be able to improve the technology, so that we can help people protect themselves against malware.

What would you say was Malwarebytes’ big break that made you realize this was actually something you could do for a living?

Marcin: When I asked Bruce if he wanted to work for free and build this Malwarebytes anti-malware utility, I had no intention of ever making a living doing this. It was a side project to help everybody... It was a common problem and I wanted to do my part helping out. That’s still true. I enjoy doing what I do and every time I get a letter saying, “Thank you so much for helping me” it makes me happy.


It finally hit me that we could build a business out of this when Marcus came on and we started selling to businesses. Businesses understand that they can’t get these kinds of products for free because we’ve spent millions of man-hours developing, providing support, and so on. The minute that happened we started working on the enterprise edition, we started doing support for corporate customers, and so on. That was really the turning point for us, when I saw that corporate customers actually wanted to pay for our product and buy in bulk. Now there are Fortune 500 companies that are using Malwarebytes, sports teams, banks, huge companies.

Malwarebytes Anti-malware is a very popular Windows download on TechSpot. You offer this for free and it’s fully functional. What kind of usage data can you share from the consumer side of things?

Marcin: The first thing I should note is that the free product is not necessarily “fully functional”. I mean, if you have an infection you can download the free tool and remove it, we don’t charge you anything for that. However, we do sell a real-time protection module for users that need a more proactive solution with scheduled scanning. We also offer a 14-day trial for this.

We stand by our product and believe users are going to love it so much that many are going to pay to protect their computers. But people don’t pay to get infected, and we’re not going to make them pay to get uninfected. In our website we say that every user has a right to a malware-free existence. That may sound cheesy but that’s what we believe in.

We have a few hundred million downloads and a few tens of millions of active users. But beyond those numbers what we care about is reach, how many people are we helping... We’re working on some form of reporting for the site to show how many people we’ve protected, how many malware infections we’ve removed and so on.


You started this on your own and a lot of helpful people joined your team along the way. But now you have a reputation to maintain, and once you miss one thing, that might be enough reason for somebody to doubt your program. How do you keep up with new breeds of infections?

Marcin: That’s a good question. Let’s start with saying that we are an anti-malware product. We complement your antivirus software, we don’t try to replace it. And even though we have a great detection rate, we never position ourselves as a do-it-all security software.

I mean I only run Malwarebytes on my computer, and many advanced users can probably manage with this as well, but I would never recommend that to the average customer. For my mother, my grandmother, I always recommend a traditional anti-virus because they do go after stuff we don’t: patched files, cookies, and so on. There are different criteria and having a layered security approach is a good idea. Our product is so light that it shouldn’t be an issue.

That being said, we do have 10 researchers on our team who work full-time, and are exposed to all types of malware.

When we started the company I thought there was no way we could keep up with new threats. Antivirus companies have 500 people in research or more. But we were able to scale down the problem. Our team can process three samples that look the same or act the same, write one signature / heuristic for it, and from there it will detect the entire family or even other families of malware. We’re very reliant on being able to use heuristic pattern matching and a combination of signatures to be able to do that.

Our researchers have about 300 different ways they can detect a piece of malware, so they pick and choose which tools they want to attack the malware with, and if it’s done a good job it should actually detect more malware than that specific file. We’ve also built trace detection tools so researchers only need a specific piece of the malware and our engine will go find and filter out the rest.

That takes a huge burden off of our researchers so they do have extra time to spend on certain samples that require it or on potential false positives. We’re very dynamic, our researchers are a very tight group, and they can move very quickly to handle all these things.

So, would you say these algorithms that help the process of identifying threats are a competitive advantage of yours that lets you get a lot done with a relatively small group of researchers?

Marcin: Absolutely. If you think about it, many traditional antivirus programs use engines that were built 15 years ago. They had no idea what malware would look like today. Our engine was built three years ago and that makes it easier for us to adapt as malware evolves.

Tell us about the process of taking community feedback and putting it into your software.

Marcin: We receive community feedback and implement it within two to six hours. We have two sub-forums as part of our larger forum called “False positives” and “Malware contribution”. False positives are a big deal so if we have a researcher online and working at the moment the report comes in, it is typically answered within an hour. Say, for some reason we’re detecting Microsoft Office as malware, someone will report this on the forum and an hour or two later after verifying the false positive we’ll update a new database.

On the other sub-forum, as the name indicates, users can report anything we’re missing and we’ll download it, run it through our automated tools, do as much research on it as we can, and push out an update once we’ve figured it out. These are our users who are reporting malware so we act as quickly as possible. We know some of them might be managing huge networks of hundreds or thousands of computers so speed is important.


Now we’re actually about 50 people strong. These people are working full-time on things like support, sales, forum moderation. I was doing all of this by myself when I first started. Over time the forum started looking a bit loaded, so I optimized some things here and there -- merging some forums, improving descriptions, deleting inactive or spam accounts. I could have handed all this to someone else, but I feel the community is such a critical part of what we’re doing, it’s important to be involved.

What would you say is the difference between a virus and a malware?

Marcin: Traditionally, viruses infected your system and tried to harm it for no specific reason. That’s how traditional virus infections started. Malware, on the other hand, has a specific purpose, usually making money. So you have adware plaguing your machine with annoying ads, spyware stealing your passwords, Dialers which back in the day used your money to call paid numbers, keyloggers, and so on... all categorizable as malware.

Today both terms have started to merge together and become a bit more complicated. The main reason we call our software anti-malware is to distinguish ourselves from old antivirus software. We feel we react far quicker to threats that are hostile. We are more of a rapid detection engine for threats that evolve quickly and are more likely to affect you near term. Antivirus software often fails at that but they are a good support system for threats that have existed for the longest time but might still infect some users. Conversely, if you test our software with viruses that existed 10 years ago and are no longer active, we’d probably fail to detect them.

Would you say people writing viruses just want fame and people coding malware want money?

Marcin: Definitely. I think most of it has really moved into money nowadays, though.

Are infections getting more sophisticated?

Marcin: They definitely are. Things are getting sneakier, that would be one of the best ways to put it. Infections are hiding themselves better, they’re tricking users using social engineering, and often times they are much more legitimate looking than before.

Back in the day when the first rogues came out they used to be very unsophisticated. Just taking a glance at a rogue website, for example, anyone with a bit of experience online could identify it as a scam. There were typos, awkward images, everything looked fake. Nowadays, you could see a rogue site for Microsoft Security Essentials and have a harder time telling it apart from the legitimate one at first glance.

Everything looks very professional, they even have online chat support, prices similar to the actual software they are spoofing, etc. They’re also using advanced technology and rootkits to get around security software or make it harder for them to remove the threat even after a reformat -- that’s one of the first things we look for. It makes you wonder why aren’t more of these guys working for us if they’re so good at this.

Windows' Security, Mobile, Competitors

In your opinion has Windows gotten any better security wise in the past five years?

Marcin: To some extent. Clearly from XP to Vista to Windows 7 there have been attempts to make machines more secure, with the introduction of User Access Control, for example. It was buggy in Vista and kept asking users over and over again if they wanted to allow a certain program to run.

I think it wasn’t very clear to users what User Active Control really was. When people keep seeing the same prompt they don’t think twice, they just click yes. It got to the point that users either disabled it or just clicked allow and got going. And that’s why malware is so successful, people don’t want to be bothered with every little thing, they just click yes and keep doing what they are doing. Windows 7 fixed some of this.


Microsoft has been bundling more and more software to help protect users’ machines, such as Security Essentials and Windows Defender. So, I think that’s been a great leap forward. I don’t feel those products are mature enough as some third-party security solutions, but they are moving in the right direction.

Another thing is that when people think Microsoft they don’t necessarily think security. A lot of people prefer to rely on a third party solution -- especially in a corporate environment.

Same with Internet Explorer. Microsoft’s browser has been moving in the right direction and becoming more secure. You remember Internet Explorer 6. Well, 7 and 8 are far better. But people that are worried about security still use Chrome or Firefox, and for good reasons. A lot of people just choose to use third party software, versus relying on Microsoft software.

Do you see a future for Malwarebytes outside of Windows and on alternative operating systems like OS X and Linux, maybe mobile?

Marcin: We have a website blocking module that basically blocks your computer from ever accessing servers that can contain malware. So, if you visit a website that was hijacked and has an ‘iframe’ in there trying to pull a malicious executable and get it on your system, Malwarebytes will let the page load but block access to the executable from a malicious server. We’re hoping this website blocking module can be ported, we’ve actually started the process to get it on Linux, Mac and mobile platforms.


We expect to have at least that part of our technology available by the end of this year, if not sooner, because it is a very valuable piece of technology that lets users block malware from the source.

The Flashback malware that hit OS X a few months ago, for example, that wouldn’t have been an issue for someone with this blocking module. We would track servers pushing the malware and block them. So, this is just a part of our technology and it’s a start. It could evolve into a full security product for those platforms, but that’s a bit of a tougher issue.

To clarify, this module works only within the browser or is it more like a firewall that monitors your entire network stream?

Marcin: It’s not a browser add-on. It works at the lowest possible level. If you are in your browser, if you’re in Skype. I’ve actually had it block a torrent transfer -- a legitimate download of LibreOffice -- because I was downloading from a peer that had been involved in malicious activity.

There are two more things I want to add here. Let’s say you download a sketchy piece of software, and once you start the installation process, it starts installing malware as well because they get paid money for every installation that people do. This is not an uncommon issue, whether it’s adware or toolbars, some free applications make their money this way. In those cases our IP blocking module detects that connection and blocks it. So you can actually continue your install without installing any malware. So, that’s number one.

Number two is let’s say you download malware from a specific server that we failed to detect. That’s our miss and unfortunately the malware is now installed. However, we can still mitigate part of the problem, because as soon as it starts pulling other malicious software from a server that we do know, we will block that transfer. This can prevent vital components of the malware from being downloaded, thus lowering the risk for you.

How do you think closed ecosystems like Apple's iOS or Microsoft's Windows Phone, which try to proactively filter out malicious software from making it into their stores, will affect your ability to get into the mobile market?

Marcin: That’s a very interesting question. Unfortunately, I’m not well-versed in the mobile market. It seems to me that most of the time smartphones get compromised with malware it’s because the owner installed applications from an unverified source at a third party store such as Cydia or the like. Maybe it’s for the best that these ecosystems remain closed, whereas for desktops it’s a different story. So, yeah, I don’t have an answer to that question right now but those are some of my initial thoughts.

That means you’re not actively looking to get into the mobile market?

Marcin: Not necessarily. It means that we need to find the experience that can help us do that. We've been researching and we do have some prospects. Part of it is porting over some of our technology as I was mentioning earlier. But I personally don't see it as a valuable market today. Potentially in the future and if that’s the case we’ll definitely be in there. I’ve never bought a security product for iOS, and I don’t think many people have. I know they’re already promoting some stuff for Android, though. We need to see where the market is going.

A couple of years ago we heard about an unfortunate incident with another security vendor which took your malware database and used it as their own. Is this the type of thing common in the industry? Were you forced to implement more efficient ways of detecting theft?

Marcin: I wouldn’t say that’s common in the industry but it did happen to us once. A couple of people approached us saying they had found a rival anti-malware product using our database as theirs. So what we did is plant a fake definition into our database and filtered it out on our end so our software didn’t detect it, but theirs did. We called them out publicly. Of course, they played it down and said they weren’t using our database, that it was just a false positive, but this was a file that we built ourselves, nobody had access to it and their software detected it as malware. So it was very easy for us to verify that they were in fact using our database.

We do have some other protections to make sure people can’t easily take a part of the database and reverse engineer how our technology works. So that was a huge wake up call for us and we started taking some additional precautions since then.

Now we do a check every month or so with every vendor just to be sure. But it’s not a common thing in the industry, it hasn’t happened again, not even partially. Reputable security vendors have their own teams and processes and their own way of doing things, so they just focus on that. They don’t need to steal from others.

What has been your experience competing against huge established players like Symantec, for example, which have been around for way longer than Malwarebytes, some of them for a decade or two.

Marcin: The first thing I’d like to point out is that we don’t pitch ourselves as direct competitors to those companies. As I said earlier, we want to complement anti-virus software, not replace it. We overlap in some areas and we do have a great detection rate, but we never position ourselves as a do it all security software.

But to answer your question, I think the very, very huge vendors that have been around for a long time got too comfortable and had to kind of start overhauling their solutions. Speaking of Symantec, for example, it was a great product 15 years ago, a terrible one 5 years ago, and now they’ve gotten much better. They are moving in the right direction. I still think they are a bit resource hungry compared to other solutions out there that are equally or more effective than theirs, though. I mean Malwarebytes is 10MB and can be uninstalled in 30 seconds.

They are doing a good job in some areas. They have 100, 200, or 1,000 times more customers than we have and dealing with all the support and sales part of the business is not easy. We rely a lot on our community. We have people contributing with us freely because they don’t see us as the corporate giant that’s trying to take all their money -- and we’re not. We’re trying to provide a useful service for our users.

So that’s my view. There are a few great products out there, like Avast, ESET, GFI, among others. All of these are reputable companies. We’re compatible with all of them, we’ve even had some business discussions with them about marketing stuff and so on.


Some security vendors get deals with OEMs like Dell and HP to get their software pre-loaded on machines. To be honest, we’re not big fans of this practice because usually what you get is a limited time trial, or one that we wouldn't have chosen in the first place. But it’s one way to get market share. Have you considered or are already doing something like this?

Marcin: We do some of this in a very limited fashion. We work with a small distributor in Utah and a couple of others. But we’re not dealing with HP or Dell, we’re talking about somebody that installs two or three very reputable products and they actually bought the license on the customers’ behalf. So it’s already purchased when the computer reaches the customer’s hands. The other thing we do is white label rebranding.

Basically, we have some deals in place with a handful of companies that sell rebranded versions of our products. They often remove some features to make it as easy to use as possible for a specific scenario, or make some interface tweaks to appeal to a specific demographic.

For example, we license our software to a company that specializes in software for women, and also to companies that sell computers and offer customer support whenever anything goes wrong. I’m not saying any of these are our customers but think Geek Squad, Staples, Home Depot, and the like. That’s just one of the opportunities we’ve taken and it's a growing part of our business.

The most likely source of infection in any computer environment is usually its weakest link: the user. Obviously, that works fine if you are in security software business, but do you think Microsoft and developers of other ubiquitous software like Adobe are doing enough to keep their users safe?

Marcin: I don’t think that these companies are investing enough resources into the security of their products. I think security comes first, then usability. You already mentioned Adobe. Java is another good example. I know they try to fix bugs as fast as they can, but… come on, you need to bring in consultants, you need to bring in the community to help you find vulnerabilities and make it worth their while.


If you look at Google Chrome -- and I think Firefox too – they acknowledge people that find bugs within their software and even offer compensation depending on how significant the flaw is. So there are some things they could do to take the security of their users more seriously and to my knowledge they don’t always do.

Clearly, Java and Flash have been some of the biggest exploitable tools out there and that hasn’t changed much. And people think it’s Microsoft’s fault where it may not always be the case.

One last closing question: What's on your desk? Tell us about the platforms you rely on day in and day out for desktop computing, mobile and any other gadgets.

Marcin: Desktop, pen and paper for writing down ideas, iPhone reminders for anything that comes up during the day and I'm not by my computer. Lightning calendar for scheduling, headphones for taking calls. No other real gadgets.

Thanks for taking the time to answer our questions, Marcin. It's been a pleasure chatting with you. Any closing thoughts for our audience?

Marcin: A message that we want to get out there is that anti-malware and anti-virus software work together. Users should be running both to get sort of a layered security system. We’re starting a campaign around that. Using only an anti-virus is not enough. They’re not as fast as they used to be. We’re here to help fill the gaps.

SOURCE


best malware cleaner



Malwarebytes Rockssssssssssss bigtime



He is 23 :o ...oh boy, I'm impressed. Full story @ http://www.reddit.com/r/IAmA/comments/119cyf/iam_marcin_kleczynski_founder_and_ceo_of/

charm..awesome guy
