Thompson Cyber Security Labs (TCSL) is dedicated to performing malware research and anti-malware testing, and was founded originally by Roger Thompson. Since 2017, the company has shifted its primary area of research to firmware, as the underlying problem that the world now faces. Roger points out that there are something of the order of a million new, and unique, pieces of malware each day, but these are nearly all running at the application level, and most are programmatically generated variants of a relatively small number of malware families, and most are ransomware, or some form of crimeware. Not unreasonably, most antimalware companies are focussed on these, but Roger thinks there is a deeper problem... the firmware... anything malicious that is running in the firmware will be invisible to most antimalware products.
Roger describes himself as a first generation antivirus guy, an innovator, and a serial entrepreneur, having developed several "firsts", and having started and sold a number of companies, over the last thirty years.
In his personal life, he is an accomplished musician, and chess player, and he and his wife have twelve children, eight of whom are adopted. He believes that we should never stop learning, and his personal motto is "Always a beginner".
He got started in 1987, when computer viruses were brand new. He was runnning a team of contractors doing Oracle development in the state government, in Queensland, Australia, when two things happened.
The first thing was that everybody in the department was running an unlicensed copy of a program called Smartkey, and word came in that Microsoft was doing raids on government departments, looking for unlicensed software. The department panicked, and ordered about a hundred copies of Smartkey. Roger remembers being both amused and pleased for the Smartkey author, and impressed. He decided right then, that while he was making a great hourly rate as a contractor, it would be better to write one piece of software, and have everyone in the world buy a copy.
The second thing was that he got a virus.
Or rather, he thought he had. He had heard about "viruses", and assumed they were just a "press beat up" or an exaggeration, and then everything changed.
He turned on his computer one day, and out through the speaker came the Mushroom jingle. (The mushroom jingle was an advertisement for an air freshener, at the time.) In those pre-Windows days, having a computer play music through the little tweeter was entertaining, and amazing. He quickly found a program called "Mushroom" in the autoexec.bat file, and gave it to all his contractors, saying, "This is great! Put it on everyone's computer."
A few days later, he was teaching a programming class at the local college, and one of his students said, "Have you heard about Mushroom? It's a virus."
He could see lawyers getting ready to sue him, so he thought he'd better do something about it, and started thinking.
He quickly realized that all the data recovery programs at the time were designed to find "lost" data, but not things that wanted to hide, and there was simply no way to find something hiding in the Master Boot Record, or the Dos boot record, or in the slack space in clusters at the end of files, or a bunch of other places, and he immediately set out to fix that.
He had a friend who had written a program that would catalog all the files on a disk, and he said to the friend, "If you modify your program to calculate a checksum for each of these programs, and then compare them each day on boot, we will have an antivirus program, and everyone in the world will need it." His friend agreed, and so Virus Buster was born.
Looking back, he finds it amusing that Mushroom actually turned out to be innocent. It was the first false positive, but by the time he had figured that out, he had developed reverse engineering skills, and some pretty good antivirus software, which came in handy as real viruses started to spread.
Roger likes to say that life, like music, is all about timing.
By 1990, his company, Leprechaun Software, had 60% market share in Australia, and he decided throw his hat into the big ring, and in 1991, moved to the United States, to start Thompson Network Software.
Roger's principal innovations during this period, were Network Security Organizer, or NSO, and Macro Virus Track, or MVT.
The dominant network at the time was Novell Netware, and the dominant malware problem of the time were program-infecting viruses, which would spread across the network. Roger realized that this issue could be solved by setting Netware to deny write-access to program files, but allowing it to data files. The problem was that there was no way to tell which users had write access to program files. NSO would analyse the network, and figure this out, and allow network admins to properly secure their network.
This was pretty cool, and innovative, and the only product of its type, but ... again ... timing...
In 1995, Microsoft released Windows 95, the first protected mode operating system. This was an extinction level event for the malware of the day, Dos boot viruses, and Dos program infectors, as they could not operate in a protected mode environment, and no one knew how to write Windows-infecting malware. Yet.
But one hand taketh away, and the other hand giveth back. Office 95 was released at the same time, and it had a powerful version of Basic as a macro language. Almost immediately, the first Macro virus was released. The antivirus industry dubbed it Concept, as it had a Payload function, that contained a line saying, "And that's enough to prove my point." No one knows who wrote it, but the idea took off, and macro viruses started appearing everywhere.
At first, no one knew how to parse the compound files that make up a Word doc, but Roger discovered that he could write a special type of DLL, called a WLL, which had access to the insides of a document, and he designed Macro Virus Track, again an innovative solution to the problem of the day.
Macro viruses continued to be a problem for the next four of five years, until Office 2000 was released, which had better security, and proved to be an extinction level event for macro viruses, but, in July 2001, the Code Red worm was released, and spawned slews of copycats, and variants of network worms, blasting across the Internet.
In response, Roger wrote the first (or one of the first) distributed honeypots, that he called WormCatcher. WormCatcher would listen on ports known to be being attacked by worms, and would pretend to be a vulnerable IIS server. It would capture the attacking worm, and send it back to Roger for analysis. It was running when Nimda blasted into existance, in September of 2001. As anaside, Roger learned to not forward such reports to his pager, and also learned, the hard way, what a DDOS was.
Nevertheless, network worms persisted as the problem of the day, until 2004, when XP service pack 2 was released. The firewall was on by default, for the first time, and Roger knew that this would be an Extinction Level Event for network worms, but he also knew three things:
(1) The Bad Guys would not be stopping
(2) exploits coming from malicious websites would not be stopped by the firewall, because the session originates from inside the firewall, and is thus trusted, and,
(3) exploits are hard to write, but easy to copy.
He realized that what was needed was something that could scan traffic as it came off the network wire, but before it got to the browser, and in 2005, he designed LinkScanner to do just that, and founded Exploit Prevention Labs, to develop and sell it, and in 2007, AVG agreed, and bought Exploit Prevention Labs.
In 2017, he shifted his focus to analysing the security issues around the Unified Extensible Firmware Interface (UEFI), and general BIOS analysis, as he believes this is the next battlefield.
Contact: Roger Thompson