Interview with a Webroot Threat Researcher - Marcus Moreno


This month we'll be talking to Marcus Moreno, who works in the Broomfield office with Dan Para, whom we interviewed last month.
 

How’d you get involved in threat research?

 
When I first started working here as a front line engineer, I was hand-picked to do additional training on threat research, particularly on ENZO, which is our determination database. After learning most of the ins and outs of ENZO, I was offered a position as a threat researcher.
 
What’s the most challenging piece of malware that you’ve run into?
 
I would have to say any type of file infector is the most challenging piece of malware that I run into - particularly Expiro. Expiro seems to be the hot commodity that everyone is getting infected with. It injects malicious code into legitimate files. Replacing those files can be a pain depending on the severity. [note - detection for Expiro was added to WSA in version 8.0.4.57]
 
Tell us a bit about the fantasy football league you run
 
I first got into fantasy football back in 2012 when a friend invited me to play in his league. I was skeptical at first, but it ended up being very fun for me. Plus I won 1st place. I heard some of the guys around the office playing it too. So I figured I'd start a league here at the office. We're going into only our second year, but we're getting a good kick out of it! 
 
Favorite game or gadget that you have right now?
 
I have a Raspberry Pi that I converted into an emulation station. My son and I are able to play basically any game made in the 90's on any console. He only plays Donkey Kong and Super Mario World for SNES. I like to mix it up. Lately I've been playing a lot of NBA Jam and Street Fighter. It's a good time for us.
 
Who is your role model?
 
This one's tough. I really don't think about this that often. I would have to say my dad. He's a BAMF. He grew up in Mexico (along with my mom), and they were migrant workers in the 70's and 80's. He was finally able to land a job at Coors in Golden in the early 90's. I say he's my role model because he taught me so much about life in general. I feel that I have a good work ethic, mainly due to him. He's also able to fix anything. And I mean ANYTHING. He rebuilt his car, built our unfinished basement, fixed my fake Rolex back in high school, plumbing issues, builds things out of wood, welding...basically anything. I used to help him fix cars when I was younger and I learned a lot. The type of thinking I use when working on a car is the type I apply when working on computers.
 
--
 
Thanks for helping us get to know you better Marcus!  
 

20 replies

Userlevel 7
Nice interview, Nic...you are getting a dab hand at this. ;)
 
Always wondered about life as a Threat Researcher...and now I have a little more insight...many thanks, Marcus.
Userlevel 7
Badge +54
Thank you Nic, another great interview. It is great to see those behind the scenes, the ones we never see but who keep us all protected. Thank you Marcus.
Userlevel 7
Badge +62
Thank you Nic! Great to see the Man behind the scenes as well! 😉
Userlevel 7
Thanks Nic. Wonderful interview. Thanks for sharing all that with us Marcus and thanks for keeping devices protected. 🙂
Userlevel 6
Thank you for introducing Marcus Moreno to us Nic!
 
Interesting and enjoyable interview!
Userlevel 6
I've got two more general questions on the job of a threat researcher.
 
  1. What does your daily work look like? With the huge amount of new malware every day I wonder how one can keep up analyzing it.
  2. What are the most important skills needed in the job? And do you need to know certain programming languages?
It would be great if the community or even one of the stars could answer my questions 🙂
Userlevel 7
Badge +56
Sorry I took so long to reply, Marcus, I just got lost in time! Nice to meet you and see you again. ENZO was so cool to see in action when I saw it during my visit! One question that I forgot to ask: what does ENZO stand for?
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +56
Marcus is actually out on paternity leave right now, so I'll see if one of the others can jump in and answer the questions.
Userlevel 7
Badge +35
@ wrote:
I've got two more general questions on the job of a threat researcher.
 
  1. What does your daily work look like? With the huge amount of new malware every day I wonder how one can keep up analyzing it.
  2. What are the most important skills needed in the job? And do you need to know certain programming languages?
It would be great if the community or even one of the stars could answer my questions :)
Good questions!
 
1. A good majority of our day is spent using our ENZO research database hunting for malware and adding new detections. Being cloud based and having researchers spread out over the world helps us keep up with all of the new malware that comes in. 
 
2. The most important skill is the ability to learn and adapt - the malware landscape is constantly changing, and we have to change with it in order to keep up. Understanding how malware works and knowing how to spot malicious behaviors vs. legitimate behaviors are also important skills, as well as general Windows troubleshooting skills. Most of us tend to have an IT background that involves manual malware removal. A programming background definitely helps, especially when it comes to the more advanced levels of analysis.  
 
-Dan
 
 
 
Userlevel 7
Badge +35
@ wrote:
Sorry I took so long to reply, Marcus, I just got lost in time! Nice to meet you and see you again. ENZO was so cool to see in action when I saw it during my visit! One question that I forgot to ask: what does ENZO stand for?
 
Thanks,
 
Daniel ;)
You'll actually get two different answers to the origins of the name ENZO depending on who you ask. The most common one you'll hear is that it comes from Enzo Ferrari or the Ferrari Enzo model - a fast database named after a fast car.
 
The story I initially heard when we were first in talks with Prevx is a bit different though. ENZO was named after Ensor, a character from the British science fiction series Blake's 7. Ensor was a scientist that built a supercomputer named Orac, and ORAC was the name of the database that preceded ENZO at Prevx.
 
-Dan
Userlevel 7
Badge +56
Great one and thanks Dan! 😉 The fast car one sounds better IMHO! LOL
 
Daniel 😃
Userlevel 7
To echo what Dan said, each of the threat researchers goes about their day slightly differently.
 
I myself am on the community, I do support tickets, Android research, Enzo work, training duties, sample testing and I will talk to customers if needed. Some of the guys on the team do Mac research, some do purely Enzo work, some are exclusively Android, some of the guys do more testing etc. It depends on your skillset and/or your interests.
 
Since malware is so varied (on a number of platforms) it's very hard to be brilliant at everything...not a problem I have of course :D
 
 
 
....gets coat
Userlevel 6
Thanks Nic and very nice interview Marcus. And by the way Marcus, any fantasy league tips, feel free to slip under my door! ;)
Userlevel 7
Of course, makes sense now...ORAC, Blake's 7, Ensor, etc...wonder why I did not spot that earlier...doh
Userlevel 6
@ wrote:
@ wrote:
I've got two more general questions on the job of a threat researcher.
 
  1. What does your daily work look like? With the huge amount of new malware every day I wonder how one can keep up analyzing it.
  2. What are the most important skills needed in the job? And do you need to know certain programming languages?
It would be great if the community or even one of the stars could answer my questions :)
Good questions!
 
1. A good majority of our day is spent using our ENZO research database hunting for malware and adding new detections. Being cloud based and having researchers spread out over the world helps us keep up with all of the new malware that comes in. 
 
2. The most important skill is the ability to learn and adapt - the malware landscape is constantly changing, and we have to change with it in order to keep up. Understanding how malware works and knowing how to spot malicious behaviors vs. legitimate behaviors are also important skills, as well as general Windows troubleshooting skills. Most of us tend to have an IT background that involves manual malware removal. A programming background definitely helps, especially when it comes to the more advanced levels of analysis.  
 
-Dan
 
Hi Dan and thanks for answering my questions!
 
The work of a malware researcher has always been kind of interesting to me.
Is there some more information available about ENZO? I've heard of it a few times but didn't find any detailed information on how it works.
 
 
Userlevel 6
@ wrote:
To echo what Dan said, each of the threat researchers goes about their day slightly differently.
 
I myself am on the community, I do support tickets, Android research, Enzo work, training duties, sample testing and I will talk to customers if needed. Some of the guys on the team do Mac research, some do purely Enzo work, some are exclusively Android, some of the guys do more testing etc. It depends on your skillset and/or your interests.
 
Since malware is so varied (on a number of platforms) it's very hard to be brilliant at everything...not a problem I have of course :D
 
 
 
....gets coat
Hi @ !
I've almost overlooked your response :(
 
It's nice to see that you have many different possibilities at Webroot; of course like you've said it's hard to know and master everything so it makes sense to focus on some parts.
 
Userlevel 7
Badge +56
@ wrote:
Thanks Nic and very nice interview Marcus. And by the way Marcus, any fantasy league tips, feel free to slip under my door! ;)
I'm joining his league this year and I've never played before. So we'll see how I do 🙂
Userlevel 7
Badge +62
@ wrote:
@ wrote:
Sorry I took so long to reply, Marcus, I just got lost in time! Nice to meet you and see you again. ENZO was so cool to see in action when I saw it during my visit! One question that I forgot to ask: what does ENZO stand for?
 
Thanks,
 
Daniel ;)
You'll actually get two different answers to the origins of the name ENZO depending on who you ask. The most common one you'll hear is that it comes from Enzo Ferrari or the Ferrari Enzo model - a fast database named after a fast car.
 
The story I initially heard when we were first in talks with Prevx is a bit different though. ENZO was named after Ensor, a character from the British science fiction series Blake's 7. Ensor was a scientist that built a supercomputer named Orac, and ORAC was the name of the database that preceded ENZO at Prevx.
 
-Dan
Hello Dan! I missed your response Friday and I simply have to say I enjoyed the feedback!
 
Thank you very much!! :D
The Raspberry Pi is an awesome little device and that's a wonderful use for it.
Userlevel 7
@ wrote:
Marcus is actually out on paternity leave right now, so I'll see if one of the others can jump in and answer the questions.
Odd... he doesn't look pregnant in the picture!
😃