Thursday, May 31, 2007
The last two days I was visiting Amsterdam for a consultancy job. I visited as well the HQ of McAfee Netherlands to have a good chat with my friends George Doukatelis and Marius van Oers. When I arrived at my hotel I was asking for a wireless internet connection. 'It's not a problem' told the receptionist. 'It will cost you 5 Euro's for each hour as it was not included in the price of your room.' I rejected and wanted to find out if I could find maybe some other open connections. You guessed it: over 50 connections could be found at my hotel room with about 25 open (unprotected) wireless connections. So the internet connection was very cheap for me or my company... well I didn't try anything bad of course ... but it's indeed terrible. I tried to walk up on the street where I did find loads of other open connections. It seems that Amsterdam is not only well known for the openess about sex but also for the wide open wireless connections: the real hacker's paradise in my opinion. In the evening I went to a nice Michelin Guide recommended restaurant (see picture) with fair prices. I must say that I personally also recommend this good restaurant to anybody visiting Amsterdam. It's called 'Het TuynHuys' and it's located at the Reguliersdwarsstraat 28. And you can even pickup over there open wireless connections...sigh.
Tuesday, May 22, 2007
iTunes WAVCi channel opens!
Hi Blogreaders and YouTube watchers,
Several people asked me to make my vodcasts available via iTunes.
Well it's done! You can sign up to my iTunes channel
at the following link.
Or of course you could just try a search
on my name, WAVCi or malware at iTunes
and you will find the official
'WAVCi Lab Security Cast with Eddy Willems'.
Please send all your feedback to the podcast email address
mentioned during the broadcasts.
Several people asked me to make my vodcasts available via iTunes.
Well it's done! You can sign up to my iTunes channel
at the following link.
Or of course you could just try a search
on my name, WAVCi or malware at iTunes
and you will find the official
'WAVCi Lab Security Cast with Eddy Willems'.
Please send all your feedback to the podcast email address
mentioned during the broadcasts.
Sunday, May 20, 2007
My second YouTube broadcast is launched!
I just launched my second WAVCi lab broadcast at
YouTube. You can find this posting at
http://www.youtube.com/watch?v=T7vqdcDstOs .
The item this time:
Targeted malware attacks are underestimated.
You can subscribe and view the complete channel at
http://www.youtube.com/WAVCI .
The broadcast is dedicated to anti-malware, viruses and
security. It is created in a different way compared to
other security broadcasts.
The whole broadcast depends also on what you want. So please
send your reactions to the mailbox I'm mentioning during
the broadcast. It's you who decide what I will do with
the broadcast in the future.
If you want to download this Vodcast in mp4 format(Ipod)
you can do this via the link (26 MB)
http://www.wavci.com/podcast/wavcilab2.mp4 .
Next time I will have a very controversial item to discuss, stay tuned!
And don't hesitate to send your reactions to my podcast mailbox.
YouTube. You can find this posting at
http://www.youtube.com/watch?v=T7vqdcDstOs .
The item this time:
Targeted malware attacks are underestimated.
You can subscribe and view the complete channel at
http://www.youtube.com/WAVCI .
The broadcast is dedicated to anti-malware, viruses and
security. It is created in a different way compared to
other security broadcasts.
The whole broadcast depends also on what you want. So please
send your reactions to the mailbox I'm mentioning during
the broadcast. It's you who decide what I will do with
the broadcast in the future.
If you want to download this Vodcast in mp4 format(Ipod)
you can do this via the link (26 MB)
http://www.wavci.com/podcast/wavcilab2.mp4 .
Next time I will have a very controversial item to discuss, stay tuned!
And don't hesitate to send your reactions to my podcast mailbox.
Thursday, May 17, 2007
Targeted attacks are underestimated and not only in Belgium!
Two days ago, I launched this to the press:
"NOXS Press Release (May 15 2007) : Targeted attacks are underestimated in Belgium.
Targeted spyware attacks found in the neighborhood of a well known shopping area in Brussels,Belgium
Eddy Willems, Anti-Malware Technology Expert NOXS, recently found out that some companies in the neighborhood of a well known shopping area in Brussels have been constantly under attack. Several tens of new and at that moment undetectable trojans, spyware and botnets were found in two companies. Willems continues: ‘ If people and companies are not changing their mindset from reactive to proactive we will have more problems than before compared to the mass-mailing worm years. In this particular case the companies were picked out as targets because they got old security solutions in place. This is a growing problem. ’
It can be seen that across most industry sectors, virus attacks have diminished, with only a few notable exceptions. The reason for this is that the attack profile has shifted considerably in the past 12 months. Gone are the days of the large scale mass-mailed virus outbreaks such as MyDoom and Sobig, belying the trend towards more small-scale targeted attacks.
These attacks are typically for the purposes of industrial espionage or intellectual property theft. In the last year the scope of these attacks has widened considerably, especially targeting small to medium sized businesses that are often the weaker link in a much larger supply chain. Throughout the last months NOXS continued to observe an increase in the level of sophistication in the nature of the targeted attacks facing businesses worldwide. Each targeted attack is very much tailored to particular needs in terms of which exploit is used, the social engineering techniques employed as well as which source IPs are used and what the targets will be. The number of low-level targeted attacks against businesses will continue to rise throughout the year, reaching levels of as many as 20 such attacks per day worldwide. These new kind of attacks are using one or two specifically crafted emails send out to one or two users inside the targeted company. By opening the email the user is mostly redirected to a new website which is using several exploits to trigger a download of a new backdoor to the user’s pc. After this the companies network is wide open to the other new created malware and spyware which can be dropped to the pc’s. The companies network at that moment can be used to target other companies networks, send out spam, gathering information and private data which will be misused again in future attacks. The value of the private information from a small to medium sized business is sometimes worth ten thousands of Euro’s which is high compared to the low investments for creation of the new malware.
The real problem however is to find these attacks as early as possible by some proactive approaches like Intrusion Prevention and other intelligent blocking techniques. Otherwise those newly created malware will be used in some attacks to other companies before they will be detected by the patterns of the anti-malware vendors. And this is problematic as the honey pots from the anti-malware or anti-virus vendors will not detect these in an early stage. A lot of companies are underestimating these new problems and are just continuing using old anti-virus technologies as their main protection. Traditional anti-virus solutions that are signature-based provide a reactive approach and require signature updates to be effective, providing little or no defense from these kinds of often unique targeted attacks, which may only be sent to one or two targets. Studies have shown that the typical time for signatures to appear for targeted trojans is still several weeks or even months. Companies need to realize that they cannot rely solely on traditional reactive methods and need to be proactive in their approach."
What do you think? Was the media capable of picking this up? Caused this the 'so needed warning' to the public?
Of course it did not, because it's just a small problem for two small companies... at least that's what was visible. When will people and media learn that even small things could be quite problematic for everyone. I predict hereby that this kind of attacks will becoming more and more problematic as small business are definitely not using the best protection and even this statement is an understatement.
You can find the original press release at the Belgium NOXS 'Expert News page' which you can find at
http://www.noxs.be .
And it's not the first time that such things appear. After publishing I got a reaction from a reader of my 'NOXS Expert News' Maarten Van Horenbeeck who saw the same things happening as well.
He wrote something about it at his website:
http://www.daemon.be/maarten/targetedattacks.html
So it's like I told you: Targeted attacks are underestimated in Belgium. They are a problem worldwide! When will this stop?
"NOXS Press Release (May 15 2007) : Targeted attacks are underestimated in Belgium.
Targeted spyware attacks found in the neighborhood of a well known shopping area in Brussels,Belgium
Eddy Willems, Anti-Malware Technology Expert NOXS, recently found out that some companies in the neighborhood of a well known shopping area in Brussels have been constantly under attack. Several tens of new and at that moment undetectable trojans, spyware and botnets were found in two companies. Willems continues: ‘ If people and companies are not changing their mindset from reactive to proactive we will have more problems than before compared to the mass-mailing worm years. In this particular case the companies were picked out as targets because they got old security solutions in place. This is a growing problem. ’
It can be seen that across most industry sectors, virus attacks have diminished, with only a few notable exceptions. The reason for this is that the attack profile has shifted considerably in the past 12 months. Gone are the days of the large scale mass-mailed virus outbreaks such as MyDoom and Sobig, belying the trend towards more small-scale targeted attacks.
These attacks are typically for the purposes of industrial espionage or intellectual property theft. In the last year the scope of these attacks has widened considerably, especially targeting small to medium sized businesses that are often the weaker link in a much larger supply chain. Throughout the last months NOXS continued to observe an increase in the level of sophistication in the nature of the targeted attacks facing businesses worldwide. Each targeted attack is very much tailored to particular needs in terms of which exploit is used, the social engineering techniques employed as well as which source IPs are used and what the targets will be. The number of low-level targeted attacks against businesses will continue to rise throughout the year, reaching levels of as many as 20 such attacks per day worldwide. These new kind of attacks are using one or two specifically crafted emails send out to one or two users inside the targeted company. By opening the email the user is mostly redirected to a new website which is using several exploits to trigger a download of a new backdoor to the user’s pc. After this the companies network is wide open to the other new created malware and spyware which can be dropped to the pc’s. The companies network at that moment can be used to target other companies networks, send out spam, gathering information and private data which will be misused again in future attacks. The value of the private information from a small to medium sized business is sometimes worth ten thousands of Euro’s which is high compared to the low investments for creation of the new malware.
The real problem however is to find these attacks as early as possible by some proactive approaches like Intrusion Prevention and other intelligent blocking techniques. Otherwise those newly created malware will be used in some attacks to other companies before they will be detected by the patterns of the anti-malware vendors. And this is problematic as the honey pots from the anti-malware or anti-virus vendors will not detect these in an early stage. A lot of companies are underestimating these new problems and are just continuing using old anti-virus technologies as their main protection. Traditional anti-virus solutions that are signature-based provide a reactive approach and require signature updates to be effective, providing little or no defense from these kinds of often unique targeted attacks, which may only be sent to one or two targets. Studies have shown that the typical time for signatures to appear for targeted trojans is still several weeks or even months. Companies need to realize that they cannot rely solely on traditional reactive methods and need to be proactive in their approach."
What do you think? Was the media capable of picking this up? Caused this the 'so needed warning' to the public?
Of course it did not, because it's just a small problem for two small companies... at least that's what was visible. When will people and media learn that even small things could be quite problematic for everyone. I predict hereby that this kind of attacks will becoming more and more problematic as small business are definitely not using the best protection and even this statement is an understatement.
You can find the original press release at the Belgium NOXS 'Expert News page' which you can find at
http://www.noxs.be .
And it's not the first time that such things appear. After publishing I got a reaction from a reader of my 'NOXS Expert News' Maarten Van Horenbeeck who saw the same things happening as well.
He wrote something about it at his website:
http://www.daemon.be/maarten/targetedattacks.html
So it's like I told you: Targeted attacks are underestimated in Belgium. They are a problem worldwide! When will this stop?
Sunday, May 13, 2007
Is Google preparing to police the internet?
I was still sleeping this morning when suddenly my mobile phone was ringing. It was the news service of radiostations Q-Music and 4FM calling me. They wanted my reaction concerning Google in spidering and labeling the sites as bad and good: their upcoming approach against malware-spreading. You can read more about this at this blog just below this article and you can listen to the short interview at my press page on my website or at this link.
Oh yes .. it's in Dutch of course.
Oh yes .. it's in Dutch of course.
Wednesday, May 09, 2007
Google's upcoming drive-by download approach ...
Blogreader Jonatan Van Hove sent me an interesting link about Google's upcoming
security approach at Nicholas Carr's Blog 'Rough Type':
http://www.roughtype.com/archives/2007/05/driveby_malware.php
Increasingly worried by the use of conventional web sites to distribute the viruses that turn innocent PCs into botnet "zombies," Google appears to be readying a plan to police the web. If the plan goes forward, Google will use new software to automatically identify compromised web pages in its database and label them as "potentially harmful" in its search results. Because being labeled as suspicious by Google could devastate a site's traffic, the move would raise the security stakes for site owners dramatically. A recent Google study, led by Provos, a Google security specialist, discovered "around 450,000 web pages that launched drive-by downloads of malicious programs. Another 700,000 pages launched downloads of suspicious software. More than two-thirds of the malicious programs identified were those that infected computers with bot software or programs that collected data on banking transactions and emailed it to a temporary email account." Anything that makes people wary of visiting web sites or clicking on links stands as a big threat to Google's business. It's not surprising, then, that the company has a unit investigating the dissemination of malware through the web. The paper that Provos and four of his Google colleagues have written on the subject, The Ghost in the Browser, explains how Google is preparing to respond to the threat by incorporating an automated security analysis into its routine spidering and indexing of sites.
What do I think about it ... well ... it's basically a good idea however
1) It's not completely new as McAfee (SiteAdvisor) and TrendMicro (TrendProtect) for instance are already using this approach more or less.
2) It will possibly only work if you search with Google and you have a dozen of other search engines like MS Live Search.
3) It will not be foolproof as it could be easily circumvented (Oh yes it can and it will be!)
So actually it's re-inventing the wheel again. At least it will help of course in the global approach. Don't listen however to Provos statement: "The firewall is dead." in the article. If he really said this than he is possibly wrong cited by the journalist or he really don't know anything about real security.
security approach at Nicholas Carr's Blog 'Rough Type':
http://www.roughtype.com/archives/2007/05/driveby_malware.php
Increasingly worried by the use of conventional web sites to distribute the viruses that turn innocent PCs into botnet "zombies," Google appears to be readying a plan to police the web. If the plan goes forward, Google will use new software to automatically identify compromised web pages in its database and label them as "potentially harmful" in its search results. Because being labeled as suspicious by Google could devastate a site's traffic, the move would raise the security stakes for site owners dramatically. A recent Google study, led by Provos, a Google security specialist, discovered "around 450,000 web pages that launched drive-by downloads of malicious programs. Another 700,000 pages launched downloads of suspicious software. More than two-thirds of the malicious programs identified were those that infected computers with bot software or programs that collected data on banking transactions and emailed it to a temporary email account." Anything that makes people wary of visiting web sites or clicking on links stands as a big threat to Google's business. It's not surprising, then, that the company has a unit investigating the dissemination of malware through the web. The paper that Provos and four of his Google colleagues have written on the subject, The Ghost in the Browser, explains how Google is preparing to respond to the threat by incorporating an automated security analysis into its routine spidering and indexing of sites.
What do I think about it ... well ... it's basically a good idea however
1) It's not completely new as McAfee (SiteAdvisor) and TrendMicro (TrendProtect) for instance are already using this approach more or less.
2) It will possibly only work if you search with Google and you have a dozen of other search engines like MS Live Search.
3) It will not be foolproof as it could be easily circumvented (Oh yes it can and it will be!)
So actually it's re-inventing the wheel again. At least it will help of course in the global approach. Don't listen however to Provos statement: "The firewall is dead." in the article. If he really said this than he is possibly wrong cited by the journalist or he really don't know anything about real security.
Monday, May 07, 2007
Drive-by downloads in a different perspective
Drive-by downloading is a catch-all name for software downloaded on your computer without your knowledge or intervention. Drive-by downloading is different than phishing, which misleads users by using authentic-appearing sites that deceive users into entering sensitive information, and different than pop-ups, which fool users into agreeing to download software. Drive-by downloads sneak onto computers without the user’s knowledge or permission.
Some of the most common drive-by download carriers are songs from free music share sites, free screensavers, etc. Many of these install spyware that monitors your surfing habits, and then displays pop-ups that match your habits. For example, if you invest a good chunk of your Internet time cruising sport sites, the spyware detects this, and it could then splash sporting apparel ads on your monitor.
And it's a real problem ... Didier Stevens a friend-blogger did a test which he blogged today at
http://didierstevens.wordpress.com/
What did he do?
Well he's been running a Google Adwords campaign for 6 months now as an experiment…
He bought the drive-by-download.info domain. He set up a web server to display a simple page saying “Thank you for your visit!” and to log each request. That’s all. He wanted to be absolutely clear about this: no malware or other scripts/code were ever hosted on this server. No PCs were harmed in this experiment.
He started a Google Adwords campaign with several combinations of the words “drive by download”, etc ... He designed his ad to make it suspicious, but even then it was accepted by Google without problem and he got no complaints to date. And many users clicked on it.
I am not surprised by this.
Of course this is just 'normal human behaviour', isn't it.
The human mind is like that, even if you think it could be harmful you will be testing it. So why worry about it.
Well at least there are free solutions like McAfee's SiteAdvisor ( http://www.mcafee.com ) or TrendMicro's TrendProtect ( http://www.trendsecure.com ) which are giving you indications to your surfing habits. Of course these are not foolproof but at least they give you a possible solution. The only problem: Not everybody is using those new techniques and some of us think that such tools are just annoying. Shame on you!
Some of the most common drive-by download carriers are songs from free music share sites, free screensavers, etc. Many of these install spyware that monitors your surfing habits, and then displays pop-ups that match your habits. For example, if you invest a good chunk of your Internet time cruising sport sites, the spyware detects this, and it could then splash sporting apparel ads on your monitor.
And it's a real problem ... Didier Stevens a friend-blogger did a test which he blogged today at
http://didierstevens.wordpress.com/
What did he do?
Well he's been running a Google Adwords campaign for 6 months now as an experiment…
He bought the drive-by-download.info domain. He set up a web server to display a simple page saying “Thank you for your visit!” and to log each request. That’s all. He wanted to be absolutely clear about this: no malware or other scripts/code were ever hosted on this server. No PCs were harmed in this experiment.
He started a Google Adwords campaign with several combinations of the words “drive by download”, etc ... He designed his ad to make it suspicious, but even then it was accepted by Google without problem and he got no complaints to date. And many users clicked on it.
I am not surprised by this.
Of course this is just 'normal human behaviour', isn't it.
The human mind is like that, even if you think it could be harmful you will be testing it. So why worry about it.
Well at least there are free solutions like McAfee's SiteAdvisor ( http://www.mcafee.com ) or TrendMicro's TrendProtect ( http://www.trendsecure.com ) which are giving you indications to your surfing habits. Of course these are not foolproof but at least they give you a possible solution. The only problem: Not everybody is using those new techniques and some of us think that such tools are just annoying. Shame on you!
Sunday, May 06, 2007
The EICAR conference problems ...
As everything was normal this year I should have been at the EICAR conference today in Budapest. However due to unforeseen reasons the EICAR conference was cancelled this year. The majority of the papers are already published on-line by Springer and the printed version is being finalised. Here is the text as it will be published very shortly:
"Letter from the EICAR Chairman:
The EICAR Annual Conference is an event that has had its place in the Information Security world for quite a long time with an ambitious program and a long standing reputation for quality and top class presentations on the edge of research and technology. The preparations for the 2007 program have reached the final stage with the support of a great number of volunteers, all well recognised experts in the world of IT security and dedicated to the success of this year's conference. Unfortunately, due to internal administrative issues affecting EICAR's financial liquidity, EICAR was forced to cancel the 2007 conference to avoid further financial commitments that would be necessary for successful conference. In an attempt to confine the damage as much as possible the EICAR Board is following the proposal of its Scientific Director and Program Chair, Vlasti Broucek, and appreciates the help of Eric Filiol (editor-in-chief) to get at least the academic papers published this way. I would like to thank those who have submitted papers for presentation at our conference and can assure that the whole Board is committed to work hard on making the next EICAR conference again a successful event.
Rainer Fahs
Chairman of the Board
EICAR"
If you want to know more about the exact EICAR situation you can always email me and I will give you a honest and up-to-date answer.
"Letter from the EICAR Chairman:
The EICAR Annual Conference is an event that has had its place in the Information Security world for quite a long time with an ambitious program and a long standing reputation for quality and top class presentations on the edge of research and technology. The preparations for the 2007 program have reached the final stage with the support of a great number of volunteers, all well recognised experts in the world of IT security and dedicated to the success of this year's conference. Unfortunately, due to internal administrative issues affecting EICAR's financial liquidity, EICAR was forced to cancel the 2007 conference to avoid further financial commitments that would be necessary for successful conference. In an attempt to confine the damage as much as possible the EICAR Board is following the proposal of its Scientific Director and Program Chair, Vlasti Broucek, and appreciates the help of Eric Filiol (editor-in-chief) to get at least the academic papers published this way. I would like to thank those who have submitted papers for presentation at our conference and can assure that the whole Board is committed to work hard on making the next EICAR conference again a successful event.
Rainer Fahs
Chairman of the Board
EICAR"
If you want to know more about the exact EICAR situation you can always email me and I will give you a honest and up-to-date answer.