Sunday, March 29, 2009

Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009

As promised the Infosecurity Belgium fair was very good for Kaspersky Lab. I got loads of interested people during my 2 presentations and the attendance on the booth was also a success. During the fair Kaspersky Lab also donated a cheque for about 16.000 Euro's to Kim Gevaert for SOS Kinderdorpen.
Here you can find some pictures:

Picture 1:
Me, Kim and Hannes(my colleague from the sales department)

















Picture 2:
Kim and Marjon (my colleague from our marketing department)

Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)

A couple of weeks ago I've been interviewed by Marc De Pril from S.Televisie in S.Crimineel, a weekly show which runs in a loop. People who missed it can watch the complete transmission on my iTunes channel or in 3 parts
via my Youtube channel ... and eh oh yes, it's in Dutch (Flemish):

Part 1


Part 2


Part 3


And there comes a follow up next month.

Chinese computer espionage network Ghostnet discovered.

I've been interviewed this morning by 4 FM and Q-Music Belgium about Ghostnet. This mystery electronic spy network apparently based in China has infiltrated hundreds of computers around the world and stolen files and documents, Canadian researchers have revealed. The network, dubbed GhostNet, appears to target embassies, media groups, NGOs, international organisations, government foreign ministries and the offices of the Dalai Lama, leader of the Tibetan exile movement. GhostNet had invaded 1,295 computers in 103 countries, but it appeared to be most focused on countries in south Asia and south-east Asia, as well as the Dalai Lama's offices in India, Brussels, London and New York. The network continues to infiltrate dozens of new computers each week. Such a pattern, and the fact that the network seemed to be controlled from computers inside China, could suggest that GhostNet was set up or linked to Chinese government espionage agencies. However, the researchers were clear that they had not been able to identify who was behind the network, and said it could be run by private citizens in China or a different country altogether. GhostNet can invade a computer over the internet and penetrate and steal secret files. It can also turn on the cameras and microphones of an infected computer, effectively creating a bug that can monitor what is going inside the room where the computer is. Anyone could be watched and listened to. The researchers said they had been tipped off to the network after having been asked by officials with the Dalai Lama to examine their computers. The officials had been worried that their computers were being infected and monitored by outsiders. The Chinese government regularly attacks the Tibetan exile movement as encouraging separatism and terrorism within China. The researchers found that the computers had succumbed to cyber-attack and that numerous files, including letters and emails, had been stolen. The intruders had also gained control of the electronic mail server of the Dalai Lama's computers.
However the fact that the attacks seems to come from China does not completely prove that the attackers are really coming from China... a problem we will always have in Cyberspace.
More interesting to read at this page and also Mikko's post here.

Friday, March 27, 2009

Please Media and Press don't hype Conficker.c !

I don’t know for sure what’s going to happen on April 1st, when Conficker (Kido is the Kaspersky Lab's name) is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date. At least machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains. While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. There is always a possibility when Conficker starts to act like a real botnet, the chances are that even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it could have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.

Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems). However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether. For instance, by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV etc ...

Well.. will we see big problems around the first of April?
I personnally don't think so.
Will the internet go down? Of course not...
Maybe it will be biggest April 1st joke we will see this year
but please may I call the media at least not to hype this.

If you're using a Kaspersky product and you patched you're systems you don't need to worry and that's problably the most scary part ... there all still a lot of corporates which don't patch their systems. Will they never learn? That should be the message for the media and press. Kaspersky will come up also with an official statement soon as several other vendors are also doing.
At least all experts and vendors are monitoring the situation.
And like I've said before, please don't hype the situation.

You can find a removal tool at this page.

(I'm writing this at the end of Infosecurity Belgium which was fantastic BTW. I've met hundreds of people, friends and even Kim Gevaert but that's for another blog later.)

Sunday, March 08, 2009

Back from CeBIT 2009.

I'm just back from CeBIT 2009. Kaspersky Lab was present as always with a big booth, loads of interviews and the Russian Disco evening... legendary at CeBIT ... but no official blog (see www.viruslist.com ). Well this year it was maybe a litlle bit different. At least I'm looking forward to next year, to hear one of my interviews(Suisse Radio) or to read/watch/hear the other interviews. ;-)