WAVCi (feed last updated 2024-03-08)<br />This is the original Eddy Willems WeBlog, which is dedicated to my anti-virus work and research, my family, friends and colleagues all over the world. I try to give you a different general look at the anti-virus and security world! This blog does not reflect the ideas of my recent employer, nor of EICAR, nor of my former employers. You can find my full website at www.wavci.com or www.anti-malware.info .<br />Author: Eddy Willems (http://www.blogger.com/profile/15790576694672259907, noreply@blogger.com)<br /><br />Eddy Willems' Blog is moving to www.anti-malware.info (12 September 2010)<br />Hi followers and readers,<br /><br />Please note that from today, 12 September 2010, this blog is moving to another part of my website, which you can find at <a href="http://www.anti-malware.info">http://www.anti-malware.info</a> .<br /><br />You can subscribe to the feed at <a href="http://www.anti-malware.info/feed/">http://www.anti-malware.info/feed/</a> .<br /><br />Please update your feeds and links.<br />I will use the new blog space from now on.<br /><br />Kind regards,<br />Eddy Willems<br /><br />Could the DLL-hijacking problem be underestimated? (26 August 2010)<br />This is a short copy of the official G Data blog post.<br />Find the full and official version at <a href="http://blog.gdatasoftware.com/index.php?id=6478&tx_ttnews[tt_news]=1745&tx_ttnews[backPid]=6478&cHash=cff5e8301434aa629223caa3ee31a85c">www.gdatasoftware.com</a> <br /><br />Last week, HD Moore released details about a serious DLL problem under Windows. HD Moore is known as the developer of the Metasploit application. 
<br /><br />After a week, Microsoft released more information, discussing the bad practices in DLL loading that can lead to remote exploitation, which are the main source of this problem. They have recently released tools that can help mitigate the risk. But the real and possibly best solution is for developers to patch their applications so that they follow best practices. <br /><br />There is little that can be done by those of us in the security community, or by Microsoft for that matter, as many applications are designed in a way that takes advantage of this flaw, and it could take many weeks or months for application developers to release better designed programs and encourage users to update to these new versions. Some of the programs will be updated automatically, some of them won't. The patches Microsoft is offering do work, but they could make several programs unusable and break their backward compatibility. <br /><br />As the DLL-hijacking incident has continued to evolve, the scope of the problem has expanded rapidly. Microsoft acknowledged the DLL-hijacking problem on Monday, saying that the problem is a serious one and that the company is still investigating which applications are vulnerable. Over the last few days, various applications were identified as susceptible to the problem, with PowerPoint 2010 and Chrome among the more popular ones so far. A list of exploits for over 33 applications can be found on the Internet and is still growing. <br /><br />We recommend that you follow Microsoft's guidance and use a security or anti-virus solution. However, the problem itself must not be underestimated, as it could be heavily misused by cybercriminals in the future. There are already unconfirmed reports about targeted attacks using this technique in several places. <br /><br />In addition to Microsoft's published mitigating factors, G Data advises all users to enable the display of file name extensions in Windows so that .dll files are immediately identifiable. 
Microsoft provides manuals for Windows Vista and Windows 7 for this.<br /><br />The Microsoft LNK / USB worm / rootkit 'issue' will kill WIN XP SP2 and WIN2000 earlier... (19 July 2010)<br />Just recently, reports were released about a new kind of malware propagating through removable drives. The malware exploits a newly discovered vulnerability in shortcut files, which allows arbitrary code to be executed on the user's system. Microsoft has officially acknowledged the vulnerability and released a security <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">advisory</a>.<br /><br />The malware, which some of the AV industry detects as Win32/Stuxnet, is unfortunately a worm (and rootkit) of a slightly different colour. It can propagate by making use of a 0-day vulnerability described <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">here</a> and also listed by CVE as CVE-2010-2568.<br />The biggest problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code presented in a specially crafted shortcut (.LNK) file, which links in turn to a malicious DLL (Dynamic Link Library). <br /><br />The problem lies in the way the Windows Shell fails to parse the shortcut correctly when it loads the icon: it isn't necessary to click the icon for the malicious code to be executed! The code will run without any action on the part of the user once the folder is opened to access whatever legitimate files are on the device.<br /><br />Note also that USB devices are not the only potential vector: network shares and WebDAV shares can also be used to distribute malicious .LNKs. 
Affected platforms (essentially all current Windows versions) are listed in the advisory: it's likely that there won't be a patch for XP SP2 or Windows 2000, which have reached the end of their support life.<br /><br />Microsoft suggests three temporary solutions at this moment:<br /><br />* disabling Autorun (always a good idea, but not much help in this instance)<br /><br />* restricting user rights (adherence to the principle of least privilege, i.e. not giving users more privileges than they need)<br /><br />* blocking SMB connections on the perimeter firewall to reduce the risk from file shares<br /><br />Microsoft also suggests two workarounds, and describes how to apply them:<br /><br />* disable the display of shortcuts<br /><br />* disable the WebClient service<br /><br />The real problem:<br /><br />Take it from me: in the long run this LNK problem will kill MS Windows 2000 and MS Windows XP SP2 earlier than expected, as these OSes will have no support or critical updates anymore, unless MS decides to make an exception, which I doubt! <br />Also, the number of Windows XP SP2 users is still very high... and do you really think that they care, or are even aware, that their OS is 'not' supported? Most of them don't even know that they are using Windows XP; 'they use Windows'.<br /><br />PS: This was my first post after a long time. The reason is that I'm moving my sites and have started to refurbish my website. 
So please, stay tuned ...<br /><br />This blog has moved (24 April 2010)<br />This blog is now located at http://eddywillems.blogspot.com/.<br />You will be automatically redirected in 30 seconds, or you may click <a href='http://eddywillems.blogspot.com/'>here</a>.<br /><br />For feed subscribers, please update your feed subscriptions to<br />http://eddywillems.blogspot.com/feeds/posts/default.<br /><br />G Data SecurityLabs expands team with Security Evangelist Eddy Willems (23 February 2010)<br />The English and French versions of the press release ...<br /><br />G Data SecurityLabs expands team with Security Evangelist Eddy Willems<br />Bochum, 19 February 2010<br /><br />G Data today announces a new team member: Security Evangelist Eddy Willems. He will divide his time between the G Data SecurityLabs in Bochum (Germany) and the Benelux team.<br />The Belgian Willems has been active in the field of IT security for over two decades. In that period he has worked for influential institutes, such as EICAR, of which he is a co-founder and the director of press and information, several CERT associations and the organisation behind the Wildlist, as well as for commercial companies such as NOXS and Kaspersky Labs Benelux. <br /><br />In his position as Security Evangelist at G Data, Eddy Willems will form the link between technical complexity and the user. He is responsible for clear communication from G Data's SecurityLabs towards the security community, press, distributors, resellers and end users. 
This means, amongst other things, organising training about products, malware and security, speaking at conferences and consulting associations and companies about security. <br /><br />Eddy Willems says: “G Data is a professional and dynamic company with high standards. The focus is on a range of top products in which a perfect result and simplicity go hand in hand. This, in my opinion, is an exception in the security world, but it is (especially considering the recent explosion of threats) a necessity, now more than ever before. My goal is, in collaboration with my colleagues, to put G Data on the map internationally by representing G Data in numerous national and international security organisations, events and conferences.” <br /><br />Dirk Hochstrate, Director of G Data: “Eddy Willems is the best expansion of our team we could ever hope for. He has immense experience in IT security and is a well-known persona in the industry. He excels at translating complicated technical terminology into everyday language. We look forward to working with him.”<br /><br /><br />French version (translated) ...<br /><br />Eddy Willems, Security Evangelist, joins G Data Software<br /><br />Paris, 22 February 2010 - Eddy Willems, Security Evangelist, will be in charge of technical communication for the G Data SecurityLabs and will represent the security vendor at international events. <br /><br />Eddy Willems, a Belgian national, has worked in the field of security for more than 20 years. During that period he has collaborated with influential institutes such as EICAR, of which he is the co-founder and the director of information and communication, and with various CERT associations. He has also worked for commercial entities such as NOXS and Kaspersky Labs Benelux. <br /><br />As Security Evangelist, Eddy Willems knows how to make complex security technologies accessible to all users. 
He will interpret the information from the G Data SecurityLabs for the community, the press, distributors, resellers and end <br />users. This will take the form, in particular, of organising training (products, security issues, etc.) but also of taking part in conferences. He may also act as a consultant for associations or private <br />companies on security-related subjects. <br /><br />Eddy Willems: “G Data is a professional and dynamic company with high technical standards. Its strength rests on a range of high-performance products in which effectiveness and ease of use go hand in hand. In this, G Data is an exception in the security world, but today it is a necessity, especially when one considers the explosion of threats over the last few years. My goal is to push G Data onto the international stage by representing the company in numerous national and international security organisations, events and conferences.” <br /><br />Dirk Hochstrate, member of the management board of G Data Software AG: “Eddy Willems is the best recruit we could hope for for our team. He has immense experience in security and is very well known in the industry. He excels at translating complicated technical terminology into plain language. It is with great pleasure that we will be <br />working together.”<br /><br />A new job, a new episode in my life and my new employer G Data Software (16 February 2010)<br />This is the official 'Dutch' press release ... 
The English international version will follow shortly.<br /><br />G Data Benelux expands team with Security Evangelist Eddy Willems<br /> <br />Amsterdam, 16 February 2010 - As of today, G Data has a new team member: Security Evangelist Eddy Willems. He will divide his time between the Benelux team and the G Data SecurityLab in Bochum, Germany.<br /><br />Willems has been active in the field of IT security for two decades. In that time he has worked for influential institutes, such as EICAR, of which he is co-founder and director of press and information, various CERT organisations and the organisation behind the Wildlist, as well as for commercial companies such as NOXS and Kaspersky Labs Benelux. <br /><br />At G Data, Eddy Willems will, as Security Evangelist, form the link between the technical complexity of IT security and the user. He is responsible for clear communication from the G Data SecurityLab towards the security community, press, distributors, resellers and end users. In practice this comes down to, among other things, organising training about the products, malware and security, speaking at conferences and advising institutions and companies about IT security.<br /><br />Eddy Willems says: “G Data is a professional and dynamic company with high standards, where the focus is on a range of top products in which perfect results and simplicity go hand in hand. As far as I am concerned, that is an exception in the security world, and it is something we will need more than ever, given the recent explosion of threats. My goal is, together with my colleagues, to build the visibility of the company in the Benelux and in the whole world by representing G Data in all kinds of national and international security organisations, at events and at conferences.”<br /><br />Jan Van Haver, Country Manager Benelux of G Data: “Eddy Willems is a good addition to G Data. 
He has an impressive track record and knows better than anyone how to translate complicated technical material into ordinary human language. Moreover, he has a good sense of humour. So I am very much looking forward to our collaboration.” <br /><br /> <br />About G Data<br />G Data Software AG is a security specialist of German origin. G Data developed its first anti-virus program as early as 1987 and was thereby a pioneer in Europe. Quality is a priority for the company. As a result, G Data has won more tests in Europe over the past five years than any other vendor. Among those wins is the title 'Best Package', which both the Dutch Consumentenbond and the Belgian Test Aankoop have awarded to G Data InternetSecurity three years in a row.<br /><br />G Data offers solutions for consumers and for small, medium-sized and large enterprises. The company was founded in 1985 and has around 250 employees worldwide. Its headquarters are in Bochum (Germany). More information can be found at <a href="http://www.gdatasoftware.com">www.gdatasoftware.com</a> .<br /><br />Blog Blog Blog .... (10 February 2010)<br />It's time to blog again. I will come up with more blog posts and events very soon. Sorry, readers, for the empty weeks in the past. Just keep your eyes on this place.<br /><br />20 years with or within the Anti-Virus and Security Industry (9 December 2009)<br />Today it's exactly 20 years ago that one of my former managers gave me a diskette which turned out to carry the AIDS information trojan. 
At that time I was one of the first in the world to have a detection for it and to be able to restore a trojanised machine back to a healthy one. It changed my life completely. 2 years later I was one of the founders of EICAR. And it kept going in the right direction. Look <a href="http://www.wavci.com/media/vtm8912b.wmv">here</a> if you want to see how I changed in 20 years. ;-)<br /><br />I love what I'm doing. It's my life, and I'm one of the few who are not doing it only for the money. During those 20 years I've met a lot of interesting, brilliant-minded and enthusiastic people. The AV industry itself is also quite special, and I still like to work with or inside this industry even after 25 years of IT experience (not counting my university and school years). However, some people involved are not always what they pretend to be and just do their job. It's just a job for them.<br />It's not a job for me, it's much more: it's my life.<br /><br />And take it from me, there is a big difference if you're driven by a mentality or principle to do something good for people, to help people in the continuous battle against crime, or should I rather say cybercrime today.<br /><br />I'm ready for another 20 years. Let's hope I can continue in the same direction.<br /><br />Security Events and ... where to find Eddy Willems? updated version 2 (13 October 2009)<br />It's unbelievable how fast time flies when you're having fun. I've been travelling lately from one event to the next. I had 3 events in a row on 3 days. At some of the events I speak, give a lecture, a keynote or a presentation. 
A lot of people have asked me in the past to put my agenda on the internet, but of course this is something I will not do, because of the security aspect. However, I will give a small (incomplete) overview of some of the events where I will speak in the next weeks:<br /><br />- 13 October: Kaspersky Lab Ingram roadshow <br />( <a href="http://www.ingram.be">http://www.ingram.be</a> ) <br />- 21 October: Kaspersky Lab UK Partner Event<br />( <a href="http://www.kaspersky.co.uk/partner-conference">www.kaspersky.co.uk</a> )<br />- 22 October: Kaspersky Lab DMAX-Copaco roadshow <br />( <a href="http://www.dmax.be">http://www.dmax.be</a> )<br />- 4-5 November: Infosecurity NL, 11:00-11:30<br />(Malware testing considerations from analysts in-the-cloud)<br />( <a href="http://www.infosecurity.nl">http://www.infosecurity.nl</a> )<br />- 22-23 November: Kaspersky Lab Student Conference London <br />( <a href="http://www.kaspersky.com/events">http://www.kaspersky.com/events</a> )<br />- 25 November: Securiosity Nijmegen: Dutch universities<br />security event keynote<br />( <a href="https://www.securiosity.nl">https://www.securiosity.nl</a> ) <br />- 26 November: Kaspersky Lab DCB roadshow <br />( <a href="http://www.dcb.be">http://www.dcb.be</a> )<br /><br />.....<br /><br />More is coming for HCC NL and another big event in Belgium.<br />And I have possibly forgotten a couple of other ones.<br />If you want to book me, it's possible: just contact Kaspersky Lab.<br /><br />Just updated the agenda with a UK event ... replacing David Emm.<br /><br />I'm too busy with security events ... (15 September 2009)<br />I will be giving a presentation tomorrow at IDG's in-the-cloud event (Netherlands). Next week I will be in Geneva, Switzerland, for my 14th Virus Bulletin conference. 
This time I will be sponsored by EICAR, and I will bring the CFP and the news magazine from EICAR with me. After this I will give a lecture at the CBM masterclass event (Netherlands, 30 September), and the day afterwards I will give another lecture at Nemesys, also in the Netherlands... And that's only the beginning. I'm missing a lot of other events; I just have no time to visit them all. Maybe I should try to split myself up in 2 or 3, or maybe make a virtual copy of myself. Well, that's a future thing, isn't it. Just keep an eye on my Twitter space, where you can find some more info, if I have the time for it. <br />Let's hope I don't forget my birthday in the meantime... ;-)<br /><br />10 Most Known Malware in 2 Decades (Random Order) (4 September 2009)<br />a) Conficker (2008-2009) -- Also known as Downup, Downadup and Kido, Conficker is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker now has more than five million computers under its control (government, business and home computers in more than 200 countries), according to the New York Times. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.<br />b) I Love You (2000) -- Who wouldn't open an e-mail with "I Love You" in the subject line? Well, that was the problem. By May 2000, 50 million infections of this worm had been reported. The Pentagon, the CIA and the British Parliament all had to shut down their e-mail systems in order to purge the threat. 
I still remember that I was on a customer's site when it all started, and I was overloaded with press and media attention afterwards.<br />c) Melissa (1999) -- Melissa was an exotic dancer, and David L. Smith was obsessed with her and also with writing viruses. The virus he named after Melissa and released to the world on March 26, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005. <br />d) SQL Slammer (2003) -- This fast-moving worm managed to temporarily bring much of the Internet to its knees in January 2003. The threat was so aggressive that some countries mistook it for an organised attack against them. I was just ordering a fish in a fish shop that day; however, I didn't get the time to eat it afterwards ....<br />e) Nimda (2001) -- A mass-mailing worm that uses multiple methods to spread itself; within 22 minutes, Nimda became the Internet's most widespread worm. The name of the virus came from the reversed spelling of "admin." <br />f) Code Red (2001) -- Web sites affected by the Code Red worm were defaced with the phrase "Hacked By Chinese!" At its peak, the number of infected hosts reached 359,000. <br />g) Blaster (2003) -- Blaster is a worm that triggered a payload launching a denial-of-service attack against windowsupdate.com, and which included the message, "billy gates why do you make this possible? Stop making money and fix your software!!" <br />h) Sasser (2004) -- This nasty worm spread by exploiting a vulnerable network port, meaning that it could spread without user intervention. Sasser wreaked havoc on everything from the British Coast Guard to Delta Airlines, which had to cancel some flights after its computers became infected. <br />i) Storm (2007) -- Poor Microsoft, always the popular target. Like Blaster and others before it, this worm's payload performed a denial-of-service attack on www.microsoft.com. 
During Symantec's tests an infected machine was observed sending a burst of almost 1,800 e-mails in a five-minute period. <br />j) Morris (1988) -- A real oldie: without Morris the current threat "superstars" wouldn't exist. The Morris worm (or Internet worm) was created with innocent intentions. Robert Morris claims that he wrote the worm in an effort to gauge the size of the Internet. Unfortunately, the worm contained an error that caused it to infect computers multiple times, creating a denial of service.<br /><br />I used the most commonly known malware names here and not the particular names used by Kaspersky Lab or other security vendors.<br /><br />Induc ... the Delphi Virus (20 August 2009)<br />Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables. The new virus activates when an infected application is launched. It then checks whether Delphi development environment version 4.0, 5.0, 6.0 or 7.0 is installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu. Practically all Delphi projects include the clause “uses SysConst”, which means that the infection of only one system module results in the infection of all applications under development. In other words, the modified SysConst.dcu file causes all subsequent programs created in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted. The virus is not currently a threat: there is no destructive behaviour apart from infection. 
It is most probably intended as a demonstration and test of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of developers publishing .dcu files have already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive. Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.<br />It's also quite interesting to note that Kaspersky Lab was the first to detect this new virus; however, it's a shame that some media are ignoring this!<br /><br />Malware growth beyond 30 million soon, 30,000 new threats a day... (19 August 2009)<br /><a href="http://www.anti-malware.info/weblog/uploaded_images/avtestgr-794271.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 139px;" src="http://www.anti-malware.info/weblog/uploaded_images/avtestgr-794267.jpg" border="0" alt="AV-Test.org malware growth chart" /></a>I'm back from my vacation, and during the last 3 weeks a lot of things happened:<br />Koobface got new tricks, Twitter went down, Induc, the innovative file infector (Delphi), was found, and three people were indicted for stealing 130 million credit cards and other data useful in identity theft. And I was interviewed 4 times on my first working day (VTM (TV), De Morgen, etc.)... However, the more real problem comes from the ongoing threat of the creation of new malware. Malware threats have undergone many, many stages of evolution over the years. 
First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger. Kaspersky Lab finds over 30,000 new samples every day. And it's not only us seeing this. AV-Test.org has also released their findings (see picture). <br />With more than a million new samples being seen every month, we will soon reach 30 million, depending on how you count the samples. That should clearly illustrate the scale of the malware threat. As the threat continues to grow, so will the system resources needed to protect users from it. How else can users cope with this threat growth? From my years of experience managing malware signatures, I believe that the only way to go is the cloud, combined with some other new technologies like whitelisting and sandboxing. By using these combined technologies the security world can still cope with the large growth in malware while keeping good performance. You can find all these new features in the newly released Kaspersky Lab Internet Security Suite 2010.<br /><br />Some advice about Twitter before my vacation ... (22 July 2009)<br />If you use Twitter for this or other purposes, you're probably aware that the site compresses URLs posted in tweets, usually with bit.ly, as far as I can see. You're probably well aware that compressed URLs are frequently used by malware authors et al. to conceal the true URL. bit.ly addresses this problem by filtering links through Google Safe Browsing, SURBL and SpamCop, which is reassuring but is unlikely to catch every malicious site. bit.ly also makes available a Preview Plugin for Firefox that allows users to see more information about a site before they click on it. 
Personally, I prefer the tinyURL.com approach, which is browser-independent. If you go to tinyURL.com, you can enable a setting that will let you preview the real link whenever you click on a tinyURL on that particular machine. Alternatively, the person creating a tinyURL can send a version that begins http://preview.tinyurl.com/… <br />I started using these a while ago, but got a couple of comments from people who didn't want to see the redirect. However, thinking about it, and given the increase in malicious compressed URLs, I've decided to start doing it again. Not because it will eliminate the problem altogether, but because it might at least make people aware that there's a slightly safer way of doing it, without telling them which browser they should be using. If you don't like the redirect, all you have to do is paste the URL into your browser and delete the "preview." substring that comes after the "http://".<br /><br />And that's not the only problem with Twitter these days:<br />There have been quite a few reports over the last few days about how Erin Andrews' 'naked' video is being used to spread malware, with links to infected sites being sent in spam. Now there's a new fake video codec being spread on Twitter, with lots of different hash tags being used to push the link. And one of the most popular topics is 'Erin Andrews'. Kaspersky Lab is detecting the malware as Trojan-Downloader.Win32.CodecPack.iow. It is also very good that Twitter itself is doing something about it by informing infected Twitter accounts and even temporarily disabling them; however, this only works if they know about it, and this can take some time.<br /><br />I'm ready to start my vacation now for the next 3 weeks, during which I will use my Twitter account to give some updates on what I'm really doing. However, be careful and try to be safe on the social internet... 
it seems to me that the internet is not that social anymore, is it?<br /><br />Find me at <a href="http://www.twitter.com/EddyWillems">www.twitter.com/EddyWillems</a>!<br />See you all within a couple of weeks, or in case of an emergency maybe earlier, you never know.<br /><br />Malware experts are strange people ... (12 July 2009)<br /><a href="http://www.anti-malware.info/weblog/uploaded_images/tn_27062009-132050IMG2428-716699.JPG"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/tn_27062009-132050IMG2428-716697.JPG" border="0" alt="Photo from the Dubrovnik analyst meeting" /></a>This is what I hear sometimes. I must admit that we all sometimes have some strange habits, but isn't that normal for a human? I have shown the public many times this year what a real analyst or expert does. In my presentation 'A Virusanalyst in 15 Minutes' I'm showing the real life of an expert, which is not always that amazing... Shortly you will also find on my press page the original article I wrote about this presentation. It's more or less some kind of whitepaper and a guide on how you can do some pre-analysis work.<br />I'm now 2 weeks back from our analyst meeting trip in Dubrovnik, and you can find pictures of it at this <a href="http://www.wavci.com/albums/2009KLVAS10">link</a> on my website. Most of them are touristic pictures; some pictures show some experts in some strange situations. 
And definitely our 10th Kaspersky Virus Analyst Meeting, combined with the press tour, was very nice this year!<br />The prize for the strangest and most humorous picture goes to Michael Molsner (my German-Japanese colleague): a perfect example of how practical a malware expert can be!<br />Michael, I owe you a pint ...Eddy Willems<br /><br />2009-06-21: The fight against Cybercrime.<br /><br />I'm on the road again ... well, over the last few weeks I was traveling to several countries and went to several events which all had to do with security. So crisis and security are definitely not connected, in my opinion. I also visited several Police Crime Units in several countries and guess what... they don't all have the same questions or remarks. This confirms that there is (and will be) still a lot of work to be done in this area: the fight against cybercrime is still in its infancy, but it will tackle real organised (cyber)crime in the future. Let's also hope it can tackle most of the possible cyberwar attacks too.<br />Next week I'm in Dubrovnik for Kaspersky's 10th Virus Analyst Summit, an internal and external conference where we will talk about new technologies and techniques, and after that I'm back home for the launch of our new consumer products, with a beautiful set and combination of new technologies in Kaspersky Lab's fight against new malware.<br />Watch out!Eddy Willems<br /><br />2009-06-07: Elections and a special week...<br /><br />It will be an interesting week for me, starting with my votes for the Flemish and European Parliament, then taking a plane to do some secret business (presenting) in Lyon, France ... 
hmmm, what will I do over there..., flying back and presenting at a Belgian security event organised by (Qcom) Van Roey, driving back to a Citrix event in Antwerp, driving the next day to Luxembourg where I will present again at a Lannews Security event, and ending with the Ingram Showcase in Edingen/Enghien in Belgium, back home. So if you think I always have time to put something up on my blog ... no way. However, I have updated my website with some interesting pictures taken during events like the last EICAR conference and some others. Furthermore: keep following me on Twitter of course!Eddy Willems<br /><br />2009-05-24: EICAR Conference 2009 Summary (Berlin)<br /><br /><a href="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755143.JPG"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755141.JPG" border="0" alt="" /></a>The EICAR conference 2009, held at the Steigenberger Hotel in Berlin, Germany from 9th to 12th May 2009, was a great success. The hotel provided perfect conference facilities and excellent food, and its demonstrated flexibility in response to our short-term changing requests contributed considerably to the success of the conference. The absolute highlight was the keynote by Fred Cohen and the discussions that followed over the next two days about his virus definition and its negative connotation. The paper “Applied parallel coordinates for logs and network traffic attack analysis” by Sebastian Tricaud and Philippe Saadé was awarded the “Best Paper Award”, an excellent decision by the conference committee. 
The level of the presented scientific papers, as well as of the industrial papers, was excellent and very well balanced. Many more papers were submitted but, though of good quality, some had to be rejected simply for lack of space on the agenda. 'Moderated by the EICAR Chairman of the Board, Rainer Fahs, panel members from AMTSO (Andrew Lee), CARO (Morton Swimmer), EICAR (Eric Filiol), and ICSALabs (Andrew Hayter) represented a broad array of stakeholders in the anti-malware field and came to the conclusion that the complexity of the issue requires close cooperation between all stakeholders, since isolated developments would not be a good way ahead.' (cfr. Rainer Fahs) During his farewell address the Chairman of the Board announced that, due to the generous offer by ESAT France, next year’s EICAR conference will be held from Saturday 8th to Tuesday 11th May 2010 in Paris, at the conference facility of the Ecole Supérieure et d’Application des Transmissions (ESAT). A call for papers as well as more detailed information about the 2010 conference will be published soon.<br /><br />If you want to read more about the EICAR conference, please have a look at the upcoming June issue of the famous <a href="http://www.virusbtn.com">Virus Bulletin</a> magazine. I wrote the summary.<br /><br />Oh yes, the picture .. from left to right: Eddy Willems (me), Fred Cohen and Eric Filiol.Eddy Willems<br /><br />2009-05-06: Preparing for Kaspersky Regatta and the EICAR conference...and Twitter<br /><br />Life is too short, isn't it? I've already started planning events and meetings for September and October this year, and I'm trying to prepare myself for tomorrow's Regatta of Kaspersky Lab Benelux. 
I will post a picture from the event over here.<br />Friday I'm flying to Berlin to be ready for the upcoming EICAR conference in the Steigenberger Hotel. We have a terrific agenda, with even Fred Cohen as a speaker at the event. You can find more at <a href="http://www.eicar.org">www.eicar.org</a> <br />and if you want to come, there are still seats available.<br />I'm now doing about 2 local events a week, not including my discussions with the press, some large customers and international events. And that's just one part of my work.<br />But isn't my work my hobby? Most of the time yes .. but it's a dangerous situation, if you know what I mean...<br /><br />And for people who didn't know it yet, you can follow me<br />on Twitter: <a href="http://www.twitter.com/EddyWillems">www.twitter.com/EddyWillems</a><br />I'm inviting you all.<br /><br />And concerning safety on Twitter... pay attention please, as I have already seen a lot of security problems related to Twitter itself.Eddy Willems<br /><br />2009-04-19: Kido/Conficker network fear far too exaggerated ...<br /><br />While analysing Kido network behaviour, Kaspersky Lab (my colleagues) has been able to develop an application that gave an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24-hour observation period KL identified 200,652 unique IPs participating in the network, far fewer than the initially estimated Kido infection counts. Of course we always have to be very careful naming numbers, so<br />this count too could be not completely correct ... 
it shows, however, that it's definitely not 10 million, as some sources reported before.<br />This is mostly due to the fact that only the latest variants of Kido participate in the peer-to-peer network, and only a fraction of the nodes infected with earlier variants have been updated to the new variants. <br />You can find more at this <a href="http://www.viruslist.com/en/weblog?weblogid=208187675">link</a>.Eddy Willems<br /><br />2009-04-19: I'm getting sick from Twitter worms and Mikey Mooney...<br /><br />What's up with Mikey Mooney? <br />He wrote a series of Twitter worms, got hired, got hacked and released yet another worm last night.<br />This one made extensive modifications to infected profiles, changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."<br />This variant downloaded additional scripts from runebash.net/xss.js .<br /><br />The messages it sent were more philosophical in nature:<br />Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.<br />If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.<br />Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.<br />Age is a very high price to pay for maturity. Womp. mikeyy.<br />Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.<br />If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.<br />Money is not the only thing, it's everything. Womp. mikeyy.<br />Success is a relative term. It brings so many relatives. Womp. mikeyy.<br />'Your future depends on your dreams', So go to sleep. Womp. mikeyy.<br />God made relatives; Thank God we can choose our friends. Womp. mikeyy.<br />'Work fascinates me' I can look at it for hours ! Womp. mikeyy.<br />I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.<br />RT!! @spam Watch out for the Mikeyy worm (bit.ly link)<br />FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)<br />Mikeyy worm is back!!! Click here to remove it: (bit.ly link)<br /><br />So in my opinion, please don't hire him but fire him!Eddy Willems<br /><br />2009-04-09: Conficker/Kido starts with upgrade ...<br /><br />The Conficker worm has started to update infected machines with a mystery package of data. It sprang into life late on 8 April. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate. <br />In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the older variant. The increased activity of Conficker/Kido and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.<br />This latest Conficker/Kido variant - Net-Worm.Win32.Kido.js (Kaspersky Lab name) - is very different from the previous ones, with some notable points: once again it’s a worm, and it’s only functional until 3rd May. Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting. <br />One of the files is a rogue antivirus application. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com and spywareprotector-2009. 
You can find a picture on the <a href="http://www.viruslist.com/en/weblog?weblogid=208187654">weblog from Kaspersky Lab</a>.<br />And this is possibly not the end yet...Eddy Willems<br /><br />2009-04-01: Conficker/Kido FAQ (Frequently Asked Questions)...<br /><br />Kido spreads via local networks and removable storage media. It penetrates computers by exploiting the MS08-067 vulnerability in Windows systems, for which Microsoft released a patch in autumn of last year. Experts believe that a significant number of machines had still not been patched by January, when the spread of Kido was at its peak. Failure to install the patch and to use effective antivirus protection has led to an epidemic: it’s currently estimated that between 5 and 6 million computers with Internet connectivity are infected with Kido variants. <br />Several factors made today’s global Kido epidemic possible: neglecting to use antivirus products, and the absence of an organization which is responsible for the security of the Internet and which unites and coordinates the efforts of governments and IT security experts. <br />Epidemics of a similar scale have happened in the past. However, the malicious programs which caused those epidemics did not have Kido’s extensive capability to evade detection and to prevent the disinfection of infected machines. <br />The third version of Kido is currently spreading on the Internet. This program implements the most sophisticated technologies used by malware authors: it downloads updates for itself from site addresses which are constantly changing; it uses local networks as an additional channel for updates; it uses strong encryption to protect itself; it has sophisticated mechanisms for disabling security services, etc. 
<br />The third version of Kido updates itself by downloading code from 500 domains. These are chosen from a pool of 50,000 domains which is generated daily. The 500 domains are selected at random, and this, together with the large number of domains, makes it extremely difficult to monitor the domains used by the malicious program. <br />Because of this, Kido could become the most powerful cybercriminal tool in the history of the Internet, and one that is highly resistant to being blocked. The gigantic botnet created by the authors of Kido gives cybercriminals the ability to conduct extremely powerful DDoS attacks on any Internet resource, to steal confidential data from infected machines and to spread unwanted content (e.g. huge spam mailings). <br />In March there were mass updates to older versions of this malicious program. On 1st April 2009 the Kido botnet will use the approach above to start receiving commands from its creators from 50,000 domains a day; what action the cybercriminals will take subsequently is difficult to predict. <br /><br />Kaspersky Lab products successfully prevent all versions of Kido from penetrating users’ computers. Recommendations on how to delete the malicious program are available on the Kaspersky Lab technical support site. 
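The 500-of-50,000 scheme described above is exactly what makes sinkholing or pre-registering the domains so hard, and the arithmetic is worth seeing. The block below is an added example written for this page; it is not Kido's own code and does not reproduce its real domain-generation algorithm. It models only what the FAQ states: a daily pool of 50,000 candidate domains (derived here from SHA-256 over the date and an index, an assumption made purely so the pool is deterministic; the TLD list is likewise made up), from which each bot contacts a random 500. coverage_probability() gives the exact chance that a bot's 500 picks include at least one domain a defender controls, and domains_needed() inverts it.

```python
"""Why a random 500 out of a daily 50,000 domains is hard to block.

Added example for this page. NOT Kido/Conficker code and NOT its real
domain-generation algorithm: the hash-based pool below is a stand-in that
only reproduces the numbers the FAQ gives (50,000 per day, 500 contacted).
"""
import hashlib
import random
from math import comb
from typing import List, Optional, Set

POOL_SIZE = 50_000      # from the FAQ: candidate domains generated per day
PICKS_PER_DAY = 500     # from the FAQ: domains each bot actually contacts
TLDS = ("com", "net", "org", "info", "biz")   # assumption for the toy generator


def daily_pool(day: str, size: int = POOL_SIZE) -> List[str]:
    """Toy generator: domain i of the day is a hash of (ISO date, i).
    Anyone who knows the rule can precompute the whole day's pool, which is
    why the bot's random subset, not the pool, is the real obstacle."""
    stamp = day.encode()
    pool = []
    for i in range(size):
        digest = hashlib.sha256(stamp + i.to_bytes(4, "big")).digest()
        label = digest[:6].hex()                  # 12 hex chars, valid DNS label
        pool.append(f"{label}.{TLDS[digest[6] % len(TLDS)]}")
    return pool


def bot_picks(day: str, seed: int, pool: Optional[List[str]] = None,
              k: int = PICKS_PER_DAY) -> List[str]:
    """One bot's 500 contacts for the day: a random sample of the pool.
    Different bots (seeds) pick different subsets, so no single defender
    registration is guaranteed to be contacted by any given bot."""
    pool = pool if pool is not None else daily_pool(day)
    rng = random.Random(seed)
    return rng.sample(pool, k)


def coverage_probability(controlled: int, pool: int = POOL_SIZE,
                         picks: int = PICKS_PER_DAY) -> float:
    """P(at least one of a bot's picks is a defender-controlled domain)
    = 1 - C(pool - controlled, picks) / C(pool, picks). Exact, no simulation.
    With controlled == 1 this is simply picks / pool (0.01 for the FAQ's numbers)."""
    if controlled <= 0:
        return 0.0
    if controlled >= pool or pool - controlled < picks:
        return 1.0
    return 1.0 - comb(pool - controlled, picks) / comb(pool, picks)


def domains_needed(target: float, pool: int = POOL_SIZE,
                   picks: int = PICKS_PER_DAY) -> int:
    """Smallest number of the day's pool a defender must control to reach
    the target probability of being contacted by a given bot that day.
    Binary search works because coverage_probability is monotone."""
    lo, hi = 0, pool
    while lo < hi:
        mid = (lo + hi) // 2
        if coverage_probability(mid, pool, picks) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def observed_fraction(picks: List[str], controlled: Set[str]) -> float:
    """Share of one bot's contacts that land on defender-controlled domains."""
    return len(controlled.intersection(picks)) / len(picks)


if __name__ == "__main__":
    day = "2009-04-01"
    pool = daily_pool(day)
    picks = bot_picks(day, seed=1, pool=pool)
    print(f"{day}: {len(pool)} candidates, bot contacts {len(picks)}, e.g. {picks[:3]}")
    for m in (1, 10, 69, 100, 500):
        print(f"defender holds {m:4d} domains -> P(bot seen) = {coverage_probability(m):.4f}")
    print("domains for even odds on one day:", domains_needed(0.5))
```

With the FAQ's numbers, a defender who controls a single domain of the day's pool is contacted by a given bot with probability 0.01, and needs roughly 70 of the 50,000 to reach even odds for that day; the next day the pool is different and those registrations are worthless. That is the monitoring problem the FAQ describes, expressed as a number.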
<br /><br />Also available:<br /><a href="http://www.kaspersky.com/technews?id=203038750">FAQ of the Kido virus</a><br /><a href="http://www.radio1.be/programmas/vandaag/1-aprilvirus-maar-geen-grap">Audio fragment on VRT radio about the Kido virus (only in Dutch)</a><br /><a href="http://player.nos.nl/index.php/media/play/tcmid/tcm:5-498764/">Kaspersky evangelist Eddy Willems on the NOS radio news (Dutch only)</a> <br /><br />We are constantly monitoring the situation.<br />All press and media will be updated as soon as we have more info.<br />But I personally think that we will not see too much activity today (April 1); this can of course change at any time, and definitely at any time after April 1...<br /><br />BTW I'm using <a href="http://twitter.com/EddyWillems">Twitter</a>.Eddy Willems<br /><br />2009-03-29: Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009<br /><br />As promised, the Infosecurity Belgium fair was very good for Kaspersky Lab. I got loads of interested people during my 2 presentations, and the attendance at the booth was also a success. 
During the fair Kaspersky Lab also donated a cheque for about 16,000 euros to <a href="http://en.wikipedia.org/wiki/Kim_Gevaert">Kim Gevaert</a> for <a href="http://www.sos-kinderdorpen.be">SOS Kinderdorpen</a>.<br />Here you can find some pictures:<br /><br />Picture 1:<br />Me, Kim and Hannes (my colleague from the sales department)<br /><a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713788.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 213px; height: 320px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713784.jpg" border="0" alt="" /></a><br /><br />Picture 2:<br />Kim and Marjon (my colleague from our marketing department)<br /><a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748625.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748622.jpg" border="0" alt="" /></a>Eddy Willems<br /><br />2009-03-29: Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)<br /><br />A couple of weeks ago I was interviewed by Marc De Pril from S.Televisie in S.Crimineel, a weekly show which runs in a loop. People who missed it can watch the complete transmission on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=255580492">my iTunes channel</a> or in 3 parts <br />via my Youtube channel ... 
and eh, oh yes, it's in Dutch (Flemish):<br /><br />Part 1<br /><object width="480" height="295"><param name="movie" value="http://www.youtube.com/v/ITojJTe_g8E&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/ITojJTe_g8E&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"></embed></object><br /><br />Part 2<br /><object width="480" height="295"><param name="movie" value="http://www.youtube.com/v/5-L1M56Qwls&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/5-L1M56Qwls&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"></embed></object><br /><br />Part 3<br /><object width="480" height="295"><param name="movie" value="http://www.youtube.com/v/qkaLXEaCP-s&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/qkaLXEaCP-s&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"></embed></object><br /><br />And there will be a follow-up next month.Eddy Willems