<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8234450</id><updated>2011-07-08T18:38:28.824+02:00</updated><title type='text'>WAVCi</title><subtitle type='html'>This is the original Eddy Willems WeBlog which is dedicated to my Anti-Virus work and research, my family, friends and colleagues all over the world. I try to give you a different general look at the Anti-Virus and Security world! This Blog is not reflecting the ideas of my recent employer nor EICAR nor my former employers. You can find my full website at www.wavci.com or www.anti-malware.info .</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://eddywillems.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default?start-index=101&amp;max-results=100'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>459</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8234450.post-5385026144886399074</id><published>2010-09-12T12:04:00.002+02:00</published><updated>2010-09-12T12:12:15.619+02:00</updated><title type='text'>Eddy Willems' Blog is moving to www.anti-malware.info</title><content type='html'>Hi followers and readers,&lt;br /&gt;&lt;br /&gt;Please note that as of today, 12 September 2010, this blog is moving to another part of my website, which you can find at &lt;a href="http://www.anti-malware.info"&gt;http://www.anti-malware.info&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;You can subscribe to the feed at &lt;a href="http://www.anti-malware.info/feed/"&gt;http://www.anti-malware.info/feed/&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;Please update your feeds and links.&lt;br /&gt;I will use the new blog space from now on.&lt;br /&gt;&lt;br /&gt;Kind Regards,&lt;br /&gt;Eddy Willems&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5385026144886399074?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5385026144886399074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5385026144886399074'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/09/eddy-willems-blog-is-moving-to-wwwanti.html' title='Eddy Willems&apos; Blog is moving to www.anti-malware.info'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7925157584200217817</id><published>2010-08-26T14:04:00.002+02:00</published><updated>2010-08-26T14:09:39.324+02:00</updated><title type='text'>Could the DLL-hijacking problem be underestimated?</title><content type='html'>This is a condensed copy of the official G Data blog post.&lt;br /&gt;Find the full and official version at &lt;a href="http://blog.gdatasoftware.com/index.php?id=6478&amp;tx_ttnews[tt_news]=1745&amp;tx_ttnews[backPid]=6478&amp;cHash=cff5e8301434aa629223caa3ee31a85c "&gt;www.gdatasoftware.com&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;Last week, HD Moore released details about a serious DLL-loading problem in Windows. HD Moore is best known as the developer of the Metasploit framework. &lt;br /&gt;&lt;br /&gt;A week later, Microsoft released more information, describing the bad practices in DLL loading that can lead to remote exploitation and that are the root cause of this problem. Microsoft has since released a tool that helps mitigate the risk, but the real, and probably best, solution is for developers to fix their applications so that they follow the documented best practices. &lt;br /&gt;&lt;br /&gt;There is little that those of us in the security community, or Microsoft for that matter, can do about it: many applications rely on exactly the DLL search behaviour that makes the flaw exploitable, and it could take weeks or months for application developers to release better-designed versions and to get users to update to them. Some programs will update automatically; some won't. The mitigation Microsoft offers does work, but it can render several programs unusable and break backward compatibility. &lt;br /&gt;&lt;br /&gt;As the DLL-hijacking incident has continued to evolve, the scope of the problem has expanded rapidly.&lt;br /&gt;&lt;br /&gt;
Microsoft acknowledged the DLL-hijacking problem on Monday, saying that the problem is a serious one and that the company is still investigating which applications are vulnerable. Over the past few days, various applications have been identified as susceptible, with PowerPoint 2010 and Chrome among the more popular ones so far. A list of exploits for over 33 applications is circulating on the Internet and is still growing. &lt;br /&gt;&lt;br /&gt;We recommend that you follow Microsoft's guidance and use a security or anti-virus solution. However, the problem itself must not be underestimated, as it could be heavily misused by cybercriminals in the future. There are already unconfirmed reports of targeted attacks using this technique in several places. &lt;br /&gt;&lt;br /&gt;In addition to Microsoft’s published mitigating factors, G Data advises all users to enable the display of file name extensions in Windows so that .dll files are immediately identifiable. Microsoft provides instructions for Windows Vista and Windows 7 for this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7925157584200217817?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7925157584200217817'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7925157584200217817'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/08/could-dll-hijacking-problem-be.html' title='Could the DLL-hijacking problem be underestimated?'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
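&lt;br /&gt;&lt;br /&gt;To make the search-order point concrete, here is an added example (written for this page; it is not code from the G Data post, from Microsoft or from HD Moore): a small Python model of the Windows DLL search order. It encodes the documented order for an unqualified LoadLibrary call, the KnownDLLs shortcut, the SafeDllSearchMode switch and the CWDIllegalInDllSearch registry value introduced by Microsoft's mitigation (KB2264107), then resolves a DLL for a viewer that has opened a document from a WebDAV share. The application, directory and file names are assumptions constructed for the demonstration; the value meanings are as Microsoft documents them.

```python
# Added example for this page (not code from the post, G Data or Microsoft):
# a model of the Windows DLL search order showing why a document opened from a
# remote share can make a trusted application load a DLL planted next to that
# document, and what the CWDIllegalInDllSearch setting changes. Directory
# names and file lists are constructed; manifests, redirection and the 16-bit
# system directory are left out of the model.

# Values of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch
CWD_DEFAULT = 0x0           # search the current working directory as usual
CWD_SKIP_WEBDAV = 0x1       # skip the CWD when it is a WebDAV folder
CWD_SKIP_REMOTE = 0x2       # skip the CWD when it is any remote folder (WebDAV or UNC)
CWD_NEVER = 0xFFFFFFFF      # remove the CWD from the search order entirely

# DLLs the loader always maps from the system directory before any search
# (the KnownDLLs list). Two entries are enough for the model.
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}


class Dir:
    """A directory in the model: its path, its kind (local, unc, webdav) and its files."""
    def __init__(self, path, kind, files):
        self.path = path
        self.kind = kind
        self.files = {f.lower() for f in files}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories probed for an unqualified LoadLibrary("name.dll"), in order.
    With SafeDllSearchMode on (the default since XP SP2) the CWD comes after the
    system directories; with it off, the CWD is probed right after the
    application directory, which is why older systems were so easy to hijack."""
    if safe_dll_search_mode:
        order = [app_dir, system_dir, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, windows_dir]
    return order + list(path_dirs)


def cwd_is_searched(cwd, setting):
    """Apply the CWDIllegalInDllSearch policy to the current working directory."""
    if setting == CWD_NEVER:
        return False
    if setting == CWD_SKIP_REMOTE and cwd.kind in ("webdav", "unc"):
        return False
    if setting == CWD_SKIP_WEBDAV and cwd.kind == "webdav":
        return False
    return True


def resolve_dll(name, order, system_dir, cwd, setting=CWD_DEFAULT):
    """Return the path of the directory the DLL would be loaded from, or None."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return system_dir.path
    for d in order:
        if d is cwd and not cwd_is_searched(cwd, setting):
            continue
        if name in d.files:
            return d.path
    return None


def scenario(dll, setting=CWD_DEFAULT, safe_dll_search_mode=True, cwd_kind="webdav"):
    """A viewer opens report.doc from a folder, so that folder becomes its CWD.
    The attacker has planted two DLLs next to the document: helper.dll, which
    the viewer loads lazily by name and which ships nowhere else, and
    imaging.dll, which shadows a copy in System32. (All names constructed.)"""
    cwd_path = {"local": r"C:\Users\me\Downloads",
                "unc": r"\\fileserver\public",
                "webdav": r"\\evil.example\docs"}[cwd_kind]
    app = Dir(r"C:\Program Files\Viewer", "local", ["viewer.exe", "core.dll"])
    system = Dir(r"C:\Windows\System32", "local", ["kernel32.dll", "user32.dll", "imaging.dll"])
    windows = Dir(r"C:\Windows", "local", [])
    cwd = Dir(cwd_path, cwd_kind, ["report.doc", "helper.dll", "imaging.dll"])
    order = search_order(app, system, windows, cwd, [], safe_dll_search_mode)
    return resolve_dll(dll, order, system, cwd, setting)


if __name__ == "__main__":
    for setting in (CWD_DEFAULT, CWD_SKIP_WEBDAV, CWD_SKIP_REMOTE, CWD_NEVER):
        print(hex(setting), "helper.dll loads from:", scenario("helper.dll", setting))
    print("imaging.dll, SafeDllSearchMode off:", scenario("imaging.dll", safe_dll_search_mode=False))
```

The point to take away: the application directory and the system directories are always probed first, so the hijack only works for DLLs the application loads by name but does not ship and that are not in System32 either (helper.dll here), or, with SafeDllSearchMode off, for any non-KnownDLL the attacker can shadow (imaging.dll). The CWDIllegalInDllSearch values close the remote-CWD hole but do nothing against a DLL planted in a local folder such as Downloads, which is why the developer-side fix, loading by fully qualified path and removing the current directory from the search path, remains the real solution.&lt;br /&gt;&lt;br /&gt;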
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-925509572729773939</id><published>2010-07-19T08:34:00.008+02:00</published><updated>2010-07-19T09:48:19.784+02:00</updated><title type='text'>The Microsoft LNK / USB worm / rootkit 'issue' will kill WIN XP SP2 and WIN2000 earlier...</title><content type='html'>Just recently, reports were released about a new kind of malware propagating through removable drives. The malware in question exploits a newly discovered vulnerability in shortcut files which allows arbitrary code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security &lt;a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx"&gt;advisory&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The malware, which part of the AV industry detects as Win32/Stuxnet, is unfortunately a worm (and rootkit) of a slightly different colour. It propagates by exploiting a 0-day vulnerability described &lt;a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx"&gt;here&lt;/a&gt; and tracked as CVE-2010-2568.&lt;br /&gt;The biggest problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code by a specially crafted shortcut (.LNK) file that links, in turn, to a malicious DLL (Dynamic Link Library). &lt;br /&gt;&lt;br /&gt;The flaw lies in the way the Windows Shell parses the shortcut when it renders the shortcut's icon: it is not necessary to click the icon for the malicious code to be executed! The code runs without any action on the part of the user as soon as the folder is opened, for instance to access whatever legitimate files are on the device.&lt;br /&gt;&lt;br /&gt;Note also that USB devices are not the only potential vector: network shares and WebDAV shares can also be used to distribute malicious .LNK files.&lt;br /&gt;&lt;br /&gt;
Affected platforms (essentially all current Windows versions) are listed in the advisory; it is likely that there won't be a patch for XP SP2 or Windows 2000, which have reached the end of their support life.&lt;br /&gt;&lt;br /&gt;Microsoft currently suggests three mitigating measures:&lt;br /&gt;&lt;br /&gt;* disabling AutoRun (always a good idea, but not much help in this instance, since the shortcut is triggered by merely displaying the folder)&lt;br /&gt;&lt;br /&gt;* restricting user rights (adherence to the principle of least privilege, i.e. not giving users more privileges than they need; the planted code runs with the rights of the user who opened the folder)&lt;br /&gt;&lt;br /&gt;* blocking SMB connections on the perimeter firewall to reduce the risk from file shares&lt;br /&gt;&lt;br /&gt;Microsoft also suggests two workarounds, and describes how to apply them:&lt;br /&gt;&lt;br /&gt;* disable the display of icons for shortcuts&lt;br /&gt;&lt;br /&gt;* disable the WebClient service (the service Windows uses to reach WebDAV shares)&lt;br /&gt;&lt;br /&gt;The real problem:&lt;br /&gt;&lt;br /&gt;Take it from me: in the long run this LNK problem will kill Windows 2000 and Windows XP SP2 earlier than expected, as these OSes will get no support or critical updates any more unless Microsoft decides to make an exception, which I doubt! &lt;br /&gt;Also, the number of Windows XP SP2 users is still very high... and do you really think they care, or are even aware, that their OS is no longer supported? Most of them don't even know that they are using Windows XP; 'they use Windows'.&lt;br /&gt;&lt;br /&gt;PS: This was my first post after a long time. The reason is that I'm moving my sites and have started to refurbish my website. 
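&lt;br /&gt;&lt;br /&gt;For anyone triaging a suspect USB stick or share, here is an added example (written for this page; it is not code from the post, from Microsoft or from any AV vendor): a minimal Python parser for the Shell Link (.LNK) binary format, which reads the header, the link target ID list and the string data that the shell consults when it renders a shortcut, and flags shortcuts whose link target is a DLL rather than a document or program. The flagging rule is a coarse heuristic constructed for this illustration (it will not catch every crafted shortcut and may flag legitimate ones), the two shortcuts built in demo() are constructed test data rather than real samples, and the parser does not interpret the vendor-specific contents of individual ItemID entries.

```python
# Added example for this page (not code from the post, Microsoft or any AV
# vendor): a minimal parser for the Shell Link (.LNK) format plus a coarse
# triage rule for shortcuts whose target names a DLL. The rule and the sample
# shortcuts in demo() are constructed for illustration.

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HEADER_SIZE = 0x4C

# LinkFlags bits (all powers of two)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def has(flags, bit):
    """Test one power-of-two flag bit."""
    return (flags // bit) % 2 == 1


def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def parse_lnk(data):
    """Parse the fixed header, the LinkTargetIDList and the StringData section."""
    if HEADER_SIZE > len(data) or u32(data, 0) != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = u32(data, 0x14)
    off = HEADER_SIZE
    id_list = []
    if has(flags, HAS_LINK_TARGET_ID_LIST):
        end = off + 2 + u16(data, off)      # IDListSize excludes its own 2 bytes
        off += 2
        while True:
            if off + 2 > end:
                raise ValueError("truncated ID list")
            item_size = u16(data, off)       # ItemIDSize includes the 2-byte size field
            if item_size == 0:               # TerminalID
                break
            id_list.append(data[off + 2:off + item_size])
            off += item_size
        off = end
    if has(flags, HAS_LINK_INFO):
        off += u32(data, off)                # LinkInfoSize includes itself; skip the block
    strings = {}
    for field, bit in STRING_FIELDS:
        if not has(flags, bit):
            continue
        count = u16(data, off)               # CountCharacters, no terminator
        off += 2
        if has(flags, IS_UNICODE):
            strings[field] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            strings[field] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return {"flags": flags, "id_list": id_list, "strings": strings}


def triage(parsed):
    """Return the reasons a shortcut deserves a closer look (empty list if none).
    Icon locations legitimately point at DLLs all the time (shell32.dll), so only
    the link target is checked: a target that is a DLL has the shape of the
    icon-rendering abuse described above, but a hit is a lead, not a verdict."""
    reasons = []
    needles = (b".dll", ".dll".encode("utf-16-le"))
    for item in parsed["id_list"]:
        low = item.lower()
        if any(n in low for n in needles):
            reasons.append("link target ID list references a .dll")
            break
    return reasons


def build_lnk(id_items, icon_location=None):
    """Assemble a minimal Unicode shortcut from raw ItemID payloads (constructed test data)."""
    flags = HAS_LINK_TARGET_ID_LIST + IS_UNICODE
    if icon_location is not None:
        flags += HAS_ICON_LOCATION
    header = (HEADER_SIZE.to_bytes(4, "little") + LINK_CLSID + flags.to_bytes(4, "little")
              + bytes(HEADER_SIZE - 24))            # remaining header fields zeroed
    body = b"".join((len(i) + 2).to_bytes(2, "little") + i for i in id_items) + b"\x00\x00"
    out = header + len(body).to_bytes(2, "little") + body
    if icon_location is not None:
        out += len(icon_location).to_bytes(2, "little") + icon_location.encode("utf-16-le")
    return out


def demo():
    """Two constructed shortcuts: a normal document shortcut and one whose target is a DLL."""
    benign = build_lnk([b"\x1fdesktop", "C:\\Users\\me\\report.doc".encode("utf-16-le")],
                       icon_location="%SystemRoot%\\system32\\shell32.dll")
    planted = build_lnk([b"\x1fdesktop", "E:\\loader.dll".encode("utf-16-le")],
                        icon_location="E:\\loader.dll")
    return triage(parse_lnk(benign)), triage(parse_lnk(planted))


if __name__ == "__main__":
    print(demo())
```

To run it on a real directory, read each *.lnk file's bytes into parse_lnk() and act on the list triage() returns; a flagged shortcut deserves a look at the DLL it points to, not automatic deletion. The heuristic deliberately ignores the IconLocation string because legitimate shortcuts point their icon at shell32.dll and the like all the time.&lt;br /&gt;&lt;br /&gt;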
So please, stay tuned ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-925509572729773939?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/925509572729773939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/925509572729773939'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/07/microsoft-lnk-usb-worm-rootkit-issue.html' title='The Microsoft LNK / USB worm / rootkit &apos;issue&apos; will kill WIN XP SP2 and WIN2000 earlier...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1092329807572871654</id><published>2010-04-24T13:17:00.001+02:00</published><updated>2010-04-24T13:22:48.114+02:00</updated><title type='text'>This blog has moved</title><content type='html'>&lt;br /&gt;       This blog is now located at http://eddywillems.blogspot.com/.&lt;br /&gt;       You will be automatically redirected in 30 seconds or you may click &lt;a href='http://eddywillems.blogspot.com/'&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;       For feed subscribers, please update your feed subscriptions to&lt;br /&gt;       http://eddywillems.blogspot.com/feeds/posts/default.&lt;br /&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1092329807572871654?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://eddywillems.blogspot.com/' title='This blog has moved'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8234450/posts/default/1092329807572871654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1092329807572871654'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/04/this-blog-has-moved.html' title='This blog has moved'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6910004043223634300</id><published>2010-02-23T15:15:00.003+01:00</published><updated>2010-02-23T15:59:33.697+01:00</updated><title type='text'>G Data SecurityLabs expands team with Security Evangelist Eddy Willems</title><content type='html'>The English and French versions of the press release (the French one translated below) ...&lt;br /&gt;&lt;br /&gt;G Data SecurityLabs expands team with Security Evangelist Eddy Willems&lt;br /&gt;Bochum, 19 February 2010&lt;br /&gt;&lt;br /&gt;G Data today announces a new team member: Security Evangelist Eddy Willems. He will divide his time between the G Data SecurityLabs in Bochum (Germany) and the Benelux team.&lt;br /&gt;The Belgian Willems has been active in the field of IT security for over two decades. In that period, he has worked for influential institutes such as EICAR, of which he is a co-founder and the director of press and information, several CERT associations and the organization behind the WildList, as well as for commercial companies such as NOXS and Kaspersky Labs Benelux. &lt;br /&gt;&lt;br /&gt;In his position as Security Evangelist at G Data, Eddy Willems will form the link between technical complexity and the user. He is responsible for clear communication from G Data’s SecurityLabs to the security community, press, distributors, resellers and end users. 
This means, amongst other things, organizing training on products, malware and security, speaking at conferences and advising associations and companies on security. &lt;br /&gt;&lt;br /&gt;Eddy Willems says: “G Data is a professional and dynamic company with high standards. The focus is on a range of top products in which a perfect result and simplicity go hand in hand. This, in my opinion, is an exception in the security world, but it is, especially considering the recent explosion of threats, a necessity, now more than ever before. My goal is to, in collaboration with my colleagues, put G Data on the map internationally by representing G Data in numerous national and international security organizations, events and conferences.” &lt;br /&gt;&lt;br /&gt;Dirk Hochstrate, Director of G Data: “Eddy Willems is the best expansion of our team we could ever hope for. He has immense experience in IT security and is a well-known persona in the industry. He excels at translating complicated technical terminology into everyday language. We look forward to working with him.”&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;French version (translated) ...&lt;br /&gt;&lt;br /&gt;Eddy Willems, Security Evangelist, joins G Data Software&lt;br /&gt;&lt;br /&gt;Paris, 22 February 2010 - Eddy Willems, Security Evangelist, will be in charge of technical communication for G Data SecurityLabs and will represent the security vendor at international events. &lt;br /&gt;&lt;br /&gt;Eddy Willems, a Belgian national, has been working in the security field for more than 20 years. During that period he has collaborated with influential institutes such as EICAR, of which he is co-founder and director of information and communication, and with various CERT associations. He has also worked for commercial companies such as NOXS and Kaspersky Labs Benelux. 
&lt;br /&gt;&lt;br /&gt;As Security Evangelist, Eddy Willems knows how to make complex security technologies accessible to all users. He will interpret the findings of G Data SecurityLabs for the community, the press, distributors, resellers and end users. This will take the form, among other things, of training sessions (products, security issues, etc.) and of speaking at conferences. He will also be able to act as a consultant to associations and private companies on security matters. &lt;br /&gt;&lt;br /&gt;Eddy Willems: “G Data is a professional and dynamic company with a high level of technical standards. Its strength rests on a range of high-performance products in which effectiveness and ease of use go hand in hand. That makes G Data an exception in the security world, but today it is a necessity, especially considering the explosion of threats in recent years. My goal is to push G Data onto the international stage by representing the company in numerous national and international security organisations, events and conferences.” &lt;br /&gt;&lt;br /&gt;Dirk Hochstrate, member of the board of G Data Software AG: “Eddy Willems is the best recruit for our team that we could have hoped for. He has immense experience in security and is very well known in the industry. He excels at translating complicated technical terminology into plain language. It is with great pleasure that we will be working together.
”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6910004043223634300?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6910004043223634300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6910004043223634300'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/02/g-data-securitylabs-expands-team-with.html' title='G Data SecurityLabs expands team with Security Evangelist Eddy Willems'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-596397221658999255</id><published>2010-02-16T10:56:00.008+01:00</published><updated>2010-02-16T11:46:25.174+01:00</updated><title type='text'>A new job, a new episode in my life and my new employer G Data Software.</title><content type='html'>This is the official Dutch press release (translated here) ... The English international version will follow shortly.&lt;br /&gt;&lt;br /&gt;G Data Benelux expands team with Security Evangelist Eddy Willems&lt;br /&gt; &lt;br /&gt;Amsterdam, 16 February 2010 – As of today, G Data has a new team member: Security Evangelist Eddy Willems. He will divide his time between the Benelux team and the G Data SecurityLab in Bochum, Germany.&lt;br /&gt;&lt;br /&gt;Willems has been active in IT security for two decades. 
In that time he has worked for influential institutes such as EICAR, of which he is co-founder and director of press and information, various CERT bodies and the organisation behind the WildList, as well as for commercial companies such as NOXS and Kaspersky Labs Benelux. &lt;br /&gt;&lt;br /&gt;At G Data, Eddy Willems will, as Security Evangelist, form the link between the technical complexity of IT security and the user. He is responsible for clear communication from the G Data SecurityLab to the security community, press, distributors, resellers and end users. In practice this means, among other things, organising training on the products, malware and security, speaking at conferences and advising institutions and companies on IT security.&lt;br /&gt;&lt;br /&gt;Eddy Willems says: “G Data is a professional and dynamic company with high standards, focused on a range of top products in which perfect results and simplicity go hand in hand. As far as I am concerned that is an exception in the security world, and it is something we will need more than ever, given the recent explosion of threats. My goal is, together with my colleagues, to build the visibility of the company in the Benelux and around the world by representing G Data in all kinds of national and international security organisations, at events and at conferences.”&lt;br /&gt;&lt;br /&gt;Jan Van Haver, Country Manager Benelux at G Data: “Eddy Willems is a great addition to G Data. He has an impressive track record and knows like no other how to translate complicated technical matter into plain language. On top of that, he has a good sense of humour. So I am very much looking forward to working together.” &lt;br /&gt;&lt;br /&gt; &lt;br /&gt;About G Data&lt;br /&gt;G Data Software AG is a security specialist of German origin. 
G Data developed its first antivirus program as early as 1987, making it a pioneer in Europe. Quality is a priority for the company. As a result, G Data has won more tests in Europe over the past five years than any other vendor. Those wins include the title ‘Best Package’, which both the Dutch Consumentenbond and the Belgian Test Aankoop have awarded to G Data InternetSecurity three years in a row.&lt;br /&gt;&lt;br /&gt;G Data offers solutions for consumers and for small, medium-sized and large enterprises. The company was founded in 1985 and has around 250 employees worldwide. Its headquarters are in Bochum (Germany). More information can be found at &lt;a href="http://www.gdatasoftware.com"&gt;www.gdatasoftware.com&lt;/a&gt; .&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-596397221658999255?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/596397221658999255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/596397221658999255'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/02/new-job-new-episode-in-my-life-and-my.html' title='A new job, a new episode in my life and my new employer G Data Software.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1015369520683401231</id><published>2010-02-10T15:40:00.002+01:00</published><updated>2010-02-10T15:42:56.025+01:00</updated><title type='text'>Blog Blog Blog 
....</title><content type='html'>It's time to blog again. I will come up with more blogs and events very soon. Sorry, readers, for the empty weeks in the past. Just keep your eyes on this place.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1015369520683401231?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1015369520683401231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1015369520683401231'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2010/02/blog-blog-blog.html' title='Blog Blog Blog ....'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2008585649521304496</id><published>2009-12-09T10:47:00.004+01:00</published><updated>2009-12-09T11:27:13.354+01:00</updated><title type='text'>20 years with or within the Anti-Virus and Security Industry</title><content type='html'>Today it's exactly 20 years ago that one of my former managers gave me a diskette which turned out to contain the AIDS Information Trojan. At that time I was one of the first in the world to get a detection for it and to be able to restore a trojanised machine to a healthy one. It changed my life completely. Two years later I was one of the founders of EICAR. And it kept going in the right direction. Look &lt;a href="http://www.wavci.com/media/vtm8912b.wmv"&gt;here&lt;/a&gt; if you want to see how I have changed in 20 years.   ;-)&lt;br /&gt;&lt;br /&gt;I love what I'm doing. 
It's my life and I'm one of the few who are not doing it only for the money. During those 20 years I've met a lot of interesting, brilliant-minded and enthusiastic people. The AV industry itself is also quite special and I still like to work with or inside this industry even after 25 years of IT experience (not counting my university and school years). However, some people involved are not always what they pretend to be and just do their job. It's just a job for them.&lt;br /&gt;It's not a job for me, it's much more: it's my life.&lt;br /&gt;&lt;br /&gt;And take it from me, there is a big difference if you're driven by a mentality or principle to do something good for people, to help people in the continuous battle against crime, or should I rather say cybercrime today.&lt;br /&gt;&lt;br /&gt;I'm ready for another 20 years. Let's hope I can continue in the same direction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2008585649521304496?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2008585649521304496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2008585649521304496'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/12/20-years-with-or-within-anti-virus-and.html' title='20 years with or within the Anti-Virus and Security Industry'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1968204123498425585</id><published>2009-10-13T16:53:00.009+02:00</published><updated>2009-10-16T16:57:26.995+02:00</updated><title type='text'>Security Events and ... where to find Eddy Willems? updated version 2</title><content type='html'>It's unbelievable how fast time flies when you're having fun. I've been travelling lately from one event to the next. I had 3 events in a row on 3 days. At some of the events I speak, give a lecture, a keynote or a presentation. A lot of people have asked me in the past to put my agenda on the internet, but of course this is something I will not do, for security reasons; however, I will give a small (incomplete) overview of some of the events where I will speak in the coming weeks:&lt;br /&gt;&lt;br /&gt;- 13 October: Kaspersky Lab Ingram roadshow &lt;br /&gt;( &lt;a href="http://www.ingram.be"&gt;http://www.ingram.be&lt;/a&gt; ) &lt;br /&gt;- 21 October: Kaspersky Lab UK Partner Event&lt;br /&gt;( &lt;a href="http://www.kaspersky.co.uk/partner-conference"&gt;www.kaspersky.co.uk&lt;/a&gt; )&lt;br /&gt;- 22 October: Kaspersky Lab DMAX-Copaco roadshow &lt;br /&gt;( &lt;a href="http://www.dmax.be"&gt;http://www.dmax.be&lt;/a&gt; )&lt;br /&gt;- 4-5 November: Infosecurity NL 11:00-11:30&lt;br /&gt;(Malware testing considerations from Analysts in-the-cloud)&lt;br /&gt;( &lt;a href="http://www.infosecurity.nl"&gt;http://www.infosecurity.nl&lt;/a&gt; )&lt;br /&gt;- 22-23 November: Kaspersky Lab Student Conference London &lt;br /&gt;( &lt;a href="http://www.kaspersky.com/events"&gt;http://www.kaspersky.com/events&lt;/a&gt; )&lt;br /&gt;- 25 November: Securiosity Nijmegen: Dutch Universities Security Event keynote&lt;br /&gt;( &lt;a href="https://www.securiosity.nl"&gt;https://www.securiosity.nl&lt;/a&gt; ) &lt;br /&gt;- 26 November: Kaspersky Lab DCB roadshow &lt;br /&gt;( &lt;a 
href="http://www.dcb.be"&gt;http://www.dcb.be&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;.....&lt;br /&gt;&lt;br /&gt;More is coming for HCC NL and another big event in Belgium.&lt;br /&gt;And I have possibly forgotten a couple of others.&lt;br /&gt;If you want to book me, it's possible: just contact Kaspersky Lab.&lt;br /&gt;&lt;br /&gt;Just updated the agenda with a UK event ... replacing David Emm.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1968204123498425585?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1968204123498425585'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1968204123498425585'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/10/security-events-and-where-to-find-eddy.html' title='Security Events and ... where to find Eddy Willems? updated version 2'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8427863952031002351</id><published>2009-09-15T17:23:00.004+02:00</published><updated>2009-09-15T17:34:29.375+02:00</updated><title type='text'>I'm too busy with security events ...</title><content type='html'>I will be giving a presentation tomorrow at IDG's in-the-cloud event (Netherlands). Next week I will be in Geneva, Switzerland, for my 14th Virus Bulletin conference. This time I will be sponsored by EICAR and I will bring the CFP and the News magazine from EICAR with me. 
After this I will give a lecture at the CBM masterclass event (Netherlands, 30 September) and the day after I will give another lecture at Nemesys, also in the Netherlands... And that's only the beginning. And I'm missing a lot of other events; I just have no time to visit them all. Maybe I should try to split myself in 2 or 3, or maybe make a virtual copy of myself. Well, that's a future thing, isn't it. Just keep an eye on my Twitter space, where you can find some more info if I have the time for it.   &lt;br /&gt;Let's hope I don't forget my birthday in the meantime...  ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8427863952031002351?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8427863952031002351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8427863952031002351'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/09/im-too-busy-with-security-events.html' title='I&apos;m too busy with security events ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-9009588508114573346</id><published>2009-09-04T10:45:00.006+02:00</published><updated>2009-09-04T10:59:52.312+02:00</updated><title type='text'>10 Most Known Malware in 2 Decades (Random Order)</title><content type='html'>a) Conficker (2008-2009) -- Also known as Downup, Downadup and Kido, it is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. 
It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has more than five million computers now under its control — government, business and home computers in more than 200 countries, according to the New York Times.  The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.&lt;br /&gt;b) I Love You (2000) -- Who wouldn't open an e-mail with "I Love You" in the subject line? Well, that was the problem. By May 2000, 50 million infections of this worm had been reported. The Pentagon, the CIA, and the British Parliament all had to shut down their e-mail systems in order to purge the threat. I still remember that I was on a customer's site when it all started and I was overloaded with press and media attention afterwards.&lt;br /&gt;c) Melissa (1999) -- Melissa was an exotic dancer, and David L. Smith was obsessed with her and also with writing viruses. The virus he named after Melissa and released to the world on March 26, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005. &lt;br /&gt;d) SQL Slammer (2003) -- This fast-moving worm managed to temporarily bring much of the Internet to its knees in January 2003. The threat was so aggressive that it was mistaken by some countries to be an organized attack against them. I was just ordering a fish in a fish-shop that day; however, I didn't get the time to eat it afterwards ....&lt;br /&gt;e) Nimda (2001) -- A mass-mailing worm that uses multiple methods to spread itself; within 22 minutes, Nimda became the Internet's most widespread worm. The name of the virus came from the reversed spelling of "admin." &lt;br /&gt;f) Code Red (2001) -- Web sites affected by the Code Red worm were defaced by the phrase "Hacked By Chinese!" 
At its peak, the number of infected hosts reached 359,000. &lt;br /&gt;g) Blaster (2003) -- Blaster is a worm that triggered a payload that launched a denial of service attack against windowsupdate.com, which included the message, "billy gates why do you make this possible? Stop making money and fix your software!!" &lt;br /&gt;h) Sasser (2004) -- This nasty worm spread by exploiting a vulnerable network port, meaning that it could spread without user intervention. Sasser wreaked havoc on everything from The British Coast Guard to Delta Airlines, which had to cancel some flights after its computers became infected. &lt;br /&gt;i) Storm (2007) -- Poor Microsoft, always the popular target. Like Blaster and others before, this worm's payload performed a denial-of-service attack on www.microsoft.com. During Symantec's tests an infected machine was observed sending a burst of almost 1,800 e-mails in a five-minute period. &lt;br /&gt;j) Morris (1988) -- A real oldie: without Morris the current threat "superstars" wouldn't exist. The Morris worm (or Internet worm) was created with innocent intentions. Robert Morris claims that he wrote the worm in an effort to gauge the size of the Internet. 
Unfortunately, the worm contained an error that caused it to infect computers multiple times, creating a denial of service.&lt;br /&gt;&lt;br /&gt;I used the most commonly known malware names here and not the specific Kaspersky Lab or other security vendors' names.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-9009588508114573346?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/9009588508114573346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/9009588508114573346'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/09/10-most-known-malware-in-2-decades.html' title='10 Most Known Malware in 2 Decades (Random Order)'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-877996057802708630</id><published>2009-08-20T13:56:00.002+02:00</published><updated>2009-08-20T13:59:53.595+02:00</updated><title type='text'>Induc ... the Delphi Virus</title><content type='html'>Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables. The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. 
If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu. Practically all Delphi projects include the string “use SysConst”, which means the infection of only one system module results in the infection of all applications under development. In other words, the modified SysConst.dcu file causes all subsequent programs created in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted. The virus is not currently a threat – there is no destructive behavior apart from infection. It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu files by developers has already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive. Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.&lt;br /&gt;It's also quite interesting to note that Kaspersky Lab was the first to detect this new virus; however, it's a shame that some media are ignoring this!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-877996057802708630?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/877996057802708630'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/877996057802708630'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/08/induc-delphi-virus.html' title='Induc ... the Delphi Virus'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4975670426405325003</id><published>2009-08-19T14:48:00.008+02:00</published><updated>2009-08-19T15:40:14.137+02:00</updated><title type='text'>Malware growth beyond 30 million soon, 30.000 new threats a day...</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/avtestgr-794271.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 139px;" src="http://www.anti-malware.info/weblog/uploaded_images/avtestgr-794267.jpg" border="0" alt="" /&gt;&lt;/a&gt;I'm back from my vacation and during the last 3 weeks a lot of things happened:&lt;br /&gt;Koobface got new tricks, Twitter went down, Induc the innovative file infector (Delphi) was found and three people were indicted for stealing 130 million credit cards and other data useful in identity theft. And I was interviewed 4 times on my first working day (VTM (TV), De Morgen, etc.)... However, the real problem comes from the ongoing threat of the creation of new malware. Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger. Kaspersky Lab finds every day over 30.000 new samples. And it's not only us seeing this. Also AV-Test.org has released their findings (see picture). &lt;br /&gt;With more than a million new samples being seen every month, we will soon reach 30 million, depending on how you count the samples. That should clearly illustrate the scale of the malware threat. 
As the threat continues to grow, so will the system resources needed to protect users from it. How else can users cope with this threat growth? In my years of experience managing malware signatures, I believe that the only way to go is in the cloud combined with some other new technologies like whitelisting and sandboxing. By using these combined technologies the security world can still cope with the large amount of malware growth combined with good performance. You can find all these new features within the newly released Kaspersky Lab Internet Security Suite 2010.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4975670426405325003?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4975670426405325003'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4975670426405325003'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/08/malware-growth-beyond-30-million-30000.html' title='Malware growth beyond 30 million soon, 30.000 new threats a day...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2089218746149898685</id><published>2009-07-22T16:52:00.003+02:00</published><updated>2009-07-22T17:08:13.424+02:00</updated><title type='text'>Some advice about Twitter before my vacation ...</title><content type='html'>If you use Twitter for this or other purposes, you’re probably aware that the site compresses URLs posted in tweets, usually with bit.ly, as far as I can see. 
You’re probably well aware that compressed URLs are frequently used by malware authors et al. to conceal the true URL. bit.ly addresses this problem by filtering links through Google Safe Browsing, SURBL and SpamCop, which is reassuring, but is unlikely to catch every malicious site. bit.ly also makes available a Preview Plugin for Firefox that allows users to see more information about a site before they click on it.  Personally, I prefer the tinyURL.com approach, which is browser-independent. If you go to tinyURL.com, you can enable a setting that will allow you to preview the real link whenever you click on a tinyURL on that particular machine. Alternatively, the person creating a tinyURL can send a version that begins http://preview.tinyurl.com/… &lt;br /&gt;I started using these a while ago, but got a couple of comments from people who didn’t want to see the redirect. However, thinking about it and given the increase in malicious compressed URLs, I’ve decided to start doing it again. Not because it will eliminate the problem altogether but because it might at least make people aware that there’s a slightly safer way of doing it without telling them which browser they should be using. If you don’t like the redirect, all you have to do is paste the URL into your browser and delete the "preview." substring that comes after the "http://".&lt;br /&gt;&lt;br /&gt;And that's not the only problem with Twitter these days:&lt;br /&gt;There've been quite a few reports over the last few days about how Erin Andrews' 'naked' video is being used to spread malware, with links to infected sites being sent in spam. Now there's a new fake video codec being spread on Twitter, with lots of different hash tags being used to push the link. And one of the most popular topics is 'Erin Andrews'. Kaspersky Lab is detecting the malware as Trojan-Downloader.Win32.CodecPack.iow. 
It's also very good that Twitter itself is doing something about it by informing infected Twitter accounts and even temporarily disabling them; however, this only works if they know about it, and this can take some time.&lt;br /&gt;&lt;br /&gt;I'm ready to start my vacation now for the next 3 weeks, where I will use my Twitter account to give some updates on what I'm really doing. However, be careful and try to be safe on the social internet... it seems to me that the internet is not that social anymore, isn't it?&lt;br /&gt;&lt;br /&gt;Find me at &lt;a href="http://www.twitter.com/EddyWillems"&gt;www.twitter.com/EddyWillems&lt;/a&gt;!&lt;br /&gt;See you all within a couple of weeks or in case of an emergency maybe earlier, you'll never know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2089218746149898685?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2089218746149898685'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2089218746149898685'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/07/some-advice-about-twitter-before-my.html' title='Some advice about Twitter before my vacation ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-533673474162567369</id><published>2009-07-12T11:07:00.005+02:00</published><updated>2009-07-12T11:28:00.873+02:00</updated><title type='text'>Malware experts are strange people ...</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/tn_27062009-132050IMG2428-716699.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/tn_27062009-132050IMG2428-716697.JPG" border="0" alt="" /&gt;&lt;/a&gt;This is what I hear sometimes. I must admit that we all sometimes have some strange habits, but isn't that normal for a human? I have shown the public a lot of times this year what a real analyst or expert is doing. In my presentation 'A Virusanalyst in 15 Minutes' I'm showing the real life of an expert, which is not always that amazing... Shortly you will also find on my press page the original article I wrote about this presentation. It's more or less some kind of whitepaper and a guide on how you can do some pre-analysis work.&lt;br /&gt;I'm now 2 weeks back from our analyst meeting trip in Dubrovnik and you can find pictures of it at this &lt;a href="http://www.wavci.com/albums/2009KLVAS10"&gt;link&lt;/a&gt; on my website. Most of them are touristic pictures; some pictures show some experts in some strange situations. 
And definitely our 10th Kaspersky Virus Analyst Meeting combined with the press tour was very nice this year!&lt;br /&gt;At least the prize for the strangest and most humorous picture goes to Michael Molsner (my German-Japanese colleague): a perfect example of how practical a malware expert can be!&lt;br /&gt;Michael, I owe you a pint ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-533673474162567369?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/533673474162567369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/533673474162567369'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/07/malware-experts-are-strange-people.html' title='Malware experts are strange people ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-231552439071724575</id><published>2009-06-21T11:21:00.005+02:00</published><updated>2009-06-21T11:37:08.388+02:00</updated><title type='text'>The fight against Cybercrime.</title><content type='html'>I'm again on the road ... well, the last few weeks I was traveling to several countries and went to several events which all have to do with security. So crisis and security are definitely not connected, in my opinion. I also visited several Police Crime Units in several countries and guess what.. they don't all have the same questions or remarks. 
This confirms that there is (and will be) still a lot of work to be done within this environment: the fight against cybercrime is just in its baby phase but will tackle the real organised (cyber)crime in the future. Let's also hope it can tackle most of the possible cyberwar attacks too.&lt;br /&gt;Next week I'm in Dubrovnik for Kaspersky's 10th Virus Analyst Summary, an internal and external conference, where we will talk about new technologies and techniques, and after that I'm back home for the launch of our new consumer products with a beautiful set and combination of new technologies in Kaspersky Lab's fight against new malware.&lt;br /&gt;Watch out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-231552439071724575?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/231552439071724575'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/231552439071724575'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/06/fight-against-cybercrime.html' title='The fight against Cybercrime.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1186994818194318520</id><published>2009-06-07T11:26:00.002+02:00</published><updated>2009-06-07T11:35:33.520+02:00</updated><title type='text'>Elections and a special week...</title><content type='html'>It will be an interesting week for me, starting with my votes for the Flemish and European Parliament, afterwards taking a plane to do some secret business (presenting) in Lyon, France ... 
hmmm, what will I do over there...., flying back and presenting at a Belgian Security event organised by (Qcom) Van Roey, driving back to a Citrix event in Antwerp, driving the next day to Luxembourg where I will present again at a Lannews Security event in Luxembourg and ending with the Ingram Showcase in Edingen/Enghien in Belgium, back home. So if you think I always have time to put something up on my blog ... no way. However, I updated my website with some interesting pictures taken during some events like the last EICAR conference and some other events. Further on: keep following me on Twitter of course!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1186994818194318520?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1186994818194318520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1186994818194318520'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/06/elections-and-special-week.html' title='Elections and a special week...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3537760395709080893</id><published>2009-05-24T12:12:00.004+02:00</published><updated>2009-05-24T12:28:34.260+02:00</updated><title type='text'>EICAR Conference 2009 Summary (Berlin)</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755143.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755141.JPG" border="0" alt="" /&gt;&lt;/a&gt;The EICAR conference 2009 held at the Steigenberger Hotel in Berlin, Germany from 9th to 12th May 2009 was a great success. The hotel provided perfect conference facilities, excellent food and, due to their demonstrated flexibility in response to our short-term changing requests, considerably contributed to the success of the conference. The absolute highlight was the keynote by Fred Cohen and the following discussions throughout the next two days in respect to his virus definition and the negative annotation of it. The paper “Applied parallel coordinates for logs and network traffic attack analysis” written by Sebastian Tricaud and Philippe Saadé was awarded the “Best Paper Award”, an excellent decision by the conference committee. The level of the presented scientific papers as well as that of the industrial papers was excellent and very well balanced. Many more papers had been submitted but, though of good quality, some had to be rejected simply because of insufficient space on the agenda. 'Moderated by the EICAR Chairman of the Board, Rainer Fahs, panel members from AMTSO (Andrew Lee), CARO (Morton Swimmer), EICAR (Eric Filiol), and ICSALabs (Andrew Hayter) represented a broad array of stakeholders in the anti-malware field and came to the conclusion that the complexity of the issue requires close cooperation between all stakeholders since isolated developments would not be a good way ahead.' (cfr. Rainer Fahs) During his farewell address the Chairman of the Board announced that, due to the generous offer by ESAT France, next year’s EICAR conference will be held from Saturday 8th to Tuesday 11th May 2010 in Paris at the conference facility of the Ecole Supérieure et d’Application des Transmissions (ESAT). 
A call for papers as well as more detailed information about our conference 2010 will be published soon.&lt;br /&gt;&lt;br /&gt;If you want to read more about the EICAR conference please have a look at the upcoming June issue of the famous &lt;a href="http://www.virusbtn.com"&gt;Virus Bulletin&lt;/a&gt; magazine. I wrote the summary.&lt;br /&gt;&lt;br /&gt;Oh yes, the picture .. from left to right: Eddy Willems (me), Fred Cohen and Eric Filiol.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3537760395709080893?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3537760395709080893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3537760395709080893'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/05/eicar-conference-2009-summary-berlin.html' title='EICAR Conference 2009 Summary (Berlin)'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8874242397658033390</id><published>2009-05-06T10:50:00.004+02:00</published><updated>2009-05-06T11:13:13.892+02:00</updated><title type='text'>Preparing for Kaspersky Regatta and the EICAR conference...and Twitter</title><content type='html'>Life is too short, isn't it? I've already started planning events and meetings in September and October this year and I try to prepare myself for the Regatta from Kaspersky Lab Benelux tomorrow. 
I will post a picture from the event over here.&lt;br /&gt;Friday I'm flying to Berlin to be ready for the upcoming EICAR conference in the Steigenberger Hotel. We have a terrific agenda with even Fred Cohen as a speaker at the event. You can find more at &lt;a href="http://www.eicar.org"&gt;www.eicar.org&lt;/a&gt; &lt;br /&gt;and if you want to come, there are still seats available.&lt;br /&gt;I'm doing now about 2 local events a week, not including my discussions with press, some large customers and international events. And that's just one part of my work.&lt;br /&gt;But is my work not my hobby? Most of the time yes .. but it's a dangerous situation if you know what I mean...&lt;br /&gt;&lt;br /&gt;And for people who didn't know it yet, you can follow me&lt;br /&gt;on Twitter: &lt;a href="http://www.twitter.com/EddyWillems"&gt;www.twitter.com/EddyWillems&lt;/a&gt;&lt;br /&gt;I'm inviting you all.&lt;br /&gt;&lt;br /&gt;And concerning the safety on Twitter... pay attention please, as I have already seen a lot of security problems related to Twitter itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8874242397658033390?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8874242397658033390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8874242397658033390'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/05/preparing-for-kaspersky-regatta-and.html' title='Preparing for Kaspersky Regatta and the EICAR conference...and Twitter'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6418915190826784253</id><published>2009-04-19T17:24:00.003+02:00</published><updated>2009-04-19T18:45:23.043+02:00</updated><title type='text'>Kido/Conficker network fear far too exaggerated ...</title><content type='html'>While analysing Kido network behaviour Kaspersky Lab (my colleagues) has been able to develop an application that helped to get an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24 hour observation period KL identified 200652 unique IPs participating in the network, far fewer than the initially estimated Kido infection counts. Of course we always have to be very careful naming numbers, so also&lt;br /&gt;this count might not be completely correct ... it shows, however, that it's definitely not 10 million as some sources reported before.&lt;br /&gt;This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants. 
&lt;br /&gt;You can find more at this &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187675"&gt;link&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6418915190826784253?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6418915190826784253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6418915190826784253'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/04/kidoconficker-network-fear-far-too.html' title='Kido/Conficker network fear far too exaggerated ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3344250896141479780</id><published>2009-04-19T15:57:00.002+02:00</published><updated>2009-04-19T15:59:49.053+02:00</updated><title type='text'>I'm getting sick from Twitter worms and Mikey Mooney...</title><content type='html'>What's up with Mikey Mooney? &lt;br /&gt;He wrote a series of Twitter worms, got hired, got hacked and released yet another worm last night.&lt;br /&gt;This one did extensive modifications to infected profiles, changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."&lt;br /&gt;This variant downloaded additional scripts from runebash.net/xss.js .&lt;br /&gt;&lt;br /&gt;The messages it sent were more philosophical in nature:&lt;br /&gt;Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.Every man should marry. 
After all, happiness is not the only thing in life. Womp. mikeyy.Age is a very high price to pay for maturity. Womp. mikeyy.Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.Money is not the only thing, it's everything. Womp. mikeyy.Success is a relative term. It brings so many relatives. Womp. mikeyy.'Your future depends on your dreams', So go to sleep. Womp. mikeyy.God made relatives; Thank God we can choose our friends.Womp. mikeyy.'Work fascinates me' I can look at it for hours ! Womp. mikeyy.I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.RT!! @spam Watch out for the Mikeyy worm (bit.ly link)FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)Mikeyy worm is back!!! Click here to remove it: (bit.ly link)&lt;br /&gt;&lt;br /&gt;So to my opinion, please don't hire him but fire him!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3344250896141479780?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3344250896141479780'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3344250896141479780'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/04/im-getting-sick-from-twitter-worms-and.html' title='I&apos;m getting sick from Twitter worms and Mikey Mooney...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7649219252353394348</id><published>2009-04-09T16:41:00.003+02:00</published><updated>2009-04-09T16:52:57.324+02:00</updated><title type='text'>Conficker/Kido starts with upgrade ...</title><content type='html'>The Conficker worm has started to update infected machines with a mystery package of data. It sprang into life late on 8 April. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate. &lt;br /&gt;In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the older variant. The increased activity of Conficker/Kido and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.&lt;br /&gt;This latest Conficker/Kido variant - Net-Worm.Win32.Kido.js (Kaspersky Lab name) - is very different from the previous ones, with some notable points: once again it’s a worm, and it’s only functional until 3rd May. Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting. &lt;br /&gt;One of the files is a rogue antivirus application. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009. 
You can find a picture on the &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187654"&gt;weblog from Kaspersky Lab&lt;/a&gt;.&lt;br /&gt;And this is possibly not the end yet...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7649219252353394348?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7649219252353394348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7649219252353394348'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/04/confickerkido-starting-with-update.html' title='Conficker/Kido starts with upgrade ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8177693895953276381</id><published>2009-04-01T14:54:00.004+02:00</published><updated>2009-04-01T15:09:31.388+02:00</updated><title type='text'>Conficker/Kido FAQ (Frequently Asked Questions)...</title><content type='html'>Kido spreads via local networks and removable storage media. It penetrates computers by exploiting the MS08-067 vulnerability in Windows systems, which Microsoft released a patch for in autumn of last year. Experts believe that a significant number of machines had still not been patched by January, when the spread of Kido was at its peak. Failure to install the patch and to use effective antivirus protection has led to an epidemic: it’s currently estimated that between 5 and 6 million computers which have Internet connectivity are infected with Kido variants. 
&lt;br /&gt;Several factors made today’s global Kido epidemic possible – neglecting to use antivirus products and the absence of an organization which is responsible for the security of the Internet and which unites and coordinates the efforts of governments and IT security experts. &lt;br /&gt;Epidemics of a similar scale have happened in the past. However, the malicious programs which caused these epidemics did not have the extensive capability which Kido has to evade detection and prevent the disinfection of infected machines. &lt;br /&gt;The third version of Kido is currently spreading on the Internet. This program implements the most sophisticated technologies used by malware authors – it downloads updates for itself from site addresses which are constantly changing; it uses local networks as an additional channel for updates; it uses strong encryption to protect itself; it has sophisticated mechanisms for disabling security services etc. &lt;br /&gt;The third version of Kido updates itself by downloading code from 500 domains. These are chosen from a pool of 50,000 domains which is generated daily. The 500 domains are selected at random and this, together with the large number of domains makes it extremely difficult to monitor the domains used by the malicious program. &lt;br /&gt;Because of this, Kido could become the most powerful cybercriminal tool which is highly resistant to being blocked in the history of the Internet. The gigantic botnet created by the authors of Kido gives cybercriminals the ability to conduct extremely powerful DDoS attacks on any Internet resource, to steal confidential data from infected machines and to spread unwanted content (i.e. huge spam mailings). &lt;br /&gt;In March there were mass updates to older versions of this malicious program. 
On 1st April 2009 the Kido botnet will use the approach above to start receiving commands from its creators from 50,000 domains a day; what action the cybercriminals will take subsequently is difficult to predict. &lt;br /&gt;&lt;br /&gt;Kaspersky Lab products successfully prevent all versions of Kido from penetrating users’ computers. Recommendations on how to delete the malicious program are available on the Kaspersky Lab technical support site. &lt;br /&gt;&lt;br /&gt;Also available:&lt;br /&gt;&lt;a href="http://www.kaspersky.com/technews?id=203038750"&gt;FAQ of the Kido virus&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.radio1.be/programmas/vandaag/1-aprilvirus-maar-geen-grap"&gt;Audiofragment on the VRT radio about Kido virus (Only in Dutch)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://player.nos.nl/index.php/media/play/tcmid/tcm:5-498764/"&gt;Kaspersky evangelist Eddy Willems at NOS radio news (Dutch only)&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;We are constantly monitoring the situation.&lt;br /&gt;All press and media will be updated as soon as we have more info.&lt;br /&gt;But I personally think that we will not see too much activity today (April 1), but this can of course change any time and definitely any time after April 1...&lt;br /&gt;&lt;br /&gt;BTW I'm using &lt;a href="http://twitter.com/EddyWillems"&gt;Twitter&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8177693895953276381?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8177693895953276381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8177693895953276381'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/04/confickerkido-faq-frequently-asked.html' title='Conficker/Kido FAQ (Frequently Asked 
Questions)...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4050449624546156074</id><published>2009-03-29T17:38:00.007+02:00</published><updated>2009-03-29T18:13:00.562+02:00</updated><title type='text'>Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009</title><content type='html'>As promised the Infosecurity Belgium fair was very good for Kaspersky Lab. I got loads of interested people during my 2 presentations and the attendance on the booth was also a success. During the fair Kaspersky Lab also donated a cheque for about 16.000 Euro's to &lt;a href="http://en.wikipedia.org/wiki/Kim_Gevaert"&gt;Kim Gevaert&lt;/a&gt; for &lt;a href="http://www.sos-kinderdorpen.be"&gt;SOS Kinderdorpen&lt;/a&gt;.&lt;br /&gt;Here you can find some pictures:&lt;br /&gt;&lt;br /&gt;Picture 1:&lt;br /&gt;Me, Kim and Hannes(my colleague from the sales department)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713788.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 213px; height: 320px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713784.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Picture 2:&lt;br /&gt;Kim and Marjon (my colleague from our marketing department)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748625.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 213px;" 
src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748622.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4050449624546156074?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4050449624546156074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4050449624546156074'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/03/kim-gevaert-and-eddy-willems-at.html' title='Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8946945918458186849</id><published>2009-03-29T12:20:00.004+02:00</published><updated>2009-03-29T12:31:30.869+02:00</updated><title type='text'>Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)</title><content type='html'>A couple of weeks ago I've been interviewed by Marc De Pril from S.Televisie in S.Crimineel, a weekly show which runs in a loop. People who missed it can watch the complete transmission on &lt;a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=255580492"&gt;my iTunes channel&lt;/a&gt; or in 3 parts &lt;br /&gt;via my Youtube channel ... 
and eh oh yes, it's in Dutch (Flemish):&lt;br /&gt;&lt;br /&gt;Part 1&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ITojJTe_g8E&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ITojJTe_g8E&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Part 2&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/5-L1M56Qwls&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/5-L1M56Qwls&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Part 3&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/qkaLXEaCP-s&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/qkaLXEaCP-s&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;And there comes a follow up next month.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8946945918458186849?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8234450/posts/default/8946945918458186849'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8946945918458186849'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/03/cybercrime-on-internet-scrimineel-on.html' title='Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2212550251245057257</id><published>2009-03-29T11:25:00.008+02:00</published><updated>2009-03-29T16:33:27.106+02:00</updated><title type='text'>Chinese computer espionage network Ghostnet discovered.</title><content type='html'>I've been interviewed this morning by 4 FM and Q-Music Belgium about Ghostnet. This mystery electronic spy network apparently based in China has infiltrated hundreds of computers around the world and stolen files and documents, Canadian researchers have revealed. The network, dubbed GhostNet, appears to target embassies, media groups, NGOs, international organisations, government foreign ministries and the offices of the Dalai Lama, leader of the Tibetan exile movement. GhostNet had invaded 1,295 computers in 103 countries, but it appeared to be most focused on countries in south Asia and south-east Asia, as well as the Dalai Lama's offices in India, Brussels, London and New York. The network continues to infiltrate dozens of new computers each week. Such a pattern, and the fact that the network seemed to be controlled from computers inside China, could suggest that GhostNet was set up or linked to Chinese government espionage agencies. 
However, the researchers were clear that they had not been able to identify who was behind the network, and said it could be run by private citizens in China or a different country altogether. GhostNet can invade a computer over the internet and penetrate and steal secret files. It can also turn on the cameras and microphones of an infected computer, effectively creating a bug that can monitor what is going on inside the room where the computer is. Anyone could be watched and listened to. The researchers said they had been tipped off to the network after having been asked by officials with the Dalai Lama to examine their computers. The officials had been worried that their computers were being infected and monitored by outsiders. The Chinese government regularly attacks the Tibetan exile movement as encouraging separatism and terrorism within China. The researchers found that the computers had succumbed to cyber-attack and that numerous files, including letters and emails, had been stolen. The intruders had also gained control of the electronic mail server of the Dalai Lama's computers.&lt;br /&gt;However, the fact that the attacks seem to come from China does not completely prove that the attackers are really coming from China... 
a problem we will always have in Cyberspace.&lt;br /&gt;More interesting to read at &lt;a href="http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=2&amp;hp"&gt;this page&lt;/a&gt; and also Mikko's post &lt;a href="http://www.f-secure.com/weblog/archives/00001637.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2212550251245057257?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2212550251245057257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2212550251245057257'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/03/chinese-computer-espionage-network.html' title='Chinese computer espionage network Ghostnet discovered.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1763617834408872687</id><published>2009-03-27T12:53:00.004+01:00</published><updated>2009-03-27T13:27:13.472+01:00</updated><title type='text'>Please Media and Press don't hype Conficker.c !</title><content type='html'>I don’t know for sure what’s going to happen on April 1st, when Conficker (Kido is the Kaspersky Lab's name) is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date. At least machines infected with the latest variants will have a lot more addresses to "call home" to. 
The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&amp;C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains. While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. There is always the possibility that Conficker starts to act like a real botnet, and even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it could have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.&lt;br /&gt;&lt;br /&gt;Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems). However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether. For instance, by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV etc ... &lt;br /&gt;&lt;br /&gt;Well.. will we see big problems around the first of April?&lt;br /&gt;I personally don't think so.&lt;br /&gt;Will the internet go down? 
Of course not...&lt;br /&gt;Maybe it will be the biggest April 1st joke we will see this year, &lt;br /&gt;but may I at least call on the media not to hype this.&lt;br /&gt;&lt;br /&gt;If you're using a Kaspersky product and you patched your systems you don't need to worry, and that's probably the most scary part ... there are still a lot of corporates which don't patch their systems. Will they never learn? That should be the message for the media and press. Kaspersky will also come up with an official statement soon, as several other vendors are doing.&lt;br /&gt;At least all experts and vendors are monitoring the situation.&lt;br /&gt;And like I've said before, please don't hype the situation.&lt;br /&gt;&lt;br /&gt;You can find a removal tool at this &lt;a href="http://support.kaspersky.com/faq/?qid=208279973"&gt;page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(I'm writing this at the end of Infosecurity Belgium which was fantastic BTW. I've met hundreds of people, friends and even &lt;a href="http://en.wikipedia.org/wiki/Kim_Gevaert"&gt;Kim Gevaert&lt;/a&gt; but that's for another blog later.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1763617834408872687?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1763617834408872687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1763617834408872687'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/03/please-media-dont-hype-confickerc.html' title='Please Media and Press don&apos;t hype Conficker.c !'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4364822649866116687</id><published>2009-03-08T19:24:00.004+01:00</published><updated>2009-03-08T19:34:27.308+01:00</updated><title type='text'>Back from CeBIT 2009.</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/cebit2009-736651.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/cebit2009-736635.jpg" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from CeBIT 2009. Kaspersky Lab was present as always with a big booth, loads of interviews and the Russian Disco evening... legendary at CeBIT ... but no official blog (see www.viruslist.com ). Well this year it was maybe a little bit different. At least I'm looking forward to next year, to hear one of my interviews (Suisse Radio) or to read/watch/hear the other interviews.  
;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4364822649866116687?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4364822649866116687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4364822649866116687'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/03/back-from-cebit-2009.html' title='Back from CeBIT 2009.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1950923638927566272</id><published>2009-02-26T19:30:00.003+01:00</published><updated>2009-02-26T19:38:45.499+01:00</updated><title type='text'>I love Facebook but ...</title><content type='html'>A week ago the company published new terms and conditions for being a Facebook user which included a perpetual retroactive license to use your content nearly any way they see fit - even after you "delete" your account. Thousands cried foul and there was even a threat to file a complaint with the FTC. Facebook has since backed down and reverted to its previous user agreement. Nevertheless the issue points out the severe risks of using social networking services - especially Facebook. Some might say that the site operates in a fashion similar to a gigantic information gathering operation that lures people in by offering fancy tools that allow them to exercise their egos to various extremes. Others might just think it's "cool" and a "must-do" sort of thing because their peers expect them to participate. 
The bottom line here is that Facebook has demonstrated a clear intent to leverage you and your content to their own advantage.  &lt;br /&gt;So my advice is this: Don't use Facebook too much... But if you can't resist then don't post anything on Facebook that the majority of people don't already know about you. In fact you might consider adopting as part of your company security policy a ban that prohibits employees from mentioning anything about your company in their Facebook profiles. One tiny data leak could be used against you and there'd probably be little if anything you can do about it. &lt;br /&gt;&lt;br /&gt;I love Facebook but like everything else, don't exaggerate, and that's exactly what everyone is doing. And I haven't even spoken about the (in)security of possible 'Facebook'-applications and other related security problems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1950923638927566272?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1950923638927566272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1950923638927566272'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/i-love-facebook-but.html' title='I love Facebook but ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4882560936072060011</id><published>2009-02-25T09:48:00.003+01:00</published><updated>2009-02-25T09:55:46.455+01:00</updated><title type='text'>Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability.</title><content 
type='html'>I hope you are aware of the &lt;a href="http://secunia.com/advisories/33901/"&gt;0-day vulnerability&lt;/a&gt; currently being actively exploited in Adobe Reader/Acrobat. I initially heard rumours about this 0-day vulnerability on 16th February 2009. Three days later, Adobe &lt;a href="http://www.adobe.com/support/security/advisories/apsa09-01.html"&gt;confirmed&lt;/a&gt; the existence of the 0-day vulnerability and Secunia issued an advisory. Over the last couple of days, I have seen many sources recommend that users disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it seems that it does not protect against the actual vulnerability. Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled. &lt;br /&gt;Bottom line: All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not. 
I hope that Adobe will be issuing patches very soon.&lt;br /&gt;To be continued ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4882560936072060011?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4882560936072060011'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4882560936072060011'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/adobe-readeracrobat-jbig2-indexing-zero.html' title='Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-146073810408329142</id><published>2009-02-24T09:52:00.003+01:00</published><updated>2009-02-24T10:02:43.735+01:00</updated><title type='text'>Some malware predictions for the next 10 months of 2009.</title><content type='html'>A little bit late I know ... but it seems that working for a security vendor takes more time than I thought!   ;-)&lt;br /&gt;&lt;br /&gt;Just to sum it up in a couple of lines, these are a couple of my own predictions:&lt;br /&gt;&lt;br /&gt;. Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. I expect this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email which is already the case today.&lt;br /&gt;. Personalized Threats Speak Your Language. 
I expect to see the continued expansion of malware in languages other than English like Dutch, etc... Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.&lt;br /&gt;. Malware Targets Consumer Devices. I expect to see increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.&lt;br /&gt;. Security Software Scams. The malware underworld is using mainstream practices in an effort to "sell" security software that is either misleading or outright fraudulent. This trend will continue.&lt;br /&gt;. Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, etc allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties. &lt;br /&gt;. More Targeted Phishing and Corporate Blackmailing. Botnets via zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market. &lt;br /&gt;. Browser-Based Attacks. 
Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware. &lt;br /&gt;. Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.&lt;br /&gt;. More Scams Involving Home Businesses. "Legitimate" home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We'll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.&lt;br /&gt;. Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary "from" addresses. This has increased the usability of these services significantly to businesses, but has also increased the "abusability" by spammers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-146073810408329142?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/146073810408329142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/146073810408329142'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/some-malware-predictions-for-next-10.html' title='Some malware predictions for the next 10 months of 2009.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5712123920655673329</id><published>2009-02-20T23:23:00.004+01:00</published><updated>2009-02-20T23:51:34.071+01:00</updated><title type='text'>Eddy Willems in S.Crimineel on S.Televisie</title><content type='html'>What a week.. pff.. 5 days looked like 5 minutes, do you know the feeling?&lt;br /&gt;Of course there was a climax with Eugene Kaspersky, our CEO and my boss, coming to the IDC European Security Conference. After a terrific panel session with several other experts and loads of interviews with the press, including a very nice one with Kanaal Z, we went out for a good dinner in the well-known Beenhouwerstraat in Brussels.&lt;br /&gt;Returning home and zapping through all the TV channels I realised that not only Eugene was on it (Kanaal Z): I saw myself showing up in S.Crimineel on S.Televisie, a show about criminality and law in general that is repeated three times a day. Quite a long show and interview, about 23 minutes in one long shot taken without cutting. You can still watch the show until next Thursday if you have cable television from Telenet, a known ISP and cable provider in Belgium. &lt;br /&gt;So everybody will at least see something from Kaspersky somewhere! For the people who don't have cable TV or Telenet I will shortly put a link to the show on the press page of my site.&lt;br /&gt;So let's see what the next week will bring after this strange and quick week and of course .. the hacks of the websites of Kaspersky, Bitdefender, F-Secure and Symantec .... 
but that's another story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5712123920655673329?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5712123920655673329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5712123920655673329'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/eddy-willems-in-scrimineel-on.html' title='Eddy Willems in S.Crimineel on S.Televisie'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-744407550307677928</id><published>2009-02-11T15:23:00.007+01:00</published><updated>2009-02-11T15:32:56.141+01:00</updated><title type='text'>About testing anti-malware products...</title><content type='html'>Kaspersky Lab is an enthusiastic supporter of this initiative, and several members of the research team attended the AMTSO meetings already. And AMTSO seems to get there... Recently there was a meeting in Cupertino. Major progress was made on a number of papers I’d say are pretty important: these include not only a glossary, but also papers that discuss such topics as gathering samples, sample validation, in-the-cloud testing, issues with malware creation or modification for testing purposes, and whole product evaluation, and I expect to see quite a few of these finished and approved before the next AMTSO meeting. &lt;br /&gt;Standardization on good practice is good for the industry, of course, and continuing cooperation between the antimalware and testing industries benefits both parties. 
But if we do this properly, it will be even more beneficial for end-users and prospective and actual customers. Not because what’s good for the industry is good for its customers, but because what we’re aiming for is to make it easier for them to distinguish between good and bad testing.&lt;br /&gt;So this is indeed a good thing protecting everybody from bad testing.&lt;br /&gt;What did you say?&lt;br /&gt;Oh yes I've seen a lot of bad tests in the last 2 decennia...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-744407550307677928?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/744407550307677928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/744407550307677928'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/about-testing-anti-malware-products.html' title='About testing anti-malware products...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2052439473018737085</id><published>2009-02-10T18:54:00.005+01:00</published><updated>2009-02-10T19:34:04.605+01:00</updated><title type='text'>Kaspersky US Site hacked, so what?</title><content type='html'>In the Kaspersky US hack, which was discovered last Saturday, no sensitive or customer data was compromised but to allay concerns about the severity of the problem, Kaspersky Lab has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved. A section of Kaspersky's new U.S. 
support site was breached by someone using a SQL injection attack. After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky Lab an email - on a Saturday - to several public email boxes. They gave us exactly 1 hour to respond, and posted on their blog without having received a response. Obviously I am not happy about this, and Kaspersky Lab is in the process of making the review process stricter than it currently is. Kaspersky Lab is doing everything to do the best forensics on this case and to prevent this from ever happening again.&lt;br /&gt;&lt;br /&gt;At least some key points to remember in this case:&lt;br /&gt;• NO data was compromised, and KL hired a 3rd party organization to do an independent audit to confirm this.&lt;br /&gt;• The attack happened on a subsection of the US site with no link to the ecommerce or global site. No KL websites other than the US site were attacked.&lt;br /&gt;• This attack has nothing to do at all with the quality of our products, of course! &lt;br /&gt; &lt;br /&gt;You can read more about what really happened at the official Kaspersky &lt;a href="http://www.viruslist.com/en/weblog"&gt;blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Interesting for the more technical reader ... it seems that a variant of the Acunetix tool was used to facilitate the attack. &lt;br /&gt;Isn't that a 'special' form of promotion? ;-)&lt;br /&gt;&lt;br /&gt;And oh yes, I'm a little bit sick today (possibly caught a cold) but I'm using 'Sinutab' to clear up my personal health problem today. &lt;br /&gt;So, does this change me, am I a different person now? &lt;br /&gt;No, I'm still the good old Eddy with all his known skills. 
(I suppose so) &lt;br /&gt;Do you know what I mean?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2052439473018737085?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2052439473018737085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2052439473018737085'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/kaspersky-us-site-hacked-so-what.html' title='Kaspersky US Site hacked, so what?'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4933161904216880554</id><published>2009-02-04T21:05:00.003+01:00</published><updated>2009-02-04T21:32:35.656+01:00</updated><title type='text'>A day in the Life of a Kaspersky Lab Security Evangelist...</title><content type='html'>A day in the life of a Security Evangelist is sometimes unbelievably overloaded.&lt;br /&gt;Today I answered 150 emails out of a total of 479 I received, and the day isn't finished yet. I spoke to a couple of journalists. I traveled to Hilversum in the Netherlands, where I'm writing this short blog piece. I have a hotel just in front of the 'mediapark', where I will have an interview tomorrow with an 'NOS' journalist for the evening TV journal and radio journal about the Shadowbotnet case. Indeed the case enters a second phase, as Friday will be the preview of the real case before it comes to 'Justice'. 
Today I also arranged an interview for next week with 'S.televisie', a Telenet cable channel in Belgium, where I will be interviewed in the program 'S.Crimineel' about internet crime. Tomorrow afternoon I will present 'A Virus Analyst in 15 Minutes?' at IT Security &lt;a href="http://it-security.heliview.nl/"&gt;Heliview&lt;/a&gt; in Hoevelaken, the Netherlands. &lt;br /&gt;And possibly after that I will travel back home by car, where I will encounter several traffic jams.... &lt;br /&gt;&lt;br /&gt;And guess what, my Kaspersky Lab anti-malware program is just detecting and blocking an intrusion attempt on my laptop ... just at the end of this blog.&lt;br /&gt;Nice, isn't it, working on an unprotected internet connection from this hotel.. well, at least I know what to do and I'm well protected, but is that the case for everyone in this hotel? I don't think so.&lt;br /&gt;This was a normal day in the normal life of a Security Evangelist, and there are people who think that I've got an easy job.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4933161904216880554?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4933161904216880554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4933161904216880554'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/02/im-busy-with-nosstelevisiedag.html' title='A day in the Life of a Kaspersky Lab Security Evangelist...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6851865872806763192</id><published>2009-01-21T16:47:00.003+01:00</published><updated>2009-01-21T17:03:02.761+01:00</updated><title type='text'>Kido / Conficker / Downadup is really hard to remove.</title><content type='html'>In the last week or so there has been a resurgence in the Kido worm that I first saw in November. This is probably due to the malware authors adding some new propagation methods, such as spreading via USB flash drives and Windows file-sharing.&lt;br /&gt;These techniques make it hard to remove from a network, as a single computer unpatched against the Microsoft MS08-067 security vulnerability is able to reinfect the whole network via file shares. Obviously the best thing you can do is make sure that Microsoft’s patch is in place on every vulnerable computer on your network.&lt;br /&gt;&lt;br /&gt;I've been interviewed a dozen times (including some TV journals, VRT and VTM) and you can find some of the articles at the press page on my website. &lt;br /&gt;The situation in Belgium and the Netherlands is quite good compared to the rest of the world. So did we all apply the MS08-067 patch ASAP in the Benelux? 
&lt;br /&gt;I hope we will have an improved (read: less infected) worldwide situation soon...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6851865872806763192?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6851865872806763192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6851865872806763192'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/01/kido-conficker-downadup-is-really-hard.html' title='Kido / Conficker / Downadup is really hard to remove.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3577457948365854223</id><published>2009-01-14T20:05:00.003+01:00</published><updated>2009-01-14T20:15:27.849+01:00</updated><title type='text'>Net-Worm.Win32.Kido.bt outbreak?</title><content type='html'>Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media. The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines. Users are strongly recommended to ensure their antivirus databases are up to date. 
A patch for the vulnerability is available from Microsoft, but like always you must install it, and it seems that a lot of people and companies were too busy with new year events and were surprised by this one.&lt;br /&gt;A detailed description of Net-Worm.Win32.Kido.bt and removal instructions are available &lt;a href="http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782725"&gt;here&lt;/a&gt;. &lt;br /&gt;Several companies in Belgium and the Netherlands have been affected by this worm ... and it's not over yet, but I can assure you that we are reaching the levels of a real outbreak, and it's really been a while since we've seen this. A trend to look at and to investigate.&lt;br /&gt;&lt;br /&gt;And .. eh BTW .. My Best Wishes for the New Year! &lt;br /&gt;Isn't that a nice start for the new year?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3577457948365854223?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3577457948365854223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3577457948365854223'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2009/01/net-wormwin32kidobt-outbreak.html' title='Net-Worm.Win32.Kido.bt outbreak?'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2163705070991145011</id><published>2008-12-23T15:18:00.003+01:00</published><updated>2008-12-23T15:29:20.976+01:00</updated><title type='text'>Dangerous eCards in the Wild ... 
A Merry Christmas to you all!</title><content type='html'>Are you really surprised? A couple of days ago I started to receive reports of emails pretending to carry links to holiday cards. These emails contain a link that points to a file named ecard.exe. Of course, this executable is not a seasonal holiday card but malware. The reason this wave of malware has attracted my attention is that it is very similar to the Storm Worm attacks we were seeing last year. Although this attack uses fast-flux to make it harder to trace its web servers and a redirection page very similar to those used by Storm last year, this is not the resurrection of the Storm botnet. What we are observing today is proof that malware authors are learning from each other’s errors and successes. After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success. Most AV vendors are detecting this by now, but you'll know that this is definitely not the last malicious eCard we or you will see. &lt;br /&gt;Please just use ordinary plain text mails, it's so much nicer (read 'more intelligent') and it's more effective in my opinion. But am I not saying this every year? &lt;br /&gt;&lt;br /&gt;Well, at least what I really want to say from my own safe spot in Belgium:&lt;br /&gt;A Merry Christmas to you all!&lt;br /&gt;And that's more or less in plain HTML. 
;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2163705070991145011?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2163705070991145011'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2163705070991145011'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/12/dangerous-ecards-in-wild-merry.html' title='Dangerous eCards in the Wild ... A Merry Christmas to you all!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7841672856653968823</id><published>2008-12-17T13:35:00.003+01:00</published><updated>2008-12-17T13:39:08.886+01:00</updated><title type='text'>MS IE patch ready for Security Advisory 961051 (Zero-day exploit) !</title><content type='html'>Microsoft Corp. have announced that they are to release an emergency patch for Internet Explorer, in the hope of fixing the security bug that allowed attackers to exploit the IE browser. The critical patch could not come any sooner for the millions of IE users who have been too scared to use the browser. The warning about the bug came last week, after Microsoft had no choice but to go public about the exploit code. Hackers are able to hack into your Windows computer and then hijack Internet Explorer. Microsoft announced that an out-of-cycle patch will be ready at 1 p.m. Eastern time on Wednesday, via Windows Update, Windows Server Update Services and Microsoft Update. The IE update will be labeled “critical,” which is the highest ranking update from Microsoft. 
So what do you think? Is one week enough these days to patch a 'critical' problem?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7841672856653968823?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7841672856653968823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7841672856653968823'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/12/ms-ie-patch-ready-for-security-advisory.html' title='MS IE patch ready for Security Advisory 961051 (Zero-day exploit) !'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-159316070782655673</id><published>2008-12-16T11:52:00.003+01:00</published><updated>2008-12-16T12:02:55.322+01:00</updated><title type='text'>Zero-day exploits targeting Internet Explorer vulnerability.</title><content type='html'>Microsoft recently expanded their &lt;a href="http://www.microsoft.com/technet/security/advisory/961051.mspx"&gt;Security Advisory 961051&lt;/a&gt; to include all versions of Internet Explorer. The vulnerability was originally thought to only affect IE7, but it is now a problem for a whole range of related versions as well ... like IE 5, 6, 7 and 8... And some other bad news: SQL Injection attacks are being used to hack legitimate websites in order to host these exploits, turning trusted sites into malicious exploit hosts.&lt;br /&gt;There are a number of workarounds that may provide some mitigation if you look at the MS Security Advisory. 
Another solution is to use another browser, like Firefox or Google Chrome. &lt;br /&gt;And trust me ... this problem is underestimated at this moment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-159316070782655673?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/159316070782655673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/159316070782655673'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/12/zero-day-exploits-targeting-internet.html' title='Zero-day exploits targeting Internet Explorer vulnerability.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6988184914912925342</id><published>2008-12-11T17:16:00.003+01:00</published><updated>2008-12-11T17:30:14.099+01:00</updated><title type='text'>Back from Moscow with Eugene Kaspersky...</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/eugeneddy2008-711291.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/eugeneddy2008-711258.jpg" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from my trip to Moscow, from a marvelously organized Kaspersky Lab press event, where I also had some other interesting meetings. We got loads of press coverage. Some of it was covered by ZDNet in Belgium and the Netherlands, with interviews with me, Eugene Kaspersky and David Emm. 
If you can read Dutch (or Flemish) please have a look at &lt;a href="http://www.zdnet.be/news.cfm?id=95582"&gt;this page&lt;/a&gt;, &lt;a href="http://www.zdnet.be/news.cfm?id=95618"&gt;this one&lt;/a&gt; or &lt;a href="http://www.zdnet.be/news.cfm?id=95742"&gt;this one&lt;/a&gt;. &lt;br /&gt;Oh yes, BTW on the picture you can see me and Eugene Kaspersky during one of the evening events.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6988184914912925342?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6988184914912925342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6988184914912925342'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/12/back-from-moscow-with-eugene-kaspersky.html' title='Back from Moscow with Eugene Kaspersky...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5596883427592861617</id><published>2008-11-30T15:15:00.005+01:00</published><updated>2008-11-30T15:31:01.019+01:00</updated><title type='text'>Spam down, spam up, spam down ... time for a trip to Moscow.</title><content type='html'>In the world of spam, what goes down must come up. Two weeks after the shutdown of web hosting firm McColo, which saw a two-thirds drop in spam worldwide, spam numbers are creeping up again. Some 450,000 infected computers have been spotted trying to connect to the largest of the networks McColo hosted. 
McColo served as host to a number of "command and control" centres for botnets, networks of infected computers called bots that send spam and engage in other malicious activities. With the shutdown of McColo, these botnets have been left without a centralised command, and the botnets' owners will be on the hunt for new hosts and bandwidth. The bots will remain infected with the malware that recruited them, and may soon be recruited anew. In combination with the typical spam cycle that sees rises around the Christmas season, it would seem that the scourge of spam will return to its former strengths soon. &lt;br /&gt;It's really like a cat and mouse game, isn't it?&lt;br /&gt;&lt;br /&gt;BTW I'm on my way to Moscow for some interesting Kaspersky Lab meetings. This time possibly I'll have one day extra to see at least something more from Moscow compared to my last visits. Time flies, it's nearly about one year ago I joined the Kaspersky team. And I really enjoyed it so far!  ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5596883427592861617?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5596883427592861617'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5596883427592861617'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/11/spam-down-spam-up-spam-down-time-for.html' title='Spam down, spam up, spam down ... 
time for a trip to Moscow.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7887377122629907379</id><published>2008-11-23T17:11:00.006+01:00</published><updated>2008-11-23T17:27:55.009+01:00</updated><title type='text'>Cyber-bullying advice on CityTalk FM (Liverpool Radio): an interview with Eddy Willems.</title><content type='html'>It was anti-bullying week in the UK and our UK press office asked me to talk about it with CityTalk FM (Liverpool Radio) during their breakfast show.&lt;br /&gt;&lt;br /&gt;But do you really know what cyber-bullying is?&lt;br /&gt;Well, cyber-bullying (predominantly spelled cyberbullying by many researchers) is when someone repeatedly makes fun of another person online or repeatedly picks on another person through emails or text messages, or uses online forums and postings intended to harm, damage, humiliate or isolate another person that they don’t like.&lt;br /&gt;&lt;br /&gt;We cannot claim to be able to stop cyber-bullying, but we can and should educate those who may be concerned about it (parents, teachers, school children and of course those in the workplace) and offer advice regarding how to stay safe online in order to enjoy the many benefits of Internet usage without the potential dangers. Of course, using Kaspersky Lab Internet security is valuable for anyone that goes online, as it helps to prevent ID theft, fraud and online predators as well as programs that may harm the computer. 
It (well, ours certainly) does have some valuable functions that can help parents, teachers and indeed employers to put safeguards in place; however, we can also offer some other valuable advice such as:&lt;br /&gt;• Talk to someone you trust about it, like a friend, a teacher or an older relative &lt;br /&gt;• Keep and save any bullying emails, text messages or images you receive &lt;br /&gt;• Make a note of the time and date that messages or images were sent, along with any details you have about the sender &lt;br /&gt;• Try changing your online user ID or nickname &lt;br /&gt;• Change your mobile phone number and only give it out to close friends &lt;br /&gt;• Mobile phone companies and internet service providers can trace bullies, so don’t be afraid of reporting it to them &lt;br /&gt;• Block instant messages from certain people or use mail filters to block emails from specific email addresses &lt;br /&gt;• Don't reply to bullying or threatening text messages or emails – this could make matters worse and lets those carrying out the bullying know that they've found a 'live' phone number or email address &lt;br /&gt;• Report serious bullying, like threats of a physical or sexual nature, to the police &lt;br /&gt;&lt;br /&gt;You can find the interview on my WAVCi press page or at &lt;a href="http://www.citytalk.fm"&gt;CityTalk.FM&lt;/a&gt; (breakfast radio with Phil and Kim) or &lt;a href="http://www.wavci.com/media08/citytalkfmbreakfastshow20112008.wma"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7887377122629907379?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7887377122629907379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7887377122629907379'/><link rel='alternate' type='text/html' 
href='http://eddywillems.blogspot.com/2008/11/cyber-bullying-advice-on-citytalk-fm.html' title='Cyber-bullying advice on CityTalk FM (Liverpool Radio): an interview with Eddy Willems.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-126145841649180628</id><published>2008-11-11T15:12:00.002+01:00</published><updated>2008-11-11T15:21:06.974+01:00</updated><title type='text'>Looking at what's happening within malicious PDFs...</title><content type='html'>During Infosec.nl, as blogged before (my previous post), I will talk about the virus analyst's daily work. One nice tool which could fit in is one of the tools created by Didier Stevens, a blogger friend. &lt;br /&gt;On his blog he describes how, using this tool, he can reconstruct the trial-and-error process of the malware writer by looking at the incremental updates and metadata within the malicious PDF.&lt;br /&gt;Nice reading at this link:&lt;br /&gt;&lt;a href="http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/"&gt;http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-126145841649180628?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/126145841649180628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/126145841649180628'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/11/looking-whats-happening-within-malicous.html' title='Looking at what&apos;s 
happening within malicous PDF&apos;s...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6478475909339045522</id><published>2008-11-06T14:51:00.005+01:00</published><updated>2008-11-06T15:10:54.848+01:00</updated><title type='text'>A virusanalyst in 15 minutes? (at Infosecurity.nl 2008)</title><content type='html'>Is it possible to become a virusanalyst in 15 minutes? That's the question which will be answered during my presentation at Infosecurity.nl . If you want to have a look at the daily work of an analyst or want to become one, this is a must! &lt;br /&gt;You can find more info at the website &lt;a href="http://sites.vnuexhibitions.com/sites/bezoekers_infosecurity_nl/nl/page.asp?module=pages&amp;type=item&amp;id=20284"&gt;www.infosecurity.nl&lt;/a&gt; &lt;br /&gt;I will be also available at the venue in Utrecht &lt;br /&gt;during the 2 days at our booth 08D060. &lt;br /&gt;The case study and presentation will be given in room 9. (14:45-15:15 daily)&lt;br /&gt;A lot of people already registered to attend this presentation, so hurry up if you want to be there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6478475909339045522?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6478475909339045522'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6478475909339045522'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/11/virusanalyst-in-15-minutes.html' title='A virusanalyst in 15 minutes? 
(at Infosecurity.nl 2008)'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2480728287563232543</id><published>2008-11-05T15:53:00.003+01:00</published><updated>2008-11-05T15:58:20.387+01:00</updated><title type='text'>MS08-067 problems continued ...</title><content type='html'>The first reports of a worm capable of exploiting the MS08-067 vulnerability are showing up. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration. The worm component is detected as Exploit.Win32.MS08-067.g by Kapsersky Lab. Other names can be used by other AV vendors. (Exploit:Win32/MS08067.gen!A = Microsoft's name)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2480728287563232543?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2480728287563232543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2480728287563232543'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/11/ms08-067-problems-continued.html' title='MS08-067 problems continued ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8539487833308128660</id><published>2008-10-31T14:40:00.002+01:00</published><updated>2008-10-31T14:43:02.801+01:00</updated><title type='text'>POC binaries for MS08-067 seen...</title><content type='html'>The first Proof of Concept binaries that target the MS08-067 vulnerability have been seen. The payload's function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. Let's keep an eye on it ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8539487833308128660?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8539487833308128660'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8539487833308128660'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/poc-binaries-for-ms08-067-seen.html' title='POC binaries for MS08-067 seen...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1441385684975418158</id><published>2008-10-31T14:24:00.003+01:00</published><updated>2008-10-31T14:29:18.049+01:00</updated><title type='text'>EstDomains is not dead yet ...</title><content type='html'>The EstDomains story continues. ICANN received a response from EstDomains, and the termination has been stayed. 
&lt;br /&gt;You can read the details &lt;a href="http://www.icann.org/en/announcements/announcement-2-29oct08-en.htm"&gt;here&lt;/a&gt;.&lt;br /&gt;What a good lawyer can do these days, isn't it?&lt;br /&gt;What could I say ... a 'postponing of execution' ... I hope.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1441385684975418158'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1441385684975418158'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/estdomains-is-not-yet-dead.html' title='EstDomains is not dead yet ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-5287502758587875827</id><published>2008-10-30T20:34:00.003+01:00</published><updated>2008-10-30T20:43:07.163+01:00</updated><title type='text'>EstDomains is dead ...</title><content type='html'>EstDomains is a domain registrar operating from Estonia. They've been the largest registrar used by online criminals for their domain name registration needs. ICANN has pulled the plug on EstDomains, and is removing EstDomains from the list of ICANN-accredited registrars. Most of us first ran into EstDomains in 2005, when investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this new Estonian registrar.&lt;br /&gt;Since then, tens of thousands of malicious domains have been registered with EstDomains. 
These include drive-by-download sites, botnet command-and-control servers, spammed domains and so on.&lt;br /&gt;&lt;br /&gt;So this is really good news, but it took ICANN a long time to do it.&lt;br /&gt;Nevertheless ... thank you ICANN. &lt;br /&gt;You can read more on the blogs of F-Secure and McAfee.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5287502758587875827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5287502758587875827'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/estdomains-is-dead.html' title='EstDomains is dead ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-6945816423248472687</id><published>2008-10-30T20:29:00.003+01:00</published><updated>2008-10-30T20:34:03.528+01:00</updated><title type='text'>MS08-067 vulnerability could hit us hard if we don't patch.</title><content type='html'>Apply the patch referred to in MS08-067 right away, because Trojan horses that take advantage of this security hole are sure to hit us soon. The vulnerability is similar to the hole that was used by the MSBlaster worm, which surfaced on the Internet in 2003. So don't let down your guard. 
Patch your PC if you haven't already done so, because this vulnerability is sure to be the focus of malware authors before long.&lt;br /&gt;Since it's only a matter of time until such attacks become widespread, I urge you to reach out to other Windows users you know to ensure that they're protected from this vulnerability — once you've patched your own systems, that is. And oh yes, don't forget to reboot after the patch! A lot of users seem to forget this, and the reboot is really needed.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6945816423248472687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6945816423248472687'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/ms08-067-vulnerability-could-hit-us.html' title='MS08-067 vulnerability could hit us hard if we don&apos;t patch.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-5913319255361863388</id><published>2008-10-29T20:11:00.001+01:00</published><updated>2008-10-29T20:13:11.022+01:00</updated><title type='text'>Clickjacking: A security problem for all browsers.</title><content type='html'>At the moment of writing, most browsers are still susceptible to clickjacking, but you can take steps to reduce the risk. But what is clickjacking really?&lt;br /&gt;&lt;br /&gt;Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. 
When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as logging on to your online checking account.&lt;br /&gt;&lt;br /&gt;By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks on what appear to be legitimate links. The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in. If they can control where your clicks are going, they may be able to get a user to reconfigure the system so that its security is disabled. &lt;br /&gt;In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.&lt;br /&gt;Clickjacking isn't new. In fact, it dates back to at least 2002 or 2003. &lt;br /&gt;What's new is the range of browser vulnerabilities that make clickjacking possible.&lt;br /&gt;There are multiple variants of clickjacking. Some variants require cross-domain access, some don't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF [Cross-Site Request Forgery] to pre-load data in forms, some don't. Clickjacking is not any one of these use cases, but rather all of them. This doesn't mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites. 
Disabling JavaScript has serious drawbacks, because so much of the Web's interactivity is driven by JavaScript apps. And even browsing with JavaScript disabled will not protect against all possible avenues of attack. Most browsers are vulnerable. &lt;br /&gt;Besides browsers, the bad guys can also exploit Web programs such as Adobe's Flash player. For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic. Clickjacking vulnerabilities don't stop there; attacks may also be launched via iFrames by using cross-site scripting techniques. So disabling browser plug-ins and scripting will help, but it is no panacea, given the threat's complexity.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Can you stay safe in a clickjacking, internet-connected world? &lt;br /&gt;&lt;br /&gt;Browser and plug-in vendors have joined other organizations in describing what you can do to stay safe. Adobe, the Mozilla Foundation and Microsoft have several web pages up describing precautions or solutions. Even taking all these precautions doesn't guarantee that your system is 100% immune to the new threat. You'll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.&lt;br /&gt;While we're all waiting for vendors to patch their products, when in doubt ask yourself whether your mother would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click. &lt;br /&gt;&lt;br /&gt;However, I stay optimistic. 
While the threat of attack may be high for the next three to six months, I expect more complete protections to become available within the same timeframe.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5913319255361863388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5913319255361863388'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/clickjacking-security-problem-for-all.html' title='Clickjacking: A security problem for all browsers.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-2372787117448035113</id><published>2008-10-24T12:54:00.004+02:00</published><updated>2008-10-24T13:00:12.790+02:00</updated><title type='text'>A problematic MS remote code execution vulnerability fixed, please update ASAP!</title><content type='html'>Yesterday Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability: MS have seen targeted attacks using it to compromise fully patched Windows XP and Windows Server 2003 computers, so MS have released the fix "out of band" (not on the regular Patch Tuesday). 
Due to the serious nature of the vulnerability and the threat landscape requiring an out-of-band release, you probably have questions about your own organization's risk level, what actions you can take to protect yourself, and why newer platforms are at reduced risk. We hope to answer those questions in this blog post.&lt;br /&gt;&lt;br /&gt;Which platforms are at higher risk?&lt;br /&gt;&lt;br /&gt;An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:&lt;br /&gt;&lt;br /&gt;1) Firewall is disabled&lt;br /&gt;2) Firewall is enabled but file/printer sharing is also enabled.&lt;br /&gt;&lt;br /&gt;When File/Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall only exposes the RPC interface to the network type on which the share was enabled. For example, if a printer is shared on a network of type ‘Private’, the firewall will block incoming RPC connections if the computer switches over to a network of type ‘Public’. 
If you then choose to share the printer on the network type ‘Public’, Vista and Windows Server 2008 will prompt you to confirm that you really want to enable “File and Printer Sharing” for ALL public networks.&lt;br /&gt;&lt;br /&gt;For more information about file/printer sharing, visit the following URLs:&lt;br /&gt;&lt;br /&gt;- for Vista &lt;a href="http://technet.microsoft.com/en-us/library/bb727037.aspx"&gt;http://technet.microsoft.com/en-us/library/bb727037.aspx&lt;/a&gt;&lt;br /&gt;- for XP &lt;a href="http://www.microsoft.com/windowsxp/using/security/learnmore/sp2firewall.mspx"&gt;http://www.microsoft.com/windowsxp/using/security/learnmore/sp2firewall.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Most perimeter firewalls will block exploit attempts from outside your organization&lt;br /&gt;&lt;br /&gt;If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445, you will not be reachable from the Internet. This is a common home user scenario. In this scenario, only machines on your local LAN are in a position to exploit this vulnerability against you.&lt;br /&gt;&lt;br /&gt;How you can protect yourself&lt;br /&gt;&lt;br /&gt;You should apply the security update as soon as you can. This is the best way you can protect yourself. While you are testing the update and preparing your deployment process, you may choose to use one or more of the workarounds listed in the security bulletin. 
( &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&lt;/a&gt; )</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2372787117448035113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2372787117448035113'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/problematic-ms-remote-code-execution.html' title='A problematic MS remote code execution vulnerability fixed, please update ASAP!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-8513029193401078301</id><published>2008-10-21T11:15:00.005+02:00</published><updated>2008-10-21T11:36:26.215+02:00</updated><title type='text'>Everyone could become a cyber-criminal? I'm not sure...</title><content type='html'>Or in Dutch 'Iedereen kan een cyber-crimineel worden', quoted from De Standaard, a newspaper in Belgium. &lt;br /&gt;You can find the article &lt;a href="http://www.standaard.be/Artikel/Detail.aspx?artikelId=LO21VSI1&amp;ref=front"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Well, this is my reaction to this article, and I do not completely agree! &lt;br /&gt;The problem lies in our mindset, and as long as not everybody is thinking the right way we will indeed face a problem. It's something I already told the public back in 2004. 
The general public and children do not seem to know what computer security is. And it all goes back to what we teach our children, and that's the real problem in my opinion. We don't teach children well these days. My research found that some of them even find the idea of becoming a hacker or a virus writer ‘cool’. Although some families use parental control mechanisms to secure their home computer networks, many children know how to bypass these mechanisms. Generally, it seems that our children’s knowledge of ethical computer behaviour and good ‘netiquette’ is a long way off target.&lt;br /&gt;&lt;br /&gt;And it's not only children anymore these days. This article in 'De Standaard' is a perfect example, 'unfortunately'! Was it really necessary to show the real problem to the public and go to the press with it? Do you as a reader of this blog still know the line between good and bad on the internet? I doubt it.&lt;br /&gt;&lt;br /&gt;A suggestion as to how we may begin to influence students and young people is by using societal control. An example of how this has worked in the past is with the issue of drink-driving. At one time, drinking and driving was a personal choice, but as society witnessed some of the consequences of the combination of the two activities, we began to pass laws which restricted such behaviour. Initially there was some resistance to these laws – people saw them as an infringement on their rights. However, as the laws became more widely accepted, people began to refuse to drink and drive on the principle that it is ‘wrong’ to do so.&lt;br /&gt;Policy makers and law makers are very aware of this form of societal control. However, they are less aware of the societal structure of ‘cyberspace’, and for this reason there is the danger that the laws they make will not create the desired ethical model, and conversely will create a backlash or revolutionary movement. 
By taking time to develop realistic policies and effective laws, it is possible we can avoid such a reaction. The speed with which global electronic communication is developing has brought with it an enormous benefit to all those fortunate enough to be able to exploit it. However, it has also brought opportunities to those who are willing to abuse it. The way in which it has introduced relative and absolute anonymity for its users may encourage acts which would otherwise have appeared too risky to the perpetrator. Its very nature may encourage various kinds of anti-social activities, ranging from innocent pranks through serious malicious damage to data and individuals, to downright criminal fraud. Because many of its principal users are relatively young, or people who may be impressionable or unprincipled, an ethos has developed in the Internet community in which it is ‘cool’ to be an outlaw. Moreover, the inherent power embodied in being able to control the ‘system’ is potentially irresistible.&lt;br /&gt;Resources that would enable us to emphasize and integrate ethical computing behaviour may provide a stabilizing influence. Our computing environments are very vulnerable regarding distribution of information – after all, it is what they were designed to do. If we want to change people’s behaviour and reduce the attractiveness of becoming a virus writer or hacker, we must start ethical computer education at a much earlier age. I think the way forward is to recognize the different factors introduced by computer technology – factors we have long ignored. If we don’t, the technology may ultimately be self-destructive.&lt;br /&gt;But that's not what you always read in the newspapers, is it?   
;-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8513029193401078301'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8513029193401078301'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/everyone-could-become-cyber-criminal-im.html' title='Everyone could become a cyber-criminal? I&apos;m not sure...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-7425209353864540620</id><published>2008-10-16T20:18:00.002+02:00</published><updated>2008-10-16T20:24:56.813+02:00</updated><title type='text'>PiggyBacking is not allowed in Belgium.</title><content type='html'>During my visit to the Virus Bulletin conference 2008, two weeks ago, a man was arrested in Belgium for using someone else's unsecured Wi-Fi connection to get on the Internet. (More details in Dutch available &lt;a href="http://www.gva.be/nieuws/binnenland/default.asp?art={63FABA4D-5EC9-4CF4-A3DE-956E59563160}"&gt;here&lt;/a&gt;).&lt;br /&gt;The case is interesting because the only thing this guy did was use the connection to get onto the Internet - what we call Wi-Fi "piggybacking," or logging on to someone's open 802.11b/g/n network without their knowledge or permission. And quite a lot of countries (such as the UK and Belgium) have laws making this illegal. Stealing Wi-Fi Internet access may feel like a victimless crime, but it's wrong nonetheless. You could be depriving ISPs of revenue. 
Furthermore, if you've hopped onto your next-door neighbours' wireless broadband connection to illegally download movies and music from the Internet, chances are that you are also slowing down their Internet access and eating into their download limit. From a security point of view, if someone can access your network, they can misuse that network, and (potentially) the computers on it. And Belgian law enforcement want to make an example of the man arrested last week. So to stay on the right side of the law, do yourself a favour: don't go using anyone else's network without permission. And make sure that your network and router are secured - you may be ethical, but that doesn't mean that everyone else is.&lt;br /&gt;&lt;br /&gt;If you want to read more about this, please also read my posting from 10 October at the &lt;a href="http://www.viruslist.com/en/weblog"&gt;weblog&lt;/a&gt; from Kaspersky Lab.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7425209353864540620'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7425209353864540620'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/piggybacking-is-not-allowed-in-belgium.html' title='PiggyBacking is not allowed in Belgium.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry>
<entry><id>tag:blogger.com,1999:blog-8234450.post-3962310468527569117</id><published>2008-10-10T15:18:00.002+02:00</published><updated>2008-10-10T15:53:45.557+02:00</updated><title type='text'>Eugene Kaspersky and David Perry working for ESET?</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/0110200820172330IMG1726-767993.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/0110200820172330IMG1726-767990.jpg" border="0" alt="" /&gt;&lt;/a&gt;Of course they are not! This is just one of the many pictures I've taken during the Virus Bulletin Conference 2008 in Ottawa. It was my 13th VB in a row! And again everybody was overloaded with good presentations, ranging from the definition of cybercrime via Russian spam and botnets to phishing related to the recent worldwide 'bank problem'. You can always find an interesting subject, and if you don't, the networking possibilities are nearly endless. 
Kaspersky Lab, the company I am working for, was present with 3 speakers and a large team of delegates.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/0410200820152437IMG1801-774181.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/0410200820152437IMG1801-774177.jpg" border="0" alt="" /&gt;&lt;/a&gt;You can see my colleagues Costin Raiu, Roel Schouwenberg and me in the second picture.&lt;br /&gt;&lt;br /&gt;You can find my pictures from VB 2008 at &lt;a href="http://www.wavci.com/albums"&gt;this&lt;/a&gt; link.&lt;br /&gt;You can even find older pictures from some older events as well over there.&lt;br /&gt;&lt;br /&gt;I also put up a movie from the event online at my iTunes and YouTube Channels:&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/7VYa85ESLP4&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/7VYa85ESLP4&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;And there are Kaspersky Lab (Internet Security Suite 2009) prices for the first 5 correct answers...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3962310468527569117?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3962310468527569117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3962310468527569117'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/10/eugene-kaspersky-and-david-perry.html' title='Eugene Kaspersky and David Perry working for 
ESET?'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6365876145806480947</id><published>2008-09-28T18:15:00.002+02:00</published><updated>2008-09-28T18:24:14.823+02:00</updated><title type='text'>On my way to the VB conference ...</title><content type='html'>Indeed I'm on my way to the VB conference in Ottawa, Canada. WOW ... This is my 13th Virus Bulletin conference. I've been attending since 1996 (Brighton, UK) and I can assure you that this is the best conference if you are in the anti-malware industry. You can find more from the conference itself at the &lt;a href="http://www.virusbtn.com"&gt;VB website&lt;/a&gt;. As always I will post some pictures over here afterwards or during the conference. And BTW if you're not there, you're either sick or dead or you just don't belong to that part of the industry. It's as simple as that! 
;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6365876145806480947?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6365876145806480947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6365876145806480947'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/09/on-my-way-to-vb-conference.html' title='On my way to the VB conference ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1590328490634295314</id><published>2008-09-23T19:43:00.005+02:00</published><updated>2008-09-23T20:10:41.532+02:00</updated><title type='text'>GeenStijl and GeenCommentaar: 0/10 ..Unethical in every aspect!</title><content type='html'>It's been a bit of a bumpy ride on the Dutch part of the internet over the last couple of days. One blog - www.geencommentaar.nl - decided to set up something I like to call a 'web 2.0 honeypot' in the form of a petition. The idea behind this was to attract the attention of the biggest blog in the Netherlands - www.geenstijl.nl - and get GeenStijl readers to comment. GeenCommentaar logged the IP addresses of users who made offensive comments on the blog and created a database. (A lot of the offensive comments came from GeenStijl users). Other bloggers could then check the database to see if a particular IP address had been tagged as offensive. 
Supposedly the idea behind this was to make life easy for other site/blog owners, by offering an automatic way to filter out (probably) unwanted comments/content. When GeenStijl realized what was happening, they responded with a vengeance by adding a piece of Javascript to their page. This meant that when anyone visited the GeenStijl site, a random IP address was generated, and the GeenCommentaar database would be queried to see if the IP address had been tagged as offensive. All of this was done automatically and without visitors to the site knowing anything about it. &lt;br /&gt;The result? GeenCommentaar's server couldn't handle the load; as well as GeenCommentaar getting hit, some other sites running on the same server were overloaded. In addition to the obvious ethical objections, both the parties involved are breaking the law. &lt;br /&gt;BTW Kaspersky Lab added detection for this DDoS script as Trojan-Clicker.JS.Small.p .&lt;br /&gt;&lt;br /&gt;If you want to read more about it &lt;br /&gt;please look at my colleague Roel's comment at &lt;br /&gt;&lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187571"&gt;Kaspersky Virus Analyst's Diary&lt;/a&gt; &lt;br /&gt;or read my own comments in Dutch at &lt;a href="http://webwereld.nl/articles/52845/-pestscript-van-geenstijl-is-malware-.html"&gt;webwereld.nl&lt;/a&gt;&lt;br /&gt;A lot of people seem not to think anymore about what is good or bad on the internet. They just act and play like 'criminal' children without notice! Unbelievable! &lt;br /&gt;Well ... 
at least their names are well chosen: no comment with no style.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1590328490634295314?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1590328490634295314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1590328490634295314'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/09/geenstijl-and-geencommentaar-010.html' title='GeenStijl and GeenCommentaar: 0/10 ..Unethical in every aspect!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2880031912598933280</id><published>2008-09-21T17:38:00.002+02:00</published><updated>2008-09-21T17:48:58.299+02:00</updated><title type='text'>Back from Govcert.nl 2008</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/17092008-091130IMG1539-776267.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/17092008-091130IMG1539-776263.JPG" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from the Govcert.nl Symposium 2008 in Rotterdam. It's very interesting to watch how much money the Government of the Netherlands can invest in such kind of events. Most other events are heavily sponsored to make such events possible ... Congrats to Govcert.nl and very well done however if you are a real pro or an anti-virus/malware insider it was not that inspiring. 
I loved, however, the keynote speeches and especially the 'no press allowed' presentation of the arrests made by the joint efforts of the NHCU and FBI. This is the case which you can find more background on in my former postings (see August) and which I was also involved in. You can still find the full programme details at &lt;a href="http://www.govcert.nl/symposium"&gt;http://www.govcert.nl/symposium&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2880031912598933280?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2880031912598933280'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2880031912598933280'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/09/back-from-govcertnl-2008.html' title='Back from Govcert.nl 2008'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5093319320027998197</id><published>2008-09-07T16:09:00.003+02:00</published><updated>2008-09-07T16:30:49.548+02:00</updated><title type='text'>Goodie Security Picture of the Month</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/norton360-744094.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/norton360-744069.JPG" border="0" alt="" /&gt;&lt;/a&gt;Busy weeks for me ... yes, a lot of business and a lot of events to attend; that's what was happening the past weeks. 
From now on I will post a picture from all these events on my blog. Last week we got two nice launching events for our Kaspersky Hosted Security Solution in the Netherlands and Belgium organised by 2 of our distributors. The week before I attended a BBQ event at Copaco Belgium. This week I will attend and speak at the L-Sec Security Conference on Friday. You can have a look at the other speakers on their website at &lt;a href="http://www.lsec.be"&gt;http://www.lsec.be&lt;/a&gt; . I will present: 'A Virus Analyst in 15 Minutes?' .&lt;br /&gt;&lt;br /&gt;Furthermore, I was cleaning up my attic a little bit, where I found a lot of old and newer security goodies (the free give-aways at conferences). So from now on I am going to use the good ones after I threw away some other rubbish. For this job I got the wonderful help from a Symantec display box. On the picture you can see how you could use it in a creative way.   ;-)   &lt;br /&gt;BTW It's just coincidence that I used a Symantec 'box' for it. 
&lt;br /&gt;Other display boxes are also quite good.&lt;br /&gt;This time this picture becomes the Security Goodie of the month!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5093319320027998197?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5093319320027998197'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5093319320027998197'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/09/goodie-security-picture-of-month.html' title='Goodie Security Picture of the Month'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-591749003623161079</id><published>2008-08-13T15:06:00.002+02:00</published><updated>2008-08-13T15:09:07.869+02:00</updated><title type='text'>Kaspersky Lab helps Dutch police dismantle Shadow botnet.</title><content type='html'>FYI: This was the press release which I spoke about in my former blog posting.&lt;br /&gt;&lt;br /&gt;The Dutch High Tech Crime Unit identified a large botnet when they arrested a 19 year old Dutch man last week. The Unit asked Kaspersky Lab, a leading developer of secure content management solutions, to provide the victims with instructions on how to neutralize the malware on their systems; neutralizing the malware ultimately brings down the botnet. 
This is an excellent example of the close co-operation which exists between the antivirus industry and law enforcement.&lt;br /&gt;&lt;br /&gt;At the request of the Dutch police, Kaspersky Lab created detailed instructions on how to remove the malware. The Dutch police have pointed victims towards a page on the Kaspersky Lab website which contains the removal instructions, and also to a website which gives victims the opportunity to make a formal complaint to the police. Eddy Willems, Security Evangelist with Kaspersky Lab Benelux, who worked closely with the High Tech Crime Unit, believes this case clearly illustrates how the security industry can help law enforcement in the fight against cybercrime.  A spokesperson for the Public Prosecution Service agrees: “The Public Prosecution Service and the police worked together with Kaspersky Lab on this case with full contentment”. &lt;br /&gt;&lt;br /&gt;The so-called Shadow botnet is made up of around 100,000 infected machines from all over the world. A botnet is a collection of computers infected with malware which are then linked into a network. The infected machines can be controlled remotely (without their owners' knowledge or consent) and used by criminals to send spam, attack websites, or steal confidential data such as credit card numbers.&lt;br /&gt;&lt;br /&gt;Last week the Dutch police arrested a 19 year old Dutch man for selling this botnet to a Brazilian who was also arrested. The arrests were the result of an operation conducted by the High Tech Crime Unit and the FBI.&lt;br /&gt;&lt;br /&gt;If you think you're a victim&lt;br /&gt;If you think your computer is part of the botnet, please follow the removal instructions at www.kaspersky.com/shadowbot. However, the removal instructions only apply to the malware which has been used to create the botnet.  Eddy Willems warns: “These programs may have downloaded additional malware to computers which were part of the botnet. 
So users should make sure they perform a full scan of their machine using an up-to-date antivirus solution." If you have Kaspersky® Internet Security or Kaspersky® Anti-Virus running on your computer, you do not need to follow the instructions, as the software will automatically detect and delete the malware.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-591749003623161079?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/591749003623161079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/591749003623161079'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/08/kaspersky-lab-helps-dutch-police.html' title='Kaspersky Lab helps Dutch police dismantle Shadow botnet.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7486164331193142178</id><published>2008-08-13T14:49:00.003+02:00</published><updated>2008-08-13T15:05:42.024+02:00</updated><title type='text'>I'm back!</title><content type='html'>Is Eddy Willems dead? How can we reach Eddy?&lt;br /&gt;Several people sent me some emails because they were worried about what happened to Eddy.... he's not blogging anymore.&lt;br /&gt;Well there are some good reasons why you didn't hear from me ...&lt;br /&gt;First of all I was terribly sick with fever sometimes higher than 39,5 C. A duo biological Salmonella bacteria infected me seriously and I was several weeks out. And it was also very bad timing: it just happened before the main Kaspersky event of the year! 
This was possibly the first conference or event I have missed in 20 years' time.&lt;br /&gt;However I recovered quite well and just afterwards my vacation period was popping up, meaning ... no worries, no calls, no media. That's possibly what you think. &lt;br /&gt;You are of course wrong because I even did a few interviews and two television interviews during my vacation.&lt;br /&gt;Both of them can be viewed at my press page from my site.&lt;br /&gt;&lt;br /&gt;Starting from today I'm starting blogging again and there is more reason than you think .. a lot of things already happened going from a Kaspersky press release together with the National High Tech Crime Unit of the Dutch police to the bizarre race-to-zero creation and test case!&lt;br /&gt;A case I already spoke about to the press some months ago.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7486164331193142178?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7486164331193142178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7486164331193142178'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/08/im-back.html' title='I&apos;m back!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8607873776624718121</id><published>2008-06-25T17:40:00.003+02:00</published><updated>2008-06-25T17:50:51.206+02:00</updated><title type='text'>Kaspersky Lab Benelux goes sailing ...</title><content type='html'>More or less without words ...&lt;br /&gt;&lt;a 
href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta1-717229.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta1-717201.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Each distributor got their own boat and there was a race between them ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta2-798689.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta2-798685.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;And DCB, our new Belgian distributor, won the race!&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta3-731881.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta3-731877.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;BTW I was part of the 'press boat' and took all these pictures.&lt;br /&gt;   ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8607873776624718121?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8607873776624718121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8607873776624718121'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/kaspersky-lab-benelux-goes-sailing.html' title='Kaspersky Lab Benelux goes sailing ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7597631163798235587</id><published>2008-06-15T16:47:00.002+02:00</published><updated>2008-06-15T17:08:04.662+02:00</updated><title type='text'>GPCode.ak solution in another way ...</title><content type='html'>Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition. When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted data from the original file data to this new file, and then deletes the original file. It's known that it is possible to restore a deleted file as long as the data on disk has not been significantly modified. This is why, right from the beginning, we recommended users not to reboot their computers, but to contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode. Please have a look at the blog posting from my colleague Vitaly at Kaspersky's &lt;a href="http://www.viruslist.com/en/weblog"&gt;Viruslist&lt;/a&gt; Blog from 13 June 2008.&lt;br /&gt;Kaspersky got a lot of comments and criticism even from respected and known security people like &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;, &lt;a href="http://forum.kaspersky.com/index.php?showtopic=71734&amp;hl=vesselin"&gt;Vesselin Bontchev&lt;/a&gt; and others, but what none of them were looking at was the easy solution: just try to recover the files before they were encrypted. 
I fully agree with them that searching for the decryption key using brute-force computing power would be very unrealistic, but still, I like at least the idea of an international cooperation between a lot of security companies ... maybe it's 'insecure' thinking from myself if you know what I mean.    ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7597631163798235587?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7597631163798235587'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7597631163798235587'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/gpcodeak-solution-in-another-way.html' title='GPCode.ak solution in another way ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8686795217214352289</id><published>2008-06-15T15:17:00.003+02:00</published><updated>2008-06-15T15:25:52.182+02:00</updated><title type='text'>Typosquatting in Belgium on the rise.</title><content type='html'>Typosquatting, also called URL hijacking, is a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter.&lt;br /&gt;It seems that we got more or less a rise in typosquatting over the last few years over here in Belgium. 
I was interviewed yesterday and made it in the news at 13 and 19 o'clock at VTM, a known Belgian TV station. You can have a look at the recorded broadcast at my &lt;a href="http://www.anti-malware.info/press.htm"&gt;press page&lt;/a&gt; or via &lt;a href="http://www.wavci.com/media08/20080614_hn13_vtm.wmv"&gt;my direct link&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8686795217214352289?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8686795217214352289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8686795217214352289'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/typosquatting-in-belgium-on-rise.html' title='Typosquatting in Belgium on the rise.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7679805036436156216</id><published>2008-06-12T09:58:00.002+02:00</published><updated>2008-06-12T10:10:33.944+02:00</updated><title type='text'>China hacking into US computers more realistic than China attacking Belgium!</title><content type='html'>You could read the following on the net just a few hours ago: Multiple congressional computers have been hacked by people working from inside China, lawmakers said Wednesday, suggesting the Chinese were seeking lists of dissidents. 
You can find more at &lt;br /&gt;&lt;a href="http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking"&gt;http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking&lt;/a&gt;&lt;br /&gt;This attack is much more realistic as a targeted attack and has much more evidence if you compare this to what our government was saying a month ago. I blogged about it on the 2nd of May at:&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html"&gt;http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html&lt;/a&gt;&lt;br /&gt;I'm nearly 100% sure that the Belgian version was not orchestrated and that everything was just a coincidence of a lot of spammed malware to some of the governmental computers. I'm still not happy with what some of the members of our government told the public at that moment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7679805036436156216?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7679805036436156216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7679805036436156216'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/china-hacking-into-us-computers-more.html' title='China hacking into US computers more realistic than China attacking Belgium!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6684428009822783749</id><published>2008-06-10T11:57:00.003+02:00</published><updated>2008-06-10T12:15:50.853+02:00</updated><title 
type='text'>Assistance needed for cracking GPCode.ak ...</title><content type='html'>Our office just launched the following press release following the recent problems with a new GPCode variant. See more at &lt;a href="http://www.viruslist.com"&gt;www.viruslist.com&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;"Kaspersky Lab announces Stop Gpcode, an international initiative against the blackmailing virus Gpcode which emerged last week. &lt;br /&gt;The objective of the initiative is to factor (‘crack’) the RSA-1024 key used in Virus.Win32.Gpcode.ak – the latest version of the dangerous Gpcode blackmailer virus. The signature for Virus.Win32.Gpcode.ak was added to Kaspersky Lab antivirus databases on June 4, 2008. &lt;br /&gt;Kaspersky Lab invites all cryptography experts, as well as governmental and research institutions, other antivirus vendors and independent researchers to join the efforts to solve this problem. The company is prepared to provide any additional information at its disposal and is open to dialog with all experts wishing to participate in the Stop Gpcode initiative. &lt;br /&gt;To coordinate the activity of all participants of the initiative, a special &lt;a href="http://forum.kaspersky.com/index.php?showforum=90."&gt;Stop Gpcode&lt;/a&gt; forum has been created. "This is the first time in security history that such an initiative is appearing. Let us hope that this could become a good example of perfect international cooperation. However we must not overestimate this possible solution: a backup in combination with optimal security and good malware protection is still the best solution for a lot of problems, also in the future." says Eddy Willems, Security Evangelist at Kaspersky Lab Benelux.&lt;br /&gt;Virus.Win32.Gpcode.ak &lt;br /&gt;Gpcode.ak encrypts files with different extensions by using an RSA encryption algorithm with a 1024-bit key. 
After encrypting, the virus changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.&lt;br /&gt;The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660. The task of ‘cracking’ the RSA-1024 key is an extremely complicated cryptographic problem. Eddy Willems confirms this: “To crack the key at least 15 million computers have to be running for one year.”."&lt;br /&gt;&lt;br /&gt;Of course it's clear that this is just an interesting initiative and I really hope it could be realistic in the near future, but of course it's not as easy as it seems. &lt;br /&gt;Nevertheless such initiatives haven't been seen in the past and I think it's time that vendors could work together in a better way than before, but is that not another, harder question? Could this be even more unrealistic? 
What do you think?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6684428009822783749?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6684428009822783749'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6684428009822783749'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/assistance-needed-for-cracking-gpcodeak.html' title='Assistance needed for cracking GPCode.ak ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5233792523138445356</id><published>2008-06-01T15:00:00.002+02:00</published><updated>2008-06-01T15:09:26.425+02:00</updated><title type='text'>Kaspersky Lab Benelux 5 years old!</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/30052008-181533IMG1317-797094.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/30052008-181533IMG1317-797086.JPG" border="0" alt="" /&gt;&lt;/a&gt;This weekend we celebrated our fifth 'local office Kaspersky Lab' anniversary with a sleepover in a nice hotel in Valkenburg near Maastricht(NL). 
If you look at the picture you can find all employees including me on the picture which was given to our COO Dick Gehéniau.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5233792523138445356?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5233792523138445356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5233792523138445356'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/kaspersky-lab-benelux-5-years-old.html' title='Kaspersky Lab Benelux 5 years old!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5916956210215989830</id><published>2008-06-01T14:06:00.002+02:00</published><updated>2008-06-01T14:16:02.905+02:00</updated><title type='text'>May 2008: Web site compromises record month!</title><content type='html'>Here are the highlights of the notable Web site compromises I have seen in the past month:&lt;br /&gt;&lt;br /&gt;May 2 - One Year Later, Italian Job Still Working Overtime&lt;br /&gt;&lt;br /&gt;It’s been a year since the infamous Italian Job attack of 2007. And in an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider—the same one that hosted the thousands in last year’s large-scale attack. 
&lt;br /&gt;&lt;br /&gt;May 7 - A Very Convoluted Chinese Gaming-Info-Stealing Campaign&lt;br /&gt;&lt;br /&gt;Approximately 9,000 Web sites were compromised via SQL injection with embedded malicious JavaScript redirecting users to two major malicious URLs. Among these Web sites were legitimate medical, educational, government, and entertainment sites from around the world.&lt;br /&gt;&lt;br /&gt;A survey of the site locations includes India, UK, Canada, France, and China. This observation suggests the attack is the work of an automated Chinese hacktool programmed to search through Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.&lt;br /&gt;&lt;br /&gt;May 10 - More of The Same: Another Half Million Web Sites Compromised&lt;br /&gt;&lt;br /&gt;Meanwhile, a malicious script was injected into half a million Web sites believed to be either using poorly implemented or older exploitable versions of phpBB. This event involved, among others, a ZLOB Trojan that changes an affected system’s local DNS and Internet browser settings.&lt;br /&gt;&lt;br /&gt;May 19 - Chinese Weekend Compromise&lt;br /&gt;&lt;br /&gt;Chinese-language Web sites were targeted in an attack that was meant specifically against China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.&lt;br /&gt;&lt;br /&gt;May 19 - More Weekend Compromises Reach Other Shores&lt;br /&gt;&lt;br /&gt;Another string of Web site compromises was discovered the following week, involving at least four (4) Web sites of various affiliations and different countries. These were injected with a malicious JavaScript that redirects to two sites. 
Both eventually lead to their own series of redirections, and finally the download and execution of malware: a backdoor and a Trojan, respectively.&lt;br /&gt;&lt;br /&gt;May 21 - It’s Not Over: Asian Sites Injected with Nasty Code&lt;br /&gt;&lt;br /&gt;Two days later, hundreds of thousands of Web sites were again found compromised and inserted with malicious JavaScript code, some of which are sites from the APAC region. Hackers have apparently conducted another massive SQL injection attack. A Google search for the malicious URL turned up 197,000 results.&lt;br /&gt;&lt;br /&gt;May 22 - Malicious Domains Found in Compromised Japanese Sites&lt;br /&gt;&lt;br /&gt;The next day, several Web sites in Japan — including a popular music download site and a music company site — were found injected with malicious code.&lt;br /&gt;&lt;br /&gt;These are the hard facts, and these developments tell us that there could indeed be a trend that cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think), it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.&lt;br /&gt;&lt;br /&gt;And I'm not even talking about the thousands of other websites which were defaced in nearly every country of the world, even in Belgium (e.g. the VTM broadcast site) ... it's definitely not a good sign and trend. &lt;br /&gt;&lt;br /&gt;A lot of XSS methods seem to be used as well in those and in a lot of other compromises.&lt;br /&gt;&lt;br /&gt;XSS has been around for a long time; it has neither become less of an attractive attack method, nor has a fool-proof solution against it been properly formulated.&lt;br /&gt;XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. 
Some XSS attacks incorporate disclosure of the user’s session cookies, allowing an attack perpetrator to have complete control over the victim’s session and to (in effect) take over the account &amp; hijack the HTTP session.&lt;br /&gt;XSS attacks may also include redirecting the user to some other page or website, and modifying the content of an HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess, because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.&lt;br /&gt;An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There is an uncounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBScript, Flash, and more.&lt;br /&gt;XSS issues can and do exist in the underlying Web and application servers too. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, there are even greater chances that they are vulnerable to an XSS attack.&lt;br /&gt;The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. 
Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of us don’t have).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5916956210215989830?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5916956210215989830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5916956210215989830'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/06/may-2008-web-site-compromises-record.html' title='May 2008: Web site compromises record month!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3016697770745113581</id><published>2008-05-20T18:57:00.002+02:00</published><updated>2008-05-20T19:04:43.000+02:00</updated><title type='text'>Back from EICAR ...</title><content type='html'>I'm back from EICAR for a week now and it seems that I'm so terribly busy that I could not do a nice writeup about the EICAR conference ... well, be patient and have a look at the Virus Bulletin magazine June issue where I will publish a conference report. Just at this moment my Belgian friend blogger Didier Stevens was blogging about our EICAR test file. He really likes to play with it in a lot of ways. Now he seems to be publishing a PDF document with an embedded EICAR test file (eicar.txt). 
This PDF document also has an annotation with a JavaScript action linked to it. Clicking the annotation will export the embedded eicar.txt file to a temporary folder and launch the default editor for .txt files. &lt;br /&gt;eicar.pdf contains only ASCII characters, so you can use Notepad to see what he did. He also asks you to guess what he did... read more at&lt;br /&gt;&lt;a href="http://blog.didierstevens.com/2008/05/20/quickpost-eicarpdf/"&gt;http://blog.didierstevens.com/2008/05/20/quickpost-eicarpdf/&lt;/a&gt; .&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3016697770745113581?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3016697770745113581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3016697770745113581'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/05/back-from-eicar.html' title='Back from EICAR ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-996428601102789248</id><published>2008-05-05T18:17:00.002+02:00</published><updated>2008-05-05T18:25:59.394+02:00</updated><title type='text'>EICAR 2008, Laval, France: A success!</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/laval_kl-758337.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/laval_kl-758328.jpg" border="0" alt="" /&gt;&lt;/a&gt; Our first day of the EICAR conference at Laval is nearly finished, 
we got a lot of attendees, terrific papers and good food. Well, we are in France, aren't we. People who thought that this conference was not going to happen were wrong. If you're not here at this moment, you're missing a lot! I will try to do a writeup of this conference very shortly, I hope. I'm now ready to go to our gala dinner at the nice old castle which you can find in the picture.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-996428601102789248?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/996428601102789248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/996428601102789248'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/05/eicar-2008-laval-france-success.html' title='EICAR 2008, Laval, France: A success!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1309982427602111610</id><published>2008-05-02T10:19:00.006+02:00</published><updated>2008-05-02T11:34:56.831+02:00</updated><title type='text'>China attacking Belgium ??</title><content type='html'>I was just disturbed by a message on the radio this morning, being back in Belgium for just one day to get myself ready for our EICAR conference in France. So I heard several newspapers referring to possible cyberattacks coming from China to some Belgian governmental institutions. Hmmmm, is this real? 
Why just stating this now to the public?&lt;br /&gt;So there is a lot of rumour on the radio and in the newspapers (De Tijd, GVA), but the statements I've heard from our Minister Jo Vandeurzen (Ministry of Justice, CD&amp;V) are the exact things, even the exact words, I've said to some personal friends in the past...&lt;br /&gt;But is it true? Well, there is one thing for sure: I'm seeing a lot more malware coming from China compared to one year ago, but explaining that we are under attack is over the top. Of course this needs an investigation. But is there no continuing investigation going on all the time by the AV industry? What do you think? We just let everything pass without doing anything... of course not: every AV company has its own research and indeed we see an ongoing growth of this kind of malware. Can we speak about a targeted attack on Belgium or some other countries? I don't think so, well, at least not at this moment as I write this blog, and above all it's very difficult to pinpoint and state that this is coming from China, as tracking down such kinds of malware and attacks is harder than you think. &lt;br /&gt;I'm not saying that we don't have to be careful and that we don't have to do some research about these things, of course not, I'm even helping in such kinds of investigations in the AV industry. &lt;br /&gt;I'm still wondering why this came up just at this moment. Could it have something to do with the strange (read: bad) situation of our government at this moment? Maybe CD&amp;V wanted to come up with some different subject to conceal the real problems of the Belgian government at this moment? &lt;br /&gt;I don't know, I'm not a politician, I'm an anti-malware expert. At least the real problem, more malware coming from China, is not new to me and is a real threat today!&lt;br /&gt;And also Belgium could be very interesting for some foreign countries as we have a lot of interesting parties having their office in Belgium: European Commission, NATO, etc ... 
so could that be the real reason for the possible attacks?&lt;br /&gt;&lt;br /&gt;While I was writing this blog, the VRT Radio magazine 'Vandaag' called me about this and will do a live interview with me on Radio 1 after 17:00 today.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1309982427602111610?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1309982427602111610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1309982427602111610'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/05/china-attacking-belgium.html' title='China attacking Belgium ??'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2370918270998352541</id><published>2008-04-28T13:46:00.005+02:00</published><updated>2008-04-28T18:33:41.618+02:00</updated><title type='text'>Another viruswriting contest ... oh no, not again!</title><content type='html'>There will be a new contest at the Defcon hacker conference this August: called Race-to-Zero, the contest will invite Defcon hackers to find new ways of beating antivirus software. Contestants will get some sample virus code that they must modify and try to sneak past the antivirus products. Awards will be given for "Most elegant obfuscation", "Dirtiest hack of an obfuscation", "Comedy value" and "Most deserving of beer"... The contest was announced Friday. The contest organizers say that they're trying to help computer users understand just how much effort is required to skirt antivirus products. 
The Race-to-Zero sponsors hope to present the contest results during Defcon. The contest is not organized by Defcon, but is one of the unofficial events that the show's organizers have encouraged attendees to arrange. Defcon runs Aug. 8 to Aug. 10 at the Riviera Hotel &amp; Casino in Las Vegas.&lt;br /&gt;In my opinion this is very unethical; it's like creating new samples of a biological virus, and that's something you also try not to do, isn't it? And actually, encouraging people to do this as a contest is really over the top. It's also encouraging people all over the world to create or even change viruses! It's all in the (wrong) mindset of a lot of people these days! Let's hope we can still educate and 'evangelise' the people in the good direction, otherwise the future could be much worse than we think. I predict that a lot of AV and security vendors will have a lot of comments on this topic during the next weeks!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2370918270998352541?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2370918270998352541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2370918270998352541'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/04/another-viruswriting-contest-oh-no-not.html' title='Another viruswriting contest ... 
oh no, not again!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3076602122651160420</id><published>2008-04-27T13:42:00.002+02:00</published><updated>2008-04-27T13:50:38.489+02:00</updated><title type='text'>Preparing for the EICAR conference 2008 in Laval, France</title><content type='html'>I'm preparing myself to go to the EICAR conference this year; however, just before it, I will have a stop at the AMTSO meeting in Amsterdam (Netherlands). You can find more info about both conferences or organisations at &lt;a href="http://www.eicar.org"&gt;http://www.eicar.org&lt;/a&gt; and &lt;a href="http://www.amtso.org"&gt;http://www.amtso.org&lt;/a&gt; &lt;br /&gt;Let's hope that we get interesting results at the AMTSO meeting, where the industry wants to improve the malware tests. &lt;br /&gt;I heard as well a lot of gossip about our nice EICAR conference. Will it go on or not this year? That was, for instance, one of the questions... well, I can assure you ... 
It will go on and the place seems to be more beautiful than everybody thinks at this moment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3076602122651160420?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3076602122651160420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3076602122651160420'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/04/preparing-for-eicar-conference-2008-in.html' title='Preparing for the EICAR conference 2008 in Laval, France'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8296706093239069312</id><published>2008-04-27T13:38:00.004+02:00</published><updated>2008-04-27T20:35:38.950+02:00</updated><title type='text'>The most secure table at the Data News Award Gala 2008.</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/datanews2008-765533.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/datanews2008-765530.jpg" border="0" alt="" /&gt;&lt;/a&gt; Last Thursday I was at the Data News Awards Gala event. About 13 awards were given to the most innovative or interesting companies for the past year. During the breaks we listened to some nice live music from Sophie or Gunther Neefs. CISCO got the award for the best security company of the year. It's stupid that there was no award for the most secure table. That should have been our table ... 
we had us (Kaspersky Lab), Apple and Guy Kindermans, the security journalist from Data News, at our table. You can find more at the &lt;a href="http://www.datanews.be"&gt;Data News website&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8296706093239069312?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8296706093239069312'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8296706093239069312'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/04/most-secure-table-at-data-news-award.html' title='The most secure table at the Data News Award Gala 2008.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5952191343444052892</id><published>2008-04-09T20:23:00.005+02:00</published><updated>2008-04-09T20:35:17.009+02:00</updated><title type='text'>'Kraken' exaggerated but beware of the Storm codec ...</title><content type='html'>There's recently been quite a lot written about a botnet of spam trojans named Kraken.&lt;br /&gt;There've been some claims that the botnet is the biggest currently out there, amassing over 400,000 infected computers. Most AV vendors in the industry have been wondering about the numbers, which seem to be exaggerated when taking a look at received samples. Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? 
Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec. Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business again. Several sites offer what looks like a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, meaning users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on these sites, users are required to download the so-called Storm Codec in order to view the said video.... Correct: the codec is called Storm Codec.&lt;br /&gt;Users are advised to be wary when visiting Web sites or blogs, especially those that require installation or execution of files. Video files — especially those posted online — almost always do not require video codecs anymore ... but do you think that any user knows this?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5952191343444052892?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5952191343444052892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5952191343444052892'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/04/kraken-exagerated-but-beware-of-storm.html' title='&apos;Kraken&apos; exaggerated but beware of the Storm codec ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6339714657574011970</id><published>2008-04-06T11:55:00.005+02:00</published><updated>2008-04-06T12:20:05.472+02:00</updated><title type='text'>Polinka Banking Trojan and my Russian Moscow visit...</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/polinka-767571.gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/polinka-767557.gif" border="0" alt="" /&gt;&lt;/a&gt; There's been a banking trojan spam run in four European countries this weekend. One of the targeted countries seems to be The Netherlands. The mails claim to be from a nice-looking Russian student girl looking for a sex partner or just a friend. The mail urges the recipient to check her photos at a site called livejournalhelper.cn (in China). Unfortunately, the site only has thumbnails of Ms. Polinka's pictures; when you try to view them in larger size you get an error message about a missing plug-in which you'd need to see the pictures. The plug-in is a man-in-the-middle banking trojan...&lt;br /&gt;&lt;br /&gt;Oh yes, talking about Russia ... some people asked me to put a link on my site to the Russian TV interview with RBK TV for their Cnews magazine during my lecture at the Moscow CSO Security Summit. So it's up now and you can find it over &lt;a href="http://www.wavci.com/media08/cnewsrbktv1april2008.wmv"&gt;here&lt;/a&gt; or at my press page. 
There were several interesting speakers like Eugene Kaspersky (my boss) from Kaspersky Lab and Mikko Hyppönen from F-Secure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6339714657574011970?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6339714657574011970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6339714657574011970'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/04/polinka-banking-trojan-and-my-russian.html' title='Polinka Banking Trojan and my Russian Moscow visit...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5645262305642687760</id><published>2008-03-30T14:08:00.007+02:00</published><updated>2008-03-30T14:41:19.846+02:00</updated><title type='text'>Pictures ... 
Infosecurity BE and CSO Summit Moscow 2008</title><content type='html'>Some people asked me to show the pictures from the past&lt;br /&gt;Infosecurity fair in Belgium, which was a success BTW...&lt;br /&gt;&lt;br /&gt;Jean-Marie Pfaff and Eddy Willems (me)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/infosec0801-799460.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/infosec0801-799453.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br&gt;&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/infosec0803-784512.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/infosec0803-784505.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;My ex-NOXS-Westcon Security colleagues ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/infosec0802-748618.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/infosec0802-748605.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And like I told you in one of my former blogs, I just returned now from a trip to Moscow and Munich where I gave a lecture (see www.fort-ross.ru) about the new trends in Security. 
&lt;a href="http://www.rbctv.ru/archive/index.shtml?prog=cnews_tech"&gt;RBK-TV&lt;/a&gt; Russian Business TV made an item from my lecture for the Cnews magazine.&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/20080325_0072-743020.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/20080325_0072-743014.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5645262305642687760?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5645262305642687760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5645262305642687760'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/pictures-infosecurity-be-and-cso-summit.html' title='Pictures ... Infosecurity BE and CSO Summit Moscow 2008'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5185108497371286980</id><published>2008-03-24T17:46:00.005+01:00</published><updated>2008-03-24T18:08:25.138+01:00</updated><title type='text'>Targeted attacks against Pro-Tibet groups.</title><content type='html'>"Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions. This cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. 
To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization. But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. The exploit silently runs a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used in various targeted attacks. The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.&lt;br /&gt;&lt;br /&gt;Efforts by Chinese authorities to contain protests in Tibet and limit media access to the country have been widely reported. Reporters Without Borders on Thursday said it had identified more than 40 serious violations of the rights of foreign journalists in Tibet and China since March. And access to YouTube and mainstream media sites like the BBC, CNN, and Yahoo has also been restricted. &lt;br /&gt;&lt;br /&gt;But there's no direct proof that anti-Tibetan cyberattacks are being directed by Chinese authorities. The cyberattacks directed at Tibetan organizations are similarly the actions of Chinese hackers motivated by nationalism, without national direction. &lt;br /&gt;&lt;br /&gt;The massive cyberattack on Estonia last year, in response to Estonia's decision to move a Russian war memorial, presents an analogous situation.  &lt;br /&gt;&lt;br /&gt;It seems that situations like this are becoming a trend ... 
another example of a targeted malware attack."&lt;br /&gt;&lt;br /&gt;Eddy at the CSO Summit in Moscow&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5185108497371286980?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5185108497371286980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5185108497371286980'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/targeted-attacks-against-pro-tibet.html' title='Targeted attacks against Pro-Tibet groups.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-975534032303946079</id><published>2008-03-23T18:05:00.002+01:00</published><updated>2008-03-23T18:10:28.433+01:00</updated><title type='text'>Happy Easter .. from Moscow.</title><content type='html'>I'm ready to go to Moscow as I'm speaking at the &lt;a href="http://www.cso-summit.ru/?page=program&amp;lang=eng"&gt;Russian Moscow CSO Summit&lt;/a&gt;. Afterwards I'm again on the road to my Kaspersky colleagues in Germany ... a busy week you see and definitely different compared to the holiday period for a lot of other people. I'm still waiting to see my picture with Jean-Marie Pfaff at our &lt;a href="http://www.kaspersky.nl"&gt;Kaspersky site&lt;/a&gt;. 
Stay tuned!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-975534032303946079?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/975534032303946079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/975534032303946079'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/happy-easter-from-moscow.html' title='Happy Easter .. from Moscow.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6369604079175722955</id><published>2008-03-16T11:01:00.002+01:00</published><updated>2008-03-16T11:12:53.723+01:00</updated><title type='text'>Security vendor websites under attack!</title><content type='html'>Earlier this week, part of Trend Micro's public online Virus Encyclopedia (VE) was altered via external hacking. The redirect placed on the site didn’t work properly, so nobody visiting the hacked pages was at risk of infection. In response to this incident, they shut down the VE for several hours, patched the systems, removed the inserted code, and brought it back to life again. This incident was part of a wider attack on security web sites around the world. In my opinion this is a bad sign, as it demonstrates that a lot of hacking attempts are being made to deface or at least alter the websites of the 'good' guys. I can assure you that I saw several hack-attacks on other very well known security sites last month. I will not go into detail about which other sites have been attacked. 
I've seen this happening in the past but never on such a scale as this time. Do you have any idea why this is happening now? Does it have anything to do with CEBIT or the upcoming 'InfoSecurity' fairs?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6369604079175722955?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6369604079175722955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6369604079175722955'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/security-vendor-websites-under-attack.html' title='Security vendor websites under attack!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8479590042041981083</id><published>2008-03-09T15:55:00.004+01:00</published><updated>2008-03-11T11:56:19.599+01:00</updated><title type='text'>Back from CeBIT 2008.</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/05032008210517IMG1113-712653.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/05032008210517IMG1113-712650.JPG" border="0" alt="" /&gt;&lt;/a&gt;CeBIT 2008 was a nice success for Kaspersky Lab, with a lot of people rushing to our booth to get a copy of Eugene’s latest book called ‘Malware’. The picture also gives you an idea of the number of people we got at our traditional Russian disco evening. I think that almost every visitor to CeBIT walked by our booth that night. 
You can find more at the official Kaspersky Blog at www.viruslist.com at this &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187486"&gt;link&lt;/a&gt; and also at several other news links on the internet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8479590042041981083?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8479590042041981083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8479590042041981083'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/back-from-cebit-2008.html' title='Back from CeBIT 2008.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5752847345608884377</id><published>2008-03-02T10:30:00.004+01:00</published><updated>2008-03-02T10:40:29.055+01:00</updated><title type='text'>A busy month coming up!</title><content type='html'>Indeed, I'm just preparing to go to CeBIT 2008, where I will have several interviews together with my colleagues, and that's just the beginning, as we have Infosecurity 2008 Belgium (19-20 March) coming up very shortly as well. At the end of March (24-25) I will be speaking at a Russian event called the CSO Summit in Moscow. 
You can find more at the &lt;a href="http://www.cso-summit.ru/?page=program&amp;lang=eng"&gt;CSO Summit 2008 website&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5752847345608884377?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5752847345608884377'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5752847345608884377'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/busy-month-coming-up.html' title='A busy month coming up!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1199314233609646292</id><published>2008-03-02T10:23:00.002+01:00</published><updated>2008-03-02T10:30:17.912+01:00</updated><title type='text'>CAPTCHA's are not 100% safe anymore...</title><content type='html'>Spammers have started circumventing the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) system used by Google’s email service, Gmail. The Gmail-CAPTCHA attack is quite complicated since it uses two compromised hosts in its attempts to break into the Google CAPTCHA system. The first host attempts to extract a copy of the CAPTCHA image in bitmap format then attempts to break the code. In case it fails, a second host uses the same image, but breaks it down into segments then sends it as a portable image or graphic file. Segmentation is the only task where humans still outperform bots, but it is steadily gaining attention and focus among spammers and bot herders. 
The popularity of Google makes it difficult to track spammers among the millions of users across the globe. This further makes Google’s domains highly unlikely to get blacklisted. Although the success rate of breaking the Google CAPTCHA is still very low, I cannot deny that it works. We can expect more innovations in the future, and far more effective and creative ways of dealing with bots should definitely be on the to-do lists of email service providers as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1199314233609646292?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1199314233609646292'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1199314233609646292'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/03/captchas-are-not-100-safe-anymore.html' title='CAPTCHA&apos;s are not 100% safe anymore...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6954340057469453562</id><published>2008-02-20T19:28:00.003+01:00</published><updated>2008-02-20T19:56:16.548+01:00</updated><title type='text'>Friendly worms, oh no not again?!</title><content type='html'>The &lt;a href="http://technology.newscientist.com/article/dn13318-friendly-worms-could-spread-software-fixes.html"&gt;New Scientist article&lt;/a&gt; on the Microsoft research "friendly worms" paper excited more annoyance than admiration everywhere in the research community and far beyond it. 
It takes on a completely different dimension, however, when you really read the actual paper, which can be found &lt;a href="http://research.microsoft.com/~milanv/MSR-TR-2007-82.pdf"&gt; at MS&lt;/a&gt;. While it does refer to malware from time to time to illustrate distribution models, it’s several levels of abstraction away from the self-distributing patch mechanism that New Scientist seems to think it’s about. Of course I don’t know what the researchers in question said directly to New Scientist. So in my opinion this is all a little bit too exaggerated ... something like a storm in a teacup. Or maybe the New Scientist journalists were hungry to use a flashy 'headline' because it attracts people ... well, at least they succeeded in that way. The article is being (mis)used everywhere in the world, maybe even by this blog.&lt;br /&gt;&lt;br /&gt;Of course the industry, including myself, hates the idea of unnecessary replicative code with a passion. While a self-replicating program can, in principle, do anything a non-replicating program can do, no-one has yet found a job that has to be done by a worm. The history of malware is littered with replicative programs that caused more damage than the writer ever intended because he failed to take into account every possible scenario that could arise. &lt;br /&gt;&lt;br /&gt;An interesting read is definitely &lt;a href="http://www.people.frisk-software.com/~bontchev/papers/goodvir.html"&gt;Vesselin Bontchev's paper&lt;/a&gt;. &lt;br /&gt;I really love this paper and it blows away everything. ;-)&lt;br /&gt;&lt;br /&gt;In my opinion there is no such thing as a good worm; all malware is bad, and it's the task of the security industry to protect you against it and not to write it .... pffff, and this was not the first time I've said this ... 
you will see that this problem, or let me say this 'misunderstanding', will unfortunately pop up again in the future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6954340057469453562?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6954340057469453562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6954340057469453562'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/02/friendly-worms-oh-no-not-again.html' title='Friendly worms, oh no not again?!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7516787404300991743</id><published>2008-02-20T09:19:00.003+01:00</published><updated>2008-02-20T09:43:57.632+01:00</updated><title type='text'>Kaspersky Lab appoints Eddy Willems as Security Evangelist</title><content type='html'>As promised, here is the press release, with some interesting press articles that appeared after the release listed below ...&lt;br /&gt;&lt;br /&gt;" ’s-Hertogenbosch, February 12 2008 - Kaspersky Lab, a leading developer of secure content Management solutions, has employed Eddy Willems as Security Evangelist on February 1st 2008. &lt;br /&gt;&lt;br /&gt;Eddy Willems is assigned to the virus analysts of Kaspersky Lab Worldwide; however, he will concentrate specifically on the Benelux. 
Together with several other external experts he will be globally responsible for good communication and also for giving a statement on contemporary and future security-related problems to the press, distributors, resellers and end users.&lt;br /&gt;&lt;br /&gt;Willems has taken an active part in the IT-security business for more than 18 years, and that’s how he gained experience and established an excellent reputation for himself in this branch. He was employed as an Anti-Malware Technology Expert at NOXS Belgium, a Westcon Group Company, and he is also well-known for being co-founder and Director Information and Press of the EICAR organization (European Institute for Computer Anti-Virus Research). In addition to his work as a Senior Consultant with large companies he was active as an antivirus researcher, Wildlist reporter, security trainer and speaker at various international security conferences. The Belgian government has also made an appeal to his expertise several times. One of his recent projects included a good attempt at introducing ‘safe ICT-behaviour and application’ within primary education, so computer crime will be driven back.&lt;br /&gt;&lt;br /&gt;Eddy Willems about his recent position: “Kaspersky Lab can be defined as a strong dynamic company with high standard and innovative technical solutions. With present IT threats and the explosion of new malware these characteristics are of great significance for an outstanding Anti-Virus and Internet Security Vendor. What appeals to me is the fact that Kaspersky will absolutely be committed to stay focussed on the content security market and will not buy at random and fix solutions by sticking, but will remain experts in Secure Content Threat Management (SCTM). 
Solutions are being reinforced with global and efficient infrastructure of support for both the channel and the end users”.&lt;br /&gt;&lt;br /&gt;Dick Geheniau, Managing Director of Kaspersky Lab Benelux agrees with Willems: “For the last couple of years we notice a strong increase in our turnover in commercial as well as governmental business. Our Certified Partners are well trained for this purpose and yet at any time they can make an appeal to experts like Eddy Willems and Roel Schouwenberg. Companies and institutions who will get off to a good start with Kaspersky Security solution will immediately get access to the unique ‘Early Alert Service’ and access to Kaspersky’s global team of experts”."&lt;br /&gt;&lt;br /&gt;See the press articles at my &lt;a href="http://www.anti-malware.info/press.htm"&gt;press&lt;/a&gt; page:&lt;br /&gt;Datanews, It Professional, VNU net, Channelweb, etc ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7516787404300991743?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7516787404300991743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7516787404300991743'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/02/kaspersky-lab-appoints-eddy-willems-as.html' title='Kaspersky Lab appoints Eddy Willems as Security Evangelist'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3428661737501682197</id><published>2008-02-12T16:17:00.001+01:00</published><updated>2008-02-19T21:21:37.806+01:00</updated><title type='text'>A new job, a new life or not?</title><content type='html'>Two weeks with nothing on my blog is nearly impossible, but this time I had to stay on the sidelines ... however, just when the press release about my move to my new job was nearly ready, the press itself arrived at my front door to do an interview with me about the exponential growth of the malware we saw in the last few months. The newspaper 'Het Nieuwsblad/Gentenaar' published this on their front page yesterday. &lt;br /&gt;If you want, you can find the full article &lt;a href="http://www.nieuwsblad.be/Article/Detail.aspx?ArticleID=RL1NQEJ0"&gt;here&lt;/a&gt;.&lt;br /&gt;I got some radio interviews (4FM, Qmusic and Radio 2) in the early mornings about this problem as well... with my early morning voice (more later at my press page).&lt;br /&gt;&lt;br /&gt;And oh yes .... I'm working now for Kaspersky Lab Benelux as Security Evangelist and will be working together with the analyst team from Kaspersky Lab worldwide to spread the security 'word', if you know what I mean. Of course my focus will be on the Benelux market.&lt;br /&gt;I will publish the press release here in the next few days, so you can read the official words about it yourself.&lt;br /&gt;&lt;br /&gt;BTW, did you know that I started my first day in Moscow by already doing a presentation in front of my new colleagues? I can assure you this gives you special vibes. 
:-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3428661737501682197?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3428661737501682197'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3428661737501682197'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/02/new-job-new-life-or-not.html' title='A new job, a new life or not?'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6156889521009758597</id><published>2008-01-25T14:03:00.000+01:00</published><updated>2008-01-25T14:24:24.075+01:00</updated><title type='text'>Leaving NOXS - Westcon ...</title><content type='html'>Dear blog readers,&lt;br /&gt;&lt;br /&gt;Today I'm leaving NOXS after 11 years. &lt;br /&gt;I can assure you that this gives me a strange feeling.&lt;br /&gt;I thank all my colleagues at Data Alert/NOXS/Westcon &lt;br /&gt;in the past years for the nice experience. &lt;br /&gt;&lt;br /&gt;However, I stay within the anti-virus/malware industry. I am going to a vendor.&lt;br /&gt;There will be a small silence on this blog for a week or so. After this period there will be a press release stating where I've started to work and what I will do in the near future.&lt;br /&gt;&lt;br /&gt;What do you think? 
Any idea?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6156889521009758597?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6156889521009758597'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6156889521009758597'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/leaving-noxs-westcon.html' title='Leaving NOXS - Westcon ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5873736429555841704</id><published>2008-01-24T20:03:00.000+01:00</published><updated>2008-01-24T20:13:18.676+01:00</updated><title type='text'>Viruses in the picture (frames) !</title><content type='html'>Best Buy Co. Inc. sold digital picture frames during the holidays that harbored malicious code able to spread to any connected Windows PC. It is not recalling the frames, however. A limited number of the 10-inch digital frames sold under its in-house Insignia brand were contaminated with a computer virus during the manufacturing process, according to a notice posted on the Insignia site last weekend. Best Buy did not specify the number of virus-loaded frames that had ended up in customers' hands, but said in a second notice that it is continuing to investigate this problem.&lt;br /&gt;This incident again shows that every kind of device with built-in memory can carry an infection. This will become a larger problem in the future. My advice: please always scan everything you buy ... 
or at least always have your anti-virus running in the background!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5873736429555841704?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5873736429555841704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5873736429555841704'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/viruses-in-picture-frames.html' title='Viruses in the picture (frames) !'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7890818330987265467</id><published>2008-01-16T21:07:00.000+01:00</published><updated>2008-01-16T21:11:50.773+01:00</updated><title type='text'>Valentine's Zhelatin-Storm.</title><content type='html'>Yesterday I started receiving another wave of Storm/Zhelatin e-mails, this time exploiting our love: you got it, Storm/Zhelatin started exploiting Valentine’s Day. &lt;br /&gt;The e-mails Storm is sending are the same as in the last couple of waves – a subject designed to catch your attention and a body with a URL consisting of only an IP address. Once a user visits the web site he is served with a nice web page with a picture of a Valentine heart in the middle and a link to download an executable – the same as with previous versions. So is there anything new about this variant of Storm? Not really. The social engineering attack is the same as before. Actually, there are a lot of similarities with Storm’s Valentine’s attack last year (2007). 
The subjects are almost the same, and the only difference is that last year Storm sent itself as an attachment. So we can say again .. the story continues.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7890818330987265467?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7890818330987265467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7890818330987265467'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/valentines-zhelatin-storm.html' title='Valentine&apos;s Zhelatin-Storm.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-548535590122649201</id><published>2008-01-10T15:31:00.000+01:00</published><updated>2008-01-10T15:41:43.572+01:00</updated><title type='text'>Storm is Phishing!</title><content type='html'>There is another twist in the Storm-Zhelatin story; it is being used to host phishing sites. The gang behind this prolific malware has registered domain names similar to those used by well-known banks such as Barclays and Halifax. They are directing web requests to these rogue domain names toward computers infected with Storm. The infected computers serve a fake login page and will steal the user name and password of any visitor. According to some sources like F-Secure, it seems that somebody is now using machines infected with and controlled by Storm to run phishing scams. 
I haven't seen this before.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-548535590122649201?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/548535590122649201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/548535590122649201'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/storm-is-phishing.html' title='Storm is Phishing!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5450380949489711627</id><published>2008-01-10T15:16:00.000+01:00</published><updated>2008-01-10T15:25:31.937+01:00</updated><title type='text'>New MBR Rootkit is using an old technique.</title><content type='html'>Over the past month, a new type of malicious software has emerged, using a decades-old technique to hide itself from anti-virus software. The malware installs itself on the first part of the computer's hard drive to be read on startup, then makes changes to the Windows kernel, making it hard for security software to detect it.&lt;br /&gt;&lt;br /&gt;The first interesting part is the timeline:&lt;br /&gt;&lt;br /&gt;Aug 1, 2005 - eEye publishes PoC code&lt;br /&gt;http://research.eeye.com/html/tools/RT20060801-7.html &lt;br /&gt;Aug. 3, 2007 - Vbootkit presentation at Black Hat USA&lt;br /&gt;http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf &lt;br /&gt;Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers &lt;br /&gt;Dec. 
12, 2007 – First known attacks installing MBR code&lt;br /&gt;about 1,800 users infected in four days. &lt;br /&gt;Dec. 19, 2007 - Second wave of attacks installing MBR code&lt;br /&gt;about 3,000 users infected in four days &lt;br /&gt;Dec. 22, 2007 – Malware Research Forum members discover rootkit in the wild &lt;br /&gt;Jan. 2, 2008 - GMER research and analysis of MBR Rootkit code&lt;br /&gt;http://www2.gmer.net/mbr/ &lt;br /&gt;Jan. 7, 2008 – First anti-virus vendors detect MBR rootkit components &lt;br /&gt;The next big thing is that those distributing this rootkit also distribute the Torpig banking Trojan.&lt;br /&gt;&lt;br /&gt;The rootkit is currently being installed through a set of relatively old and easy-to-patch Microsoft vulnerabilities:&lt;br /&gt;&lt;br /&gt;Microsoft JVM ByteVerify (MS03-011) &lt;br /&gt;Microsoft MDAC (MS06-014) (two versions) &lt;br /&gt;Microsoft Internet Explorer Vector Markup Language (MS06-055) &lt;br /&gt;Microsoft XML Core Services (MS06-071) &lt;br /&gt;But that can change at any moment to something more recent.&lt;br /&gt;&lt;br /&gt;Malicious software that infected the master boot record was common during the MS-DOS era, but it has not been used much in attacks in recent years.&lt;br /&gt;The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. 
To help prevent similar attacks in the future: if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5450380949489711627?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5450380949489711627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5450380949489711627'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/new-mbr-rootkit-is-using-old-technique.html' title='New MBR Rootkit is using an old technique.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7170457752587035476</id><published>2008-01-08T14:58:00.000+01:00</published><updated>2008-01-08T15:11:57.610+01:00</updated><title type='text'>The iPhone and a trojan!</title><content type='html'>What did I tell you about a year ago ... malware would be coming for the iPhone and ... what appeared several days ago ... indeed a trojan for unlocked iPhones. The trojan installation package seems to contain false application installation information that causes third-party applications to be removed if the trojan is uninstalled from the iPhone. I saw warnings about the trojan at http://www.modmyifone.com/ in thread &lt;a href="http://www.modmyifone.com/forums/showthread.php?t=24323"&gt;http://www.modmyifone.com/forums/showthread.php?t=24323&lt;/a&gt;. 
&lt;br /&gt;The malicious package was taken offline soon after the discovery of this low-risk threat over the weekend.&lt;br /&gt;This only shows us a normal security-related problem with an iPhone. Be aware that this is just the beginning... It's still strange that we didn't see too many problems (yes I know, we got a few) with Windows Mobile based phones until now, isn't it?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7170457752587035476?l=eddywillems.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7170457752587035476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7170457752587035476'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/iphone-and-trojan.html' title='The iPhone and a trojan!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1248526453328567784</id><published>2008-01-07T19:54:00.001+01:00</published><updated>2008-01-07T20:02:34.833+01:00</updated><title type='text'>EICAR and the smallest webserver in the world.</title><content type='html'>I was just made aware that my colleague blogger Didier Stevens created a very small webserver including our EICAR-test file.&lt;br /&gt;You can find and watch what he did at &lt;br /&gt;&lt;a href="http://blog.didierstevens.com/2007/12/18/pocket-eicar-test-file-server/"&gt;http://blog.didierstevens.com/2007/12/18/pocket-eicar-test-file-server/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I must say that this is the weirdest thing I've seen that has been done with the EICAR-test 
file. Nice, isn't it?&lt;br /&gt;&lt;br /&gt;If you want more info about the EICAR-test file you can go to the &lt;a href="http://www.eicar.org"&gt;EICAR website&lt;/a&gt;.&lt;br /&gt;The file is used to find out if your anti-virus or anti-spyware program is working without having to use a real virus or malware.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1248526453328567784'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1248526453328567784'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/eicar-and-smallest-webserver-in-world.html' title='EICAR and the smallest webserver in the world.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7370017075965641568</id><published>2008-01-02T20:18:00.000+01:00</published><updated>2008-01-02T20:22:55.724+01:00</updated><title type='text'>Four in 10 SMBs are not secure!</title><content type='html'>Despite the best efforts of many small and medium-sized companies, a recent US survey shows that four in 10 companies believe that their networks are not secure. Thirty-two percent of the companies also reported that they had suffered a breach in the past 12 months alone, citing virus attacks and Internet downloads as the leading cause of the security breach. The survey, conducted by eMediaUSA on behalf of GFI Software, was given to 455 IT executives from U.S.-based small and medium-sized businesses (SMBs). 
Further results of the survey can be found at &lt;a href="http://www.gfi.com/documents/rv/smbsurvey.pdf"&gt;http://www.gfi.com/documents/rv/smbsurvey.pdf&lt;/a&gt; and more details on this release can be found at &lt;a href="http://www.gfi.com/news/en/smbsurvey1.htm"&gt;http://www.gfi.com/news/en/smbsurvey1.htm&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;And this is not only in the US. I got the same reports over here in Belgium and the Netherlands, something I found out about 9 months ago, and it has not changed since then...</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7370017075965641568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7370017075965641568'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2008/01/four-in-10-smbs-are-not-secure.html' title='Four in 10 SMBs are not secure!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5107581399790385763</id><published>2007-12-31T11:36:00.000+01:00</published><updated>2007-12-31T11:55:02.167+01:00</updated><title type='text'>Happy New Year!</title><content type='html'>Be very careful, as the Storm Worm keeps spreading its word via email messages.&lt;br /&gt;In fact, it may be a good idea to be suspicious of any email arriving in your inbox that wishes you New Year’s greetings, especially if it asks you to click on a link to retrieve it. 
What makes these malware domains difficult to take down is the way in which these criminals have deployed them, and the clever way they knew how to maximize their “window of opportunity” due to registrar operating hours during the end-of-year holiday. A lot of registrars are simply closed for the next 7 to 10 days. Ten or more days of availability — at the very least — will more than likely contribute to these criminals building an even larger botnet.&lt;br /&gt;Nevertheless, a Happy New Year from me to you all and ...&lt;br /&gt;stay tuned, as 2008 will again bring other things to look at ... also for me.  ;-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5107581399790385763'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5107581399790385763'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2007/12/happy-new-year.html' title='Happy New Year!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8688875697095899994</id><published>2007-12-28T16:23:00.000+01:00</published><updated>2007-12-28T16:37:38.512+01:00</updated><title type='text'>Bhutto Assassination Malware ...</title><content type='html'>Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as some AV and security companies discovered a number of malicious Web sites that came up on Google search results 
using the simple search term “benazir”. These sites attempt to infect users who want to know more about the unfortunate incident. One of the sites in question has an embedded malicious JavaScript redirect. The malicious script downloads a Trojan, which in turn downloads more malicious files. There is even a host of other news sites and blogs taking advantage of this news. The malicious JavaScript is also embedded in other Web sites with a wide scope of topics and interests. There are many other sites that have possibly been compromised, including MSN, BlogSpot, etc. Most AV products are already detecting these files as malware, but as always, be aware that it could go wrong somewhere. &lt;br /&gt;It's a shame that such things happen on the back of other shocking news.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8688875697095899994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8688875697095899994'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2007/12/bhutto-assassination-malware.html' title='Bhutto Assassination Malware ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3380432902523838875</id><published>2007-12-25T11:37:00.000+01:00</published><updated>2007-12-25T11:43:55.637+01:00</updated><title type='text'>Storm is Back!</title><content type='html'>After 2 very quiet months the Storm gang seems to be back in 
business.&lt;br /&gt;Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.&lt;br /&gt;&lt;br /&gt;The message comes in with a number of subjects:&lt;br /&gt;Subject: I love this Carol!&lt;br /&gt;Subject: Santa Said, HO HO HO&lt;br /&gt;Subject: Christmas Email&lt;br /&gt;Subject: The Perfect Christmas&lt;br /&gt;Subject: Find Some Christmas Tail&lt;br /&gt;Subject: Time for a little Christmas Cheer&lt;br /&gt;&lt;br /&gt;Updated subjects:&lt;br /&gt;“Merry Christmas To All”&lt;br /&gt;“Warm Up this Christmas”&lt;br /&gt;“Mrs. Clause Is Out Tonight!”&lt;br /&gt;“The Twelve Girls Of Christmas”&lt;br /&gt;“Jingle Bells, Jingle Bells”&lt;br /&gt;“Cold Winter Nights”&lt;br /&gt;&lt;br /&gt;The body is something similar to:&lt;br /&gt;This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these.  ;-) http://merry christmasdude.com/&lt;br /&gt;&lt;br /&gt;But that's not all ... 
I also saw another zipped sample sent straight to one of my honeypots with the subject 'Merry Christmas' and an infected 'ecard.zip' attached!&lt;br /&gt;&lt;br /&gt;Be very careful these days, as scanners are updated less often and infected samples can pass through easily!&lt;br /&gt;&lt;br /&gt;A Merry Christmas to you all!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3380432902523838875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3380432902523838875'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2007/12/storm-is-back.html' title='Storm is Back!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2415412622812173521</id><published>2007-12-16T16:47:00.000+01:00</published><updated>2007-12-16T16:59:21.050+01:00</updated><title type='text'>2007: A year of threats across several technologies.</title><content type='html'>The main trend I have observed this year has been the spread of malware activity across several forms of technology and applications. I wrote a comment article about this for Virus Bulletin magazine, which has just been published in the December issue.  
You can read the full article at my &lt;a href="http://www.anti-malware.info/press.htm"&gt;press page&lt;/a&gt; or at the &lt;a href="http://www.virusbtn.com"&gt;Virus Bulletin&lt;/a&gt; magazine site or via this &lt;a href="http://www.wavci.com/media07/VbDeEd07.pdf"&gt;link&lt;/a&gt;.&lt;br /&gt;I'm looking forward to the new year as this will bring some new opportunities for me. I will give you more info soon.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2415412622812173521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2415412622812173521'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2007/12/2007-year-of-threats-across-several.html' title='2007: A year of threats across several technologies.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-576647989834665091</id><published>2007-12-09T16:48:00.000+01:00</published><updated>2007-12-09T17:01:56.222+01:00</updated><title type='text'>Attention with e-cards!</title><content type='html'>It is the season to be wary. Sadly, malware authors are quick to seize on current events to cloak their social engineering attacks -- which typically involve tricking people into clicking on a malicious link or visiting a malicious Web page -- in an aura of legitimacy. 
So it seems again that the holiday season brings a surge in holiday-oriented scams, as new malware-oriented e-cards have already started to appear.&lt;br /&gt;Some of these e-cards are purportedly sent from a legitimate source and try to lure the victim into clicking on the link to view the e-card, which uses underlying tricks to try to infect the computer. With the Xmas bells starting to ring, the first incidents have already started to appear. While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe.   ;-)&lt;br /&gt;&lt;br /&gt;So in short, don't send fancy e-cards, just use plain text messages! They are much safer and, in my opinion, much nicer ... If everybody did this, it would make the internet at least a little bit safer.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/576647989834665091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/576647989834665091'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2007/12/attention-with-e-cards.html' title='Attention with e-cards!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4528567303376030834</id><published>2007-12-02T16:29:00.001+01:00</published><updated>2007-12-02T16:34:00.198+01:00</updated><title type='text'>EICAR Call for Papers, Laval (France)</title><content type='html'>17th EICAR Annual Conference&lt;br /&gt;&lt;br /&gt;          IT Security is facing a paradigm shift  &lt;br /&gt;     New threats and more subtle methods of attack require&lt;br /&gt;           different approaches and solutions&lt;br /&gt;&lt;br /&gt;The 17th Annual EICAR Conference, to be held from 3 May to 6 May 2008 in Laval, France, brings together experts from industry, government, military, law enforcement, academia, research and end-users to examine and discuss new research and development in anti-virus, malware, e-security, e-forensics and Information and Communications Technology (ICT) Management.&lt;br /&gt;The main theme of the EICAR 2008 conference will be Malware and Virtualization. The new malware threats which have recently emerged with virtualization (e.g. SubVirt and BluePill malware) represent a huge and complex challenge to current detection capabilities. With virtualization, malware detection is bound to undergo a major revolution. The aim of the EICAR&lt;br /&gt;2008 conference is to gather computer virology experts (researchers, AV industry people...) 
to think about the best technical or non-technical solution in order to fight against virtualization-based malware.&lt;br /&gt;&lt;br /&gt;This call for papers invites the submission of full papers and abstracts on one or more topics that may include but are not restricted to:&lt;br /&gt;* Virtualisation and its Risks&lt;br /&gt;* Malware and Virtualisation&lt;br /&gt;* Malicious code and its side effects&lt;br /&gt;* Viruses and worms&lt;br /&gt;* Vulnerabilities and Software Bugs&lt;br /&gt;* Spam and Phishing&lt;br /&gt;* Spyware&lt;br /&gt;* e-Crime and e-Forensics&lt;br /&gt;* Information Assurance&lt;br /&gt;* Ethical and Moral Aspects of Malware Writing&lt;br /&gt;* Identity Management&lt;br /&gt;* ICT Security and Policy Management&lt;br /&gt;* Intrusion Detection and Prevention&lt;br /&gt;* Human aspects of INFOSEC&lt;br /&gt;* Awareness and Education&lt;br /&gt;* Cryptography and Steganography&lt;br /&gt;* Legal, Privacy and Social Issues of ICT Security&lt;br /&gt;* IT Governance and Compliance&lt;br /&gt;* Cyber Terrorism&lt;br /&gt;&lt;br /&gt;The conference committee is seeking submissions of papers for oral presentation at the conference in two major categories:&lt;br /&gt;* Peer reviewed papers - these papers will be selected on&lt;br /&gt;  the basis of blind peer review by members of the program&lt;br /&gt;  committee and other independent reviewers (where necessary).&lt;br /&gt;  Case studies, research in progress and full research papers&lt;br /&gt;  will be considered for inclusion in the conference&lt;br /&gt;  program. There is no definitive word limit for&lt;br /&gt;  the submissions; however, it is anticipated that submissions&lt;br /&gt;  will be between 3500 and 5500 words. 
The program committee&lt;br /&gt;  will not accept research proposals for submission to&lt;br /&gt;  the conference.&lt;br /&gt;* Other papers - these papers will not be peer reviewed;&lt;br /&gt;  however, due to the considerable interest in the conference&lt;br /&gt;  in the previous years these papers will also be selected&lt;br /&gt;  by the program committee. This category covers corporate&lt;br /&gt;  papers, best practices, new technologies, policy issues etc.&lt;br /&gt;  and the conference committee is eager to obtain submissions&lt;br /&gt;  from industry, government and other sectors for this category.&lt;br /&gt;  However, marketing papers will not be accepted for&lt;br /&gt;  the conference.&lt;br /&gt;&lt;br /&gt;The conference committee can accept only a limited number of papers in each category, and the acceptance ratio in the past few years was only about 30-40% of submitted papers. All accepted papers will be published in electronic form on the Conference CD-ROM, and only peer reviewed papers will be published in the printed version of the EICAR Conference Proceedings (book with ISBN). 
The best papers will be published in a special issue of the Journal in Computer Virology, a research journal published by Springer Verlag.&lt;br /&gt;&lt;br /&gt;Submission deadlines: &lt;br /&gt;Peer reviewed papers (in full) due 20 January 2008&lt;br /&gt;Other papers (non reviewed - abstracts) due 20 December 2007&lt;br /&gt;&lt;br /&gt;Full CFP is available at&lt;br /&gt;&lt;a href="http://conference.eicar.org/"&gt;http://conference.eicar.org/&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4528567303376030834'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/4528567303376030834'/><link rel='alternate' type='text/html' href='http://eddywillems.blogspot.com/2007/12/eicar-call-for-papers-laval-france.html' title='EICAR Call for Papers, Laval (France)'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://www.anti-malware.info/pic/noxsed.jpg'/></author></entry></feed>
