Wednesday, July 25, 2007

Press Interviews: Knack and RTBF.

I was interviewed on Monday by the RTBF about the Harry Potter attacks, a USB-stick based worm and a Trojan. They broadcast it yesterday on the 13:00 news.
And as I told you earlier in this blog, this was just the beginning
of a busy summer ... meaning ... I was also interviewed by Ingrid Van Daele from Knack magazine (see my blog post of 1 July 2007). They published it today (Wednesday). It's what they call their 'Cybercrime' dossier. I like it very much, as it shows several security people with different views. The article opens with a short chat I had, just before the interview, with a virus writer called 'Halsten'. He was the only one who responded to my question whether anybody was interested in talking to a journalist.
Nevertheless, the two interviews are completely different. I even did the RTBF interview on behalf of Trend Micro. If I get permission, both will be uploaded to my press page at .

Tuesday, July 24, 2007

Spam, Excel and Zip, a new trend.

Several days ago I started noticing email messages on my spam honeypots that carry ZIP-packed Excel files. When opened, these Excel files contain the same pump-and-dump stock pitches that spam mails are now notorious for. Using ZIP files as a carrier for malicious files is already a known routine of many malware families such as Bagle. Using ZIP as a carrier in a spam scheme, however, is quite new and is probably a social engineering tactic more than anything else. That the email arrives as an Excel file packed in a ZIP may have more to do with lending credence to a stock-related email at a time when the authorities are seriously going after pump-and-dump spammers. That the spammer chose Excel, an application usually associated with accounting and money, may not be a coincidence either.
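As an added example (not from the original post), here is a small triage check for the ZIP-packed Excel spam described above: it parses a raw email, looks inside every ZIP attachment without extracting it, and reports any member that carries an Excel extension. The sample message is constructed inline; the sender, recipient and file names are placeholders.

```python
# Added example, not code from the original post: flag ZIP attachments that
# wrap Excel files, the spam pattern seen on the honeypots. The email below
# is constructed for the demo; the placeholder .xls is not a real workbook.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xla", ".xlt")


def build_sample_eml() -> bytes:
    """Construct a pump-and-dump style message with a ZIP-wrapped .xls inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Hot_Stock_Alert.xls", b"constructed placeholder, not a real workbook")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "honeypot@example.invalid"      # placeholder address
    msg["Subject"] = "Important investment update"
    msg.set_content("See attached spreadsheet.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="update.zip")
    return msg.as_bytes()


def zip_wrapped_excel(raw_eml: bytes) -> list:
    """Return (attachment name, member name) pairs for Excel files found inside ZIP attachments."""
    findings = []
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        # Detect ZIP by content, not by the declared filename or MIME type.
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            # Only the central directory is read; nothing is extracted.
            for member in z.namelist():
                if member.lower().endswith(EXCEL_EXTENSIONS):
                    findings.append((part.get_filename(), member))
    return findings
```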

Wednesday, July 18, 2007

New WAVCi Lab Broadcast: Problems related to anti-virus and anti-malware testing!

I just launched my third WAVCi lab broadcast.
You can find this posting at .
Alternatively you can also watch it over here:

The item this time:
Problems related to anti-virus and anti-malware testing!
You can subscribe and view the complete channel at .
If you want to download this Vodcast in mp4 format (iPod),
you can do so via the link .
If you have iTunes installed, you can watch it
via the WAVCi iTunes channel .
Oh yes, the dogs you can sometimes hear are not mine!
Don't hesitate to send your reactions to my podcast mailbox.

Tuesday, July 17, 2007

10 Years at NOXS!

10 years already working for NOXS ... that's a real record, isn't it? Well, officially it's now 16 years in the security and AV industry, 10 1/2 years at NOXS and 23 years in IT.
I received congratulations from NOXS and my colleagues, together with a 10-inch digital photo frame, a USB stick and a weekend for two.
Thank you all!
And it seems it's not only my hair that is changing colour these days. Have a look at this nicely prepared cartoon...
And that's not all: I now have a second job description, Technical Account Manager Open Security Training, alongside my 'Anti-Malware Technology Expert' title. What does it mean? More work, obviously: more Open Security Training (open = vendor neutral, e.g. CEH, CISSP) related work.

BTW, if you want to see my latest comment on the iPhone, you can find it on my press page under the television interviews.
Later this week I will be posting my new Vodcast.

Thursday, July 12, 2007

Something interesting from Microsoft!

The official Version 1 of the Microsoft Malware Protection Center Portal is now live.
You can check it out here:
Some of the features are:
- Access to the MS malware encyclopedia.
- Download the MS antivirus and/or antispyware signatures.
- Threat and Potentially Unwanted Software Telemetry.
- Tools and Resources.
- Microsoft Security Intelligence Report.
- Blogs, etc ...
And last but not least a Sample Submission feature!

Nice, at last: what we could find on every anti-virus or anti-malware vendor's homepage for years is now also available at Microsoft. For me, Microsoft has now changed its status to that of a normal anti-malware vendor. It took them a while.

Tuesday, July 10, 2007

An interesting MS Windows File Protection feature?

A short week out of the office put me, by coincidence, in front of an interesting piece of malware, W32/Crimea, which uses an undocumented feature of Windows File Protection.
Windows File Protection (WFP) is a feature of the Windows operating system that prevents other programs from modifying, replacing or deleting critical system files. SFC.dll and SFC_OS.dll contain the functions used to monitor system files. Earlier malware used to patch these DLLs or modify the registry to disable the feature. We had blogged earlier about some of the techniques used by malware targeting Windows files. Patching SFC.dll and SFC_OS.dll rendered some of the system defenses useless, but anti-virus companies found a way to identify these patched DLLs and provided remedies to clean the user's computer of this malice.
Malware authors have again found an alternative, with the help of undocumented functions in SFC_OS.dll itself. One of these functions disables WFP for a particular file, normally for one minute. That is all the time the malware needs to do its work. Afterwards the system is back in its normal state, but infected. Even though these techniques have been known for more than a year, we are seeing them used by malware these days. This second method is used by W32/Crimea to infect the system file imm32.dll. Microsoft probably provides such APIs to update system files and install patches, but they also provide an easy way for malware to infect the system. Nice feature, isn't it?
Well ... as I've told you before in one of these blog posts ... this is just the beginning of the new malware era. We'll definitely see more like this in the near future.
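Since WFP itself can be switched off per file for a minute, the check that still works is the one the post credits the anti-virus companies with: comparing the protected DLLs against a known-clean baseline. Below is an added example (not code from the original post or from any AV product) that baselines the three DLLs the post names and reports which one changed; it runs against constructed stand-in files in a temporary directory rather than a real system32.

```python
# Added example, not from the original post: baseline-and-compare integrity
# check for the WFP-protected DLLs named in the post. A patched or infected
# copy changes its hash regardless of whether WFP was disabled at the time.
# Stand-in files in a temporary directory replace a real system32 here.
import hashlib
import os
import tempfile
from pathlib import Path

PROTECTED_DLLS = ("sfc.dll", "sfc_os.dll", "imm32.dll")  # names taken from the post


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large system DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir: str) -> dict:
    """Record the hash of each protected DLL from a known-clean directory."""
    return {name: sha256_of(os.path.join(system_dir, name)) for name in PROTECTED_DLLS}


def check_integrity(system_dir: str, baseline: dict) -> dict:
    """Return {name: 'ok' | 'modified' | 'missing'} for every baselined DLL."""
    result = {}
    for name, expected in baseline.items():
        path = os.path.join(system_dir, name)
        if not os.path.exists(path):
            result[name] = "missing"
        elif sha256_of(path) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo() -> dict:
    """Clean baseline, then an in-place change to imm32.dll (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        for name in PROTECTED_DLLS:  # stand-in contents, not real PE images
            Path(d, name).write_bytes(b"MZ" + name.encode() + b"\x00" * 64)
        baseline = build_baseline(d)
        # The post's scenario: the protected imm32.dll is altered in place.
        with open(os.path.join(d, "imm32.dll"), "ab") as f:
            f.write(b"<constructed appended bytes>")
        return check_integrity(d, baseline)
```

On a real system the baseline would be taken from a clean installation or the signed copies in the dllcache, and the check scheduled periodically, since the one-minute WFP window leaves no trace of its own.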

Sunday, July 01, 2007

Vacation: It started with a ... journalist.

I just started my one-week vacation. I will mostly stay at home, do some small things and prepare for my longer vacation later this summer. I also took half a day off to drive my son to a LAN party called 'FOM' in Sint-Niklaas. Guess what ... I nearly didn't make it: a journalist from VTM (a Belgian commercial TV station) called me to do an interview about the just-launched iPhone ... and that was the start, on Friday afternoon. Yesterday, Saturday, a journalist and a photographer took up my time to discuss an upcoming article in the magazine 'Knack'. And you thought I could lie on my back in my garden for a week with a nice cocktail. It's hard to have several 'days off'. And I don't think this is all ...