Monday, April 28, 2008

Another viruswriting contest ... oh no, not again!

There will be a new contest at the Defcon hacker conference this August: Called Race-to-Zero, the contest will invite Defcon hackers to find new ways of beating antivirus software. Contestants will get some sample virus code that they must modify and try to sneak past the antivirus products. Awards will be given for "Most elegant obfuscation", "Dirtiest hack of an obfuscation", "Comedy value" and "Most deserving of beer"... The contest was announced Friday. The contest organizers say that they're trying to help computer users understand just how much effort is required to skirt antivirus products. The Race-to-Zero sponsors hope to present the contest results during Defcon. The contest is not organized by Defcon, but is one of the unofficial events that the show's organizers have encouraged attendees to arrange. Defcon runs Aug. 8 to Aug. 10 at the Riviera Hotel & Casino in Las Vegas.
In my opinion this is very unethical; it's like creating new samples of a biological virus, and that's something you also try not to do, isn't it? And actually, encouraging people to do this as a contest is really over the top. It's also encouraging people all over the world to create or even change viruses! It's all in the (wrong) mindset of a lot of people these days! Let's hope we can still educate and 'evangelise' the people in the good direction, otherwise the future could be much worse than we think. I predict that a lot of AV and security vendors will have a lot of comment on this topic during the next weeks!

Sunday, April 27, 2008

Preparing for the EICAR conference 2008 in Laval, France

I'm preparing myself to go to the EICAR conference this year; however, just before it, I will have a stop at the AMTSO meeting in Amsterdam (Netherlands). You can find more info about both conferences or organisations at and
Let's hope that we get interesting results at the AMTSO meeting, where the industry wants to improve the malware tests.
I have also heard a lot of gossip about our nice EICAR conference. Will it go on or not this year, was for instance one of the questions... well, I can assure you ... it will go on, and the place seems to be more beautiful than everybody thinks at this moment.

The most secure table at the Data News Award Gala 2008.

Last Thursday I was at the Data News Awards Gala event. About 13 awards were given to the most innovative or interesting companies of the past year. During the breaks we listened to some nice live music from Sophie or Gunther Neefs. CISCO got the award for the best security company of the year. It's stupid that there was no award for the most secure table. That should have been our table ... we had us (Kaspersky Lab), Apple and Guy Kindermans, the security journalist from DataNews, at our table. You can find more at the Data News website.

Wednesday, April 09, 2008

'Kraken' exaggerated but beware of the Storm codec ...

There's recently been quite a lot written about a botnet of spam trojans named Kraken.
There've been some claims that the botnet is the biggest currently out there, massing over 400,000 infected computers. Most AV vendors in the industry have been wondering about the numbers, which seem to be exaggerated when taking a look at received samples. Is it because of the “arrival” of Kraken, which, following in the footsteps of MayDay and Mega-D, is challenging the Storm gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec. Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business again. Several sites offer what looks like a YouTube-look-alike streaming video. The infection vector and messaging are actually still the same, meaning users are most likely to reach this site via links on specially crafted, love-themed blogs. What is interesting this time is that on these sites, users are required to download the so-called Storm Codec in order to view the said video.... Correct: the codec is called Storm Codec.
Users are advised to be wary when visiting Web sites or blogs, especially those that require installation or execution of files. Video files — especially those posted online — almost always do not require video codecs anymore ... but do you think that any user knows this?

Sunday, April 06, 2008

Polinka Banking Trojan and my Russian Moscow visit...

There's been a banking trojan spam run in four European countries this weekend. One of the targeted countries seems to be The Netherlands. The mails claim to be from a nice-looking Russian student girl looking for a sex partner or just a friend. The mail urges the recipient to check her photos at a site called (in China). Unfortunately, the site only has thumbnails of Ms. Polinka's pictures; when you try to view them at a larger size you get an error message about a missing plug-in which you'd need to see the pictures. The plug-in is a man-in-the-middle banking trojan...

Oh yes, talking about Russia ... some people asked me to put a link on my site to the Russian TV interview with RBK TV for their Cnews magazine during my lecture at the Moscow CSO Security Summit. So it's up now, and you can find it over here or at my press page. There were several interesting speakers like Eugene Kaspersky (my boss) from Kaspersky Lab and Mikko Hyppönen from F-Secure.