<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-8234450</id><updated>2009-06-21T11:37:08.381+02:00</updated><title type="text">WAVCi</title><subtitle type="html">This is the original Eddy Willems WeBlog which is dedicated to my Anti-Virus work and research, my family, friends and colleagues all over the world. I try to give you a different general look at the Anti-Virus and Security world! This Blog is not reflecting the ideas of Kaspersky Lab nor EICAR nor my former employers. You can find my full website at www.wavci.com or www.anti-malware.info .</subtitle><link rel="alternate" type="text/html" href="http://www.anti-malware.info/weblog/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default?start-index=26&amp;max-results=25" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.anti-malware.info/weblog/atom.xml" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>444</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/Wavci" type="application/atom+xml" /><feedburner:browserFriendly>This is an XML content feed. 
It is intended to be viewed in a newsreader or syndicated to another site.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry><id>tag:blogger.com,1999:blog-8234450.post-231552439071724575</id><published>2009-06-21T11:21:00.005+02:00</published><updated>2009-06-21T11:37:08.388+02:00</updated><title type="text">The fight against Cybercrime.</title><content type="html">I'm again on the road ... well the last few weeks I was traveling to several countries and went to several events which all have to do with security. So crisis and security are definitely not connected, in my opinion. I also visited several Police Crime Units in several countries and guess what.. they don't all have the same questions or remarks. This confirms that there is (and will be) still a lot of work to be done within this environment: the fight against cybercrime is just in its baby phase but will tackle the real organised (cyber)crime in the future. 
Let's also hope it can tackle most of the possible cyberwar-attacks too.&lt;br /&gt;Next week I'm in Dubrovnik for Kaspersky's 10th Virus Analyst Summary, an internal and external conference, where we will talk about new technologies and techniques and after that I'm back home for the launch of our new consumer products with a beautiful set and combination of new technologies in Kaspersky Lab's fight against new malware.&lt;br /&gt;Watch out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-231552439071724575?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/231552439071724575" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/231552439071724575" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/VeXRx3W3mU8/fight-against-cybercrime.html" title="The fight against Cybercrime." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/06/fight-against-cybercrime.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1186994818194318520</id><published>2009-06-07T11:26:00.002+02:00</published><updated>2009-06-07T11:35:33.520+02:00</updated><title type="text">Elections and a special week...</title><content type="html">It will be an interesting week for me, starting with my votes for the Flemish and European Parliament, taking afterwards a plane to do some secret business (presenting) in Lyon, France ... 
hmmm, what will I do over there...., flying back and presenting on a Belgium Security event organised by (Qcom) Van Roey, driving back to a Citrix event in Antwerp, driving the next day to Luxembourg where I will present again on a Lannews Security event in Luxembourg and ending with the Ingram Showcase in Edingen/Enghien in Belgium back home. So if you think I always have time to put something up on my blog ... no way. However I updated my website with some interesting pictures taken during some events like the last EICAR conference and some other events. Further on: keep following me on Twitter of course!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1186994818194318520?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1186994818194318520" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1186994818194318520" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/Dy60nYUgxZM/elections-and-special-week.html" title="Elections and a special week..." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/06/elections-and-special-week.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3537760395709080893</id><published>2009-05-24T12:12:00.004+02:00</published><updated>2009-05-24T12:28:34.260+02:00</updated><title type="text">EICAR Conference 2009 Summary (Berlin)</title><content type="html">&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755143.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755141.JPG" border="0" alt="" /&gt;&lt;/a&gt;The EICAR conference 2009 held at the Steigenberger Hotel in Berlin, Germany from 9th to 12th May 2009 was a great success. The hotel provided perfect conference facilities, excellent food and due to their demonstrated flexibility in response to our short term changing requests, considerably contributed to the success of the conference. The absolute highlight was the keynote by Fred Cohen and the following discussions throughout the next two days in respect to his virus definition and the negative annotation of it. The paper “Applied parallel coordinates for logs and network traffic attack analysis” written by Sebastian Tricaud and Philippe Saadé was awarded the “Best Paper Award”, an excellent decision by the conference committee. The level of presented scientific papers as well as the one for the industrial papers was excellent and very well balanced. Many more papers have been submitted but, though of good quality, some had to be rejected because of simply insufficient space on the agenda. 
'Moderated by the EICAR Chairman of the Board, Rainer Fahs, Panel members from AMTSO (Andrew Lee), CARO (Morton Swimmer), EICAR (Eric Filiol), and ICSALabs (Andrew Hayter) represented a broad array of stakeholders in the anti-malware field and came to the conclusion that the complexity of the issue requires close cooperation between all stakeholders since isolated developments would not be a good way ahead.' (cfr. Rainer Fahs) During his farewell address the Chairman of the Board announced that, due to the generous offer by ESAT France, next year’s EICAR conference will be held from Saturday 8th to Tuesday 11th May 2010 in Paris at the conference facility of the Ecole Supérieure et d’Application des Transmissions (ESAT). A call for papers as well as more detailed information about our conference 2010 will be published soon.&lt;br /&gt;&lt;br /&gt;If you want to read more about the EICAR conference please have a look at the upcoming June issue from the famous &lt;a href="http://www.virusbtn.com"&gt;Virus Bulletin&lt;/a&gt; magazine. I wrote the summary.&lt;br /&gt;&lt;br /&gt;Oh yes the picture .. 
from left to right: Eddy Willems (me), Fred Cohen and Eric Filiol.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3537760395709080893?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3537760395709080893" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3537760395709080893" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/iHQsqy8orhY/eicar-conference-2009-summary-berlin.html" title="EICAR Conference 2009 Summary (Berlin)" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/05/eicar-conference-2009-summary-berlin.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8874242397658033390</id><published>2009-05-06T10:50:00.004+02:00</published><updated>2009-05-06T11:13:13.892+02:00</updated><title type="text">Preparing for Kaspersky Regatta and the EICAR conference...and Twitter</title><content type="html">Life is too short, isn't it? I've already started planning events and meetings in September and October this year and I try to prepare myself for the Regatta from Kaspersky Lab Benelux tomorrow. I will post a picture from the event over here.&lt;br /&gt;Friday I'm flying to Berlin to be ready for the upcoming EICAR conference in the Steigenberger Hotel. We have a terrific agenda with even Fred Cohen as a speaker at the event. 
You can find more at &lt;a href="http://www.eicar.org"&gt;www.eicar.org&lt;/a&gt; &lt;br /&gt;and if you want to come, there are still seats available.&lt;br /&gt;I'm doing now about 2 local events a week not including my discussions with press, some large customers and international events. And that's just one part of my work.&lt;br /&gt;But is my work not my hobby? Most of the time yes .. but it's a dangerous situation if you know what I mean...&lt;br /&gt;&lt;br /&gt;And for people who didn't know it yet, you can follow me&lt;br /&gt;on Twitter: &lt;a href="http://www.twitter.com/EddyWillems"&gt;www.twitter.com/EddyWillems&lt;/a&gt;&lt;br /&gt;I'm inviting you all.&lt;br /&gt;&lt;br /&gt;And concerning the safety on Twitter... pay attention please as I did see already a lot of security problems related to Twitter itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8874242397658033390?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8874242397658033390" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8874242397658033390" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/aWiMuU8S8yg/preparing-for-kaspersky-regatta-and.html" title="Preparing for Kaspersky Regatta and the EICAR conference...and Twitter" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" 
/></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/05/preparing-for-kaspersky-regatta-and.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6418915190826784253</id><published>2009-04-19T17:24:00.003+02:00</published><updated>2009-04-19T18:45:23.043+02:00</updated><title type="text">Kido/Conficker network fear far too exaggerated ...</title><content type="html">While analysing Kido network behaviour Kaspersky Lab (my colleagues) has been able to develop an application that helped to get an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24 hour observation period KL identified 200652 unique IPs participating in the network, far less than initially estimated Kido infection counts. Of course we always have to be very careful naming numbers so also&lt;br /&gt;this count could be not completely correct ... it shows however that it's definitely not 10 million as some sources reported before.&lt;br /&gt;This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants. 
&lt;br /&gt;You can find more at this &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187675"&gt;link&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6418915190826784253?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/6418915190826784253" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/6418915190826784253" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/Qz6R5BrJONQ/kidoconficker-network-fear-far-too.html" title="Kido/Conficker network fear far too exaggerated ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/kidoconficker-network-fear-far-too.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3344250896141479780</id><published>2009-04-19T15:57:00.002+02:00</published><updated>2009-04-19T15:59:49.053+02:00</updated><title type="text">I'm getting sick from Twitter worms and Mikey Mooney...</title><content type="html">What's up with Mikey Mooney? &lt;br /&gt;He wrote a series of Twitter worms, got hired, got hacked and released yet another worm last night.&lt;br /&gt;This one did extensive modifications to infected profiles; changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."&lt;br /&gt;This variant downloaded additional scripts from runebash.net/xss.js .&lt;br /&gt;&lt;br /&gt;The messages it sent were more philosophical in nature:&lt;br /&gt;Be nice to your kids. 
They'll choose your nursing home. Womp. mikeyy.&lt;br /&gt;If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.&lt;br /&gt;Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.&lt;br /&gt;Age is a very high price to pay for maturity. Womp. mikeyy.&lt;br /&gt;Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.&lt;br /&gt;If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.&lt;br /&gt;Money is not the only thing, it's everything. Womp. mikeyy.&lt;br /&gt;Success is a relative term. It brings so many relatives. Womp. mikeyy.&lt;br /&gt;'Your future depends on your dreams', So go to sleep. Womp. mikeyy.&lt;br /&gt;God made relatives; Thank God we can choose our friends.Womp. mikeyy.&lt;br /&gt;'Work fascinates me' I can look at it for hours ! Womp. mikeyy.&lt;br /&gt;I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.&lt;br /&gt;RT!! @spam Watch out for the Mikeyy worm (bit.ly link)&lt;br /&gt;FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)&lt;br /&gt;Mikeyy worm is back!!! Click here to remove it: (bit.ly link)&lt;br /&gt;&lt;br /&gt;So in my opinion, please don't hire him but fire him!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3344250896141479780?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3344250896141479780" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3344250896141479780" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/IABsnjxCr2Q/im-getting-sick-from-twitter-worms-and.html" title="I'm getting sick from Twitter worms and Mikey Mooney..." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/im-getting-sick-from-twitter-worms-and.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7649219252353394348</id><published>2009-04-09T16:41:00.003+02:00</published><updated>2009-04-09T16:52:57.324+02:00</updated><title type="text">Conficker/Kido starts with upgrade ...</title><content type="html">The Conficker worm has started to update infected machines with a mystery package of data. It sprang into life late on 8 April. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate. &lt;br /&gt;In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the older variant. The increased activity of Conficker/Kido and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.&lt;br /&gt;This latest Conficker/Kido variant - Net-Worm.Win32.Kido.js (Kaspersky Lab name)- is very different to the previous ones, with some notable points: once again it’s a worm, and it’s only functional until 3rd May. Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting. &lt;br /&gt;One of the files is a rogue antivirus application. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009. 
You can find a picture on the &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187654"&gt;weblog from Kaspersky Lab&lt;/a&gt;.&lt;br /&gt;And this is possibly not the end yet...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7649219252353394348?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/7649219252353394348" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/7649219252353394348" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/VzdGpoXIsPk/confickerkido-starting-with-update.html" title="Conficker/Kido starts with upgrade ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/confickerkido-starting-with-update.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8177693895953276381</id><published>2009-04-01T14:54:00.004+02:00</published><updated>2009-04-01T15:09:31.388+02:00</updated><title type="text">Conficker/Kido FAQ (Frequently Asked Questions)...</title><content type="html">Kido spreads via local networks and removable storage media. It penetrates computers by exploiting the MS08-067 vulnerability in Windows systems, which Microsoft released a patch for in autumn of last year. Experts believe that a significant number of machines had still not been patched by January, when the spread of Kido was at its peak. 
Failure to install the patch and to use effective antivirus protection has led to an epidemic: it’s currently estimated that between 5 and 6 million computers which have Internet connectivity are infected with Kido variants. &lt;br /&gt;Several factors made today’s global Kido epidemic possible – neglecting to use antivirus products and the absence of an organization which is responsible for the security of the Internet and which unites and coordinates the efforts of governments and IT security experts. &lt;br /&gt;Epidemics of a similar scale have happened in the past. However, the malicious programs which caused these epidemics did not have the extensive capability which Kido has to evade detection and prevent the disinfection of infected machines. &lt;br /&gt;The third version of Kido is currently spreading on the Internet. This program implements the most sophisticated technologies used by malware authors – it downloads updates for itself from site addresses which are constantly changing; it uses local networks as an additional channel for updates; it uses strong encryption to protect itself; it has sophisticated mechanisms for disabling security services etc. &lt;br /&gt;The third version of Kido updates itself by downloading code from 500 domains. These are chosen from a pool of 50,000 domains which is generated daily. The 500 domains are selected at random and this, together with the large number of domains makes it extremely difficult to monitor the domains used by the malicious program. &lt;br /&gt;Because of this, Kido could become the most powerful cybercriminal tool which is highly resistant to being blocked in the history of the Internet. The gigantic botnet created by the authors of Kido gives cybercriminals the ability to conduct extremely powerful DDoS attacks on any Internet resource, to steal confidential data from infected machines and to spread unwanted content (i.e. huge spam mailings). 
&lt;br /&gt;In March there were mass updates to older versions of this malicious program. On 1st April 2009 the Kido botnet will use the approach above to start receiving commands from its creators from 50,000 domains a day; what action the cybercriminals will take subsequently is difficult to predict. &lt;br /&gt;&lt;br /&gt;Kaspersky Lab products successfully prevent all versions of Kido from penetrating users’ computers. Recommendations on how to delete the malicious program are available on the Kaspersky Lab technical support site. &lt;br /&gt;&lt;br /&gt;Also available:&lt;br /&gt;&lt;a href="http://www.kaspersky.com/technews?id=203038750"&gt;FAQ of the Kido virus&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.radio1.be/programmas/vandaag/1-aprilvirus-maar-geen-grap"&gt;Audiofragment on the VRT radio about Kido virus (Only in Dutch)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://player.nos.nl/index.php/media/play/tcmid/tcm:5-498764/"&gt;Kaspersky evangelist Eddy Willems at NOS radio news (Dutch only)&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;We are constantly monitoring the situation.&lt;br /&gt;All press and media will be updated as soon as we have more info.&lt;br /&gt;But I personally think that we will not see too much activity today (April 1) but this can change of course any time and definitely any time after April 1...&lt;br /&gt;&lt;br /&gt;BTW I'm using &lt;a href="http://twitter.com/EddyWillems"&gt;Twitter&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8177693895953276381?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8177693895953276381" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8177693895953276381" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/Wavci/~3/PN79RcyqPuE/confickerkido-faq-frequently-asked.html" title="Conficker/Kido FAQ (Frequently Asked Questions)..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/confickerkido-faq-frequently-asked.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4050449624546156074</id><published>2009-03-29T17:38:00.007+02:00</published><updated>2009-03-29T18:13:00.562+02:00</updated><title type="text">Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009</title><content type="html">As promised the Infosecurity Belgium fair was very good for Kaspersky Lab. I got loads of interested people during my 2 presentations and the attendance on the booth was also a success. 
During the fair Kaspersky Lab also donated a cheque for about 16.000 Euro's to &lt;a href="http://en.wikipedia.org/wiki/Kim_Gevaert"&gt;Kim Gevaert&lt;/a&gt; for &lt;a href="http://www.sos-kinderdorpen.be"&gt;SOS Kinderdorpen&lt;/a&gt;.&lt;br /&gt;Here you can find some pictures:&lt;br /&gt;&lt;br /&gt;Picture 1:&lt;br /&gt;Me, Kim and Hannes(my colleague from the sales department)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713788.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 213px; height: 320px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713784.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Picture 2:&lt;br /&gt;Kim and Marjon (my colleague from our marketing department)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748625.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748622.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4050449624546156074?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4050449624546156074" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4050449624546156074" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/kzwSYawzMdE/kim-gevaert-and-eddy-willems-at.html" title="Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009" /><author><name>Eddy 
Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/kim-gevaert-and-eddy-willems-at.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8946945918458186849</id><published>2009-03-29T12:20:00.004+02:00</published><updated>2009-03-29T12:31:30.869+02:00</updated><title type="text">Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)</title><content type="html">A couple of weeks ago I've been interviewed by Marc De Pril from S.Televisie in S.Crimineel, a weekly show which runs in a loop. People who missed it can watch the complete transmission on &lt;a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=255580492"&gt;my iTunes channel&lt;/a&gt; or in 3 parts &lt;br /&gt;via my Youtube channel ... 
and eh oh yes, it's in Dutch (Flemish):&lt;br /&gt;&lt;br /&gt;Part 1&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ITojJTe_g8E&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ITojJTe_g8E&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Part 2&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/5-L1M56Qwls&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/5-L1M56Qwls&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Part 3&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/qkaLXEaCP-s&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/qkaLXEaCP-s&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;And there comes a follow up next month.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8946945918458186849?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/8234450/posts/default/8946945918458186849" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8946945918458186849" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/gtByIXVMSm0/cybercrime-on-internet-scrimineel-on.html" title="Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/cybercrime-on-internet-scrimineel-on.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2212550251245057257</id><published>2009-03-29T11:25:00.008+02:00</published><updated>2009-03-29T16:33:27.106+02:00</updated><title type="text">Chinese computer espionage network Ghostnet discovered.</title><content type="html">I've been interviewed this morning by 4 FM and Q-Music Belgium about Ghostnet. This mystery electronic spy network apparently based in China has infiltrated hundreds of computers around the world and stolen files and documents, Canadian researchers have revealed. The network, dubbed GhostNet, appears to target embassies, media groups, NGOs, international organisations, government foreign ministries and the offices of the Dalai Lama, leader of the Tibetan exile movement. GhostNet had invaded 1,295 computers in 103 countries, but it appeared to be most focused on countries in south Asia and south-east Asia, as well as the Dalai Lama's offices in India, Brussels, London and New York. The network continues to infiltrate dozens of new computers each week. 
Such a pattern, and the fact that the network seemed to be controlled from computers inside China, could suggest that GhostNet was set up by or linked to Chinese government espionage agencies. However, the researchers were clear that they had not been able to identify who was behind the network, and said it could be run by private citizens in China or a different country altogether. GhostNet can invade a computer over the internet and penetrate and steal secret files. It can also turn on the cameras and microphones of an infected computer, effectively creating a bug that can monitor what is going on inside the room where the computer is. Anyone could be watched and listened to. The researchers said they had been tipped off to the network after having been asked by officials with the Dalai Lama to examine their computers. The officials had been worried that their computers were being infected and monitored by outsiders. The Chinese government regularly attacks the Tibetan exile movement as encouraging separatism and terrorism within China. The researchers found that the computers had succumbed to cyber-attack and that numerous files, including letters and emails, had been stolen. The intruders had also gained control of the electronic mail server of the Dalai Lama's computers.&lt;br /&gt;However, the fact that the attacks seem to come from China does not completely prove that the attackers are really coming from China... 
a problem we will always have in Cyberspace.&lt;br /&gt;More interesting to read at &lt;a href="http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=2&amp;hp"&gt;this page&lt;/a&gt; and also Mikko's post &lt;a href="http://www.f-secure.com/weblog/archives/00001637.html"&gt;here&lt;/a&gt;.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2212550251245057257" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2212550251245057257" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/Vs1f80UWwqc/chinese-computer-espionage-network.html" title="Chinese computer espionage network Ghostnet discovered." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/chinese-computer-espionage-network.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1763617834408872687</id><published>2009-03-27T12:53:00.004+01:00</published><updated>2009-03-27T13:27:13.472+01:00</updated><title type="text">Please Media and Press don't hype Conficker.c !</title><content type="html">I don’t know for sure what’s going to happen on April 1st, when Conficker (Kido is the Kaspersky Lab's name) is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date. 
At least machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&amp;C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains. While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. There is always a possibility that, when Conficker starts to act like a real botnet, even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it could have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.&lt;br /&gt;&lt;br /&gt;Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems). However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether. For instance, by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV etc ... &lt;br /&gt;&lt;br /&gt;Well.. will we see big problems around the first of April?&lt;br /&gt;I personally don't think so.&lt;br /&gt;Will the internet go down? 
Of course not...&lt;br /&gt;Maybe it will be the biggest April 1st joke we will see this year &lt;br /&gt;but please may I call on the media at least not to hype this.&lt;br /&gt;&lt;br /&gt;If you're using a Kaspersky product and you patched your systems you don't need to worry and that's probably the most scary part ... there are still a lot of corporates which don't patch their systems. Will they never learn? That should be the message for the media and press. Kaspersky will also come out with an official statement soon, as several other vendors are doing.&lt;br /&gt;At least all experts and vendors are monitoring the situation.&lt;br /&gt;And like I've said before, please don't hype the situation.&lt;br /&gt;&lt;br /&gt;You can find a removal tool at this &lt;a href="http://support.kaspersky.com/faq/?qid=208279973"&gt;page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(I'm writing this at the end of Infosecurity Belgium which was fantastic BTW. I've met hundreds of people, friends and even &lt;a href="http://en.wikipedia.org/wiki/Kim_Gevaert"&gt;Kim Gevaert&lt;/a&gt; but that's for another blog later.)</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1763617834408872687" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1763617834408872687" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/XOXoQjHSRNY/please-media-dont-hype-confickerc.html" title="Please Media and Press don't hype Conficker.c !" 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/please-media-dont-hype-confickerc.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4364822649866116687</id><published>2009-03-08T19:24:00.004+01:00</published><updated>2009-03-08T19:34:27.308+01:00</updated><title type="text">Back from CeBIT 2009.</title><content type="html">&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/cebit2009-736651.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/cebit2009-736635.jpg" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from CeBIT 2009. Kaspersky Lab was present as always with a big booth, loads of interviews and the Russian Disco evening... legendary at CeBIT ... but no official blog (see www.viruslist.com ). Well this year it was maybe a little bit different. At least I'm looking forward to next year, to hear one of my interviews (Suisse Radio) or to read/watch/hear the other interviews.  ;-)</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4364822649866116687" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4364822649866116687" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/i_0pOHCIQlc/back-from-cebit-2009.html" title="Back from CeBIT 2009." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/back-from-cebit-2009.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1950923638927566272</id><published>2009-02-26T19:30:00.003+01:00</published><updated>2009-02-26T19:38:45.499+01:00</updated><title type="text">I love Facebook but ...</title><content type="html">A week ago the company published new terms and conditions for being a Facebook user which included a perpetual retroactive license to use your content nearly any way they see fit - even after you "delete" your account. Thousands cried foul and there was even a threat to file a complaint with the FTC. Facebook has since backed down and reverted to its previous user agreement. Nevertheless the issue points out the severe risks of using social networking services - especially Facebook. Some might say that the site operates in a fashion similar to a gigantic information gathering operation that lures people in by offering fancy tools that allow them to exercise their egos to various extremes. Others might just think it's "cool" and a "must-do" sort of thing because their peers expect them to participate. The bottom line here is that Facebook has demonstrated a clear intent to leverage you and your content to their own advantage.  &lt;br /&gt;So my advice is this: Don't use Facebook too much... But if you can't resist then don't post anything on Facebook that the majority of people don't already know about you. In fact you might consider adopting as part of your company security policy a ban that prohibits employees from mentioning anything about your company in their Facebook profiles. 
One tiny data leak could be used against you and there'd probably be little if anything you can do about it. &lt;br /&gt;&lt;br /&gt;I love Facebook but like everything else, don't exaggerate and that's exactly what everyone is doing. And I haven't even spoken about the (in)security of possible 'Facebook'-applications and other related security problems.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1950923638927566272" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1950923638927566272" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/dN-Ol2P8_es/i-love-facebook-but.html" title="I love Facebook but ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/i-love-facebook-but.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4882560936072060011</id><published>2009-02-25T09:48:00.003+01:00</published><updated>2009-02-25T09:55:46.455+01:00</updated><title type="text">Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability.</title><content type="html">I hope you are aware of the &lt;a href="http://secunia.com/advisories/33901/"&gt;0-day vulnerability&lt;/a&gt; currently being actively exploited in Adobe Reader/Acrobat. I initially heard rumours about this 0-day vulnerability on 16th February 2009. 
Three days later, Adobe &lt;a href="http://www.adobe.com/support/security/advisories/apsa09-01.html"&gt;confirmed&lt;/a&gt; the existence of the 0-day vulnerability and Secunia issued an advisory. Over the last couple of days, I have seen many sources recommend users to disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it seems that it does not protect against the actual vulnerability. Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled. &lt;br /&gt;Bottom line: All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not. I hope that Adobe will be issuing patches very soon.&lt;br /&gt;To be continued ...</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4882560936072060011" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4882560936072060011" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/ST26arwZu0I/adobe-readeracrobat-jbig2-indexing-zero.html" title="Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/adobe-readeracrobat-jbig2-indexing-zero.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-146073810408329142</id><published>2009-02-24T09:52:00.003+01:00</published><updated>2009-02-24T10:02:43.735+01:00</updated><title type="text">Some malware predictions for the next 10 months of 2009.</title><content type="html">A little bit late I know ... but it seems that working for a security vendor takes more time than I thought!   ;-)&lt;br /&gt;&lt;br /&gt;Just to sum it up in a couple of lines, these are a couple of my own predictions:&lt;br /&gt;&lt;br /&gt;. Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. I expect this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email which is already the case today.&lt;br /&gt;. Personalized Threats Speak Your Language. I expect to see the continued expansion of malware in languages other than English like Dutch, etc... Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.&lt;br /&gt;. Malware Targets Consumer Devices. I expect to see increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.&lt;br /&gt;. Security Software Scams. 
The malware underworld is using mainstream practices in an effort to "sell" security software that is either misleading or outright fraudulent. This trend will continue.&lt;br /&gt;. Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, etc allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties. &lt;br /&gt;. More Targeted Phishing and Corporate Blackmailing. Botnets via zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market. &lt;br /&gt;. Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware. &lt;br /&gt;. Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.&lt;br /&gt;. More Scams Involving Home Businesses. "Legitimate" home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. 
We'll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.&lt;br /&gt;. Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary "from" addresses. This has increased the usability of these services significantly to businesses, but has also increased the "abusability" by spammers.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/146073810408329142" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/146073810408329142" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/ZjEKmJF-sNc/some-malware-predictions-for-next-10.html" title="Some malware predictions for the next 10 months of 2009." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/some-malware-predictions-for-next-10.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5712123920655673329</id><published>2009-02-20T23:23:00.004+01:00</published><updated>2009-02-20T23:51:34.071+01:00</updated><title type="text">Eddy Willems in S.Crimineel on S.Televisie</title><content type="html">What a week.. pff.. 
5 days looked like 5 minutes, do you know the feeling?&lt;br /&gt;Of course there was a climax with Eugene Kaspersky our CEO, and my boss, coming to the IDC European Security Conference. After a terrific panel session with several other experts and loads of interviews with the press including a very nice one with Kanaal Z we went out for a good dinner in the well-known Beenhouwerstraat in Brussels.&lt;br /&gt;Returning home and zapping through all the tv-channels I realised that not only Eugene was on it (Kanaal Z), I saw myself showing up in S.Crimineel on S.Televisie, a show about criminality and law in general that is repeated 3 times a day. A quite long show and interview for about 23 minutes in one long shot taken without cutting. You can still watch the show until next Thursday if you have cable television from Telenet, a known ISP and cable provider in Belgium. &lt;br /&gt;So everybody will at least see somewhere something from Kaspersky! For the people who don't have cable tv or Telenet I will put a link to the show shortly on my site on the press page.&lt;br /&gt;So let's see what the next week will bring after this strange and quick week and of course .. the hacks of the websites from Kaspersky, Bitdefender, F-Secure and Symantec .... 
but that's another story.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/5712123920655673329" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/5712123920655673329" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/azVIC8A9mpQ/eddy-willems-in-scrimineel-on.html" title="Eddy Willems in S.Crimineel on S.Televisie" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/eddy-willems-in-scrimineel-on.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-744407550307677928</id><published>2009-02-11T15:23:00.007+01:00</published><updated>2009-02-11T15:32:56.141+01:00</updated><title type="text">About testing anti-malware products...</title><content type="html">Kaspersky Lab is an enthusiastic supporter of this initiative, and several members of the research team attended the AMTSO meetings already. And AMTSO seems to get there... Recently there was a meeting in Cupertino. Major progress was made on a number of papers I’d say are pretty important: these include not only a glossary, but also papers that discuss such topics as gathering samples, sample validation, in-the-cloud testing, issues with malware creation or modification for testing purposes, and whole product evaluation, and I expect to see quite a few of these finished and approved before the next AMTSO meeting. 
&lt;br /&gt;Standardization on good practice is good for the industry, of course, and continuing cooperation between the antimalware and testing industries benefits both parties. But if we do this properly, it will be even more beneficial for end-users and prospective and actual customers. Not because what’s good for the industry is good for its customers, but because what we’re aiming for is to make it easier for them to distinguish between good and bad testing.&lt;br /&gt;So this is indeed a good thing protecting everybody from bad testing.&lt;br /&gt;What did you say?&lt;br /&gt;Oh yes I've seen a lot of bad tests in the last 2 decennia...</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/744407550307677928" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/744407550307677928" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/EgtfWqHbGoE/about-testing-anti-malware-products.html" title="About testing anti-malware products..." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/about-testing-anti-malware-products.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2052439473018737085</id><published>2009-02-10T18:54:00.005+01:00</published><updated>2009-02-10T19:34:04.605+01:00</updated><title type="text">Kaspersky US Site hacked, so what?</title><content type="html">In the Kaspersky US hack, which was discovered last Saturday, no sensitive or customer data was compromised but to allay concerns about the severity of the problem, Kaspersky Lab has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved. A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack. After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky Lab an email - on a Saturday to several public email boxes. They gave us exactly 1 hour to respond. And posted on their blog without having received a response. Obviously I am of course not happy about this and Kaspersky Lab is in the process of making the review process stricter than it currently is. Kaspersky Lab is doing everything to do the best forensics on this case and to prevent this from ever happening again.&lt;br /&gt;&lt;br /&gt;At least some keypoints to remember in this case:&lt;br /&gt;• NO data was compromised and KL hired a 3rd party organization to do an independent audit to confirm this.&lt;br /&gt;• The attack happened on a subsection of the US site with no link to the ecommerce or global site. 
No KL websites other than the US site were attacked.&lt;br /&gt;• This attack has nothing to do at all with the quality of our products of course! &lt;br /&gt; &lt;br /&gt;You can read more about what really happened at the official Kaspersky &lt;a href="http://www.viruslist.com/en/weblog"&gt;blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Interesting for the more technical reader ... it seems that a variant of the Acunetix tool was used to facilitate the attack. &lt;br /&gt;Isn't that a 'special' form of promotion?   ;-)&lt;br /&gt;&lt;br /&gt;And oh yes, I'm a little bit sick today (possibly caught a cold) but I'm using 'Sinutab' to clear up my personal health problem today. &lt;br /&gt;So, does this change me, am I a different person now? &lt;br /&gt;No, I'm still the good old Eddy with all his known skills. (I suppose so) &lt;br /&gt;Do you know what I mean?</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2052439473018737085" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2052439473018737085" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/X8GUHecxZKs/kaspersky-us-site-hacked-so-what.html" title="Kaspersky US Site hacked, so what?" 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/kaspersky-us-site-hacked-so-what.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4933161904216880554</id><published>2009-02-04T21:05:00.003+01:00</published><updated>2009-02-04T21:32:35.656+01:00</updated><title type="text">A day in the Life of a Kaspersky Lab Security Evangelist...</title><content type="html">A day in the life of a Security Evangelist is sometimes unbelievably overloaded.&lt;br /&gt;Today I answered 150 emails out of a total of 479 I've got and the day isn't finished yet. I spoke to a couple of journalists. I traveled to Hilversum in the Netherlands where I'm writing this short blogpiece. I have a hotel just in front of the 'mediapark' where I will have an interview tomorrow with an 'NOS' journalist for the evening TV journal and radio journal about the Shadowbotnet case. Indeed the case comes in a second phase as Friday will be the preview of the real case before coming to 'Justice'. I also arranged today an interview with 'S.televisie' a Telenet Cable channel in Belgium next week where I will be interviewed in the program 'S.Crimineel' about internet crime. Tomorrow in the afternoon I will present 'A Virus Analyst in 15 Minutes?' at IT Security &lt;a href="http://it-security.heliview.nl/"&gt;Heliview&lt;/a&gt; in Hoevelaken, the Netherlands. &lt;br /&gt;And possibly after that I will travel back home with my car where I will encounter several traffic jams.... &lt;br /&gt;&lt;br /&gt;And guess what, my Kaspersky Lab anti-malware program is just detecting and blocking an intrusion to my laptop ... 
just at the end of this blog.&lt;br /&gt;Nice isn't it, working with an unprotected internet connection from this hotel.. well at least I know what to do and I'm well protected but is that the case with everyone in this hotel? I don't think so.&lt;br /&gt;This was a normal day in the normal life of a Security Evangelist and there are people who think that I have an easy job.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4933161904216880554" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4933161904216880554" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/T21kglCXAKs/im-busy-with-nosstelevisiedag.html" title="A day in the Life of a Kaspersky Lab Security Evangelist..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/im-busy-with-nosstelevisiedag.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6851865872806763192</id><published>2009-01-21T16:47:00.003+01:00</published><updated>2009-01-21T17:03:02.761+01:00</updated><title type="text">Kido / Conficker / Downadup is really hard to remove.</title><content type="html">In the last week or so there has been a resurgence in the Kido worm that I first saw in November. 
This is probably due to the malware authors adding some new propagation methods such as spreading via USB flash drives and Windows file-sharing.&lt;br /&gt;These techniques make it hard to remove from a network, as a single computer unpatched against the Microsoft MS08-067 security vulnerability is able to reinfect the whole network via file shares. Obviously the best thing you can do is make sure that Microsoft’s patch is in place on every vulnerable computer on your network.&lt;br /&gt;&lt;br /&gt;I've been interviewed a dozen times (including some TV journals VRT and VTM) and you can find some of the articles at my press page on my website. &lt;br /&gt;The situation in Belgium and the Netherlands is quite good compared to the rest of the world. So did we all use the MS08-067 patch ASAP in the Benelux? &lt;br /&gt;I hope we will have an improved (read: less infected) worldwide situation soon...</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/6851865872806763192" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/6851865872806763192" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/uYR82bpEPLI/kido-conficker-downadup-is-really-hard.html" title="Kido / Conficker / Downadup is really hard to remove." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/01/kido-conficker-downadup-is-really-hard.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3577457948365854223</id><published>2009-01-14T20:05:00.003+01:00</published><updated>2009-01-14T20:15:27.849+01:00</updated><title type="text">Net-Worm.Win32.Kido.bt outbreak?</title><content type="html">Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media. The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines. Users are strongly recommended to ensure their antivirus databases are up to date. A patch for the vulnerability is available from Microsoft but, as always, you must install it, and it seems that a lot of people and corporations were too busy with some New Year events or happenings and were surprised by this one.&lt;br /&gt;A detailed description of Net-Worm.Win32.Kido.bt and removal instructions are available &lt;a href="http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782725"&gt;here&lt;/a&gt;. &lt;br /&gt;Several companies in Belgium and the Netherlands have been affected by this worm ... and it's not over yet but I can assure you that we are reaching the levels of a real outbreak, and it's been quite a while since we've seen this. A trend to look at and to investigate.&lt;br /&gt;&lt;br /&gt;And .. eh BTW .. My Best Wishes for the New Year! 
&lt;br /&gt;Isn't that a nice start for the new year?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3577457948365854223?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3577457948365854223" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3577457948365854223" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/oWlrFZEHQuc/net-wormwin32kidobt-outbreak.html" title="Net-Worm.Win32.Kido.bt outbreak?" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/01/net-wormwin32kidobt-outbreak.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2163705070991145011</id><published>2008-12-23T15:18:00.003+01:00</published><updated>2008-12-23T15:29:20.976+01:00</updated><title type="text">Dangerous eCards in the Wild ... A Merry Christmas to you all!</title><content type="html">Are you really surprised? A couple of days ago I started to receive reports of emails pretending to carry links to holiday cards.  These emails contain a link that points to a file named ecard.exe.  Of course, this executable is not a seasonal holiday card but malware.  The reason this wave of malware has attracted my attention is that it is very similar to the Storm Worm attacks we were seeing last year. Although this attack uses fast-flux to make it harder to trace its web servers and a redirection page very similar to those used by Storm last year, this is not the resurrection of the Storm botnet. 
What we are observing today is proof that malware authors are learning from each other’s errors and successes.  After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success. Most AV vendors are detecting this by now but you'll know that this is definitely not the last malicious eCard we or you will see. &lt;br /&gt;Please just use ordinary plain text mails, it's so much nicer (read 'more intelligent') and it's more effective in my opinion. But am I not saying this every year? &lt;br /&gt;&lt;br /&gt;Well at least what I really want to say from my own safe spot in Belgium:&lt;br /&gt;A Merry Christmas to you all!&lt;br /&gt;And that's more or less in plain HTML.    ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2163705070991145011?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2163705070991145011" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2163705070991145011" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/3WkNR3S2iIg/dangerous-ecards-in-wild-merry.html" title="Dangerous eCards in the Wild ... A Merry Christmas to you all!" 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2008/12/dangerous-ecards-in-wild-merry.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7841672856653968823</id><published>2008-12-17T13:35:00.003+01:00</published><updated>2008-12-17T13:39:08.886+01:00</updated><title type="text">MS IE patch ready for Security Advisory 961051 (Zero-day exploit) !</title><content type="html">Microsoft Corp. has announced that it is to release an emergency patch for Internet Explorer, in the hope of fixing the security bug that allowed attackers to exploit the IE browser. The critical patch could not come any sooner for the millions of IE users who have been too scared to use the browser. The warning about the bug came last week after Microsoft had no choice but to go public about the exploit code. Hackers are able to hack into your Windows computer and then hijack Internet Explorer. Microsoft announced that an out-of-cycle patch will be ready at 1 p.m. Eastern time on Wednesday, via Windows Update, Windows Server Update Services and Microsoft Update. The IE update will be labeled “critical,” which is the highest ranking update from Microsoft. So what do you think? 
Is one week enough these days to patch a 'critical' problem?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7841672856653968823?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/7841672856653968823" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/7841672856653968823" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/0RZTXF_QUB0/ms-ie-patch-ready-for-security-advisory.html" title="MS IE patch ready for Security Advisory 961051 (Zero-day exploit) !" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2008/12/ms-ie-patch-ready-for-security-advisory.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-159316070782655673</id><published>2008-12-16T11:52:00.003+01:00</published><updated>2008-12-16T12:02:55.322+01:00</updated><title type="text">Zero-day exploits targeting Internet Explorer vulnerability.</title><content type="html">Microsoft recently expanded their &lt;a href="http://www.microsoft.com/technet/security/advisory/961051.mspx"&gt;Security Advisory 961051&lt;/a&gt; to include all versions of Internet Explorer. The vulnerability was originally thought to only affect IE7, but it is now problematic as well for a whole range of related software ... like IE 5, 6, 7 and 8... 
And some other bad news, SQL Injection attacks are being used to hack legitimate websites in order to host these exploits, turning trusted sites into malicious exploit hosts.&lt;br /&gt;There are a number of workarounds that may provide some mitigation if you look at the MS Security Advisory. Other solutions are using other browsers like Firefox or Google Chrome. &lt;br /&gt;And trust me ... this problem is underestimated at this moment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-159316070782655673?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/159316070782655673" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/159316070782655673" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/gKc16mmfbXo/zero-day-exploits-targeting-internet.html" title="Zero-day exploits targeting Internet Explorer vulnerability." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2008/12/zero-day-exploits-targeting-internet.html</feedburner:origLink></entry></feed>
