<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-8234450</id><updated>2009-10-16T16:57:26.989+02:00</updated><title type="text">WAVCi</title><subtitle type="html">This is the original Eddy Willems WeBlog which is dedicated to my Anti-Virus work and research, my family, friends and colleagues all over the world. I try to give you a different general look at the Anti-Virus and Security world! This Blog is not reflecting the ideas of Kaspersky Lab nor EICAR nor my former employers. You can find my full website at www.wavci.com or www.anti-malware.info .</subtitle><link rel="alternate" type="text/html" href="http://www.anti-malware.info/weblog/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default?start-index=26&amp;max-results=25" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.anti-malware.info/weblog/atom.xml" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>451</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/Wavci" type="application/atom+xml" /><feedburner:browserFriendly>This is an XML content feed. 
It is intended to be viewed in a newsreader or syndicated to another site.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry><id>tag:blogger.com,1999:blog-8234450.post-1968204123498425585</id><published>2009-10-13T16:53:00.009+02:00</published><updated>2009-10-16T16:57:26.995+02:00</updated><title type="text">Security Events and ... where to find Eddy Willems? updated version 2</title><content type="html">It's unbelievable how fast time flies if you're having fun. I've been travelling lately from one event to the other one. I got 3 events in a row on 3 days. During some of the events I speak, give a lecture, keynote or a presentation. A lot of people have asked me in the past to put my agenda on the internet, but of course this is something I will not do because of the security aspect; however, I will give a small (incomplete) overview of some of the events where I will speak the next weeks:&lt;br /&gt;&lt;br /&gt;- 13 October: Kaspersky Lab Ingram roadshow &lt;br /&gt;( &lt;a href="http://www.ingram.be"&gt;http://www.ingram.be&lt;/a&gt; ) &lt;br /&gt;- 21 October: Kaspersky Lab UK Partner Event&lt;br /&gt;( &lt;a href="http://www.kaspersky.co.uk/partner-conference"&gt;www.kaspersky.co.uk&lt;/a&gt; )&lt;br /&gt;- 22 October: Kaspersky Lab DMAX-Copaco roadshow &lt;br /&gt;( &lt;a href="http://www.dmax.be"&gt;http://www.dmax.be&lt;/a&gt; )&lt;br /&gt;- 4-5 November: Infosecurity NL 11:00-11:30u&lt;br /&gt;(Malware testing considerations from Analysts in-the-cloud)&lt;br /&gt;( &lt;a href="http://www.infosecurity.nl"&gt;http://www.infosecurity.nl&lt;/a&gt; )&lt;br /&gt;- 22-23 November: Kaspersky Lab Student Conference London &lt;br /&gt;( &lt;a href="http://www.kaspersky.com/events"&gt;http://www.kaspersky.com/events&lt;/a&gt; )&lt;br /&gt;- 25 November: Securiosity Nijmegen : Nederlandse Universiteiten&lt;br /&gt;Security Event Keynote&lt;br /&gt;( &lt;a 
href="https://www.securiosity.nl"&gt;https://www.securiosity.nl&lt;/a&gt; ) &lt;br /&gt;- 26 November: Kaspersky Lab DCB roadshow &lt;br /&gt;( &lt;a href="http://www.dcb.be"&gt;http://www.dcb.be&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;.....&lt;br /&gt;&lt;br /&gt;More is coming for HCC NL and another big event in Belgium.&lt;br /&gt;And I possibly forget a couple of other ones.&lt;br /&gt;If you want to book me, it's possible: just contact Kaspersky Lab.&lt;br /&gt;&lt;br /&gt;Just updated the agenda with a UK event ... replacing David Emm.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1968204123498425585?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1968204123498425585" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1968204123498425585" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/iBA11aC1yas/security-events-and-where-to-find-eddy.html" title="Security Events and ... where to find Eddy Willems? updated version 2" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/10/security-events-and-where-to-find-eddy.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8427863952031002351</id><published>2009-09-15T17:23:00.004+02:00</published><updated>2009-09-15T17:34:29.375+02:00</updated><title type="text">I'm too busy with security events ...</title><content type="html">I will be giving a presentation tomorrow at IDG's in-the-cloud event (Netherlands). 
Next week I will be in Geneva, Switzerland for my 14th Virus Bulletin conference. This time I will be sponsored by EICAR and I will bring the CFP and the News magazine from EICAR with me. After this I will give a lecture at the CBM masterclass event (Netherlands, 30 September) and the day afterwards I will give another lecture at Nemesys also in the Netherlands... And that's only the beginning. And I'm missing a lot of other events; I just have no time to visit them all. Maybe I should try to split myself up in 2 or 3 or maybe a virtual copy of myself. Well, that's a future thingy, isn't it? Just keep an eye on my Twitter space where you can find some more info, if I have the time for it.   &lt;br /&gt;Let's hope I don't forget my birthday in the meantime...  ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8427863952031002351?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8427863952031002351" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8427863952031002351" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/PqIZGN5aviY/im-too-busy-with-security-events.html" title="I'm too busy with security events ..." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/09/im-too-busy-with-security-events.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-9009588508114573346</id><published>2009-09-04T10:45:00.006+02:00</published><updated>2009-09-04T10:59:52.312+02:00</updated><title type="text">10 Most Known Malware in 2 Decades (Random Order)</title><content type="html">a) Conficker (2008-2009) -- Also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has more than five million computers now under its control — government, business and home computers in more than 200 countries, according to the New York Times.  The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.&lt;br /&gt;b) I Love You (2000) -- Who wouldn't open an e-mail with "I Love You" in the subject line? Well, that was the problem. By May 2000, 50 million infections of this worm had been reported. The Pentagon, the CIA, and the British Parliament all had to shut down their e-mail systems in order to purge the threat. I still remember that I was on a customers site when it all started and I was overloaded with press and media attention afterwards.&lt;br /&gt;c) Melissa (1999) -- Melissa was an exotic dancer, and David L. Smith was obsessed with her and also with writing viruses. 
The virus he named after Melissa and released to the world on March 26, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005. &lt;br /&gt;d) SQL Slammer (2003) -- This fast-moving worm managed to temporarily bring much of the Internet to its knees in January 2003. The threat was so aggressive that it was mistaken by some countries to be an organized attack against them. I was just ordering a fish in a fish-shop that day; however, I didn't get the time to eat it afterwards ....&lt;br /&gt;e) Nimda (2001) -- A mass-mailing worm that uses multiple methods to spread itself; within 22 minutes, Nimda became the Internet's most widespread worm. The name of the virus came from the reversed spelling of "admin." &lt;br /&gt;f) Code Red (2001) -- Web sites affected by the Code Red worm were defaced by the phrase "Hacked By Chinese!" At its peak, the number of infected hosts reached 359,000. &lt;br /&gt;g) Blaster (2003) -- Blaster is a worm that triggered a payload that launched a denial of service attack against windowsupdate.com, which included the message, "billy gates why do you make this possible? Stop making money and fix your software!!" &lt;br /&gt;h) Sasser (2004) -- This nasty worm spread by exploiting a vulnerable network port, meaning that it could spread without user intervention. Sasser wreaked havoc on everything from the British Coast Guard to Delta Airlines, which had to cancel some flights after its computers became infected. &lt;br /&gt;i) Storm (2007) -- Poor Microsoft, always the popular target. Like Blaster and others before, this worm's payload performed a denial-of-service attack on www.microsoft.com. During Symantec's tests an infected machine was observed sending a burst of almost 1,800 e-mails in a five-minute period. &lt;br /&gt;j) Morris (1988) -- A real oldie: without Morris the current threat "superstars" wouldn't exist. The Morris worm (or Internet worm) was created with innocent intentions. 
Robert Morris claims that he wrote the worm in an effort to gauge the size of the Internet. Unfortunately, the worm contained an error that caused it to infect computers multiple times, creating a denial of service.&lt;br /&gt;&lt;br /&gt;I used the most common known malware names over here and not particular specific Kaspersky Lab or other security vendors names.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-9009588508114573346?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/9009588508114573346" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/9009588508114573346" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/hVRrgWS153w/10-most-known-malware-in-2-decades.html" title="10 Most Known Malware in 2 Decades (Random Order)" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/09/10-most-known-malware-in-2-decades.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-877996057802708630</id><published>2009-08-20T13:56:00.002+02:00</published><updated>2009-08-20T13:59:53.595+02:00</updated><title type="text">Induc ... the Delphi Virus</title><content type="html">Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables. 
The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu. Practically all Delphi projects include the string “uses SysConst”, which means the infection of only one system module results in the infection of all applications under development. In other words, the modified SysConst.dcu file causes all subsequent programs created in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted. The virus is not currently a threat – there is no destructive behavior apart from infection. It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu files by developers have already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive. 
Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.&lt;br /&gt;It's also quite interesting to note that Kaspersky Lab was the first to detect this new virus however it's a shame that some media are ignoring this!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-877996057802708630?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/877996057802708630" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/877996057802708630" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/0PcFbal6058/induc-delphi-virus.html" title="Induc ... the Delphi Virus" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/08/induc-delphi-virus.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4975670426405325003</id><published>2009-08-19T14:48:00.008+02:00</published><updated>2009-08-19T15:40:14.137+02:00</updated><title type="text">Malware growth beyond 30 million soon, 30.000 new threats a day...</title><content type="html">&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/avtestgr-794271.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 139px;" src="http://www.anti-malware.info/weblog/uploaded_images/avtestgr-794267.jpg" border="0" alt="" /&gt;&lt;/a&gt;I'm back from my vacation and during the last 3 weeks a lot of things happened:&lt;br /&gt;Koobface got new tricks, 
Twitter went down, Induc the innovative file infector (Delphi) was found and three people were indicted for stealing 130 million credit cards and other data useful in identity theft. And I was interviewed 4 times on my first working day (VTM (TV), De Morgen, etc.)... However, the more real problem comes from the ongoing threat of the creation of new malware. Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger. Kaspersky Lab finds over 30.000 new samples every day. And it's not only us seeing this. AV-Test.org has also released their findings (see picture). &lt;br /&gt;With more than a million new samples being seen every month, we will soon reach 30 million, depending on how you count the samples. That should clearly illustrate the scale of the malware threat. As the threat continues to grow, so will the system resources needed to protect users from it. How else can users cope with this threat growth? In my years of experience managing malware signatures, I believe that the only way to go is in the cloud combined with some other new technologies like whitelisting and sandboxing. By using these combined technologies the security world can still cope with the large amount of malware growth combined with good performance. 
You can find all these new features within the newly released Kaspersky Lab Internet Security Suite 2010.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4975670426405325003?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4975670426405325003" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4975670426405325003" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/VPgbZuJ9lXk/malware-growth-beyond-30-million-30000.html" title="Malware growth beyond 30 million soon, 30.000 new threats a day..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/08/malware-growth-beyond-30-million-30000.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2089218746149898685</id><published>2009-07-22T16:52:00.003+02:00</published><updated>2009-07-22T17:08:13.424+02:00</updated><title type="text">Some advice about Twitter before my vacation ...</title><content type="html">If you use Twitter for this or other purposes, you’re probably aware that the site compresses URLs posted in tweets, usually with bit.ly, as far as I can see. You’re probably well aware that compressed URLs are frequently used by malware authors et al to conceal the true URL. bit.ly addresses this problem by filtering links through Google Safe Browsing, SURBL and SpamCop, which is reassuring, but is unlikely to catch every malicious site. 
bit.ly also makes available a Preview Plugin for Firefox that allows users to see more information about a site before they click on it.  Personally, I prefer the tinyURL.com approach, which is browser-independent. If you go to tinyURL.com, you can enable a setting that will allow you to preview the real link whenever you click on a tinyURL on that particular machine. Alternatively, the person creating a tinyURL can send a version that begins http://preview.tinyurl.com/… &lt;br /&gt;I started using these a while ago, but got a couple of comments from people who didn’t want to see the redirect. However, thinking about it and given the increase in malicious compressed URLs I’ve decided to start doing it again. Not because it will eliminate the problem altogether but because it might at least make people aware that there’s a slightly safer way of doing it without telling them which browser they should be using. If you don’t like the redirect, all you have to do is paste the URL into your browser and delete the "preview." substring that comes after the "http://".&lt;br /&gt;&lt;br /&gt;And that's not the only problem about Twitter these days:&lt;br /&gt;There've been quite a few reports over the last few days about how Erin Andrew's 'naked' video is being used to spread malware, with links to infected sites being sent in spam. Now there's a new fake video codec being spread on Twitter, with lots of different hash tags being used to push the link. And one of the most popular topics is 'Erin Andrews'. Kaspersky Lab is detecting the malware as Trojan-Downloader.Win32.CodecPack.iow. 
It is also very good that Twitter itself is doing something about it by informing infected Twitter accounts and even temporarily disabling them; however, this only works if they know about it, and this can take some time.&lt;br /&gt;&lt;br /&gt;I'm ready to start my vacation now for the next 3 weeks, during which I will use my Twitter account to give some updates on what I'm really doing; however, be careful and try to be safe on the social internet... it seems to me that the internet is not that social anymore, is it?&lt;br /&gt;&lt;br /&gt;Find me at &lt;a href="http://www.twitter.com/EddyWillems"&gt;www.twitter.com/EddyWillems&lt;/a&gt;!&lt;br /&gt;See you all within a couple of weeks or in case of an emergency maybe earlier, you'll never know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2089218746149898685?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2089218746149898685" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2089218746149898685" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/zrVCM_3Azik/some-advice-about-twitter-before-my.html" title="Some advice about Twitter before my vacation ..." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/07/some-advice-about-twitter-before-my.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-533673474162567369</id><published>2009-07-12T11:07:00.005+02:00</published><updated>2009-07-12T11:28:00.873+02:00</updated><title type="text">Malware experts are strange people ...</title><content type="html">&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/tn_27062009-132050IMG2428-716699.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/tn_27062009-132050IMG2428-716697.JPG" border="0" alt="" /&gt;&lt;/a&gt;This is what I hear sometimes. I must admit that we all sometimes have some strange habits but isn't that normal as a human. I have showed to the public this year a lot of times what a real analyst or expert is doing. In my presentation 'A Virusanalyst in 15 Minutes' I'm showing the real life of an expert which is not always that amazing... shortly you will find on my press page also the original article I wrote about this presentation. It's more or less some kind of whitepaper and a guide how you can do some pre-analysing stuff.&lt;br /&gt;I'm now 2 weeks back from our analyst meeting trip in Dubrovnik and you can find pictures of it at this &lt;a href="http://www.wavci.com/albums/2009KLVAS10"&gt;link&lt;/a&gt; of my website. Most of it are some touristic pictures, some pictures are showing some experts in some strange situations. 
And definitely our 10th Kaspersky Virus Analyst Meeting combined with the press tour was very nice this year!&lt;br /&gt;At least the prize for the most strange-humorous picture goes to Michael Molsner (my German-Japanese colleague): a perfect example how practical a malware expert can be!&lt;br /&gt;Michael, I owe you a pint ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-533673474162567369?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/533673474162567369" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/533673474162567369" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/7WKtwQu7PXk/malware-experts-are-strange-people.html" title="Malware experts are strange people ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/07/malware-experts-are-strange-people.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-231552439071724575</id><published>2009-06-21T11:21:00.005+02:00</published><updated>2009-06-21T11:37:08.388+02:00</updated><title type="text">The fight against Cybercrime.</title><content type="html">I'm again on the road ... well the last few weeks I was traveling to several countries and went to several events which all have to do with security. So crisis and security are definitely not connected in my opinion. I also visited several Police Crime Units in several countries and guess what.. they don't have all the same questions or remarks. 
This confirms that there is (and will be) still a lot of work to be done within this environment: the fight against cybercrime is just in its baby phase but will tackle the real organised (cyber)crime in the future. Let's also hope it can tackle most of the possible cyberwar-attacks too.&lt;br /&gt;Next week I'm in Dubrovnik for Kaspersky's 10th Virus Analyst Summary, an internal and external conference, where we will talk about new technologies and techniques and after that I'm back home for the launch of our new consumer products with a beautiful set and combination of new technologies in Kaspersky Lab's fight against new malware.&lt;br /&gt;Watch out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-231552439071724575?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/231552439071724575" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/231552439071724575" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/VeXRx3W3mU8/fight-against-cybercrime.html" title="The fight against Cybercrime." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/06/fight-against-cybercrime.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1186994818194318520</id><published>2009-06-07T11:26:00.002+02:00</published><updated>2009-06-07T11:35:33.520+02:00</updated><title type="text">Elections and a special week...</title><content type="html">It will be an interesting week for me, starting with my votes for the Flemish and European Parliament, taking afterwards a plane to do some secret business (presenting) in Lyon, France ... hmmm, what will I do over there...., flying back and presenting on a Belgium Security event organised by (Qcom) Van Roey, driving back to a Citrix event in Antwerp, driving the next day to Luxembourg where I will present again on a Lannews Security event in Luxembourg and ending with the Ingram Showcase in Edingen/Enghien in Belgium back home. So if you think I always have time to put something up on my blog ... no way. However I updated my website with some interesting pictures taken during some events like the last EICAR conference and some other events. 
Further on: keep following me on Twitter of course!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1186994818194318520?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1186994818194318520" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1186994818194318520" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/Dy60nYUgxZM/elections-and-special-week.html" title="Elections and a special week..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/06/elections-and-special-week.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3537760395709080893</id><published>2009-05-24T12:12:00.004+02:00</published><updated>2009-05-24T12:28:34.260+02:00</updated><title type="text">EICAR Conference 2009 Summary (Berlin)</title><content type="html">&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755143.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/10052009-122612IMG2235-755141.JPG" border="0" alt="" /&gt;&lt;/a&gt;The EICAR conference 2009 held at the Steigenberger Hotel in Berlin, Germany from 9th to 12th May 2009 was a great success. 
The hotel provided perfect conference facilities, excellent food and due to their demonstrated flexibility in response to our short term changing requests, considerably contributed to the success of the conference. The absolute highlight was the keynote by Fred Cohen and the following discussions throughout the next two days in respect to his virus definition and the negative annotation of it. The paper “Applied parallel coordinates for logs and network traffic attack analysis” written by Sebastian Tricaud and Philippe Saadé was awarded the “Best Paper Award”, an excellent decision by the conference committee. The level of presented scientific papers as well as the one for the industrial papers was excellent and very well balanced. Many more papers have been submitted but, though of good quality, some had to be rejected because of simply insufficient space on the agenda. 'Moderated by the EICAR Chairman of the Board, Rainer Fahs, Panel members from AMTSO (Andrew Lee), CARO (Morton Swimmer), EICAR (Eric Filiol), and ICSALabs (Andrew Hayter) represented a broad array of stakeholders in the anti-malware field and came to the conclusion that the complexity of the issue requires close cooperation between all stakeholders since isolated developments would not be a good way ahead.' (cfr. Rainer Fahs) During his farewell address the Chairman of the Board announced that, due to the generous offer by ESAT France, next year’s EICAR conference will be held from Saturday 8th to Tuesday 11th May 2010 in Paris at the conference facility of the Ecole Supérieure et d’Application des Transmissions (ESAT). A call for papers as well as more detailed information about our conference 2010 will be published soon.&lt;br /&gt;&lt;br /&gt;If you want to read more about the EICAR conference please have a look at the upcoming June issue from the famous &lt;a href="http://www.virusbtn.com"&gt;Virus Bulletin&lt;/a&gt; magazine. I wrote the summary.&lt;br /&gt;&lt;br /&gt;Oh yes the picture .. 
from left to right: Eddy Willems (me), Fred Cohen and Eric Filiol.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3537760395709080893?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3537760395709080893" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3537760395709080893" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/iHQsqy8orhY/eicar-conference-2009-summary-berlin.html" title="EICAR Conference 2009 Summary (Berlin)" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/05/eicar-conference-2009-summary-berlin.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8874242397658033390</id><published>2009-05-06T10:50:00.004+02:00</published><updated>2009-05-06T11:13:13.892+02:00</updated><title type="text">Preparing for Kaspersky Regatta and the EICAR conference...and Twitter</title><content type="html">Life is too short, isn't it? I've already started planning events and meetings in September and October this year and I'm trying to prepare myself for the Regatta from Kaspersky Lab Benelux tomorrow. I will post a picture from the event over here.&lt;br /&gt;Friday I'm flying to Berlin to be ready for the upcoming EICAR conference in the Steigenberger Hotel. We have a terrific agenda with even Fred Cohen as a speaker at the event. 
You can find more at &lt;a href="http://www.eicar.org"&gt;www.eicar.org&lt;/a&gt; &lt;br /&gt;and if you want to come, there are still seats available.&lt;br /&gt;I'm doing now about 2 local events a week not including my discussions with press, some large customers and international events. And that's just one part of my work.&lt;br /&gt;But is my work not my hobby? Most of the time yes .. but it's a dangerous situation if you know what I mean...&lt;br /&gt;&lt;br /&gt;And for people who didn't know it yet, you can follow me&lt;br /&gt;on Twitter: &lt;a href="http://www.twitter.com/EddyWillems"&gt;www.twitter.com/EddyWillems&lt;/a&gt;&lt;br /&gt;I'm inviting you all.&lt;br /&gt;&lt;br /&gt;And concerning the safety on Twitter... pay attention please as I did see already a lot of security problems related to Twitter itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8874242397658033390?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8874242397658033390" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8874242397658033390" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/aWiMuU8S8yg/preparing-for-kaspersky-regatta-and.html" title="Preparing for Kaspersky Regatta and the EICAR conference...and Twitter" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" 
/></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/05/preparing-for-kaspersky-regatta-and.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6418915190826784253</id><published>2009-04-19T17:24:00.003+02:00</published><updated>2009-04-19T18:45:23.043+02:00</updated><title type="text">Kido/Conficker network fear far too exagerated ...</title><content type="html">While analysing Kido network behaviour Kaspersky Lab (my colleagues) has been able to develop an application that helped to get an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24-hour observation period KL identified 200652 unique IPs participating in the network, far fewer than the initially estimated Kido infection counts. Of course we always have to be very careful when naming numbers, so also&lt;br /&gt;this count might not be completely correct ... it shows however that it's definitely not 10 million as some sources reported before.&lt;br /&gt;This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants. 
&lt;br /&gt;You can find more at this &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187675"&gt;link&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-6418915190826784253?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/6418915190826784253" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/6418915190826784253" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/Qz6R5BrJONQ/kidoconficker-network-fear-far-too.html" title="Kido/Conficker network fear far too exagerated ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/kidoconficker-network-fear-far-too.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3344250896141479780</id><published>2009-04-19T15:57:00.002+02:00</published><updated>2009-04-19T15:59:49.053+02:00</updated><title type="text">I'm getting sick from Twitter worms and Mikey Mooney...</title><content type="html">What's up with Mikey Mooney? &lt;br /&gt;He wrote a series of Twitter worms, got hired, got hacked and released yet another worm last night.&lt;br /&gt;This one did extensive modifications to infected profiles; changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."&lt;br /&gt;This variant downloaded additional scripts from runebash.net/xss.js .&lt;br /&gt;&lt;br /&gt;The messages it sent were more philosophical in nature:&lt;br /&gt;Be nice to your kids. 
They'll choose your nursing home. Womp. mikeyy.&lt;br /&gt;If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.&lt;br /&gt;Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.&lt;br /&gt;Age is a very high price to pay for maturity. Womp. mikeyy.&lt;br /&gt;Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.&lt;br /&gt;If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.&lt;br /&gt;Money is not the only thing, it's everything. Womp. mikeyy.&lt;br /&gt;Success is a relative term. It brings so many relatives. Womp. mikeyy.&lt;br /&gt;'Your future depends on your dreams', So go to sleep. Womp. mikeyy.&lt;br /&gt;God made relatives; Thank God we can choose our friends.Womp. mikeyy.&lt;br /&gt;'Work fascinates me' I can look at it for hours ! Womp. mikeyy.&lt;br /&gt;I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.&lt;br /&gt;RT!! @spam Watch out for the Mikeyy worm (bit.ly link)&lt;br /&gt;FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)&lt;br /&gt;Mikeyy worm is back!!! Click here to remove it: (bit.ly link)&lt;br /&gt;&lt;br /&gt;So in my opinion, please don't hire him but fire him!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-3344250896141479780?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3344250896141479780" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/3344250896141479780" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/IABsnjxCr2Q/im-getting-sick-from-twitter-worms-and.html" title="I'm getting sick from Twitter worms and Mikey Mooney..." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/im-getting-sick-from-twitter-worms-and.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7649219252353394348</id><published>2009-04-09T16:41:00.003+02:00</published><updated>2009-04-09T16:52:57.324+02:00</updated><title type="text">Conficker/Kido starts with upgrade ...</title><content type="html">The Conficker worm has started to update infected machines with a mystery package of data. It sprang into life late on 8 April. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate. &lt;br /&gt;In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the older variant. The increased activity of Conficker/Kido and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.&lt;br /&gt;This latest Conficker/Kido variant - Net-Worm.Win32.Kido.js (Kaspersky Lab name)- is very different to the previous ones, with some notable points: once again it’s a worm, and it’s only functional until 3rd May. Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting. &lt;br /&gt;One of the files is a rogue antivirus application. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009. 
You can find a picture on the &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187654"&gt;weblog from Kaspersky Lab&lt;/a&gt;.&lt;br /&gt;And this is possibly not the end yet...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-7649219252353394348?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/7649219252353394348" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/7649219252353394348" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/VzdGpoXIsPk/confickerkido-starting-with-update.html" title="Conficker/Kido starts with upgrade ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/confickerkido-starting-with-update.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8177693895953276381</id><published>2009-04-01T14:54:00.004+02:00</published><updated>2009-04-01T15:09:31.388+02:00</updated><title type="text">Conficker/Kido FAQ (Frequently Asked Questions)...</title><content type="html">Kido spreads via local networks and removable storage media. It penetrates computers by exploiting the MS08-067 vulnerability in Windows systems, which Microsoft released a patch for in autumn of last year. Experts believe that a significant number of machines had still not been patched by January, when the spread of Kido was at its peak. 
Failure to install the patch and to use effective antivirus protection has led to an epidemic: it’s currently estimated that between 5 and 6 million computers which have Internet connectivity are infected with Kido variants. &lt;br /&gt;Several factors made today’s global Kido epidemic possible – neglecting to use antivirus products and the absence of an organization which is responsible for the security of the Internet and which unites and coordinates the efforts of governments and IT security experts. &lt;br /&gt;Epidemics of a similar scale have happened in the past. However, the malicious programs which caused these epidemics did not have the extensive capability which Kido has to evade detection and prevent the disinfection of infected machines. &lt;br /&gt;The third version of Kido is currently spreading on the Internet. This program implements the most sophisticated technologies used by malware authors – it downloads updates for itself from site addresses which are constantly changing; it uses local networks as an additional channel for updates; it uses strong encryption to protect itself; it has sophisticated mechanisms for disabling security services etc. &lt;br /&gt;The third version of Kido updates itself by downloading code from 500 domains. These are chosen from a pool of 50,000 domains which is generated daily. The 500 domains are selected at random and this, together with the large number of domains, makes it extremely difficult to monitor the domains used by the malicious program. &lt;br /&gt;Because of this, Kido could become the most powerful and most block-resistant cybercriminal tool in the history of the Internet. The gigantic botnet created by the authors of Kido gives cybercriminals the ability to conduct extremely powerful DDoS attacks on any Internet resource, to steal confidential data from infected machines and to spread unwanted content (i.e. huge spam mailings). 
&lt;br /&gt;In March there were mass updates to older versions of this malicious program. On 1st April 2009 the Kido botnet will use the approach above to start receiving commands from its creators from 50,000 domains a day; what action the cybercriminals will take subsequently is difficult to predict. &lt;br /&gt;&lt;br /&gt;Kaspersky Lab products successfully prevent all versions of Kido from penetrating users’ computers. Recommendations on how to delete the malicious program are available on the Kaspersky Lab technical support site. &lt;br /&gt;&lt;br /&gt;Also available:&lt;br /&gt;&lt;a href="http://www.kaspersky.com/technews?id=203038750"&gt;FAQ of the Kido virus&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.radio1.be/programmas/vandaag/1-aprilvirus-maar-geen-grap"&gt;Audio fragment on the VRT radio about Kido virus (Only in Dutch)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://player.nos.nl/index.php/media/play/tcmid/tcm:5-498764/"&gt;Kaspersky evangelist Eddy Willems at NOS radio news (Dutch only)&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;We are constantly monitoring the situation.&lt;br /&gt;All press and media will be updated as soon as we have more info.&lt;br /&gt;But I personally think that we will not see too much activity today (April 1) but this can of course change at any time and definitely any time after April 1...&lt;br /&gt;&lt;br /&gt;BTW I'm using &lt;a href="http://twitter.com/EddyWillems"&gt;Twitter&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8177693895953276381?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8177693895953276381" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8177693895953276381" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/Wavci/~3/PN79RcyqPuE/confickerkido-faq-frequently-asked.html" title="Conficker/Kido FAQ (Frequently Asked Questions)..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/04/confickerkido-faq-frequently-asked.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4050449624546156074</id><published>2009-03-29T17:38:00.007+02:00</published><updated>2009-03-29T18:13:00.562+02:00</updated><title type="text">Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009</title><content type="html">As promised the Infosecurity Belgium fair was very good for Kaspersky Lab. I got loads of interested people during my 2 presentations and the attendance on the booth was also a success. 
During the fair Kaspersky Lab also donated a cheque for about 16.000 Euro's to &lt;a href="http://en.wikipedia.org/wiki/Kim_Gevaert"&gt;Kim Gevaert&lt;/a&gt; for &lt;a href="http://www.sos-kinderdorpen.be"&gt;SOS Kinderdorpen&lt;/a&gt;.&lt;br /&gt;Here you can find some pictures:&lt;br /&gt;&lt;br /&gt;Picture 1:&lt;br /&gt;Me, Kim and Hannes(my colleague from the sales department)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713788.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 213px; height: 320px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2644-713784.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Picture 2:&lt;br /&gt;Kim and Marjon (my colleague from our marketing department)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748625.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://www.anti-malware.info/weblog/uploaded_images/IMG_2648-748622.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4050449624546156074?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4050449624546156074" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4050449624546156074" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/kzwSYawzMdE/kim-gevaert-and-eddy-willems-at.html" title="Kim Gevaert and Eddy Willems at Infosecurity Belgium 2009" /><author><name>Eddy 
Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/kim-gevaert-and-eddy-willems-at.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8946945918458186849</id><published>2009-03-29T12:20:00.004+02:00</published><updated>2009-03-29T12:31:30.869+02:00</updated><title type="text">Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)</title><content type="html">A couple of weeks ago I've been interviewed by Marc De Pril from S.Televisie in S.Crimineel, a weekly show which runs in a loop. People who missed it can watch the complete transmission on &lt;a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=255580492"&gt;my iTunes channel&lt;/a&gt; or in 3 parts &lt;br /&gt;via my Youtube channel ... 
and eh oh yes, it's in Dutch (Flemish):&lt;br /&gt;&lt;br /&gt;Part 1&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ITojJTe_g8E&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ITojJTe_g8E&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Part 2&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/5-L1M56Qwls&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/5-L1M56Qwls&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Part 3&lt;br /&gt;&lt;object width="480" height="295"&gt;&lt;param name="movie" value="http://www.youtube.com/v/qkaLXEaCP-s&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/qkaLXEaCP-s&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;And there comes a follow up next month.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-8946945918458186849?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/8234450/posts/default/8946945918458186849" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/8946945918458186849" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/gtByIXVMSm0/cybercrime-on-internet-scrimineel-on.html" title="Cybercrime on the Internet (S.Crimineel on S.Televisie with Eddy Willems)" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/cybercrime-on-internet-scrimineel-on.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2212550251245057257</id><published>2009-03-29T11:25:00.008+02:00</published><updated>2009-03-29T16:33:27.106+02:00</updated><title type="text">Chinese computer espionage network Ghostnet discovered.</title><content type="html">I've been interviewed this morning by 4 FM and Q-Music Belgium about Ghostnet. This mystery electronic spy network apparently based in China has infiltrated hundreds of computers around the world and stolen files and documents, Canadian researchers have revealed. The network, dubbed GhostNet, appears to target embassies, media groups, NGOs, international organisations, government foreign ministries and the offices of the Dalai Lama, leader of the Tibetan exile movement. GhostNet had invaded 1,295 computers in 103 countries, but it appeared to be most focused on countries in south Asia and south-east Asia, as well as the Dalai Lama's offices in India, Brussels, London and New York. The network continues to infiltrate dozens of new computers each week. 
Such a pattern, and the fact that the network seemed to be controlled from computers inside China, could suggest that GhostNet was set up by or linked to Chinese government espionage agencies. However, the researchers were clear that they had not been able to identify who was behind the network, and said it could be run by private citizens in China or a different country altogether. GhostNet can invade a computer over the internet and penetrate and steal secret files. It can also turn on the cameras and microphones of an infected computer, effectively creating a bug that can monitor what is going on inside the room where the computer is. Anyone could be watched and listened to. The researchers said they had been tipped off to the network after having been asked by officials with the Dalai Lama to examine their computers. The officials had been worried that their computers were being infected and monitored by outsiders. The Chinese government regularly attacks the Tibetan exile movement as encouraging separatism and terrorism within China. The researchers found that the computers had succumbed to cyber-attack and that numerous files, including letters and emails, had been stolen. The intruders had also gained control of the electronic mail server of the Dalai Lama's computers.&lt;br /&gt;However the fact that the attacks seem to come from China does not completely prove that the attackers are really coming from China... 
a problem we will always have in Cyberspace.&lt;br /&gt;More interesting to read at &lt;a href="http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=2&amp;hp"&gt;this page&lt;/a&gt; and also Mikko's post &lt;a href="http://www.f-secure.com/weblog/archives/00001637.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-2212550251245057257?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2212550251245057257" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/2212550251245057257" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/Vs1f80UWwqc/chinese-computer-espionage-network.html" title="Chinese computer espionage network Ghostnet discovered." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/chinese-computer-espionage-network.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1763617834408872687</id><published>2009-03-27T12:53:00.004+01:00</published><updated>2009-03-27T13:27:13.472+01:00</updated><title type="text">Please Media and Press don't hype Conficker.c !</title><content type="html">I don’t know for sure what’s going to happen on April 1st, when Conficker (Kido is the Kaspersky Lab's name) is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date. 
At least machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&amp;C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains. While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. If Conficker starts to act like a real botnet, then even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it could have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.&lt;br /&gt;&lt;br /&gt;Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems). However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether. For instance, by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV etc ... &lt;br /&gt;&lt;br /&gt;Well.. will we see big problems around the first of April?&lt;br /&gt;I personally don't think so.&lt;br /&gt;Will the internet go down? 
Of course not...&lt;br /&gt;Maybe it will be the biggest April 1st joke we will see this year &lt;br /&gt;but please may I call on the media at least not to hype this.&lt;br /&gt;&lt;br /&gt;If you're using a Kaspersky product and you patched your systems you don't need to worry and that's probably the most scary part ... there are still a lot of corporates which don't patch their systems. Will they never learn? That should be the message for the media and press. Kaspersky will also come up with an official statement soon, as several other vendors are also doing.&lt;br /&gt;At least all experts and vendors are monitoring the situation.&lt;br /&gt;And like I've said before, please don't hype the situation.&lt;br /&gt;&lt;br /&gt;You can find a removal tool at this &lt;a href="http://support.kaspersky.com/faq/?qid=208279973"&gt;page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(I'm writing this at the end of Infosecurity Belgium which was fantastic BTW. I've met hundreds of people, friends and even &lt;a href="http://en.wikipedia.org/wiki/Kim_Gevaert"&gt;Kim Gevaert&lt;/a&gt; but that's for another blog later.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1763617834408872687?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1763617834408872687" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1763617834408872687" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/XOXoQjHSRNY/please-media-dont-hype-confickerc.html" title="Please Media and Press don't hype Conficker.c !" 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/please-media-dont-hype-confickerc.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4364822649866116687</id><published>2009-03-08T19:24:00.004+01:00</published><updated>2009-03-08T19:34:27.308+01:00</updated><title type="text">Back from CeBIT 2009.</title><content type="html">&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/cebit2009-736651.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://www.anti-malware.info/weblog/uploaded_images/cebit2009-736635.jpg" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from CeBIT 2009. Kaspersky Lab was present as always with a big booth, loads of interviews and the Russian Disco evening... legendary at CeBIT ... but no official blog (see www.viruslist.com ). Well this year it was maybe a little bit different. At least I'm looking forward to next year, to hear one of my interviews (Suisse Radio) or to read/watch/hear the other interviews.  ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4364822649866116687?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4364822649866116687" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4364822649866116687" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/i_0pOHCIQlc/back-from-cebit-2009.html" title="Back from CeBIT 2009." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/03/back-from-cebit-2009.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1950923638927566272</id><published>2009-02-26T19:30:00.003+01:00</published><updated>2009-02-26T19:38:45.499+01:00</updated><title type="text">I love Facebook but ...</title><content type="html">A week ago the company published new terms and conditions for being a Facebook user which included a perpetual retroactive license to use your content nearly anyway they see fit - even after you "delete" your account. Thousands cried foul and there was even a threaten to file a complaint with the FTC. Facebook has since backed down and reverted to its previous user agreement. Nevertheless the issue points out the severe risks of using social networking services - especially Facebook. Some might say that the site operates in a fashion similar to a gigantic information gathering operation that lures people in by offering fancy tools that allow them to exercise the egos to various extremes. Others might just think it's "cool" and a "must-do" sort of thing because their peers expect them participate. The bottom line here is that Facebook has demonstrated a clear intent to leverage you and your content to their own advantage.  &lt;br /&gt;So my advice is this: Don't use Facebook too much... But if you can't resist then don't post anything on Facebook that the majority of people don't already know about you. In fact you might consider adopting as part of your company security policy a ban that prohibits employees from mentioning anything about your company in their Facebook profiles. 
One tiny data leak could be used against you and there'd probably be little if anything you can do about it. &lt;br /&gt;&lt;br /&gt;I love Facebook but like everyhting else, don't exagerate and that's exactly what everyone is doing. And I haven't even spoken about the (in)security of possible 'Facebook'-applications and other related security problems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-1950923638927566272?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1950923638927566272" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/1950923638927566272" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/dN-Ol2P8_es/i-love-facebook-but.html" title="I love Facebook but ..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/i-love-facebook-but.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-4882560936072060011</id><published>2009-02-25T09:48:00.003+01:00</published><updated>2009-02-25T09:55:46.455+01:00</updated><title type="text">Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability.</title><content type="html">I hope you are aware of the &lt;a href="http://secunia.com/advisories/33901/"&gt;0-day vulnerability&lt;/a&gt; currently being actively exploited in Adobe Reader/Acrobat. I initially heard rumours about this 0-day vulnerability on 16th February 2009. 
Three days later, Adobe &lt;a href="http://www.adobe.com/support/security/advisories/apsa09-01.html"&gt;confirmed&lt;/a&gt; the existence of the 0-day vulnerability and Secunia issued an advisory. Over the last couple of days, I have seen many sources recommend users to disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it seems that it does not protect against the actual vulnerability. Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled. &lt;br /&gt;Bottom line: All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not. I hope that Adobe will be issuing patches very soon.&lt;br /&gt;To be continued ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-4882560936072060011?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4882560936072060011" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/4882560936072060011" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/ST26arwZu0I/adobe-readeracrobat-jbig2-indexing-zero.html" title="Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability." 
/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/adobe-readeracrobat-jbig2-indexing-zero.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-146073810408329142</id><published>2009-02-24T09:52:00.003+01:00</published><updated>2009-02-24T10:02:43.735+01:00</updated><title type="text">Some malware predictions for the next 10 months of 2009.</title><content type="html">A little bit late I know ... but it seems that working for a security vendor takes more time than I thought!   ;-)&lt;br /&gt;&lt;br /&gt;Just to sum it up in a couple of lines, these are a couple of my own predictions:&lt;br /&gt;&lt;br /&gt;. Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. I expect this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email which is already the case today.&lt;br /&gt;. Personalized Threats Speak Your Language. I expect to see the continued expansion of malware in languages other than English like Dutch, etc... Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.&lt;br /&gt;. Malware Targets Consumer Devices. I expect to see increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.&lt;br /&gt;. Security Software Scams. 
The malware underworld is using mainstream practices in an effort to "sell" security software that is either misleading or outright fraudulent. This trend will continue.&lt;br /&gt;. Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, etc. allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties. &lt;br /&gt;. More Targeted Phishing and Corporate Blackmailing. Botnets via zombie computers that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market. &lt;br /&gt;. Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware. &lt;br /&gt;. Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.&lt;br /&gt;. More Scams Involving Home Businesses. "Legitimate" home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. 
We'll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.&lt;br /&gt;. Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary "from" addresses. This has increased the usability of these services significantly to businesses, but has also increased the "abusability" by spammers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-146073810408329142?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/146073810408329142" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/146073810408329142" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/ZjEKmJF-sNc/some-malware-predictions-for-next-10.html" title="Some malware predictions for the next 10 months of 2009." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/some-malware-predictions-for-next-10.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5712123920655673329</id><published>2009-02-20T23:23:00.004+01:00</published><updated>2009-02-20T23:51:34.071+01:00</updated><title type="text">Eddy Willems in S.Crimineel on S.Televisie</title><content type="html">What a week.. pff.. 
5 days looked like 5 minutes, do you know the feeling?&lt;br /&gt;Of course there was a climax with Eugene Kaspersky our CEO, and my boss, coming to the IDC European Security Conference. After a terrific panel session with several other experts and loads of interviews with the press including a very nice one with Kanaal Z we went out for a good dinner in the well-known Beenhouwerstraat in Brussels.&lt;br /&gt;Returning home and zapping to all the tv-channels I realised that not only Eugene was on it (Kanaal Z), I saw myself showing up in S.Crimineel on S.Televisie, a show about criminality and law in general that is repeated 3 times a day. A quite long show and interview for about 23 minutes in one long shot taken without cutting. You still can watch the show until next Thursday if you have cable television from Telenet, a well-known ISP and cable provider in Belgium. &lt;br /&gt;So everybody will at least see somewhere something from Kaspersky! For the people who don't have cable tv or Telenet I will put a link to the show shortly on my site on the press page.&lt;br /&gt;So let's see what the next week will bring after this strange and quick week and of course .. the hacks of the websites from Kaspersky, Bitdefender, F-Secure and Symantec .... 
but that's another story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-5712123920655673329?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/5712123920655673329" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/5712123920655673329" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/azVIC8A9mpQ/eddy-willems-in-scrimineel-on.html" title="Eddy Willems in S.Crimineel on S.Televisie" /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/eddy-willems-in-scrimineel-on.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-744407550307677928</id><published>2009-02-11T15:23:00.007+01:00</published><updated>2009-02-11T15:32:56.141+01:00</updated><title type="text">About testing anti-malware products...</title><content type="html">Kaspersky Lab is an enthusiastic supporter of this initiative, and several members of the research team attended the AMTSO meetings already. And AMTSO seems to get there... Recently there was a meeting in Cupertino. Major progress was made on a number of papers I’d say are pretty important: these include not only a glossary, but also papers that discuss such topics as gathering samples, sample validation, in-the-cloud testing, issues with malware creation or modification for testing purposes, and whole product evaluation, and I expect to see quite a few of these finished and approved before the next AMTSO meeting. 
&lt;br /&gt;Standardization on good practice is good for the industry, of course, and continuing cooperation between the antimalware and testing industries benefits both parties. But if we do this properly, it will be even more beneficial for end-users and prospective and actual customers. Not because what’s good for the industry is good for its customers, but because what we’re aiming for is to make it easier for them to distinguish between good and bad testing.&lt;br /&gt;So this is indeed a good thing protecting everybody from bad testing.&lt;br /&gt;What did you say?&lt;br /&gt;Oh yes I've seen a lot of bad tests in the last 2 decennia...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8234450-744407550307677928?l=www.anti-malware.info%2Fweblog%2Findex.html'/&gt;&lt;/div&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/744407550307677928" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8234450/posts/default/744407550307677928" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Wavci/~3/EgtfWqHbGoE/about-testing-anti-malware-products.html" title="About testing anti-malware products..." /><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13163778583134216777" /></author><feedburner:origLink>http://www.anti-malware.info/weblog/2009/02/about-testing-anti-malware-products.html</feedburner:origLink></entry></feed>
