MoMusings

Friday 27th October, 2006


Virus Bulletin 2006 Conference Review

Filed under: All, Malware, Papers, Scams, Spam

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2006 conference, which was held at the Fairmont Queen Elizabeth Hotel in Montreal, Canada, between the 11th and 13th of October [Yes, that was a Friday; Friday the 13th, and knowing the recent spate of problems that the VB Conference has experienced since 2001, it seemed that they were tempting fate once more!] ;-)

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


Day 1 - Wednesday the 11th of October:

The first day of the conference started at 10:30 with Helen Martin’s opening address. This was followed at 11:00 by Mikko Hypponen, who gave his keynote speech, entitled ‘Case: Virus X‘, which he informed us he couldn’t now talk about due to legal restrictions. So, instead he did a presentation covering the major developments of malware since the start of the problem, almost exactly 20 years ago. It was a very interesting presentation, given in an unusual but very effective style. He used 164 slides in just 40 minutes!

The next session was also interesting, a presentation by Rob Murawski of the CERT Coordination Centre on ‘Data exfiltration techniques: how attackers steal your sensitive data‘. This talk rather set the tone for the rest of the conference, as it covered cyber-crime, about which we would hear a number of talks - from different perspectives.

After lunch, the conference split into its normal two-stream mode: Corporate stream and Technical stream. Normally I spend most of the conference in the technical stream, but for a number of reasons I spent the rest of the first day in the corporate stream instead.

The first talk in the afternoon that I attended was a slightly controversial one to say the least, on user education, given by Stefan Gorling. His talk was entitled: ‘The myth of user education‘. The focus of his talk was on how it was “pointless” to try and educate end users.

The very next presentation was also on user education, given by Peter Cooper and entitled: ‘User education: teaching techniques and learning styles for damage limitation‘. This very ‘memorable‘ presentation approached user education from the opposite side, saying that anyone can be trained, given the right approach. The presentation was memorable for two reasons: it used a new technique that I hadn’t seen used before, the 10/20/30 method, which Peter assured us would make it a memorable presentation, and secondly because just as he mentioned his presentation being memorable his Mac laptop shut down! This led many of the audience to ask Peter after his talk whether this was purely coincidental or part of his presentation.

Then it was time for a tea break, which I used to set up my laptop for my presentation, which was the next one on the ‘Corporate stream‘. While I was setting up, I was asked for my opinion on ‘user education’ by a delegate, and I mentioned that I agreed with both of the previous speakers. I continued to say that I, like Stefan, thought that generally trying to educate end users on the technical side of malware was a waste of time; for most end-users anyway. But, given infinite time and resources, they should be educated, mainly on simple policies and procedures rather than the specific details of a specific threat, which most of them are not interested in, or even want to know about. Only a few days later did I find out that the ‘delegate’ was a journalist; he never introduced himself and his badge was obscured, and I was distracted in setting up my laptop - slightly sneaky of him!

So, as you may have guessed by now, my presentation [‘Rootkits: risks, issues and prevention‘] was next; however, we started 5 minutes late. This meant I never got to use my last 3-4 slides. Overall, I think the presentation went well, as I had a number of people approach me and tell me they had enjoyed it and/or discuss some aspects in more detail. I also received very positive feedback on the actual paper too.

My presentation was followed by Matthew Braverman, who spoke about ‘Behavioural modelling of social engineering based malicious software‘. This was another excellent presentation and rounded off the end of the first day in the ‘Corporate stream‘.

Later in the evening we had a welcome drinks reception, which gave us a chance to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way. Oh, and enjoy a drink or two to help keep the brain lubricated. ;-)

Day 2 - Thursday the 12th of October:

For the first three sessions of the second day, I decided to stay in the ‘Technical Stream‘, these were:

  • Full potential of dynamic binary translation for AV emulation engine - Presented by Jim Wu
  • Anti-rootkit safeguards and methods of their bypassing - Presented by Aleksander Czarnowski
  • Botnet tracking techniques and tools - Presented by Jose Nazario

The last two of these presentations caused quite a bit of discussion, especially Aleksander’s, which was picked up by the press, and numerous articles appeared on specific points he raised about fooling Vista. His paper was also a really good technical look at rootkits, which rather complemented my own on the same subject.

For the next two sessions of the second day, I decided to switch back to the ‘Corporate Stream‘, these were:

  • The challenge of detecting and removing installed threats - Presented by Jason Bruce
  • Dirty money on the wires: the business models of cyber criminals - Presented by Guillaume Lovet

The last of these presentations caused quite a bit of discussion as Guillaume had a quote that claimed that cyber-crime was more profitable now to the ‘Mob‘ than drugs! I’ll post more on this when I get a copy of his slides.

After lunch, I decided to stay in the ‘Corporate stream‘, partly because I was chairing the first two sessions, and partly because the final two presentations on the ‘Corporate stream‘ were the most interesting. Oh, and then there was a panel discussion.

  • The game goes on: an analysis of modern spam techniques - Presented by Rob Thomas and Dmitry Samosseiko
  • Containing spam - the local challenge - Presented by Jay Goldin
  • Spy-phishing - a new breed of blended threats - Presented by Jamz Yaneza
  • Phishing trojan creation toolkits: an analysis of the technical capabilities and the criminal organizations behind them - Presented by Dmitri Alperovitch
  • Panel discussion: Anti-Spyware Coalition - working together to combat spyware - Chaired by Richard Baldry

As you can see the afternoon was full of spam and phish, and we’d already had lunch!

After this there was a special ‘Birds of a feather‘ session on tackling graphical spam, which was lively and very interesting.

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied, and more nerdy/geeky chat too. The after dinner entertainment was supplied by jugglers and acrobats and rounded off by a good band.

Day 3 - Friday the 13th of October:

The last day of the conference was ahead of us; the first two days had gone past so quickly, with so much to digest, both physically and mentally! On the final day I was in the ‘Corporate stream‘ for the first three presentations and then switched back to the ‘Technical stream‘ for the rest of the day. The ones I attended on the corporate stream were:

  • Applying collaborative anti-spam techniques to anti-virus - Presented by Adam J. O’Donnell
  • The inspector: automating the forensic investigation of infected computers - Presented by John Morris and Eric Kedrosky
  • Can strong authentication sort out phishing and fraud? - Presented by Paul Ducklin

The last two were the most interesting, with John and Eric showing how they had used free scanning/forensic tools to remotely inspect systems that were suspected of being infected. These tools were scripted and for the most part automated; nice work guys, and no, I won’t be writing a paper on how to improve the system, this time! ;-)

Paul’s presentation was great and informative, as we have all come to expect from such a knowledgeable guy who is also a very animated presenter.

Switching back to the ‘Technical stream‘ for the final talk before lunch, I sat in on:

  • Macintosh OSX binary malware - Presented by Marius van Oers

During lunch the speakers photo was taken, here it is:



I’m right in the center of the front row [blue checked shirt and white trainers]; next to me in the red sleeveless top is Michael Morgan and next to him is Morton Swimmer. On the other side of me is Paul Ducklin and then Dr. Richard Ford. A full version of this picture, naming all of those in it, will be available on the Virus Bulletin site as soon as they have collated and commented all the pictures they have from the conference and of Montreal itself.

After lunch I stayed on the ‘Technical stream‘, the presentations I saw were:

  • SymbOS malware classification problems - Presented by Dr Vesselin Bontchev
  • A deep look into Symbian threats - Presented by Robert X. Wang
  • Me code write good - the l33t skillz of the virus writer - Presented by John Canavan
  • Panel discussion: Fighting cybercrime: one size does NOT fit all! - ‘The Internet Strike Force’, led by David Perry

Although the presentations on Symbian were interesting there was little new information in them. The best of the afternoon session was the panel on Cybercrime led by the animated and funny Dave Perry in his ‘Internet Strike Force‘ bowling shirt.

And then it was the final session of the day, and of the whole conference:

  • Conference closing session - Presented by Helen Martin

All in all, this was a very good Virus Bulletin conference, although I felt that the ‘technical stream‘ was the poorest I had ever seen, with only a small number of interesting papers and presenters this year. However, this was offset by the number of excellent papers and presentations given on the ‘Corporate stream‘, and I’ve been at nine of the last eleven VB conferences. Even allowing for this, there is still nothing quite like a VB conference, and long may it continue! I’m already looking forward to next year’s and thinking up possible papers to submit as abstracts for VB2007, which will be held in Vienna, Austria!

And even though the conference ran on Friday the 13th, there were no problems, no disasters, outbreaks of diseases, hurricanes, confiscated mugs, and so on; it all went very smoothly - well, apart from Peter Cooper’s Mac laptop that crashed on the first day, Wednesday the 11th, so it doesn’t count. And there were no major virus/malware outbreaks during VB either; that in itself is rather spooky!

Just in case you didn’t spot the link to my paper, here it is again: Rootkits: Risks, Issues and Prevention ;-)

I would be keen to hear from others who attended VB2006, at least to find out what they thought of the conference content this year.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Wednesday 18th October, 2006


Rootkits: Risk, Issues and Prevention - Paper Now Available!

Filed under: All, Malware, Papers, Tools, Stats

No I haven’t fallen off the edge of the world, been kidnapped by aliens, or been hibernating. I’ve been preparing for the Virus Bulletin 2006 conference which was held last week in Montreal, Canada. Before that I was in France for 4 days at a customer site, I have also been updating a presentation for a guest lecture that I will give tomorrow at the University of Warwick, so, I’ve been busy creating and giving presentations. Oh, and that’s on top of my ‘usual‘ workload.

I will post a review of the conference in a week or so, covering my own personal thoughts on the conference and the content. This will include my thoughts on some of the presentations I attended on both the technical and corporate streams.

So, now the conference is over, I can make the paper I presented available to anyone that wants a copy.

Here’s the abstract that I submitted, and was selected back in March:

Rootkits have been around almost since the start of computing, however over the last two years the threat has changed; no longer is it just a *NIX [Unix/Linux] problem, corporate and academic computers running Microsoft Windows are now an increasing target. We are now at a tipping point; rootkits are no longer a minor annoyance or threat, they are starting to become a major cause for concern.

Many corporate security staff have a rather vague understanding of rootkits, not just what they are, but how they work. Furthermore many have little understanding of the risks to their company or their own home computer.

This paper will explain what rootkits are and how they work. It will also discuss ways to combat them using methods that range from simple security methodologies through to technical solutions.

The full paper [in Adobe Acrobat format (PDF)] can be found here: http://arachnid.homeip.net/papers*

All feedback, comments, flames, suggestions, etc. are most welcome.

Normal service will be resumed as soon as I’ve caught up with the backlog of work I have piling up around me. So, if you see a news article saying: “A computer geek was found today buried under piles of work… he was finally extracted, alive, by teams of rescuers digging him out 48 hours after they were alerted to the disaster…” then you know it was probably me. ;-)

[*] All my other conference papers and magazine articles I’ve written can also be found there.



Friday 19th May, 2006


April 2006 Malware Review

Filed under: All, Malware, Papers, Scams, Stats, Hoaxes

April has come and gone and spring has arrived. It has been another interesting month on the malware front, although, as you will see, the number of trapped malware samples is still low.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 1657 samples during April, which have been catalogued as 54 distinct families and variants. In comparison during March I captured 1356 samples which were catalogued as 61 distinct families/variants. As you can see the captures in April are only slightly up on March and still below the high of January’s total.

During April I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The low haul in April is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005. Part of the reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During April I reported 157 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during April. Its percentage fell from 73 percent [in March] to 53 percent of the pie.

Netsky.P lost its second place slot from March falling down the chart to seventh place.

The Mytobs regained the ground lost during March when they accounted for just two slots in the top ten. In April they captured five out of ten places.

The share-crawling worms lost their hold they had on March’s table where they took six out of ten places. In April they are down to just three places, halving their presence.

The only other mass-mailing worm that made it into the top ten was W32/Mydoom.o@MM [McAfee].

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen the Zafi family move out of the top ten.

In pole position we have Mytob.c, which was also number one for the last two months. Second place is occupied by Netsky.t [same as in March]. Lovegate.w makes a return [in third]. Netsky.q takes fourth place [up from seventh]. Lovegate.ad is a new entry at number five. The rest of the chart is made up of Netsky.b in sixth place [down from fourth] and Mytob variants [y, t, u and q] in seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has grabbed back its number one slot, which it lost in March. Zafi.b slips from pole to second. Nyxem.D [aka MyWife] has consolidated its third place from March. Mydoom-AJ is stationary in fourth place [it was a new entry in March]. Another Netsky [D] grabs fifth place. The final places are made up of Mytob variants [FO, C, Z and AS] in sixth, seventh, eighth and tenth respectively, broken up by the presence of a new entry, Delebot.A, in ninth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped from 73 percent of all samples caught in March to just 53 percent in April. Mytob has grabbed back second place from Operserv, which slips down to third. Fourth place is occupied by Mydoom, up from fifth in March. Netsky slips one place to sixth. The rest of the vacant spots are almost all taken by share-crawling worms and bots, these being: Sdbot, Ranky and the related multi-component dropper. The only e-mail based worms which appear in the lower five places of the chart are W32.Reatle and W32.Kapser [aka MyWife.D].

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of April] here. This clearly shows that April was quieter than December 2005, which was the quietest month ever in the case of e-mail borne malware being trapped.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 188,252 [as at the end of April 2006]. That’s a growth of 19,445. Interestingly, just like in March, the growth of new malware slowed in April by almost 50 percent when compared to the first two months of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in April 2006.

Conclusions:
Although malware growth slowed during April, you may have noticed that spam, phishing and 419 scams have been very aggressive during the same period, and they show no sign of stopping. The growth in malware, including spyware that uses rootkit [cloaking/stealth] techniques, is becoming a major problem, and corporations need to address this now, before it gets completely out of control with widespread infestations throughout their infrastructure.

On this subject, I have been asked to present on ‘Rootkits’ at the Virus Bulletin 2006 conference to be held later this year. The paper will be made available for all to read once it has been presented.

Links:



Thursday 11th May, 2006


EICAR 2006 Review

Filed under: All, Malware, Papers, Exploits, Scams, Tools

As previously mentioned on this blog I had a paper selected for the EICAR 2006 conference which was held at the Hotel Hafen in Hamburg, Germany between the 30th of April and the 3rd of May.

The hotel was quite interesting, made up of the ‘Classic’ part [left side of the picture with the hotel name on it]; which was the sailor’s mission [home] from 1864 until 1979, and the new ‘Residenz’ modern section [on the right side, includes the modern tower and you can just see part of the Ellipses]. The conference was held in the modern part of the hotel for the first two days, and then moved to the ‘Classic’, old part of the hotel for the final day.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:

Day 1 - Sunday 30th April:

The start of the day was used by many of the Working Groups and Task Forces that EICAR has. The conference ‘proper’ was kicked off by Sarah Gordon who gave her keynote speech. Sarah covered some interesting areas such as sociology, ethics and her being seen as a heretic when she originally published some of her research and ideas some years ago. These have now [for the main part] become considered as part of the mainstream. At the end of her keynote, Sarah challenged those in the room to dare to be the next heretic!

This was followed by a panel session about ‘groups’ in both the anti-malware and malware scenes.

After a break, I decided to stay in one of the two streams, this one being held in Ellipse I. The session room was smaller, and the number of people attending meant that a number had to stand as there was not enough seating. The ones that I found most interesting were:

  • Mystery Meat: Where does spam come from, and why does it matter? - Presented by Christopher Lueg.
  • Spam Zombies from Outer Space. - Presented by John Aycock and Nathan Friess

Both of these caused a flurry of questions and the lively debate raged on after the sessions.

The end of day 1 was rounded off by the ‘Meet the Experts’ session which was a chance for many of us to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way.

Day 2 - Monday 1st May:

The first sessions of the day that I attended were held in Ellipse II and were all on Spyware, from very different perspectives. Mine was the second slot of the four to be given during the first half of the morning.

  • Spyware: A risk model for business - Presented by Vanja Svajcer
  • Spyware: Risks, Issues and Prevention - Presented by Martin Overton
  • The Trials and Tribulations of Testing Spyware Solutions: Towards a Testing Methodology - Presented by Larry Bridwell
  • A Testing Methodology for Anti-Spyware Product’s Removal Effectiveness - Presented by Josh Harriman

The next set of presentations which I found interesting were these:

  • Behavioral Classification - Tony Lee
  • TTAnalyze: A Tool for Analyzing Malware - Presented by Ulrich Bayer, Engin Kirda, Christopher Kruegel
  • Enlisting the End-User - Education as a Defense Strategy - Presented by Jeannette Jarvis
  • Pharming: a real threat? - Presented by David Sancho
  • Evolution from a Honeypot to a distributed honey net - Presented by Oliver Auerbach

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied. The after dinner entertainment was supplied by a somewhat manic magician who spoke very fast and almost only in German which left about half to two-thirds of those assembled trying to work out the jokes, punchlines and the general patter that went along with the rather good magic.

Day 3 - Tuesday 2nd May:

On the last day of the main conference we moved from a two stream format to a single stream held in a conference room in the ‘Classic’ part of the hotel. This layout was significantly better than the first two days where it was somewhat cramped and there were no tables, only rows of chairs.

The day started off with another keynote, this time given by Professor Klaus Brunnstein. Although it was a very interesting talk, he overran by almost half an hour, which put the rest of the day’s schedule off. Here are the presentations that I found most interesting during the morning sessions:

  • Inherent Technical Risks will lead Information and Knowledge Societies into a risk Society - Presented by Prof. Klaus Brunnstein
  • Future Trends in the realm of malware - Presented by Guillaume Lovett
  • Windows Rootkits - Presented by Mika Stahlberg

The rootkit one I found particularly interesting as I’m currently writing a paper for the Virus Bulletin conference on this very subject. Thanks go to Mika for helping me by writing and presenting his paper [and sending me his slides too] as this will help me no end in writing mine [with due credit of course].

The afternoon also proved to be eventful as several of the sessions planned had to be removed due to speakers not turning up to present. This meant that the schedule went from being half an hour late to almost an hour early. So, the panel session was moved forward to take up the slack. As usual with panel sessions this proved to be quite animated, especially when David Perry of TREND is part of the panel ;-) .

I didn’t stay for the last day [3rd of May] as it was a day just for Task Force meetings.

All in all, this was a very good EICAR conference; in fact it was the best attended ever, with almost 100 attendees! I’m already looking forward to next year’s.

Just in case you didn’t spot the link to my paper, here it is again: Spyware: Risks, Issues and Prevention ;-)



Friday 31st March, 2006


Virus Bulletin 2006 Abstract Selected

Filed under: All, Malware, Papers

Virus Bulletin have just informed me that my abstract entitled: ‘Rootkits: Risks, Issues and Prevention‘ has been selected for the Virus Bulletin 2006 international conference to be held from the 11th to the 13th October 2006 at the Fairmont The Queen Elizabeth, Montréal, Québec, Canada.

The abstract for the paper appears below:

Abstract:
Rootkits have been around almost since the start of computing, however over the last two years the threat has changed; no longer is it just a *NIX problem, corporate and academic computers running Microsoft Windows are now an increasing target.

We are now at a tipping point; rootkits are no longer a minor annoyance or threat, they are starting to become a major cause for concern.

Many corporate security staff have a rather vague understanding of rootkits, not just what they are but how they work. Furthermore many have little understanding of the risks to their company or their own home computer.

This paper will explain what rootkits are and how they work. It will also discuss ways to combat them using methods that range from simple security methodologies through to technical solutions.

All I have to do now is get management approval to attend and then carry out all the required research and write the paper, piece of cake, NOT!

If approved then this will be the ninth time I’ve written and presented a paper for Virus Bulletin. Thanks go to VB for allowing me the honour of presenting at ‘The Premier‘ anti-virus conference in the security conference calendar once more.

The value to me personally in attending this conference is the knowledge I gain, that in itself is priceless. It is also a chance to finally meet some of the people I converse with via e-mail, and catch up with like minded people I’ve met before, some of whom I would now consider to be friends.

If you have never been to a Virus Bulletin conference and you work in the information security field, then it is about time you did, you won’t regret it!

The full paper will be made available after the conference. I’ll post an announcement here shortly after the conference has finished.



Tuesday 28th February, 2006


Bayes strikes again…

Filed under: All, Malware, Papers, Tools

Woohoo, my paper on using Bayesian Filtering to classify malware has been mentioned on none other than the ‘Looswire’ blog run by Jeremy Wagstaff. Jeremy, apart from having a very interesting blog, is also a regular columnist for the WSJ.

The paper was written for and presented at the Virus Bulletin 2004 international conference in Chicago, USA.

POPFile Screenshot

The tool he is discussing is POPFile, a FREE anti-spam tool for all platforms that support PERL [for Windows you don’t have to install PERL as it is all part of the Windows install package supplied].

It is very easy to set up and it learns very quickly. Why not give it a try?

The blog entry can be found here: How to Make More Use of the Vicar

The Vicar in question is Thomas Bayes, an 18th Century nonconformist minister who came up with a simple but very effective way to classify things using a simple theorem. If you want to know more then take a look at the paper.
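The classification the post refers to, and the ‘Bayesian Filtering tool‘ mentioned in the April 2006 review, rest on the same idea: count how often each feature (a word, an attachment type) turns up in known-good and known-bad samples, then use Bayes’ theorem to score a new sample. The block below is an added example, not the author’s tool, the VB2004 paper’s code or POPFile itself. The training corpus and the feature tokens are constructed here; a real filter would extract its features from actual messages or samples.

```python
"""Multinomial naive Bayes classifier over token features.

Added example (not the page's own tool): shows the kind of Bayesian
classification the post refers to, trained on a small constructed corpus.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed training corpus: (label, tokens). The tokens stand in for
# features pulled from an e-mail (attachment type, subject words, ...).
TRAINING = [
    ("malware", ["attachment", "exe", "zip", "password", "urgent", "account"]),
    ("malware", ["attachment", "scr", "photo", "click", "urgent"]),
    ("malware", ["zip", "password", "invoice", "exe", "click"]),
    ("clean", ["meeting", "agenda", "attachment", "pdf", "tomorrow"]),
    ("clean", ["invoice", "pdf", "thanks", "regards", "meeting"]),
    ("clean", ["photo", "holiday", "jpg", "regards"]),
]


def tokenize(text):
    """Lower-case alphanumeric tokens; a stand-in for real feature extraction."""
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                        # Laplace smoothing constant
        self.class_counts = Counter()             # samples seen per class
        self.token_counts = defaultdict(Counter)  # token frequency per class
        self.vocab = set()

    def train(self, samples):
        for label, tokens in samples:
            self.class_counts[label] += 1
            for tok in tokens:
                self.token_counts[label][tok] += 1
                self.vocab.add(tok)

    def log_score(self, label, tokens):
        """log P(label) + sum of log P(token | label), with Laplace smoothing
        so that a token never seen with this class does not zero the score."""
        total = sum(self.class_counts.values())
        lp = math.log(self.class_counts[label] / total)
        n_label = sum(self.token_counts[label].values())
        denom = n_label + self.alpha * len(self.vocab)
        for tok in tokens:
            lp += math.log((self.token_counts[label][tok] + self.alpha) / denom)
        return lp

    def classify(self, tokens):
        """Return (best_label, posterior probability of that label)."""
        known = [t for t in tokens if t in self.vocab]  # ignore unseen tokens
        logs = {c: self.log_score(c, known) for c in self.class_counts}
        m = max(logs.values())                 # log-sum-exp avoids underflow
        z = sum(math.exp(v - m) for v in logs.values())
        posterior = {c: math.exp(v - m) / z for c, v in logs.items()}
        best = max(posterior, key=posterior.get)
        return best, posterior[best]

    def decide(self, tokens, threshold=0.8):
        """Label only when confident; otherwise 'unsure', so a sample with no
        known features (equal priors) is queued for a human rather than guessed."""
        label, p = self.classify(tokens)
        return label if p >= threshold else "unsure"


def build_classifier():
    clf = NaiveBayes()
    clf.train(TRAINING)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for text in ["URGENT: your account password - see ZIP attachment (exe inside)",
                 "Agenda for tomorrow's meeting attached as PDF",
                 "zzz"]:
        print(text, "->", clf.decide(tokenize(text)))
```

The threshold in `decide` is the practical part: a filter that reports a percentage ‘classified correctly‘, as the April review does, needs an ‘unsure‘ bucket, otherwise every sample with no recognisable features is silently assigned to whichever class happens to come first.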



Wednesday 4th January, 2006


EICAR 2006 Abstract Selected

Filed under: All, Malware, Papers

EICAR have just informed me that my abstract, entitled: ‘Spyware: Risks and Prevention‘ has been selected for the EICAR 2006 conference to be held in Hamburg, Germany between the 29th April and the 2nd of May 2006.

The abstract for the paper appears below:

Spyware has grown over the last two years from a minor annoyance to what it is today; a major headache for companies and academia (most of them just don’t know it yet) and home users alike.

This paper will investigate the growth of this threat and the ‘cart-load’ of risks and issues that Spyware and related risks bring to the corporate table. Furthermore, it will investigate what the security staff in corporations can implement to address the risks and their companies’ liability, including:

  • Policy
  • Education
  • Firewalls
  • Proxies
  • Intrusion Detection Systems
  • Anti-Virus tools
  • And last but not least, Anti-Spyware tools.

The processes, procedures and other solutions and guidance offered in this paper will come mainly from real-world experience of tackling spyware and related issues/risks.

All I have to do now is carry out all the required research and write the paper; should only take me about 3 months… Hang on, they need the completed paper by the 17th of March!!!

The full paper will be made available after the conference. I’ll post an announcement here shortly after the conference has finished.



Wednesday 14th December, 2005


EMEA SecureWorld 2005 Review

Filed under: All, Malware, Papers

As some of you may have noticed this blog has been rather quiet over the last month or so, why? Well this posting should give you some idea why I haven’t been able to find much ‘spare’ time to post here. Hopefully things should get back to something resembling ‘normality’ [if there is such a thing], at least for a while.

The EMEA SecureWorld conference was held in the beautiful city of Prague in the Czech Republic between the 21st and 24th of November at the Prague Hilton about a mile from the historic centre of Prague.

I arrived late in the afternoon on the day [Sunday] before the conference started, and was rather surprised that it had snowed; in fact it was snowing most of Sunday, which made it a cold trip from the airport to the hotel.

Having been to Prague before and knowing that the taxi drivers are notorious for:

  • Speeding
  • Driving like maniacs
  • Over-charging tourists

I decided to have a ‘mini-adventure’ and try and get to the hotel via public transport; bus and then metro. I must admit I was feeling rather daunted by the prospect, but apart from the bus driver being rather brusque and awkward, the trip was fairly simple and I arrived about an hour after leaving the airport. All for the cost of around 1 UK Pound [40 Czech Crowns] instead of the 600-1,300 Czech Crowns [Koruna] it would have cost by taxi.

But, don’t just take my word for it. Here’s a picture from the Virus Bulletin 2001 conference featuring Graham Cluley from Sophos with a slide about the ‘risk’ levels of certain things:



The text below the ‘Meteor Strike’ image that he is obscuring says ‘LOW, but pretty nasty’, so you can see that if you willingly use Prague taxis you are considered to have a ‘Death Wish’, or just don’t know any better!

On the subject of Prague taxi drivers being notorious, they even tried to rip-off [over-charge] the Mayor of Prague when he was disguised as a tourist!

Anyway, back to EMEA SecureWorld:

I was invited to present on the following:

  • DI09 - IDS and IPS Another piece of Protection Puzzle [1]
  • DI10 - Outsourcing Security, Why and What? [3]
  • TM18 - Bots and Botnets: Risks, Issues and Prevention [2]

Two of these presentations [DI10 and TM18] were repeated on the last day of the conference, so I ended up doing five one-hour presentations. Not only that, but I was also interviewed by a journalist for the Czech version of one of the technology magazines [Professional Computing] and I also participated in a ‘radio interview’ for the Czech Republic’s largest radio station. The radio ‘interview’ will be translated into Czech and will be broadcast in January 2006.

Both of these were about ‘bots and botnets’ as well as SPAM and Phishing.

Representing the US Virus Cert was Chuck Springer who gave a number of presentations on malware related topics.

  • TM01 - Introduction to Malware
  • TM02 - Worm Wars
  • TM03 - First Aid Virus
  • SGC04 - Corporate Threat Assessment Model
  • TM04 - Will International Law Stop Virus Writers?

Other things to be aware of in Prague are: the pick-pockets, beggars and the infamous scam where you get approached by someone asking for change; next thing you know a ‘policeman’ is demanding to see your passport, and then proceeds to confiscate it. Next, both the ‘change’ requestor and the ‘policeman’ disappear. Guess what, the policeman was not a policeman and you have been scammed and are now without your passport!

How do I know about this scam? Well, I have been to Prague before, to present at the Virus Bulletin 2001 conference, and the paper I was doing that year was all about hoaxes, scams, urban legends and related things. So, before I went I did some research into local ‘known’ scams, hoaxes, etc.

Don’t get me wrong, I really like Prague; it really is a very beautiful historic city with some amazing architecture, and I would happily go there again. In fact my son is very keen to visit as soon as I can be surgically removed from my computers and my desk ;-) .

Right, back to the EMEA SecureWorld conference:
There were a number of other interesting presentations which I managed to attend, including a very good one on ‘Secure DMZs’ presented by Jeff Crume. However, it was not possible for me to attend all of the ones I was interested in as I was often presenting at the same time as they were being run, typical!

All in all, this was a useful conference to attend and the feedback we’ve received so far indicates that it was a hit with the delegates too!

On the Friday, the day I was travelling back to the UK, it started to snow again, quite heavily. So I arrived to snow, it didn’t snow during the conference [although it was bitterly cold] but started to snow as I was leaving Prague.

I decided to repeat my ‘mini-adventure’ and try and get to the airport via public transport; metro and then bus. I allowed extra time, however I needn’t have worried as the whole trip was painless and I was at the airport in under 45 minutes and as I bought a ticket for the metro and bus in advance it cost me about 50 Pence [20 Czech Crowns].

[1] This presentation is based on the paper written for the EICAR 2005 conference and can be downloaded from http://arachnid.homeip.net/papers
[2] This presentation is based on the paper written for the Virus Bulletin 2005 conference and can be downloaded from http://arachnid.homeip.net/papers
[3] There is no paper for this.



Wednesday 19th October, 2005


Virus Bulletin 2005 Review

Filed under: All, Malware, Papers

Well the annual Virus Bulletin International conference has come and gone again. This year it was held in Dublin, Ireland between the 5th and 7th of October. The change this year was a move to extending the conference to an ‘almost 3 day’ format.

As usual there were over thirty top speakers there to present their papers. These ranged from discussing ‘Symbian Malware’ to panel discussions on ‘Who is hiding the virus writers’ and ‘Dying for information in the information age’. There were numerous excellent technical and corporate presentations.

The ‘Technical’ stream was once again the most interesting (from my perspective), although I did sit in on several ‘Corporate’ stream presentations as well.

Tuesday the 4th - Pre-conference activities:
I took part in the AVIEWS/AVIEN discussing the upcoming ‘Virtual Conference’ amongst other topics and general chit-chat, such as catching up with old friends.

The following were the top presentations that caught my interest:

Day 1 - October 5th:
We kicked off early in the morning with a number of vendor presentations. The ones I managed to see were the ones from Eset [Presented by Andrew Lee] and Trend [Presented by David Perry]. As usual David’s presentation was both informative and very funny. He also made some very nice comments about my paper during his talk.

The conference officially started at 14:00 with Helen Martin’s welcome pitch. The conference then split into two streams [as usual], one being the technical stream and the other being the corporate stream.

The keynote presentations for each stream were:

  • Technical: Igor Muttik talking about ‘Manipulating the Internet’.
  • Corporate: Martin Overton talking about ‘Bots and Botnets: risks, issues and prevention’.

From 16:20 and for the rest of the afternoon I was chairing sessions in the ‘Technical Stream’. Both of these talks were interesting. The talks were about ‘Tracing execution paths’ and ‘Defeating polymorphism: beyond emulation’.

I also participated in a ‘Round Table’ session on ‘Malware Trends’ after the end of the day’s presentations. Although this was interesting and lively, the down side was that 3 of the 4 invited guests were misquoted by the press. As usual, this caused a certain amount of annoyance to those affected. But, this is a known [and grudgingly accepted] risk when dealing with the press.

After that a well deserved drink was had by all at the ‘Welcome Drinks’ event [Guinness and Jameson, of course], and this spilled over into another ‘Private Drinks’ session after the official VB ‘Welcome’ party finished.

Day 2 - October 6th:
As usual on the second day I spent the whole day in the technical stream. The following caught my interest:

  • Solving the Bagle jigsaw - Scott Molenkamp and Hamish O’Dea.
  • The evolution of malicious IRC bots - John Canavan.
  • What makes Symbian malware tick - Jarno Niemela.
  • Hide ‘n seek revisited - full stealth is back - Kimmo Kasslin et al.
  • Dying for information in the information age - Gaby Dowling [I was a panel member on this session].

The day was finished off by the ‘Gala Dinner’, which is always a good event. As usual we were entertained by a local act. In this case it was a ‘Riverdance’ type troupe of dancers.

Day 3 - October 7th:
I split my day between the technical and corporate stream as there were a number of interesting looking talks I wanted to attend. These were the ones that I found most interesting:

  • Genotype spam detection - Dmitry Samosseiko.
  • Why user authentication is a bad idea - Nick Fitzgerald.
  • Pseudo-words for spam filtering in an unmodified Naïve Bayesian text classifier - John Graham-Cumming.
  • The strange case of Judith C. - David Perry.
  • Techniques of adware and spyware - Eric Chien.

Conclusion:
VB2005 was the best attended of the VB conferences over the last 5 years or so (380 delegates), lots of new faces, lots of old faces too. This has helped to keep VB fresh and interesting and, as far as I’m concerned, the best security conference for the area that I’m interested in, and long may it stay that way!

If you are interested in security and malware/anti-malware and related things then this is a must attend conference!

For those that are interested, the paper I presented at this conference can be found here: http://arachnid.homeip.net/papers/

This covers Bots and Botnets, discussing what they are, how they work, the risks they bring and what techniques and methodologies you can use to help counter them.



Monday 10th October, 2005


No, I haven’t fallen off the edge of the World….

Filed under: All, Malware, Papers

Or gone down with a virus!

Sorry for the lack of blog entries over the last month or so, but I’ve been writing a conference paper and creating a presentation for the Virus Bulletin international conference in Dublin, Ireland, last week.

Later this week I will be lecturing at the University of Warwick on malware and internet security.

I have also been asked to present at the upcoming EMEA SecureWorld conference to be held in Prague in November. In fact I will be presenting twice during that conference, and guess what I will be doing now that I’m back from VB2005? Yes, that’s right, creating the two presentations for SecureWorld!

I will also be submitting an abstract or two for next year’s EICAR conference to be held in Germany.

All of these above presentations and papers are extra work on top of my more usual workload.

Can anyone clone me?…..Oh alright, one of me is enough, or one too many ;-)

Normal, [once or twice a week postings] service will be resumed as soon as I can find that elusive 25th hour in the day, or I decide to give up trying to get any sleep at all!

Now that the Virus Bulletin conference is over [and a good conference it was too] I can make the paper available, here’s a link to it: Bots and Botnets: Risks, issues and prevention.

The promised Zotob posting is coming soon, honest.


