The Reference in Independent Anti-Malware Advice and Information

Eddy Willems Anti-Virus Consultancy International

This is Eddy Willems’ official and original homepage for anti-virus and anti-malware consultancy with links to most anti-malware sites and companies in the world.

This site is the reference in independent anti-malware advice and information. It is also known as the first Belgian anti-virus page and one of the oldest anti-malware sites on the Web. The site has existed since 1995 and was completely renewed in September 2010. Within these pages you will find one of the most comprehensive lists of anti-malware sites in the world, with over 4000 links.

I have been working in the past (over 2 decades) as Anti-Malware Technology Expert for the security industry (NOXS (a Westcon Group Company), McAfee, TrendMicro and Symantec) and as Security Evangelist for Kaspersky Lab. I am now working as Security Evangelist for G Data Software AG. I am a Belgian security expert who is a member of most international security and malware organisations in the world. I am the first and only person in Belgium on the board of three (EICAR, AMTSO and LSEC) international security organisations at the same time. Find more about me on the ‘about me’ page for a more detailed bio.

Also take a look at my Twitter, Facebook, LinkedIn, YouTube channel or iTunes channel. Don’t forget to subscribe to my popular anti-malware Blog with continuous updates, and to take a look at my new Blog and my press page with over 1000 interviews and articles.

This site is and will remain always completely independent! (Site Design: Sonia Auger and Eddy Willems)

Internet of (Things) Trouble … the continuing story

Is the IoT industry making the same mistakes again?

Half a year ago I wrote about the expected problems related to IoT. And guess what? Unfortunately we were right. It even got worse in the past 6 months. Nearly everything that was described back then has been exploited. And that’s not a good thing.

The Car Industry

Hacked cars in particular made it into the latest news, from online news media to the biggest broadcasters in the world. Examples include Fiat Chrysler, which recalled 1.4 million cars after the Jeep hack, and a Corvette whose brakes could be remotely controlled. These examples confirmed the problems related to the whole car industry described in our former blog (e.g. the BMW problems).

The Fitness Industry

Completely different but fully related to the Internet of Things are the new wristbands, step counters and mobile fitness devices, and the data they gather in the cloud, on the device and on your smartphone. An interesting test was performed by AV-Test, a well-known independent test organization for security products. This test tried to measure how private fitness data is transferred from the devices to the smartphone or the cloud, and how secure the apps of fitness trackers are. You can find the full test here. These new fitness wristbands are very popular and already a trend: all activity results are recorded and analyzed in an app on the user’s smartphone, so the user can immediately see how well they performed. The question remains, however: is the data transported securely from the wristband to the user’s smartphone? Is it possible for someone to intercept this link and copy or even manipulate the data? Could the app itself be manipulated? Those questions were investigated by monitoring 9 fitness wristbands or trackers, together with the corresponding Android apps, in live operation. How well did those trackers perform in terms of security? And what about eavesdropping?

The AV community mourns for Klaus Brunnstein

The Viren-Test-Center’s founder passed away in May 2015, at the age of 77.

Brunnstein was born in Cologne and was later based in Hamburg. Working at the University of Hamburg, he influenced computer science education worldwide. He will surely be remembered by many colleagues, family and friends.

Picture of Klaus Brunnstein (*25.5.1937 - +19.05.2015)

A man we all will miss!

Klaus was one of the founders of CARO (the Computer Anti-Virus Research Organization), an organization that was established in 1990 to research and study malware. CARO was planning to create another official and public organization called EICAR, an organization aiming at antivirus research and improving the development of security software. It was during the inaugural meeting of EICAR in Brussels, Belgium in 1991 that I met Klaus for the first time.

While talking to Klaus, I got to learn about so many new aspects of viruses, and that made me even more interested in this whole matter. Some of his ideas were very controversial, while others, on the contrary, were even very conservative. His ideas inspired me in a lot of security related topics, events and publications I touched, visited and launched afterwards. You could at least say that, without Klaus and my first encounter with a Trojan horse, back in 1989, I wouldn’t have been in the security industry at all.

I still remember Klaus from his interesting discussions and points of view on a closed security forum. Actually, I still have all of his feedback in my backup system. Some of these old mails date back 19 years! I always stayed in contact with Klaus and I met him during many security related events, like the early EICAR conferences in the nineties.

During one of the latest CARO workshops, I told him about a book that I was writing and he told me that he would always be there in case I needed some advice. For that reason, I asked him, several months ago, to write an opinion chapter about the future of security for my book, called “Cyber Danger” (the German version “Cybergefahr” will be published later this year). I now realize that these will most probably be the last words he officially wrote in a book. Klaus will always be remembered as a pioneer. I am greatly saddened to have learned of his death yesterday. He contributed so much to the industry.

Klaus, I still owe you a copy of my book! Somewhere. Sometime.

Regin, an old but sophisticated cyber espionage toolkit platform

Malware that can be mentioned in the same breath as Stuxnet & Co.

Regin is one of the latest cyber espionage toolkits, targeting a range of organizations, companies and individuals around the world. This malware is very sophisticated and can be mentioned in the same breath as other cyber espionage campaigns like Duqu, Stuxnet, Flame and Uroburos (aka Snake/Turla). First reported by Symantec[1], Regin kept itself under the radar for years.

As G DATA experts worked on this rootkit for quite a while, we also gathered some data. The first Regin version we identified was used in March 2009, and its compilation date is July 2008:

paul@gdata:~/regin$ ./ b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
File:    b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Size:    12608 bytes
Type:    PE32 executable (native) Intel 80386, for MS Windows
MD5:     ffb0b9b5b610191051a7bdf0806e1e47
SHA1:    75a9af1e34dc0bb2f7fcde9d56b2503072ac35dd
Date:    0x486CBA19 [Thu Jul  3 11:38:01 2008 UTC]
EP:      0x103d4 .text 0/4

Some sources go back as far as 2003, but this is unclear at the moment; we can, however, confirm that this campaign appeared at least in early 2009.

An Open Source detection tool provided by G DATA

We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:

#include <stdint.h>

typedef struct _HEADER {
    uint16_t SectorSize;
    uint16_t MaxSectorCount;
    uint16_t MaxFileCount;
    uint8_t  FileTagLength;
    uint32_t crc32custom;   /* 32-bit: the value printed below (df979328) does not fit in 16 bits */
} HEADER;

During our analysis, the checksum was a CRC32. A generic way to detect the infection is to check for the existence of the virtual file system on a suspect machine by verifying the custom CRC32 value at the beginning of the file system header.
Download the Python script by going to the original G DATA article (see the link below). SHA256: 98ac51088b7d8e3c3bb8fbca112290279a4d226b3609a583a735ecdbcd0d7045 MD5: 743c7e4c6577df3d7e4391f1f5af4d65
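As an added illustration of that header check (this is not G DATA's script, which is only linked from this page), the following Python parses the header layout above and compares the stored checksum with one recomputed over the file body. The page does not document the custom CRC32 variant, so plain zlib CRC32 over the bytes after the header is assumed as a stand-in, as are little-endian unpadded packing and reading the sample output's field values as hex.

```python
import struct
import zlib

# Header layout from the page: uint16 SectorSize, uint16 MaxSectorCount,
# uint16 MaxFileCount, uint8 FileTagLength, uint32 crc32custom.
# Little-endian and unpadded packing is an assumption of this example.
HEADER_FMT = "<HHHBI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 11 bytes


def parse_header(data: bytes) -> dict:
    """Unpack the fixed header at the start of a candidate .evt file."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than the VFS header")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    names = ("SectorSize", "MaxSectorCount", "MaxFileCount",
             "FileTagLength", "crc32custom")
    return dict(zip(names, fields))


def body_crc(data: bytes) -> int:
    """Stand-in for Regin's custom CRC32 (not documented on the page):
    plain zlib CRC32 over everything after the header."""
    return zlib.crc32(data[HEADER_LEN:]) & 0xFFFFFFFF


def is_regin_vfs(data: bytes) -> bool:
    """Detection rule: the stored checksum matches one recomputed over the body.
    A genuine event log carries no such self-consistent header, so a match
    is the signal; a short or unrelated file simply returns False."""
    try:
        hdr = parse_header(data)
    except ValueError:
        return False
    return hdr["crc32custom"] == body_crc(data)


def build_sample(body: bytes) -> bytes:
    """Constructed test image only: a header consistent with `body`, using the
    field values from the page's sample output read as hex (assumption)."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, 0x1000, 0x0500, 0x0500, 0x10, crc) + body


if __name__ == "__main__":
    sample = build_sample(b"\x00" * 64)
    for name, value in parse_header(sample).items():
        print(f"{name}: {value:x}")
    print("Regin detected" if is_regin_vfs(sample) else "clean")
```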

And here is the output when a virtual file system is scanned:
paul@gdata:~regin$ ./ security.evt
SectorSize:  1000
MaxSectorCount:  0500
MaxFileCount:  0500
FileTagLength:  10
CRC32custom:  df979328
CRC of the file: df979328
Regin detected


So far, victims of Regin were identified in 14 countries:

  • Algeria
  • Afghanistan
  • Belgium
  • Brazil
  • Fiji
  • Germany
  • Iran
  • India
  • Indonesia
  • Kiribati
  • Malaysia
  • Pakistan
  • Russia
  • Syria

Perhaps one of the most publicly known victims of Regin is Jean-Jacques Quisquater, a well-known Belgian cryptographer. Kaspersky Lab stated this in their report, which you can find at .

Even more interesting is the fact that Regin seems to be the spyware behind the Belgacom case, a large Belgian telecom provider that was hacked in 2013. Belgacom acknowledged the hack, but never provided details about the breach. Ronald Prins from Fox-IT, which helped with the forensics and investigation of the Belgacom case, confirmed on his Twitter page that Regin could possibly be the malware behind the Belgacom case.

The Intercept, a publication of First Look Media, not only connects Regin to Belgacom, but also names the European Union as a potential victim in an article published on November 24th.