Sunday, September 28, 2008
Indeed I'm on my way to the VB conference in Ottawa, Canada. WOW ... This is my number 13 of all the Virus Bulletin conferences. I've been attending since 1996 (Brighton, UK) and I can assure you that this is the best conference if you are in the anti-malware industry. You can find more from the conference itself at the VB website. As always I will post some pictures over here afterwards or during the conference. And BTW if you're not there, you're either sick or dead or you just don't belong to that part of the industry. It's as simple as that! ;-)
Tuesday, September 23, 2008
GeenStijl and GeenCommentaar: 0/10 ..Unethical in every aspect!
It's been a bit of a bumpy ride on the Dutch part of the internet over the last couple of days. One blog - www.geencommentaar.nl - decided to set up something I like to call a 'web 2.0 honeypot' in the form of a petition. The idea behind this was to attract the attention of the biggest blog in the Netherlands - www.geenstijl.nl - and get GeenStijl readers to comment. GeenCommentaar logged the IP addresses of users who made offensive comments on the blog and created a database. (A lot of the offensive comments came from GeenStijl users). Other bloggers could then check the database to see if a particular IP address had been tagged as offensive. Supposedly the idea behind this was to make life easy for other site/blog owners, by offering an automatic way to filter out (probably) unwanted comments/content. When GeenStijl realized what was happening, they responded with a vengeance by adding a piece of JavaScript to their page. This meant that when anyone visited the GeenStijl site, a random IP address was generated, and the GeenCommentaar database would be queried to see if the IP address had been tagged as offensive. All of this was done automatically and without visitors to the site knowing anything about it.
The result? GeenCommentaar's server couldn't handle the load; as well as GeenCommentaar getting hit, some other sites running on the same server were overloaded. In addition to the obvious ethical objections, both the parties involved are breaking the law.
BTW Kaspersky Lab added detection for this DDoS script as Trojan-Clicker.JS.Small.p.
If you want to read more about it, please look at my colleague Roel's comment at Kaspersky Virus Analyst's Diary or read my own comments in Dutch at webwereld.nl.
A lot of people no longer seem to think about what is good or bad on the internet. They just act and play like 'criminal' children without noticing! Unbelievable!
Well ... at least their names are well chosen: no comment with no style.
Sunday, September 21, 2008
Back from Govcert.nl 2008
Sunday, September 07, 2008
Goodie Security Picture of the Month
Furthermore, I was cleaning up my attic a little bit, where I found a lot of old and newer security goodies (the free give-aways at conferences). So from now on I am going to use the good ones, after having thrown away some other rubbish. For this job I got wonderful help from a Symantec display box. In the picture you can see how you could use it in a creative way. ;-)
BTW, it's just a coincidence that I used a Symantec 'box' for it.
Other display boxes are also quite good.
This time this picture becomes the Security Goodie of the month!
Wednesday, August 13, 2008
Kaspersky Lab helps Dutch police dismantle Shadow botnet.
FYI: This was the press release which I spoke about in my previous blog posting.
The Dutch High Tech Crime Unit identified a large botnet when they arrested a 19-year-old Dutch man last week. The Unit asked Kaspersky Lab, a leading developer of secure content management solutions, to provide the victims with instructions on how to neutralize the malware on their systems; neutralizing the malware ultimately brings down the botnet. This is an excellent example of the close co-operation which exists between the antivirus industry and law enforcement.
At the request of the Dutch police, Kaspersky Lab created detailed instructions on how to remove the malware. The Dutch police have pointed victims towards a page on the Kaspersky Lab website which contains the removal instructions, and also to a website which gives victims the opportunity to make a formal complaint to the police. Eddy Willems, Security Evangelist with Kaspersky Lab Benelux, who worked closely with the High Tech Crime Unit, believes this case clearly illustrates how the security industry can help law enforcement in the fight against cybercrime. A spokesperson for the Public Prosecution Service agrees: “The Public Prosecution Service and the police worked together with Kaspersky Lab on this case with full contentment”.
The so-called Shadow botnet is made up of around 100,000 infected machines from all over the world. A botnet is a collection of computers infected with malware which are then linked into a network. The infected machines can be controlled remotely (without their owners' knowledge or consent) and used by criminals to send spam, attack websites, or steal confidential data such as credit card numbers.
Last week the Dutch police arrested a 19-year-old Dutch man for selling this botnet to a Brazilian who was also arrested. The arrests were the result of an operation conducted by the High Tech Crime Unit and the FBI.
If you think you're a victim
If you think your computer is part of the botnet, please follow the removal instructions at www.kaspersky.com/shadowbot. However, the removal instructions only apply to the malware which has been used to create the botnet. Eddy Willems warns: “These programs may have downloaded additional malware to computers which were part of the botnet. So users should make sure they perform a full scan of their machine using an up-to-date antivirus solution.” If you have Kaspersky® Internet Security or Kaspersky® Anti-Virus running on your computer, you do not need to follow the instructions, as the software will automatically detect and delete the malware.
I'm back!
Is Eddy Willems dead? How can we reach Eddy?
Several people sent me some emails because they were worried about what happened to Eddy.... he's not blogging anymore.
Well there are some good reasons why you didn't hear from me ...
First of all I was terribly sick, with a fever sometimes higher than 39,5 C. A double Salmonella bacterial infection hit me hard and I was out for several weeks. And it was also very bad timing: it happened just before the main Kaspersky event of the year! This was possibly the first conference or event I have missed in 20 years.
However, I recovered quite well and right afterwards my vacation period came up, meaning ... no worries, no calls, no media. That's probably what you think.
You are of course wrong because I even did a few interviews and two television interviews during my vacation.
Both of them can be viewed on the press page of my site.
Starting today I'm blogging again, and there is more reason than you think ... a lot of things have already happened, ranging from a Kaspersky press release together with the National High Tech Crime Unit of the Dutch police to the bizarre race-to-zero creation and test case!
A case I already spoke about to the press some months ago.
Wednesday, June 25, 2008
Sunday, June 15, 2008
GPCode.ak solution in another way ...
Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition. When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted data from the original file to this new file, and then deletes the original file. It's known that it is possible to restore a deleted file as long as the data on disk has not been significantly modified. This is why, right from the beginning, we recommended that users not reboot their computers, but contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode. Please have a look at the blog posting by my colleague Vitaly on Kaspersky's Viruslist blog from 13 June 2008.
Kaspersky got a lot of comments and criticism, even from respected and well-known security people like Bruce Schneier, Vesselin Bontchev and others, but what none of them were looking at was the easy solution: just try to recover the files as they were before they were encrypted. I fully agree with them that searching for the decryption key using brute-force computing power would be very unrealistic, but still, I like at least the idea of an international cooperation between a lot of security companies ... maybe it's 'insecure' thinking on my part, if you know what I mean. ;-)
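As an added illustration (not from this post and not Kaspersky's recovery tool), here is a toy model of the recovery principle described above: the encrypted copy is written beside the original, the original is only unlinked, so its bytes can still be carved back by header/trailer signature until later disk activity reuses the freed space. It assumes a simplified first-fit disk, an XOR stand-in for the encryption and constructed file contents.

```python
SIGNATURES = {                      # header -> trailer pairs, like a file carver's table
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

class ToyDisk:
    """Flat byte array plus a directory. Deleting only drops the directory entry."""
    def __init__(self, size):
        self.raw, self.dir, self.free, self.next_free = bytearray(size), {}, [], 0

    def write(self, name, data):
        for i, (off, length) in enumerate(self.free):   # first-fit reuse of freed space
            if length >= len(data):
                self.free.pop(i)
                break
        else:
            off, self.next_free = self.next_free, self.next_free + len(data)
        self.raw[off:off + len(data)] = data
        self.dir[name] = (off, len(data))

    def delete(self, name):
        off, length = self.dir.pop(name)
        self.free.append((off, length))   # bytes stay on disk until the slot is reused

def simulate_gpcode(disk, name, key=0x5A):
    """Gpcode.ak's pattern: write an encrypted copy beside the file, then delete the original."""
    off, length = disk.dir[name]
    plain = bytes(disk.raw[off:off + length])
    cipher = bytes(b ^ key for b in plain)      # XOR stand-in; the real malware used public-key crypto
    disk.write(name + ".crypt", cipher)         # ".crypt" suffix is constructed for this model
    disk.delete(name)

def carve(raw):
    """Scan the raw image for known header/trailer pairs, as a recovery utility does."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = raw.find(head)
        while start != -1:
            end = raw.find(tail, start + len(head))
            if end == -1:
                break
            found.append((kind, bytes(raw[start:end + len(tail)])))
            start = raw.find(head, end + len(tail))
    return found

def demo(extra_writes=0):
    """Return carved PDFs; extra_writes models disk activity (e.g. a reboot) after infection."""
    disk = ToyDisk(4096)
    doc = b"%PDF-1.4 constructed sample document %%EOF"
    disk.write("report.pdf", doc)
    simulate_gpcode(disk, "report.pdf")
    for i in range(extra_writes):
        disk.write(f"tmp{i}", b"X" * len(doc))   # new data lands in the freed slot
    return [data for kind, data in carve(disk.raw) if kind == "pdf"]
```

With no further writes the original document is carved back intact; a single later write into the freed slot makes it unrecoverable, which is why the advice was not to reboot.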
Typosquatting in Belgium on the rise.
Typosquatting, also called URL hijacking, is a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter.
It seems that typosquatting has been more or less on the rise over the last few years here in Belgium. I was interviewed yesterday and made it into the news at 13:00 and 19:00 on VTM, a well-known Belgian TV station. You can have a look at the recorded broadcast on my press page or via my direct link.