Wednesday, December 09, 2009

20 years with or within the Anti-Virus and Security Industry

Today it's exactly 20 years ago that one of my former managers gave me a diskette which appeared to contain the AIDS information trojan. At that time I was one of the first in the world to get a detection for it and who could reverse the situation from a trojanised machine back to a healthy one. It changed my life completely. 2 years later I was one of the founders of EICAR. And it kept going on in the good direction. Look here if you want to see how I changed in 20 years. ;-)

I love what I'm doing. It's my life and I'm one of the few who are not doing it only for the money. During those 20 years I've met a lot of interesting, brilliant-minded and enthusiastic people. The AV industry itself is also quite special and I still like to work with or inside this industry even after 25 years of IT experience (not counting my university and school years). However, some people involved are not always what they pretend to be and just do their job. It's just a job for them.
It's not a job for me, it's much more: it's my life.

And take it from me, there is a big difference if you're driven by a mentality or principle to do something good for people, to help them in the continuous battle against crime, or should I rather say cybercrime today.

I'm ready for another 20 years. Let's hope I can continue in the same direction.

Tuesday, October 13, 2009

Security Events and ... where to find Eddy Willems? updated version 2

It's unbelievable how fast time flies if you're having fun. I've been travelling lately from one event to the other. I got 3 events in a row on 3 days. During some of the events I speak, give a lecture, keynote or a presentation. A lot of people have asked me in the past to put my agenda on the internet, but of course this is something I will not do because of the security aspect; however, I will give a small (incomplete) overview of some of the events where I will speak in the next weeks:

- 13 October: Kaspersky Lab Ingram roadshow (http://www.ingram.be)
- 21 October: Kaspersky Lab UK Partner Event (www.kaspersky.co.uk)
- 22 October: Kaspersky Lab DMAX-Copaco roadshow (http://www.dmax.be)
- 4-5 November: Infosecurity NL, 11:00-11:30 (Malware testing considerations from Analysts in-the-cloud) (http://www.infosecurity.nl)
- 22-23 November: Kaspersky Lab Student Conference London (http://www.kaspersky.com/events)
- 25 November: Securiosity Nijmegen: Nederlandse Universiteiten Security Event Keynote (https://www.securiosity.nl)
- 26 November: Kaspersky Lab DCB roadshow (http://www.dcb.be)

.....

More is coming for HCC NL and another big event in Belgium.
And I'm possibly forgetting a couple of other ones.
If you want to book me, it's possible: just contact Kaspersky Lab.

Just updated the agenda with a UK event ... replacing David Emm.

Tuesday, September 15, 2009

I'm too busy with security events ...

I will be giving a presentation tomorrow at IDG's in-the-cloud event (Netherlands). Next week I will be in Geneva, Switzerland for my 14th Virus Bulletin conference. This time I will be sponsored by EICAR and I will bring the CFP and the News magazine from EICAR with me. After this I will give a lecture at the CBM masterclass event (Netherlands, 30 September) and the day afterwards I will give another lecture at Nemesys, also in the Netherlands... And that's only the beginning. And I'm missing a lot of other events; I just have no time to visit them all. Maybe I should try to split myself up into 2 or 3, or maybe a virtual copy of myself. Well, that's a future thingy, isn't it? Just keep an eye on my Twitter space where you can find some more info, if I have the time for it.
Let's hope I don't forget my birthday in the meantime... ;-)

Friday, September 04, 2009

10 Most Known Malware in 2 Decades (Random Order)

a) Conficker (2008-2009) -- Also known as Downup, Downadup and Kido, Conficker is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has more than five million computers now under its control — government, business and home computers in more than 200 countries, according to the New York Times. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
b) I Love You (2000) -- Who wouldn't open an e-mail with "I Love You" in the subject line? Well, that was the problem. By May 2000, 50 million infections of this worm had been reported. The Pentagon, the CIA, and the British Parliament all had to shut down their e-mail systems in order to purge the threat. I still remember that I was on a customers site when it all started and I was overloaded with press and media attention afterwards.
c) Melissa (1999) -- Melissa was an exotic dancer, and David L. Smith was obsessed with her and also with writing viruses. The virus he named after Melissa and released to the world on March 26, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005.
d) SQL Slammer (2003) -- This fast-moving worm managed to temporarily bring much of the Internet to its knees in January 2003. The threat was so aggressive that it was mistaken by some countries to be an organized attack against them. I was just ordering a fish in a fish shop that day, but I didn't get the time to eat it afterwards....
e) Nimda (2001) -- A mass-mailing worm that used multiple methods to spread itself; within 22 minutes, Nimda became the Internet's most widespread worm. The name of the virus came from the reversed spelling of "admin."
f) Code Red (2001) -- Web sites affected by the Code Red worm were defaced by the phrase "Hacked By Chinese!" At its peak, the number of infected hosts reached 359,000.
g) Blaster (2003) -- Blaster is a worm that triggered a payload that launched a denial of service attack against windowsupdate.com, which included the message, "billy gates why do you make this possible? Stop making money and fix your software!!"
h) Sasser (2004) -- This nasty worm spread by exploiting a vulnerable network port, meaning that it could spread without user intervention. Sasser wreaked havoc on everything from The British Coast Guard to Delta Airlines, which had to cancel some flights after its computers became infected.
i) Storm (2007) -- Poor Microsoft, always the popular target. Like Blaster and others before, this worm's payload performed a denial-of-service attack on www.microsoft.com. During Symantec's tests an infected machine was observed sending a burst of almost 1,800 e-mails in a five-minute period.
j) Morris (1988) -- A real oldie: without Morris the current threat "superstars" wouldn't exist. The Morris worm (or Internet worm) was created with innocent intentions. Robert Morris claims that he wrote the worm in an effort to gauge the size of the Internet. Unfortunately, the worm contained an error that caused it to infect computers multiple times, creating a denial of service.

I used the most commonly known malware names here and not the specific Kaspersky Lab or other security vendors' names.

Thursday, August 20, 2009

Induc ... the Delphi Virus

Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables.

The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu. Practically all Delphi projects include the string “use SysConst”, which means the infection of only one system module results in the infection of all applications under development. In other words, the modified SysConst.dcu file causes all subsequent programs created in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted.

The virus is not currently a threat – there is no destructive behavior apart from infection. It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of developers publishing .dcu files have already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive. Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.
It's also quite interesting to note that Kaspersky Lab was the first to detect this new virus; however, it's a shame that some media are ignoring this!
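As an added illustration (not code from this post or from Kaspersky Lab) of the defensive control the mechanism above calls for: because a tampered SysConst.dcu poisons every program linked afterwards, the unit's hash should be compared against a known-good baseline before each build. The Lib directory layout and the sample file contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 (fine for large .dcu files too)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_sysconst(lib_dir, baseline_sha256):
    """Compare <lib_dir>/SysConst.dcu against a known-good hash.
    The baseline must come from the original install media or a machine
    known to be clean. Returns 'missing', 'clean' or 'modified'."""
    dcu = os.path.join(lib_dir, "SysConst.dcu")
    if not os.path.isfile(dcu):
        return "missing"
    return "clean" if sha256_file(dcu) == baseline_sha256 else "modified"

def audit_delphi_installs(lib_dirs, baselines):
    """lib_dirs: {version: Lib directory}, baselines: {version: sha256}.
    Returns {version: status}. A 'modified' install must not be used to
    build until SysConst.dcu is restored, since every executable it links
    would carry the injected code."""
    return {ver: check_sysconst(path, baselines.get(ver, ""))
            for ver, path in lib_dirs.items()}

def demo():
    """Constructed sample (assumption: paths and bytes are made up):
    one clean install, one tampered install, one version not installed."""
    good = b"constructed clean SysConst.dcu bytes"
    baseline = hashlib.sha256(good).hexdigest()
    root = tempfile.mkdtemp()
    dirs = {}
    for ver, content in (("6.0", good), ("7.0", good + b"\x90 injected")):
        dirs[ver] = os.path.join(root, ver, "Lib")
        os.makedirs(dirs[ver])
        with open(os.path.join(dirs[ver], "SysConst.dcu"), "wb") as f:
            f.write(content)
    dirs["5.0"] = os.path.join(root, "5.0", "Lib")  # version not installed
    return audit_delphi_installs(dirs, {v: baseline for v in dirs})

if __name__ == "__main__":
    print(demo())  # {'6.0': 'clean', '7.0': 'modified', '5.0': 'missing'}
```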

Wednesday, August 19, 2009

Malware growth beyond 30 million soon, 30.000 new threats a day...

I'm back from my vacation and during the last 3 weeks a lot of things happened:
Koobface got new tricks, Twitter went down, Induc the innovative file infector (Delphi) was found and three people were indicted for stealing 130 million credit cards and other data useful in identity theft. And I was interviewed 4 times on my first working day (VTM (TV), De Morgen, etc.)... However, the more real problem comes from the ongoing threat of new malware creation. Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constant seems to be that these are growing both in number and in danger. Kaspersky Lab finds over 30.000 new samples every day. And it's not only us seeing this. AV-Test.org has also released their findings (see picture).
With more than a million new samples being seen every month, we will soon reach 30 million, depending on how you count the samples. That should clearly illustrate the scale of the malware threat. As the threat continues to grow, so will the system resources needed to protect users from it. How else can users cope with this threat growth? In my years of experience managing malware signatures, I believe that the only way to go is in the cloud, combined with some other new technologies like whitelisting and sandboxing. By using these combined technologies the security world can still cope with the large amount of malware growth while keeping good performance. You can find all these new features in the newly released Kaspersky Lab Internet Security Suite 2010.

Wednesday, July 22, 2009

Some advice about Twitter before my vacation ...

If you use Twitter for this or other purposes, you’re probably aware that the site compresses URLs posted in tweets, usually with bit.ly, as far as I can see. You’re probably well aware that compressed URLs are frequently used by malware authors et al to conceal the true URL. bit.ly addresses this problem by filtering links through Google Safe Browsing, SURBL and SpamCop, which is reassuring, but is unlikely to catch every malicious site. bit.ly also makes available a Preview Plugin for Firefox that allows users to see more information about a site before they click on it. Personally, I prefer the tinyURL.com approach, which is browser-independent. If you go to tinyURL.com, you can enable a setting that will allow you to preview the real link whenever you click on a tinyURL on that particular machine. Alternatively, the person creating a tinyURL can send a version that begins http://preview.tinyurl.com/…
I started using these a while ago, but got a couple of comments from people who didn’t want to see the redirect. However, thinking about it and given the increase in malicious compressed URLs I’ve decided to start doing it again. Not because it will eliminate the problem altogether but because it might at least make people aware that there’s a slightly safer way of doing it without telling them which browser they should be using. If you don’t like the redirect, all you have to do is paste the URL into your browser and delete the "preview." substring that comes after the "http://".
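An added example, not from the original post, of the preview idea in code: rewriting tinyurl links to their preview form, and following Location headers one hop at a time so the final destination is seen without loading it. The redirect table and the `head` callback are constructed stand-ins for real HTTP HEAD requests.

```python
import re
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def to_preview(url):
    """Rewrite a tinyurl.com link to its preview.tinyurl.com form, which
    shows the destination before redirecting. Other hosts are unchanged."""
    parts = urlsplit(url)
    if parts.netloc.lower() == "tinyurl.com":
        return urlunsplit(parts._replace(netloc="preview.tinyurl.com"))
    return url

def strip_preview(url):
    """Inverse of to_preview: drop the 'preview.' host prefix."""
    parts = urlsplit(url)
    if parts.netloc.lower() == "preview.tinyurl.com":
        return urlunsplit(parts._replace(netloc="tinyurl.com"))
    return url

def resolve(url, head, max_hops=5):
    """Follow redirects one Location header at a time without fetching any
    page body. head(url) returns the Location value or None; it is
    injected so the example runs offline. Stops on a loop or hop limit."""
    chain = []
    while url not in chain and len(chain) < max_hops:
        chain.append(url)
        nxt = head(url)
        if not nxt:
            break
        url = nxt
    return url, chain

def review_tweet(text, head):
    """For every link in a tweet return (link, preview form, final
    destination, number of redirects) so the reader can judge it first."""
    rows = []
    for url in URL_RE.findall(text):
        final, chain = resolve(url, head)
        rows.append((url, to_preview(url), final, len(chain) - 1))
    return rows

# Constructed redirect table standing in for real HEAD responses.
FAKE_LOCATIONS = {
    "http://tinyurl.com/example1": "http://bit.ly/example2",
    "http://bit.ly/example2": "http://example.net/final-page",
}

def fake_head(url):
    return FAKE_LOCATIONS.get(url)
```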

And that's not the only problem about Twitter these days:
There've been quite a few reports over the last few days about how Erin Andrews' 'naked' video is being used to spread malware, with links to infected sites being sent in spam. Now there's a new fake video codec being spread on Twitter, with lots of different hash tags being used to push the link. And one of the most popular topics is 'Erin Andrews'. Kaspersky Lab is detecting the malware as Trojan-Downloader.Win32.CodecPack.iow. It is also very good that Twitter itself is doing something about it by informing the owners of infected Twitter accounts and even temporarily disabling them; however, this only works if they know about it, and this can take some time.

I'm ready to start my vacation now for the next 3 weeks, during which I will use my Twitter account to give some updates on what I'm really doing. However, be careful and try to be safe on the social internet... it seems to me that the internet is not that social anymore, is it?

Find me at www.twitter.com/EddyWillems!
See you all within a couple of weeks, or in case of an emergency maybe earlier, you never know.