Sunday, June 21, 2009

The fight against Cybercrime.

I'm on the road again ... well, the last few weeks I was travelling to several countries and went to several events which all have to do with security. So crisis and security are definitely not connected, in my opinion. I also visited several police crime units in several countries and guess what... they don't all have the same questions or remarks. This confirms that there is (and will be) still a lot of work to be done within this environment: the fight against cybercrime is just in its baby phase but will tackle the real organised (cyber)crime in the future. Let's also hope it can tackle most of the possible cyberwar attacks too.
Next week I'm in Dubrovnik for Kaspersky's 10th Virus Analyst Summit, an internal and external conference, where we will talk about new technologies and techniques, and after that I'm back home for the launch of our new consumer products with a beautiful set and combination of new technologies in Kaspersky Lab's fight against new malware.
Watch out!

Sunday, June 07, 2009

Elections and a special week...

It will be an interesting week for me, starting with my votes for the Flemish and European Parliament, afterwards taking a plane to do some secret business (presenting) in Lyon, France ... hmmm, what will I do over there...., flying back and presenting at a Belgian security event organised by (Qcom) Van Roey, driving back to a Citrix event in Antwerp, driving the next day to Luxembourg where I will present again at a Lannews Security event in Luxembourg and ending with the Ingram Showcase in Edingen/Enghien in Belgium back home. So if you think I always have time to put something up on my blog ... no way. However, I updated my website with some interesting pictures taken during some events like the last EICAR conference and some other events. Further on: keep following me on Twitter of course!

Sunday, May 24, 2009

EICAR Conference 2009 Summary (Berlin)

The EICAR conference 2009, held at the Steigenberger Hotel in Berlin, Germany from 9th to 12th May 2009, was a great success. The hotel provided perfect conference facilities, excellent food and, due to their demonstrated flexibility in response to our short-term changing requests, contributed considerably to the success of the conference. The absolute highlight was the keynote by Fred Cohen and the discussions that followed throughout the next two days in respect to his virus definition and the negative connotation of it. The paper “Applied parallel coordinates for logs and network traffic attack analysis” written by Sebastian Tricaud and Philippe Saadé was awarded the “Best Paper Award”, an excellent decision by the conference committee. The level of the presented scientific papers as well as that of the industrial papers was excellent and very well balanced. Many more papers had been submitted but, though of good quality, some had to be rejected simply because of insufficient space on the agenda.

'Moderated by the EICAR Chairman of the Board, Rainer Fahs, panel members from AMTSO (Andrew Lee), CARO (Morton Swimmer), EICAR (Eric Filiol), and ICSALabs (Andrew Hayter) represented a broad array of stakeholders in the anti-malware field and came to the conclusion that the complexity of the issue requires close cooperation between all stakeholders since isolated developments would not be a good way ahead.' (cfr. Rainer Fahs)

During his farewell address the Chairman of the Board announced that, due to the generous offer by ESAT France, next year’s EICAR conference will be held from Saturday 8th to Tuesday 11th May 2010 in Paris at the conference facility of the Ecole Supérieure et d’Application des Transmissions (ESAT). A call for papers as well as more detailed information about our conference 2010 will be published soon.

If you want to read more about the EICAR conference please have a look at the upcoming June issue from the famous Virus Bulletin magazine. I wrote the summary.

Oh yes the picture .. from left to right: Eddy Willems (me), Fred Cohen and Eric Filiol.

Wednesday, May 06, 2009

Preparing for Kaspersky Regatta and the EICAR conference...and Twitter

Life is too short, isn't it? I've already started planning events and meetings in September and October this year and I'm trying to prepare myself for the Regatta from Kaspersky Lab Benelux tomorrow. I will post a picture from the event over here.
Friday I'm flying to Berlin to be ready for the upcoming EICAR conference in the Steigenberger Hotel. We have a terrific agenda with even Fred Cohen as a speaker at the event. You can find more at www.eicar.org and if you want to come, there are still seats available.
I'm now doing about 2 local events a week, not including my discussions with press, some large customers and international events. And that's just one part of my work.
But is my work not my hobby? Most of the time yes .. but it's a dangerous situation if you know what I mean...

And for people who didn't know it yet, you can follow me
on Twitter: www.twitter.com/EddyWillems
I'm inviting you all.

And concerning safety on Twitter... pay attention please, as I have already seen a lot of security problems related to Twitter itself.

Sunday, April 19, 2009

Kido/Conficker network fear far too exaggerated ...

While analysing Kido network behaviour, Kaspersky Lab (my colleagues) has been able to develop an application that helped to get an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24-hour observation period KL identified 200652 unique IPs participating in the network, far fewer than the initially estimated Kido infection counts. Of course we always have to be very careful naming numbers, so this count too could be not completely correct ... it shows however that it's definitely not 10 million as some sources reported before.
This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants.
You can find more at this link.

I'm getting sick from Twitter worms and Mikey Mooney...

What's up with Mikey Mooney?
He wrote a series of Twitter worms, got hired, got hacked and released yet another worm last night.
This one did extensive modifications to infected profiles; changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."
This variant downloaded additional scripts from runebash.net/xss.js .

The messages it sent were more philosophical in nature:
Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.
If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.
Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.
Age is a very high price to pay for maturity. Womp. mikeyy.
Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.
If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.
Money is not the only thing, it's everything. Womp. mikeyy.
Success is a relative term. It brings so many relatives. Womp. mikeyy.
'Your future depends on your dreams', So go to sleep. Womp. mikeyy.
God made relatives; Thank God we can choose our friends. Womp. mikeyy.
'Work fascinates me' I can look at it for hours ! Womp. mikeyy.
I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.
RT!! @spam Watch out for the Mikeyy worm (bit.ly link)
FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)
Mikeyy worm is back!!! Click here to remove it: (bit.ly link)

So in my opinion, please don't hire him but fire him!

Thursday, April 09, 2009

Conficker/Kido starts with upgrade ...

The Conficker worm has started to update infected machines with a mystery package of data. It sprang into life late on 8 April. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.
In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the older variant. The increased activity of Conficker/Kido and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.
This latest Conficker/Kido variant - Net-Worm.Win32.Kido.js (Kaspersky Lab name)- is very different to the previous ones, with some notable points: once again it’s a worm, and it’s only functional until 3rd May. Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting.
One of the files is a rogue antivirus application. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009. You can find a picture on the weblog from Kaspersky Lab.
And this is possibly not the end yet...

Wednesday, April 01, 2009

Conficker/Kido FAQ (Frequently Asked Questions)...

Kido spreads via local networks and removable storage media. It penetrates computers by exploiting the MS08-067 vulnerability in Windows systems, which Microsoft released a patch for in autumn of last year. Experts believe that a significant number of machines had still not been patched by January, when the spread of Kido was at its peak. Failure to install the patch and to use effective antivirus protection has led to an epidemic: it’s currently estimated that between 5 and 6 million computers which have Internet connectivity are infected with Kido variants.
Several factors made today’s global Kido epidemic possible – neglecting to use antivirus products and the absence of an organization which is responsible for the security of the Internet and which unites and coordinates the efforts of governments and IT security experts.
Epidemics of a similar scale have happened in the past. However, the malicious programs which caused these epidemics did not have the extensive capability which Kido has to evade detection and prevent the disinfection of infected machines.
The third version of Kido is currently spreading on the Internet. This program implements the most sophisticated technologies used by malware authors – it downloads updates for itself from site addresses which are constantly changing; it uses local networks as an additional channel for updates; it uses strong encryption to protect itself; it has sophisticated mechanisms for disabling security services etc.
The third version of Kido updates itself by downloading code from 500 domains. These are chosen from a pool of 50,000 domains which is generated daily. The 500 domains are selected at random and this, together with the large number of domains, makes it extremely difficult to monitor the domains used by the malicious program.
Because of this, Kido could become the most powerful cybercriminal tool in the history of the Internet, one which is highly resistant to being blocked. The gigantic botnet created by the authors of Kido gives cybercriminals the ability to conduct extremely powerful DDoS attacks on any Internet resource, to steal confidential data from infected machines and to spread unwanted content (i.e. huge spam mailings).
In March there were mass updates to older versions of this malicious program. On 1st April 2009 the Kido botnet will use the approach above to start receiving commands from its creators from 50,000 domains a day; what action the cybercriminals will take subsequently is difficult to predict.
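To put a number on why a random pick from a large daily pool is hard to monitor, here is an added example (my own code, not from the original post or from Kaspersky Lab) for the 500-of-50,000 scheme described above: it computes, exactly and by simulation, the probability that at least one of a bot's daily domains lands in a set of domains a defender has registered or sinkholed, and how many such domains a given daily coverage would need. The pool size, pick size and daily regeneration come from the text; the assumption that the 500 are drawn uniformly without replacement is mine.

```python
from math import comb
import random

POOL_SIZE = 50_000   # candidate domains generated per day (from the post)
DAILY_PICK = 500     # domains an infected machine contacts per day (from the post)


def hit_probability(sinkholed: int, pool: int = POOL_SIZE, picked: int = DAILY_PICK) -> float:
    """Exact probability that at least one of `picked` domains, drawn uniformly
    without replacement from `pool`, lies in a defender-controlled set of size
    `sinkholed` (hypergeometric tail, computed with exact integers)."""
    if sinkholed <= 0:
        return 0.0
    if sinkholed >= pool:
        return 1.0
    # P(no overlap) = C(pool - sinkholed, picked) / C(pool, picked)
    no_hit = comb(pool - sinkholed, picked) / comb(pool, picked)
    return 1.0 - no_hit


def domains_needed(target: float, pool: int = POOL_SIZE, picked: int = DAILY_PICK) -> int:
    """Smallest defender-controlled set reaching `target` hit probability on
    one day; binary search works because hit_probability is monotone in size."""
    lo, hi = 0, pool
    while lo < hi:
        mid = (lo + hi) // 2
        if hit_probability(mid, pool, picked) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def simulate_hits(sinkholed: int, days: int, seed: int = 1,
                  pool: int = POOL_SIZE, picked: int = DAILY_PICK) -> float:
    """Monte Carlo cross-check: fraction of simulated days on which the bot's
    random pick touched the defender's set. The pool is regenerated daily, so
    a fresh sample is drawn for each day (constructed data, labels 0..pool-1)."""
    rng = random.Random(seed)
    defended = set(range(sinkholed))  # which labels are defended is irrelevant under a uniform pick
    hits = 0
    for _ in range(days):
        chosen = rng.sample(range(pool), picked)
        if any(d in defended for d in chosen):
            hits += 1
    return hits / days


if __name__ == "__main__":
    for k in (10, 50, 100, 500, 1000):
        print(f"{k:5d} defender domains -> daily hit probability {hit_probability(k):.4f}")
    print("domains for 50% daily coverage:", domains_needed(0.5))
    print("domains for 99% daily coverage:", domains_needed(0.99))
    print("simulated, 500 defender domains over 200 days:", simulate_hits(500, 200))
```

The exact figure shows the cost from the defender's side: about one percent of the daily pool must be controlled to see a given bot with near certainty on a given day, and that effort repeats every day because the pool changes.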

Kaspersky Lab products successfully prevent all versions of Kido from penetrating users’ computers. Recommendations on how to delete the malicious program are available on the Kaspersky Lab technical support site.

Also available:
FAQ of the Kido virus
Audiofragment on the VRT radio about Kido virus (Only in Dutch)
Kaspersky evangelist Eddy Willems at NOS radio news (Dutch only)

We are constantly monitoring the situation.
All press and media will be updated as soon as we have more info.
But I personally think that we will not see too much activity today (April 1); this can of course change at any time, and definitely at any time after April 1...

BTW I'm using Twitter.