<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-8234450</id><updated>2008-09-28T18:24:14.812+02:00</updated><title type='text'>WAVCi</title><subtitle type='html'>This is the original Eddy Willems WeBlog which is dedicated to my Anti-Virus work and research, my family, friends and colleagues all over the world. I try to give you a different general look at the Anti-Virus and Security world! This Blog is not reflecting the ideas of Kaspersky Lab nor EICAR nor my former employers. You can find my full website at www.wavci.com or www.anti-malware.info .</subtitle><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default?start-index=26&amp;max-results=25'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.anti-malware.info/weblog/atom.xml'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>404</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8234450.post-6365876145806480947</id><published>2008-09-28T18:15:00.002+02:00</published><updated>2008-09-28T18:24:14.823+02:00</updated><title type='text'>On my way to the VB conference ...</title><content type='html'>Indeed I'm on my way to the VB conference in Ottawa, Canada. WOW ... This is my number 13 of all the Virus Bulletin conferences. 
I've been attending since 1996 (Brighton, UK) and I can assure you that this is the best conference if you are in the anti-malware industry. You can find more from the conference itself at the &lt;a href="http://www.virusbtn.com"&gt;VB website&lt;/a&gt;. As always I will post some pictures over here afterwards or during the conference. And BTW if you're not there, you're either sick or dead or you just don't belong to that part of the industry. It's as simple as that!   ;-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6365876145806480947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6365876145806480947'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/09/on-my-way-to-vb-conference.html' title='On my way to the VB conference ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1590328490634295314</id><published>2008-09-23T19:43:00.005+02:00</published><updated>2008-09-23T20:10:41.532+02:00</updated><title type='text'>GeenStijl and GeenCommentaar: 0/10 ..Unethical in every aspect!</title><content type='html'>It's been a bit of a bumpy ride on the Dutch part of the internet over the last couple of days. One blog - www.geencommentaar.nl - decided to set up something I like to call a 'web 2.0 honeypot' in the form of a petition. The idea behind this was to attract the attention of the biggest blog in the Netherlands - www.geenstijl.nl - and get GeenStijl readers to comment. GeenCommentaar logged the IP addresses of users who made offensive comments on the blog and created a database. (A lot of the offensive comments came from GeenStijl users). Other bloggers could then check the database to see if a particular IP address had been tagged as offensive. 
Supposedly the idea behind this was to make life easy for other site/ blog owners, by offering an automatic way to filter out (probably) unwanted comments/ content. When GeenStijl realized what was happening, they responded with a vengeance by adding a piece of Javascript to their page. This meant when anyone visited the GeenStijl site, a random IP address was generated, and the GeenCommentaar database would be queried to see if the IP address had been tagged as offensive. All of this was done automatically and without visitors to the site knowing anything about it. &lt;br /&gt;The result? GeenCommentaar's server couldn't handle the load; as well as GeenCommentaar getting hit, some other sites running on the same server were overloaded. In addition to the obvious ethical objections, both the parties involved are breaking the law. &lt;br /&gt;BTW Kaspersky Lab added detection for this DDoS script as Trojan-Clicker.JS.Small.p .&lt;br /&gt;&lt;br /&gt;If you want to read more about it &lt;br /&gt;please look at my colleague Roel's comment at &lt;br /&gt;&lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187571"&gt;Kaspersky Virus Analyst's Diary&lt;/a&gt; &lt;br /&gt;or read my own comments in Dutch at &lt;a href="http://webwereld.nl/articles/52845/-pestscript-van-geenstijl-is-malware-.html"&gt;webwereld.nl&lt;/a&gt;&lt;br /&gt;A lot of people seem not to think anymore about what is good or bad on the internet. They just act and play like 'criminal' children without notice! Unbelievable! &lt;br /&gt;Well ... 
at least their names are well chosen: no comment with no style.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1590328490634295314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1590328490634295314'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/09/geenstijl-and-geencommentaar-010.html' title='GeenStijl and GeenCommentaar: 0/10 ..Unethical in every aspect!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2880031912598933280</id><published>2008-09-21T17:38:00.002+02:00</published><updated>2008-09-21T17:48:58.299+02:00</updated><title type='text'>Back from Govcert.nl 2008</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/17092008-091130IMG1539-776267.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/17092008-091130IMG1539-776263.JPG" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from the Govcert.nl Symposium 2008 in Rotterdam. It's very interesting to watch how much money the Government of the Netherlands can invest in such kind of events. Most other events are heavily sponsored to make such events possible ... Congrats to Govcert.nl and very well done however if you are a real pro or an anti-virus/malware insider it was not that inspiring. I loved however the key note speeches and especially the 'no press allowed' presentation of the arrests made by the joint efforts of the NHCU and FBI. The case which you can find more background of in my former postings (see August) and which I was also involved in. 
You still can find the full programme details at &lt;a href="http://www.govcert.nl/symposium "&gt;http://www.govcert.nl/symposium &lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2880031912598933280'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2880031912598933280'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/09/back-from-govcertnl-2008.html' title='Back from Govcert.nl 2008'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5093319320027998197</id><published>2008-09-07T16:09:00.003+02:00</published><updated>2008-09-07T16:30:49.548+02:00</updated><title type='text'>Goodie Security Picture of the Month</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/norton360-744094.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/norton360-744069.JPG" border="0" alt="" /&gt;&lt;/a&gt;Busy weeks for me ... yes a lot of business and a lot of events to attend to that's what was happening the past weeks. From now I will post a picture from all these events on my blog. Last week we got two nice launching events for our Kaspersky Hosted Security Solution in the Netherlands and Belgium organised by 2 of our distributors. The week before I attended a BBQ event at Copaco Belgium. This week I will attend and speak at the L-Sec Security Conference on Friday. You can have a look at the other speakers on their website at &lt;a href="http://www.lsec.be"&gt;http://www.lsec.be&lt;/a&gt; . I will present: 'A Virus Analyst in 15 Minutes?' 
&lt;br /&gt;&lt;br /&gt;Further on, I was cleaning up my attic a little bit, where I found a lot of old and newer security goodies (the free give-aways at conferences). So from now on I am going to use the good ones after I threw away some other rubbish. For this job I got the wonderful help from a Symantec display box. On the picture you can see how you could use it in a creative way.   ;-)   &lt;br /&gt;BTW It's just coincidence that I used a Symantec 'box' for it. &lt;br /&gt;Other display boxes are also quite good.&lt;br /&gt;This time this picture becomes the Security Goodie of the month!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5093319320027998197'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5093319320027998197'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/09/goodie-security-picture-of-month.html' title='Goodie Security Picture of the Month'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-591749003623161079</id><published>2008-08-13T15:06:00.002+02:00</published><updated>2008-08-13T15:09:07.869+02:00</updated><title type='text'>Kaspersky Lab helps Dutch police dismantle Shadow botnet.</title><content type='html'>FYI: This was the press release which I spoke about in my former blog posting.&lt;br /&gt;&lt;br /&gt;The Dutch High Tech Crime Unit identified a large botnet when they arrested a 19-year-old Dutch man last week. The Unit asked Kaspersky Lab, a leading developer of secure content management solutions, to provide the victims with instructions on how to neutralize the malware on their systems; neutralizing the malware ultimately brings down the botnet. 
This is an excellent example of the close co-operation which exists between the antivirus industry and law enforcement.&lt;br /&gt;&lt;br /&gt;At the request of the Dutch police, Kaspersky Lab created detailed instructions on how to remove the malware. The Dutch police have pointed victims towards a page on the Kaspersky Lab website which contains the removal instructions, and also to a website which gives victims the opportunity to make a formal complaint to the police. Eddy Willems, Security Evangelist with Kaspersky Lab Benelux, who worked closely with the High Tech Crime Unit, believes this case clearly illustrates how the security industry can help law enforcement in the fight against cybercrime.  A spokesperson for the Public Prosecution Service agrees: “The Public Prosecution Service and the police worked together with Kaspersky Lab on this case with full contentment”. &lt;br /&gt;&lt;br /&gt;The so-called Shadow botnet is made up of around 100,000 infected machines from all over the world. A botnet is a collection of computers infected with malware which are then linked into a network. The infected machines can be controlled remotely (without their owners' knowledge or consent) and used by criminals to send spam, attack websites, or steal confidential data such as credit card numbers.&lt;br /&gt;&lt;br /&gt;Last week the Dutch police arrested a 19 year old Dutch man for selling this botnet to a Brazilian who was also arrested. The arrests were the result of an operation conducted by the High Tech Crime Unit and the FBI.&lt;br /&gt;&lt;br /&gt;If you think you're a victim&lt;br /&gt;If you think your computer is part of the botnet, please follow the removal instructions at www.kaspersky.com/shadowbot. However, the removal instructions only apply to the malware which has been used to create the botnet.  Eddy Willems warns: “These programs may have downloaded additional malware to computers which were part of the botnet. 
So users should make sure they perform a full scan of their machine using an up-to-date antivirus solution." If you have Kaspersky® Internet Security or Kaspersky® Anti-Virus running on your computer, you do not need to follow the instructions, as the software will automatically detect and delete the malware.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/591749003623161079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/591749003623161079'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/08/kaspersky-lab-helps-dutch-police.html' title='Kaspersky Lab helps Dutch police dismantle Shadow botnet.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7486164331193142178</id><published>2008-08-13T14:49:00.003+02:00</published><updated>2008-08-13T15:05:42.024+02:00</updated><title type='text'>I'm back!</title><content type='html'>Is Eddy Willems dead? How can we reach Eddy?&lt;br /&gt;Several people sent me some emails because they were worried about what happened to Eddy.... he's not blogging anymore.&lt;br /&gt;Well there are some good reasons why you didn't hear from me ...&lt;br /&gt;First of all I was terribly sick with fever sometimes higher than 39,5 C. A duo biological Salmonella bacteria infected me seriously and I was out for several weeks. And it was also very bad timing: it just happened before the main Kaspersky event of the year! This was possibly the first conference or event I've missed in 20 years' time.&lt;br /&gt;However I recovered quite well and just afterwards my vacation period was popping up meaning ... no worries, no calls, no media. That's possibly what you think. 
&lt;br /&gt;You are of course wrong because I even did a few interviews and two television interviews during my vacation.&lt;br /&gt;Both of them can be viewed at my press page from my site.&lt;br /&gt;&lt;br /&gt;Starting from today I'm starting blogging again and there is more reason than you think .. a lot of things already happened, going from a Kaspersky press release together with the National High Tech Crime Unit of the Dutch police to the bizarre race-to-zero creation and test case!&lt;br /&gt;A case I already spoke about to the press some months ago.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7486164331193142178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7486164331193142178'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/08/im-back.html' title='I&apos;m back!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8607873776624718121</id><published>2008-06-25T17:40:00.003+02:00</published><updated>2008-06-25T17:50:51.206+02:00</updated><title type='text'>Kaspersky Lab Benelux goes sailing ...</title><content type='html'>More or less without words ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta1-717229.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta1-717201.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Each distributor got their own boat and there was a race between them ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta2-798689.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" 
src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta2-798685.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;And DCB, our new Belgian distributor, won the race!&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta3-731881.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta3-731877.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;BTW I was part of the 'press boat' and took all these pictures.&lt;br /&gt;   ;-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8607873776624718121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8607873776624718121'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/kaspersky-lab-benelux-goes-sailing.html' title='Kaspersky Lab Benelux goes sailing ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7597631163798235587</id><published>2008-06-15T16:47:00.002+02:00</published><updated>2008-06-15T17:08:04.662+02:00</updated><title type='text'>GPCode.ak solution in another way ...</title><content type='html'>Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition. When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted data from the original file data to this new file, and then deletes the original file. It's known that it is possible to restore a deleted file as long as the data on disk has not been significantly modified. 
This is why, right from the beginning, we recommended users not to reboot their computers, but to contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode. Please have a look at the blog's posting from my colleague Vitaly at Kaspersky's &lt;a href="http://www.viruslist.com/en/weblog"&gt;Viruslist&lt;/a&gt; Blog from 13 June 2008.&lt;br /&gt;Kaspersky got a lot of comments and criticism even from respected and known security people like &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;, &lt;a href="http://forum.kaspersky.com/index.php?showtopic=71734&amp;hl=vesselin"&gt;Vesselin Bontchev&lt;/a&gt; and others but what none of them were looking at was the easy solution: just try to recover the files before they were encrypted. I fully agree with them that searching for the decryption key using brute-force computing power would be very unrealistic but still, I like at least the idea of an international cooperation between a lot of security companies ... maybe it's 'insecure' thinking from myself if you know what I mean.    
;-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7597631163798235587'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7597631163798235587'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/gpcodeak-solution-in-another-way.html' title='GPCode.ak solution in another way ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8686795217214352289</id><published>2008-06-15T15:17:00.003+02:00</published><updated>2008-06-15T15:25:52.182+02:00</updated><title type='text'>Typosquatting in Belgium on the rise.</title><content type='html'>Typosquatting, also called URL hijacking, is a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter.&lt;br /&gt;It seems that typosquatting has more or less been on the rise over the last few years here in Belgium. I was interviewed yesterday and made it into the news at 13 and 19 o'clock at VTM, a known Belgian TV station. 
You can have a look at the recorded broadcast at my &lt;a href="http://www.anti-malware.info/press.htm"&gt;press page&lt;/a&gt; or via &lt;a href="http://www.wavci.com/media08/20080614_hn13_vtm.wmv"&gt;my direct link&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8686795217214352289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8686795217214352289'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/typosquatting-in-belgium-on-rise.html' title='Typosquatting in Belgium on the rise.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-7679805036436156216</id><published>2008-06-12T09:58:00.002+02:00</published><updated>2008-06-12T10:10:33.944+02:00</updated><title type='text'>China hacking into US computers more realistic than China attacking Belgium!</title><content type='html'>You could read the following on the net just a few hours ago: Multiple congressional computers have been hacked by people working from inside China, lawmakers said Wednesday, suggesting the Chinese were seeking lists of dissidents. You can find more at &lt;br /&gt;&lt;a href="http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking"&gt;http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking&lt;/a&gt;&lt;br /&gt;This attack is much more realistic as a targeted attack and has much more evidence behind it, compared to what our government was saying a month ago. 
I blogged about it on the 2nd of May at:&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html"&gt;http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html&lt;/a&gt;&lt;br /&gt;I'm nearly 100% sure that the Belgian version was not orchestrated and that everything was just a coincidence of a lot of spammed malware to some of the governmental computers. I'm still not happy with what some of the members from our government told the public at that moment.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7679805036436156216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/7679805036436156216'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/china-hacking-into-us-computers-more.html' title='China hacking into US computers more realistic than China attacking Belgium!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6684428009822783749</id><published>2008-06-10T11:57:00.003+02:00</published><updated>2008-06-10T12:15:50.853+02:00</updated><title type='text'>Assistance needed for cracking GPCode.ak ...</title><content type='html'>Our office just launched the following press release following the recent problems with a new GPCode variant. See more at &lt;a href="http://www.viruslist.com"&gt;www.viruslist.com&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;"Kaspersky Lab announces Stop Gpcode, an international initiative against the blackmailing virus Gpcode which emerged last week. &lt;br /&gt;The objective of the initiative is to factor (‘crack’) the RSA-1024 key used in Virus.Win32.Gpcode.ak – the latest version of the dangerous Gpcode blackmailer virus. 
The signature for Virus.Win32.Gpcode.ak was added to Kaspersky Lab antivirus databases on June 4, 2008. &lt;br /&gt;Kaspersky Lab invites all cryptography experts, as well as governmental and research institutions, other antivirus vendors and independent researchers to join the efforts to solve this problem. The company is prepared to provide any additional information at its disposal and is open to dialog with all experts wishing to participate in the Stop Gpcode initiative. &lt;br /&gt;To coordinate the activity of all participants of the initiative, a special &lt;a href="http://forum.kaspersky.com/index.php?showforum=90."&gt;Stop Gpcode&lt;/a&gt; forum has been created. "This is the first time in security history that such an initiative is appearing. Let us hope that this could become a good example of perfect international cooperation. However we must not overestimate this possible solution: a backup in combination with optimal security and good malware protection is still the best solution for a lot of problems, also in the future," says Eddy Willems, Security Evangelist at Kaspersky Lab Benelux.&lt;br /&gt;Virus.Win32.Gpcode.ak &lt;br /&gt;Gpcode.ak encrypts files with different extensions by using an RSA encryption algorithm with a 1024-bit key. After encrypting, the virus changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.&lt;br /&gt;The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660. The task of ‘cracking’ the RSA-1024 key is an extremely complicated cryptographic problem. 
Eddy Willems confirms this: “To crack the key at least 15 million computers have to be running for one year.”"&lt;br /&gt;&lt;br /&gt;Of course it's clear that this is just an interesting initiative and I really hope it could be realistic in the near future, but of course it's not as easy as it seems. &lt;br /&gt;Nevertheless such initiatives haven't been seen in the past and I think it's time that vendors could work together in a better way than before, but isn't that another, harder question? Could this be even more unrealistic? What do you think?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6684428009822783749'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6684428009822783749'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/assistance-needed-for-cracking-gpcodeak.html' title='Assistance needed for cracking GPCode.ak ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5233792523138445356</id><published>2008-06-01T15:00:00.002+02:00</published><updated>2008-06-01T15:09:26.425+02:00</updated><title type='text'>Kaspersky Lab Benelux 5 years old!</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/30052008-181533IMG1317-797094.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/30052008-181533IMG1317-797086.JPG" border="0" alt="" /&gt;&lt;/a&gt;This weekend we celebrated our fifth 'local office Kaspersky Lab' anniversary with a sleepover in a nice hotel in Valkenburg near Maastricht (NL). 
If you look at the picture you can find all employees including me on the picture, which was given to our COO Dick Gehéniau.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5233792523138445356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5233792523138445356'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/kaspersky-lab-benelux-5-years-old.html' title='Kaspersky Lab Benelux 5 years old!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5916956210215989830</id><published>2008-06-01T14:06:00.002+02:00</published><updated>2008-06-01T14:16:02.905+02:00</updated><title type='text'>May 2008: Web site compromises record month!</title><content type='html'>Here are the highlights of the notable Web site compromises I have seen in the past month:&lt;br /&gt;&lt;br /&gt;May 2 - One Year Later, Italian Job Still Working Overtime&lt;br /&gt;&lt;br /&gt;It’s been a year since the infamous Italian Job attack of 2007. And in an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider—the same one that hosted the thousands in last year’s large-scale attack. &lt;br /&gt;&lt;br /&gt;May 7 - A Very Convoluted Chinese Gaming-Info-Stealing Campaign&lt;br /&gt;&lt;br /&gt;Web sites numbering approximately 9,000 were compromised via SQL injection with embedded malicious JavaScript redirecting users to two major malicious URLs. Among these Web sites were legitimate medical, educational, government, and entertainment sites from around the world.&lt;br /&gt;&lt;br /&gt;A survey of the site locations includes India, UK, Canada, France, and China. 
This observation suggests the attack is the work of an automated Chinese hacktool programmed to search through Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.&lt;br /&gt;&lt;br /&gt;May 10 - More of The Same: Another Half Million Web Sites Compromised&lt;br /&gt;&lt;br /&gt;Meanwhile, a malicious script was injected into half a million Web sites believed to be either using poorly implemented or older exploitable versions of phpBB. This event involved a ZLOB Trojan among others that changes an affected system’s local DNS and Internet browser settings.&lt;br /&gt;&lt;br /&gt;May 19 - Chinese Weekend Compromise&lt;br /&gt;&lt;br /&gt;Chinese-language Web sites were targeted in an attack that was meant specifically against China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.&lt;br /&gt;&lt;br /&gt;May 19 - More Weekend Compromises Reach Other Shores&lt;br /&gt;&lt;br /&gt;Another string of Web site compromises was discovered the following week, involving at least four (4) Web sites of various affiliations and different countries. These were injected with a malicious JavaScript that redirects to two sites. Both eventually lead to their own series of redirections, and finally the download and execution of malware: a backdoor and Trojan, respectively.&lt;br /&gt;&lt;br /&gt;May 21 - It’s Not Over: Asian Sites Injected with Nasty Code&lt;br /&gt;&lt;br /&gt;Two days later, hundreds of thousands of Web sites were again found compromised and inserted with malicious JavaScript code, some of which are sites from the APAC region. Hackers have apparently conducted another massive SQL injection attack. 
A Google search for the malicious URL turned up 197,000 results.&lt;br /&gt;&lt;br /&gt;May 22 - Malicious Domains Found in Compromised Japanese Sites&lt;br /&gt;&lt;br /&gt;The next day, several Web sites in Japan — including a popular music download site and a music company site — were found injected with malicious code.&lt;br /&gt;&lt;br /&gt;These are the hard facts, and these developments tell us that there could indeed be a trend: cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think); it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.&lt;br /&gt;&lt;br /&gt;And I'm not even talking about the thousands of other websites which were defaced in nearly every country of the world, even in Belgium (e.g. the VTM Broadcast site) ... it's definitely not a good sign or trend. &lt;br /&gt;&lt;br /&gt;A lot of XSS methods seem to be used as well in those and in a lot of other compromises.&lt;br /&gt;&lt;br /&gt;XSS has been around for a long time; it has neither become less of an attractive attack method, nor has a fool-proof solution against it been properly formulated.&lt;br /&gt;XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing the attacker to have complete control over the victim’s session and to (in effect) take over the account &amp; hijack the HTTP session.&lt;br /&gt;XSS attacks may also include redirecting the user to some other page or website, and modifying the content of an HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? 
One can only guess, because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.&lt;br /&gt;An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There is an unaccounted number of variations of these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBScript, Flash, and more.&lt;br /&gt;XSS issues can and do exist in the underlying Web and application servers too. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, there are even greater chances that they are vulnerable to an XSS attack.&lt;br /&gt;The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. 
Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of us don’t have).</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5916956210215989830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5916956210215989830'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/06/may-2008-web-site-compromises-record.html' title='May 2008: Web site compromises record month!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3016697770745113581</id><published>2008-05-20T18:57:00.002+02:00</published><updated>2008-05-20T19:04:43.000+02:00</updated><title type='text'>Back from EICAR ...</title><content type='html'>I've been back from EICAR for a week now and it seems that I'm so terribly busy that I could not do a nice writeup about the EICAR conference ... well, be patient and have a look at the Virus Bulletin magazine June issue, where I will publish a conference report. Just at this moment my Belgian friend and blogger Didier Stevens was blogging about our EICAR test file. He really likes to play with it in a lot of ways. Now he seems to be publishing a PDF document with an embedded EICAR test file (eicar.txt). This PDF document also has an annotation with a JavaScript action linked to it. Clicking the annotation will export the embedded eicar.txt file to a temporary folder and launch the default editor for .txt files. &lt;br /&gt;eicar.pdf contains only ASCII characters, so you can use Notepad to see what he did. He also asks you to guess what he did... 
read more at&lt;br /&gt;&lt;a href="http://blog.didierstevens.com/2008/05/20/quickpost-eicarpdf/"&gt;http://blog.didierstevens.com/2008/05/20/quickpost-eicarpdf/&lt;/a&gt; .</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3016697770745113581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3016697770745113581'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/05/back-from-eicar.html' title='Back from EICAR ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-996428601102789248</id><published>2008-05-05T18:17:00.002+02:00</published><updated>2008-05-05T18:25:59.394+02:00</updated><title type='text'>EICAR 2008, Laval, France: A success!</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/laval_kl-758337.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/laval_kl-758328.jpg" border="0" alt="" /&gt;&lt;/a&gt; Our first day of the EICAR conference at Laval is nearly finished, we got a lot of attendees, terrific papers and good food. Well we are in France, isn't it. People who thought that this conference was not going to happen were wrong. If you're not here at this moment, you miss a lot! I will try to do a writeup of this conference very shortly, I hope. 
I'm now ready to go to our gala dinner at the nice old castle which you can see in the picture.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/996428601102789248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/996428601102789248'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/05/eicar-2008-laval-france-success.html' title='EICAR 2008, Laval, France: A success!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-1309982427602111610</id><published>2008-05-02T10:19:00.006+02:00</published><updated>2008-05-02T11:34:56.831+02:00</updated><title type='text'>China attacking Belgium ??</title><content type='html'>I was disturbed by a message on the radio this morning, being back in Belgium for just one day to get ready for our EICAR conference in France. I heard several newspapers referring to possible cyberattacks coming from China against some Belgian governmental institutions. Hmmmm, is this real? Why state this to the public just now?&lt;br /&gt;So a lot of rumour on the radio and in the newspapers (De Tijd, GVA), but the statements I've heard from our Minister Jo Vandeurzen (Ministry of Justice, CD&amp;V) are the exact things, even the exact words, I've said to some personal friends in the past...&lt;br /&gt;But is it true? Well, there is one thing for sure: I'm seeing a lot more malware coming from China compared to one year ago, but stating that we are under attack is over the top. Of course this needs an investigation. But is there no continuing investigation going on all the time by the AV industry? What do you think? We just let everything pass without doing anything... 
of course not: every AV company has its own research and indeed we see an ongoing growth of this kind of malware. Can we speak about a targeted attack on Belgium or some other countries? I don't think so, well at least not at this moment as I write this blog, and above all it's very difficult to pinpoint and state that this is coming from China, as tracking down such kinds of malware and attacks is harder than you think. &lt;br /&gt;I'm not saying that we don't have to be careful and that we don't have to do some research about these things, of course not, I'm even helping in such kinds of investigations in the AV industry. &lt;br /&gt;I'm still wondering why this came up just at this moment. Could it have something to do with the strange (read: bad) situation of our government at this moment? Maybe CD&amp;V wanted to come up with some different subject to conceal the real problems of the Belgian government at this moment? &lt;br /&gt;I don't know, I'm not a politician, I'm an anti-malware expert. At least the real problem, more malware coming from China, is not new to me and is a real threat today!&lt;br /&gt;And also Belgium could be very interesting for some foreign countries as we have a lot of interesting parties having their office in Belgium: European Commission, NATO, etc ... 
so could that be the real reason for the possible attacks?&lt;br /&gt;&lt;br /&gt;While writing this blog, VRT Radio magazine 'Vandaag' called me about this and will do a live interview with me on Radio 1 after 17:00 today.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1309982427602111610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/1309982427602111610'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/05/china-attacking-belgium.html' title='China attacking Belgium ??'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-2370918270998352541</id><published>2008-04-28T13:46:00.005+02:00</published><updated>2008-04-28T18:33:41.618+02:00</updated><title type='text'>Another viruswriting contest ... oh no, not again!</title><content type='html'>There will be a new contest at the Defcon hacker conference this August: called Race-to-Zero, the contest will invite Defcon hackers to find new ways of beating antivirus software. Contestants will get some sample virus code that they must modify and try to sneak past the antivirus products. Awards will be given for "Most elegant obfuscation", "Dirtiest hack of an obfuscation", "Comedy value" and "Most deserving of beer"... The contest was announced Friday. The contest organizers say that they're trying to help computer users understand just how much effort is required to skirt antivirus products. The Race-to-Zero sponsors hope to present the contest results during Defcon. The contest is not organized by Defcon, but is one of the unofficial events that the show's organizers have encouraged attendees to arrange. Defcon runs Aug. 8 to Aug. 
10 at the Riviera Hotel &amp; Casino in Las Vegas.&lt;br /&gt;In my opinion this is very unethical; it's like creating new samples of a biological virus, and that's something you also try not to do, isn't it? And actually, encouraging people to do this as a contest is really over the top. It's also encouraging people all over the world to create or even change viruses! It's all in the (wrong) mindset of a lot of people these days! Let's hope we can still educate and 'evangelise' people in the good direction, otherwise the future could be much worse than we think. I predict that a lot of AV and security vendors will have a lot of comment on this topic during the next weeks!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2370918270998352541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/2370918270998352541'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/04/another-viruswriting-contest-oh-no-not.html' title='Another viruswriting contest ... oh no, not again!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-3076602122651160420</id><published>2008-04-27T13:42:00.002+02:00</published><updated>2008-04-27T13:50:38.489+02:00</updated><title type='text'>Preparing for the EICAR conference 2008 in Laval, France</title><content type='html'>I'm preparing myself to go to the EICAR conference this year; however, just before it, I will have a stop at the AMTSO meeting in Amsterdam (Netherlands). 
You can find more info about both conferences or organisations at &lt;a href="http://www.eicar.org"&gt;http://www.eicar.org&lt;/a&gt; and &lt;a href="http://www.amtso.org"&gt;http://www.amtso.org&lt;/a&gt; &lt;br /&gt;Let's hope that we get interesting results at the AMTSO meeting, where the industry wants to improve the malware tests. &lt;br /&gt;I also heard a lot of gossip about our nice EICAR conference. Will it go on or not this year, was for instance one of the questions... well, I can assure you ... it will go on, and the place seems to be more beautiful than everybody thinks at this moment.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3076602122651160420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/3076602122651160420'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/04/preparing-for-eicar-conference-2008-in.html' title='Preparing for the EICAR conference 2008 in Laval, France'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-8296706093239069312</id><published>2008-04-27T13:38:00.004+02:00</published><updated>2008-04-27T20:35:38.950+02:00</updated><title type='text'>The most secure table at the Data News Award Gala 2008.</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/datanews2008-765533.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/datanews2008-765530.jpg" border="0" alt="" /&gt;&lt;/a&gt; Last Thursday I was at the Data News Awards Gala event. About 13 awards were given to the most innovative or interesting companies of the past year. 
During the breaks we listened to some nice live music from Sophie or Gunther Neefs. CISCO got the award for the best security company of the year. It's stupid that there was no award for the most secure table. That should have been our table ... we had us (Kaspersky Lab), Apple and Guy Kindermans, the security journalist from DataNews, at our table. You can find more at the &lt;a href="http://www.datanews.be"&gt;Data News website&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8296706093239069312'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/8296706093239069312'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/04/most-secure-table-at-data-news-award.html' title='The most secure table at the Data News Award Gala 2008.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5952191343444052892</id><published>2008-04-09T20:23:00.005+02:00</published><updated>2008-04-09T20:35:17.009+02:00</updated><title type='text'>'Kraken' exaggerated but beware of the Storm codec ...</title><content type='html'>There's recently been quite a lot written about a botnet of spam trojans named Kraken.&lt;br /&gt;There've been some claims that the botnet is the biggest currently out there, massing over 400,000 infected computers. Most AV vendors in the industry have been wondering about the numbers, which seem to be exaggerated when taking a look at received samples. Is it because of the “arrival” of Kraken, which, following in the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? 
Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec. Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business again. Several sites offer what looks like a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, meaning users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on these sites, users are required to download the so-called Storm Codec in order to view the said video.... Correct: the codec is called Storm Codec.&lt;br /&gt;Users are advised to be wary when visiting Web sites or blogs, especially those that require installation or execution of files. Video files — especially those posted online — almost always do not require video codecs anymore ... but do you think that any user knows this?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5952191343444052892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5952191343444052892'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/04/kraken-exagerated-but-beware-of-storm.html' title='&apos;Kraken&apos; exagerated but beware of the Storm codec ...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6339714657574011970</id><published>2008-04-06T11:55:00.005+02:00</published><updated>2008-04-06T12:20:05.472+02:00</updated><title type='text'>Polinka Banking Trojan and my Russian Moscow visit...</title><content type='html'>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/polinka-767571.gif"&gt;&lt;img style="float:left; margin:0 
10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/polinka-767557.gif" border="0" alt="" /&gt;&lt;/a&gt; There's been a banking trojan spam run in four European countries this weekend. One of the targeted countries seems to be The Netherlands. The mails claim to be from a nice-looking Russian student girl looking for a sex partner or just a friend. The mail urges the recipient to check her photos at a site called livejournalhelper.cn (in China). Unfortunately, the site only has thumbnails of Ms. Polinka's pictures; when you try to view them in a larger size you get an error message about a missing plug-in which you'd need to see the pictures. The plug-in is a man-in-the-middle banking trojan...&lt;br /&gt;&lt;br /&gt;Oh yes, talking about Russia ... some people asked me to put a link on my site to the Russian TV interview with RBK TV for their Cnews magazine during my lecture at the Moscow CSO Security Summit. So it's up now and you can find it over &lt;a href="http://www.wavci.com/media08/cnewsrbktv1april2008.wmv"&gt;here&lt;/a&gt; or at my press page. 
There were several interesting speakers like Eugene Kaspersky (my boss) from Kaspersky Lab and Mikko Hyppönen from F-Secure.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6339714657574011970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6339714657574011970'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/04/polinka-banking-trojan-and-my-russian.html' title='Polinka Banking Trojan and my Russian Moscow visit...'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5645262305642687760</id><published>2008-03-30T14:08:00.007+02:00</published><updated>2008-03-30T14:41:19.846+02:00</updated><title type='text'>Pictures ... Infosecurity BE and CSO Summit Moscow 2008</title><content type='html'>Some people asked me to show the pictures from the past&lt;br /&gt;Infosecurity fair in Belgium which was a success BTW...&lt;br /&gt;&lt;br /&gt;Jean-Marie Pfaff and Eddy Willems (me)&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/infosec0801-799460.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/infosec0801-799453.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br&gt;&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/infosec0803-784512.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/infosec0803-784505.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;My ex-NOXS-Westcon Security colleagues ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/infosec0802-748618.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 
0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/infosec0802-748605.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And like I told you in one of my former blogs, I have just returned from a trip to Moscow and Munich where I gave a lecture (see www.fort-ross.ru) about the new trends in Security. &lt;a href="http://www.rbctv.ru/archive/index.shtml?prog=cnews_tech"&gt;RBK-TV&lt;/a&gt; Russian Business TV made an item from my lecture for the Cnews magazine.&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/20080325_0072-743020.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/20080325_0072-743014.jpg" border="0" alt="" /&gt;&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5645262305642687760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5645262305642687760'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/03/pictures-infosecurity-be-and-cso-summit.html' title='Pictures ... Infosecurity BE and CSO Summit Moscow 2008'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-5185108497371286980</id><published>2008-03-24T17:46:00.005+01:00</published><updated>2008-03-24T18:08:25.138+01:00</updated><title type='text'>Targeted attacks against Pro-Tibet groups.</title><content type='html'>"Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions. 
This cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization. But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. The exploit silently runs a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used in various targeted attacks. The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.&lt;br /&gt;&lt;br /&gt;Efforts by Chinese authorities to contain protests in Tibet and limit media access to the country have been widely reported. Reporters Without Borders on Thursday said it had identified more than 40 serious violations of the rights of foreign journalists in Tibet and China since March. And access to YouTube and mainstream media sites like the BBC, CNN, and Yahoo has also been restricted. &lt;br /&gt;&lt;br /&gt;But there's no direct proof that anti-Tibetan cyberattacks are being directed by Chinese authorities. The cyberattacks directed at Tibetan organizations are similarly the actions of Chinese hackers motivated by nationalism, without national direction. &lt;br /&gt;&lt;br /&gt;The massive cyberattack on Estonia last year, in response to Estonia's decision to move a Russian war memorial, presents an analogous situation.  &lt;br /&gt;&lt;br /&gt;It seems that situations like this are becoming a trend ... 
another example of a targeted malware attack."&lt;br /&gt;&lt;br /&gt;Eddy at the CSO Summit in Moscow</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5185108497371286980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/5185108497371286980'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/03/targeted-attacks-against-pro-tibet.html' title='Targeted attacks against Pro-Tibet groups.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-975534032303946079</id><published>2008-03-23T18:05:00.002+01:00</published><updated>2008-03-23T18:10:28.433+01:00</updated><title type='text'>Happy Easter .. from Moscow.</title><content type='html'>I'm ready to go to Moscow as I'm speaking at the &lt;a href="http://www.cso-summit.ru/?page=program&amp;lang=eng"&gt;Russian Moscow CSO Summit&lt;/a&gt;. Afterwards I'm again on the road to my Kaspersky colleagues in Germany ... a busy week you see and definitely different compared to the holiday period for a lot of other people. I'm still waiting to see my picture with Jean-Marie Pfaff at our &lt;a href="http://www.kaspersky.nl"&gt;Kaspersky site&lt;/a&gt;. Stay tuned!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/975534032303946079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/975534032303946079'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/03/happy-easter-from-moscow.html' title='Happy Easter .. 
from Moscow.'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-8234450.post-6369604079175722955</id><published>2008-03-16T11:01:00.002+01:00</published><updated>2008-03-16T11:12:53.723+01:00</updated><title type='text'>Security vendor websites under attack!</title><content type='html'>Earlier this week, part of Trend Micro's public online Virus Encyclopedia (VE) was altered via external hacking. The redirect placed on the site didn’t work properly, so nobody visiting the hacked pages was at risk of infection. In response to this incident, they shut down the VE for several hours, patched the systems, removed the inserted code, and brought it back to life again. This incident was part of a wider attack on security web sites around the world. In my opinion this is a bad sign, as it demonstrates that a lot of hacking attempts are being made to deface or at least alter the websites of the 'good' guys. I can assure you that I saw several hack attacks on other very well known security sites last month. I will not go into detail about which other sites have been attacked. I've seen this happening in the past, but never on such a scale as this time. Do you have any idea why this is happening now? 
Does it have anything to do with CEBIT or the upcoming 'InfoSecurity' fairs?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6369604079175722955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8234450/posts/default/6369604079175722955'/><link rel='alternate' type='text/html' href='http://www.anti-malware.info/weblog/2008/03/security-vendor-websites-under-attack.html' title='Security vendor websites under attack!'/><author><name>Eddy Willems</name><uri>http://www.blogger.com/profile/15790576694672259907</uri><email>noreply@blogger.com</email></author></entry></feed>