Conference program timetable

Wednesday 9th November

Welcome Drinks Reception for AVAR Members

Thursday 10th November

- Delegate Registration
- Conference Sessions
- Gala Dinner at Jumbo Floating Restaurant
  18.30: Pickup from Renaissance
  19.00-21.00: Jumbo Restaurant
  21.30: Return pickup to Renaissance

Friday 11th November

- Conference Sessions
- AVAR Members Meeting

Saturday 12th November

- Hong Kong Islands Tour
  10.30: Pickup Renaissance
  11.00-16.00: Boat Trip
  13.00-14.00: Lunch
  16.00: Return pickup to Renaissance

Wednesday 9th November

- Welcome Drinks Reception and Delegate Registration

Thursday 10th November - Conference Day 1

Track 1 - Concord 1 Room; Track 2 - Oasis Room

Registration and Coffee - Oasis 2/3


Welcome Speeches - Allan Dyer (Conference Chairman), Seiji Murakami (Chairman AVAR)

AVAR 2011 Keynote Speech: Creating A Safe, Clean and Reliable Cyber Space

Earlier this year, during the Annual General Meeting (AGM) of the Asia Pacific Computer Emergency Response Teams (APCERT), APCERT members agreed on a new vision for the group – "APCERT will work to help create a Safe, Clean and Reliable cyber space in the Asia Pacific Region through global collaboration". The speaker will share with participants his thoughts on how that can be achieved, discussing approaches from different perspectives and covering incident response, software development and internet infrastructure.


Human After All

To properly understand malware, it is crucial to focus on the human beings behind it. To do so, a researcher needs to understand the objectives, strategies and tactics of malware creators and operators. In this presentation, we describe current trends in malware, focusing on the humans behind it. We approach the matter from two angles: statistics and case studies. We will show up-to-date statistics on malware as observed by an antivirus company with millions of customers, and go into deeper technical detail for specific cases. These case studies help in understanding the global situation through real-world examples, including analysis of a number of malware families. Our analysis shows that some of these families target specific regions or avoid others; we will show the geographic distribution for some of these cases.

The Change of Security Awareness Training in Response to Targeted Attacks

Examining the cyber attacks of the past few years, most target companies or government facilities. Because of the increase in these attacks, many companies are adopting security systems to minimize the damage, and attackers in turn are increasingly targeting internal staff to bypass those systems. This paper describes targeted attacks based on the cultural characteristics of Korea's IT environment, and discusses how the role of security organizations and security awareness training should change to deal with these attacks effectively.


Malware in EFI

EFI (Extensible Firmware Interface) is used more and more frequently in contemporary computers, from servers to handheld devices. EFI offers many advantages to software developers due to its multi-platform capabilities, standard interfaces, scripting and extensibility. This powerful framework has not been abused by malware yet, but unfortunately all of EFI's powerful features can be employed by malware. We look at the commonality of stealth rootkits which activate during computer start-up (so-called "bootkits"). We also look at the capabilities of EFI and demonstrate the EFI shell. We will also discuss the implications and look at the arsenal of EFI tools available to developers, security experts and IT professionals.

Paranoid Android?

With the increasing popularity of Android in Asia comes the danger of malware attacks. Studies on Android mobile security reveal that the growth rate of Android threats is faster than that of computer malware at the same stage of development. This paper will discuss the Android Security Model and aims to present a detailed account of the nature of the Android threat landscape, so that users in Asia and elsewhere are made aware of the dangers involved in the use of Android, whilst also focussing on the ways and means of mitigating the risk.


Coffee Break - Oasis 2/3


Mobile Device Attacks – 2011

While the latest CommWarrior variants continue to entice mobile phone users into clicking 'Yes' to grant them permission to install, we have encountered the first remote exploit for Windows Mobile phones using MMS as the attack vector. It seems that malware is slowly but steadily taking over mobile device operating systems, which suffer from the same syndrome as their big relatives, the computer operating systems. We are experiencing more and more malware exploiting vulnerabilities and backdoors in the various mobile operating systems. Some vulnerabilities only require the user to open a malformed MMS message to cause a buffer overflow. We will explore several vulnerabilities and payloads on various mobile devices.

Reverse Engineering Easy Programming Language Applications

Easy Programming Language (EPL) is a commercial rapid development language, similar to VB. Using EPL you can easily write an application in Chinese instead of in English. As a result of this kind of flexibility, EPL's popularity is increasing, especially in China, as a medium for creating applications, malicious or otherwise. MSRR (Microsoft Research & Response) receives many EPL samples each day. This paper looks at how to reverse engineer EPL samples and discusses how to separate user code from library code; how to identify form IDs, control details, menu items and Windows APIs; and how to identify all object events and their handlers and build the references between them.


To Cloud or Not To Cloud

As threats become more complex and multiply at an increasing rate, this presentation examines the benefits of cloud technology at the heart of one of China's fastest growing anti-malware protection systems for desktop and mobile networks. With Qihoo 360's Cloud Security System handling 60 billion queries daily from 400 million users, it is collecting 10 million new samples daily and processing over 120 million in timeframes of less than a second per sample. The presentation will go on to examine how it deals with Trojan applications in malicious URLs as well as phishing attacks, and the benefits for end users of its proprietary 'Just in Time Detection and Protection Systems'.

A Case Study of Targeted Attacks Abusing Regional Software

Both the way we use computers and the purpose of malware have changed as the performance of computers has improved. Now we are able to use our computers to go online, manage our own money and shop. Companies, governments and other organizations are also able to manage and promote their work using computers. Malware authors are therefore aiming to profit financially from creating malware. This paper introduces a particular example that uses vulnerabilities and regional factors. Targeted attacks that rely on regional factors are not well known and are hard to propagate.


Lunch - Oasis 2/3


MUTE - Malware URL Tracking & Exchange

MUTE is an effort to simplify the tracking and exchange of malicious URLs. The current model of URL exchange has followed the file exchange scheme, which is done either via FTP or email and requires each sharing entity to establish a connection with all the other entities (1:n) to receive all malicious URLs. The URLs are usually sent in emails or transferred in text files. An industry exchange standard from IEEE ICSG for URLs (as well as other metadata) was published in 2010 and calls for a robust and efficient URL sharing framework and process. This paper will discuss the objectives of MUTE and its development, and review current initiatives in progress.

The Challenges of Scanning Binaries Using Multiple Antimalware Engines

The argument for using multiple engines is simple: there is no single engine that is consistently the most effective at detecting malware. This has already led to the development of products such as Microsoft Forefront, Google's Postini Services, OPSWAT's Metascan, Cisco Systems' IronPort and others. However, the benefit of increasing detection rates by utilizing multiple engines could come at a price. Challenges such as an increase in exposed engine vulnerabilities, performance degradation and increased false positives may overshadow the benefits. This paper will discuss the advantages of using more than one engine in a security solution and give an overview of the associated challenges and limitations.


Be Aware of Malware When Enjoying the Convenience of Mobile Payment Systems

In this era of the mobile internet, making payments on cell phones is nothing unusual. According to iResearch statistics, the volume of mobile payments in China reached twenty billion Yuan last year, an increase of more than 30% year on year. However, as mobile malware develops rapidly on mobile platforms, the risks and related consequences are starting to emerge. This paper will analyze those risks from the mobile malware's perspective, demonstrate and analyze the most widely available payment schemes such as those from China Mobile or Alipay, summarize these risks and give several proposals to help build a more secure payment environment.

Poisoning Google Images: An Analysis of Google Image Poisoning

There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user clicking on the link to be successful. However, the latest variation has moved beyond simple text links to "Google image poisoning": placing malware in the middle of Google image searches, where users have traditionally had no reason to be wary. Our presentation will focus on how malware writers are able to infect the average website, with detailed analyses of the PHP script used to infect sites and of the SEO techniques used to get infected images to the top of search results.


Coffee Break - Oasis 2/3


Discussion Panel - Concord 1

A review of key topics presented throughout the day. The panel comprises security experts who have presented at the conference:
Andrew Lee - ESET
Benny Czarny - OPSWAT
Scott Wu - Microsoft
Jianfeng Lu - Qihoo

Friday 11th November - Conference Day 2

Track 1 - Concord 1 Room; Track 2 - Oasis Room

Coffee - Oasis 2/3


Shattering the Shield: Exposing the Obfuscation Used in Current Malware

Writers of malware have often sought to protect their creations in the wild from detection and remediation by antimalware vendors. In the past, standard off-the-shelf methods were considered sufficient to prevent identification and removal from an infected machine; however, current malware authors have raised the bar in terms of the complexity and effort required to detect and remove these threats. In this presentation, we show the increasing escalation in the "arms race" between malware authors and antimalware vendors: the attempt by malware to survive on the one hand, and the ability of antimalware to protect users on the other.

Weaving Security into the Fabric of our Society

Throughout the history of civilization there have been certain skills that society taught all its members because they were deemed important enough to be required for survival. As times and technologies change, the required skills have changed. The advent of the internet, and its subsequent exploitation by the criminal element, has revealed the need for a new survival skill to be taught as part of our social upbringing. This presentation will examine the crux of the most common Internet attacks, how to teach defense against them, and why social engineering defense needs to be part of the social curriculum.


Anti-Malware Product Performance - a Move Towards Determining Full Product Efficacy

This paper will consider how West Coast Labs is proposing to introduce a more rounded measure of anti-malware product testing than traditional detection rate evaluations alone. A series of metrics, including hardware impact performance statistics as well as dynamic and real-time detection capability, will be considered. The authors will also discuss how this model can be extended to other technologies and describe the implementation of this mathematical model in WCL's Product Performance Index reporting mechanism.

Defending Against Trojans Attacking Online Payment Systems in China

Shopping on the Internet has rapidly become a major part of China's economy. People have grown to rely on the Internet, with more and more now choosing Alipay to cover everything from water and electricity bills to credit cards. With 4000 new online shopping Trojans dedicated to stealing users' money during online payment transactions, including groups like the "HuFeiHu Group", "HuYuCheng Group" and "WangLi Group", this paper will examine how the Trojans tamper with online payment pages and identify the best way to defend against them.


Dissection of Exploit Kits

Exploit kits, also known as exploit packs, are bundles of code that exploit vulnerabilities, along with various tools to customize, deploy and carry out automated 'drive-by' attacks. Attacks making use of exploit kits have become one of the major threats to the current network landscape. This presentation will discuss the top ten exploit kits and take some typical exploit kits as examples to show the key features and differences between them. We will also compare exploit kit attacks with APT (Advanced Persistent Threat) attacks, a current hot topic. Finally, we analyze the trends in exploit kit development.

After MACDefender, What's Next for Mac Malware?

For some time, one of Mac OS X's greatest advantages over Windows OSs has been the limited number of malware targeting it. Unfortunately, this is no longer the case: rogue antivirus or FAKEAV, one of the most prevalent malware families targeting Windows-based systems, has recently crossed over to Mac platforms with the emergence of MACDefender. This paper provides technical analyses of various rogue antivirus software targeting Macs and delivers predictions on what we think Mac malware creators will be up to next and how these future threats may affect the current threat landscape.


Coffee Break - Oasis 2/3


In-Depth Defense

The rapid development of electronic commerce has brought customers benefits and opportunities. However, an urgent and immediate challenge is how we ensure the safety of mutual assets when carrying out electronic commerce transactions. Though most information security vendors are good at protecting electronic commerce networks (network, information transmission, antivirus and so on), they lack experience in protecting the electronic commerce transaction itself. Therefore, this paper will discuss the security threats faced by both sides of the electronic commerce industry.

Cro-Magnon Cyber Security (Surviving Long Enough to Evolve)

Generations past have had to evolve or die, but they (mostly) had time to do it. With the acceleration of technology and networks, how will we "live long enough" to teach a generation to be cyber-savvy? When we combine the time lag needed to educate a generation with the speed at which upcoming threats hit the threatscape in greater volume and sophistication, how can we possibly educate users now, in ways that will be effective against the threats of the future, when the threats of the future haven't even been invented yet?


The Evolution of a One-Stop Security Solution for PC and Mobile

This presentation will examine how the dynamic challenges of internet security can be effectively dealt with in a 'One-Stop' security solution by combining a variety of technologies such as cloud-based protection mechanisms and the proprietary Mobile Terminals Assurance Architecture (MTAA), plus a commitment to establishing a healthy, well-developed security ecosystem. The presentation will also describe how Tencent is cooperating with China's National Security Response Center/Tianjing Virus Lab, and partnering with mobile industry players including mobile carriers, handset manufacturers, app markets and other security solution providers to develop an effective security solution.

Web Browser Sandboxing: Security against Web Attacks

In recent years, web browsers have become popular platforms from which to launch web attacks. The browsers and plug-ins like Adobe, Flash and Java combined have hundreds of reported vulnerabilities, with dozens of commercial exploit packs available. SEO poisoning has also added dynamics to the spread of malware. In this presentation we will discuss the challenges in implementing sandboxing with reference to the top three web browsers, experiments with live web-based malware/exploits and Metasploit, and how we are protecting the user's web experience.


Lunch - Oasis 2/3


How 'Compromising' & Social Engineering can break Two Factor Authentication in Internet Banking

Is it true that two factor authentication is really secure? Are internet banking users invulnerable and 100% secure with two factor authentication? This paper will show how specific malware can compromise DNS or the "hosts" file in Windows and lead its victims to bogus internet banking sites, which can fool internet banking users into carrying out fake transactions for criminals' financial gain. This paper will also highlight the advice given to financial institutions about what they need to do to be more secure against this kind of attack.

Spam and Darwin's Theory

During the last several years we have seen considerable changes in the Internet. With the appearance of social networks, Web 2.0 and cloud technologies, our communication has shifted to them from traditional e-mail. We talk to each other using IM, we share photos in social networks, we discuss ideas in the cloud. Do we therefore still need our personal e-mail? Yes we do. We read notifications from social networks, we learn about new documents shared with us in the cloud, we read informational mails from banks, online shops, delivery systems and so on. In our presentation we will tell you about the latest trends in spam, disclose who was the first to use such "official-looking" spam techniques, give a short historical background and share some of our thoughts about the future of e-mail spam.


Discussion Panel - Concord 1

A review of key topics presented throughout the day. The panel comprises security experts who have presented at the conference:
Yu Guo Liu - Tencent
Richard Thomas - West Coast Labs
Juraj Malcho - ESET
Hamish O'Dea - Microsoft


Conference Closing Session - Allan Dyer (Conference Chairman), Seiji Murakami (Chairman AVAR)

AVAR Members Meeting