AVAR

EICAR Report 2009

Andrew Lee, CTO, K7 Computing Private Limited

The EICAR Conference was held in the beautiful German city of Berlin on the 11th and 12th of May 2009. Unfortunately, no one seems to be immune from the current recession, and EICAR was no exception; however, sole sponsor Dr Web's generous support meant that the conference was able to go ahead with a full program and good entertainment.

A rare treat for all was the opportunity to hear from probably the most important person in the history of computer viruses, Dr Fred Cohen. Dr Cohen talked with wit and authority about the history of computer virology and expounded his thoughts on where the industry is heading in the future. Dr Cohen is a charismatic and interesting speaker whose long experience as a university professor gives his explanations refreshing simplicity and clarity. Some of Dr Cohen's ideas are controversial, provocative even, but they are never less than intelligently presented, with good justification for his statements. His thoughts on the future of viruses include that virology will become the preserve of nation states and that viruses and malware will be considered munitions.

Kicking off the conference proper, Ronald Schultze talked about the use of the internet by young people in Germany, covering how to prevent online stalking of children and teenagers and how to protect them from receiving sexually related content. He went on to discuss their project to provide an early warning system about problems of this kind.

Dr Boris Sharov was up next, representing the sponsor Dr Web. His talk, "What's new on the malware Frontline", revealed some interesting facts about ransomware and how different technologies are being used aside from pure PC-based malware. He discussed attacks using file encoders that encode documents and then hold the user to ransom for the decoder. One interesting attack was the use of SMS services on mobiles: malware locks Windows so the user can't log in and shows a pop-up screen telling them to call a particular number; the user then has to activate a code number via SMS to get access to Windows again. Dr Sharov is always an interesting speaker, and his perspective from the Russian area is particularly valuable.

Asia was well represented this year, with two interesting talks from Babu Nath Giri and Vinoo Thomas of McAfee's Bangalore research lab. Babu talked about how we see computers in almost all walks of life, from satellites to cell phones, and from cars to coffee machines. He postulated that as computers become faster, smaller, and wireless, wearable or implanted devices will gain in popularity. He talked about these devices with security in mind and the possibilities of future malware exploiting them. Vinoo and his colleagues took a look at a range of AutoRun infection techniques in their paper 'The Return of Removable-Disk Malware'. They traced the history of AutoRuns and discussed their patent-pending solution to proactively detect and stop malware that spreads via removable drives.

The first day concluded with a lively panel discussion on anti-malware product testing, with experts representing AMTSO (the Anti-Malware Testing Standards Organisation), EICAR and users, the vendor community, and ICSA, a well-respected testing lab. This discussion was also expanded on by at least three other papers during the conference covering issues with testing. It is clearly a hot topic and one that is rightfully gaining some attention, notably in the area of dynamic or execution context testing, a subject covered by David Harley of ESET.

An excellent gala dinner was accompanied by a fun magic and comedy show by an up-and-coming German performer who some people may have remembered from his previous performance at the EICAR conference in Hamburg a few years ago.

The second day was unfortunately more sparsely attended (perhaps the lure of the nearby Berlin Zoo was too much for some), but there were some interesting papers. One controversial topic, nicely fitting in with Dr Cohen's earlier keynote speech, was the discussion of the use of Trojans by the state, and the privacy, legal and technical issues that go along with it.

Andrew Hayter of ICSA presented a testing-themed paper on why accreditation of a testing laboratory under ISO standards is important. It's certainly good to hear testing labs discussing how they themselves expect to achieve and maintain good scientific standards.

Anthony Desnos and Eric Filiol presented a paper about detecting a hardware-based virtual machine rootkit (Blue Pill). This was an interesting paper, particularly given the increase in and importance of virtualisation in enterprise systems, and was one of the few strongly technical offerings at the conference. Later, Damien Aumaitre, Christophe Devaux and Julien Lenoir talked about their experiences discovering Russian botnets; although an interesting topic, it wasn't particularly revealing of any new techniques or information.

As with any conference, it's impossible to see everything, but EICAR was definitely worth attending. The conference was well planned, with some very interesting sessions and a strong attendance considering the economic conditions. It would be good to see more focus on technology in future, although what was presented was certainly of good quality, and I enjoyed participating in the panel debate. The next EICAR conference will be in Paris on the 8th - 12th of May.