This year’s annual Virus Bulletin 2009 is being held in Geneva, Switzerland. The presentations are very interesting with topics covering Waledac, Koobface, botnets, and other malware families ThreatFire is most effectively protecting users against every day.
PC Tools’ Kurt Baumgartner presented a survey of Peter Ferrie’s series of papers on anti-unpacking techniques, and how these techniques are and are not implemented within the “worst families” of 2008-2009. Slides here from the Virus Bulletin 2009 slides page. It was exciting to discuss with at least a dozen other researchers the questions and answers we provided about Waledac and its consistent use of Int 0×2e within its packer. We examined other families and specific decryption algorithms implemented by each, and unusual techniques malware writers are using to throw off automated research and file scanners. You can find Peter Ferrie’s “Anti-Unpacker Tricks” Virus Bulletin papers at his web page, under his “International Publications” section.
Righard Zwienenberg presented on the progress AMTSO is making, a group that PC Tools has actively participated in since its start. There was much interest in its activity and some of its current work that we are pleased to take part in driving forward. The upcoming meeting in Prague will bring with it discussion over one of its most controversial papers, “Issues in the Creation of Malware” [for testing purposes], which hopefully will be voted on and released soon. We encourage testers and reviewers to join and actively participant in this group.
Topics of interest included “The real face of Koobface” by Ivan Maclintal, and “Brazil, land of plentiful bankers” from Dmitry Bestuzhev. The Brazilian banker presentation discussed many issues resulting in the thriving banking password stealing efforts and groups in Brazil, and the surprising presence of the Induc virus infecting Bancos password stealers that ThreatFire effectively prevents. Also of interest is the malware working group connecting the AV industry, with Igor Muttik discussing the Industry Connection Security Group’s proposed xml structure and content for sharing samples and information amongst vendors and testers. It’s something we’ll probably exchange thoughts on at the upcoming AMTSO meeting.