Last-minute presentations:
16:20 - 16:40 URLCheck: malware and phishing URL aggregator Sorin Mustaca, Avira
16:40 - 17:00 Last-minute malicious packer dissected Nicolas Brulez, Websense
Technical stream: Thursday 2 October 2008, 16:20 - 17:00.
16:20 - 16:40 URLCheck: malware and phishing URL aggregator, Sorin Mustaca, Avira
Most new malware spreads these days via emails with various
contents. Because the emails are so well crafted, it is
sometimes not possible to mark them as spam, which means that
they reach users' inboxes. The only way to block access to the
malware is to block the target URLs contained in the emails in
a generic way, without knowing from the beginning the reason
why each one is blocked. Such a powerful and dynamic system needs a
very good control and monitoring centre in order to be
maintainable.
URLCheck is a system developed by Avira in order to manage from
a single point the malware and phishing URLs gathered from
multiple sources. This is the natural evolution of the system
described in the article 'Delivering reliable protection
against phishing websites' published in Virus Bulletin, May
2008.
These URLs are used to create updates for several of Avira's
web-filtering products. I will describe the challenges we faced
while creating this system, the benefits it brings, and finally
some results of its functionality. The challenges were actually
caused by the differences between the sources we used: the URLs
detected by our own anti-phishing product, PhishTank, LCheck
(an internal system dealing only with malware URLs) and
Clean-MX. The only thing these sources have in common is the
fact that they have a URL which should be blocked. Other
challenges we faced were the errors and special situations
these services produced: invalid data, service unavailable,
false positives. The system has to deal with these special
situations.
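As an added illustration (not Avira's URLCheck code), the sketch below aggregates blocklist URLs from several feeds and handles the three failure modes the abstract lists: invalid entries are rejected by canonicalisation, an unavailable source is reported rather than aborting the run, and known false positives are filtered through an allowlist. The feed names, the fetch callables and all sample entries are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

class SourceUnavailable(Exception):
    """Raised by a feed fetcher when the upstream service cannot be reached."""

def normalise(url):
    """Canonicalise one feed entry so the same target from different feeds
    deduplicates. Returns None for entries that are not usable URLs."""
    if not isinstance(url, str):
        return None
    url = url.strip()
    if "://" not in url:          # some feeds list bare hosts/paths
        url = "http://" + url
    parts = urlsplit(url)         # lowercases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if "." not in host:           # not a public hostname: treat as invalid data
        return None
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))

def aggregate(sources, allowlist):
    """sources: dict feed name -> zero-argument callable returning raw entries.
    allowlist: hostnames confirmed as false positives; never blocked.
    Returns (blocklist: url -> set of feeds reporting it, per-feed report)."""
    blocklist, report = {}, {}
    for name, fetch in sources.items():
        stats = {"accepted": 0, "invalid": 0, "allowlisted": 0, "unavailable": False}
        try:
            entries = fetch()
        except SourceUnavailable:
            stats["unavailable"] = True   # keep going; other feeds still count
            report[name] = stats
            continue
        for raw in entries:
            url = normalise(raw)
            if url is None:
                stats["invalid"] += 1
            elif urlsplit(url).hostname in allowlist:
                stats["allowlisted"] += 1
            else:
                blocklist.setdefault(url, set()).add(name)
                stats["accepted"] += 1
        report[name] = stats
    return blocklist, report

def demo():
    """Constructed sample feeds (hypothetical names, no real indicators)."""
    feeds = {
        "phishtank": lambda: ["HTTP://Bad.Example/login", "bad.example/login",
                              "not-a-url", "good.example/reset"],
        "lcheck": lambda: ["https://malware.example/x.exe", None],
        "cleanmx": lambda: (_ for _ in ()).throw(SourceUnavailable("timeout")),
    }
    return aggregate(feeds, allowlist={"good.example"})
```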
16:40 - 17:00 Last-minute malicious packer dissected, Nicolas Brulez, Websense
In order to stay up to date with the bad guys producing
malicious tools for the masses, we are always on the lookout
for brand new tools and tricks. This presentation will cover a
malicious packer found on a Chinese underground website. As the
call for last-minute papers is about to close, files wrapped by
this software are still undetected by most AV products (if not
all). Every feature of this malicious packer will be dissected
at the assembly level, in great detail.
Ultimately, a live unpacking demo will demonstrate how it can
be defeated.