Last-minute presentations:

16:20 - 16:40 URLCheck: malware and phishing URL aggregator, Sorin Mustaca, Avira
16:40 - 17:00 Last-minute malicious packer dissected, Nicolas Brulez, Websense

16:20 - 16:40 URLCheck: malware and phishing URL aggregator, Sorin Mustaca, Avira

Most new malware spreads these days via emails with various contents. Because the emails are so well crafted, it is sometimes not possible to mark them as spam, thus meaning that they reach users' inboxes. The only way to block access to the malware is to block the target URLs contained in the emails in a generic way, without knowing from the beginning the reason why it is blocked. Such a powerful and dynamic system needs a very good control and monitoring centre in order to be maintainable.

URLCheck is a system developed by Avira in order to manage from a single point the malware and phishing URLs gathered from multiple sources. This is the natural evolution of the system described in the article 'Delivering reliable protection against phishing websites' published in Virus Bulletin, May 2008.

These URLs are used to create updates for several of Avira's web-filtering products. I will describe the challenges we faced while creating this system, the benefits it brings, and finally some results of its functionality. The challenges were actually caused by the differences between the sources we used: the URLs detected by our own anti-phishing product, PhishTank, LCheck (an internal system dealing only with malware URLs) and Clean-MX. The only thing these sources have in common is the fact that they have a URL which should be blocked. Other challenges we faced were the errors and special situations these services produced: invalid data, service unavailable, false positives. The system has to deal with these special situations.
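The abstract above lists the three kinds of trouble a multi-source URL aggregator has to absorb: records in different shapes, invalid data, an unreachable feed, and false positives. The following is an added illustration of that pattern, not Avira's URLCheck code: the feed names, record layouts and the allowlist-as-false-positive-control are constructed for the example and do not reflect the real PhishTank, Clean-MX or LCheck formats. Each feed is paired with a tiny extractor, every URL is canonicalised before deduplication, and per-source statistics are kept so an operator can see which feed produced garbage or went down.

```python
"""Minimal multi-source malicious-URL aggregator (added example, not URLCheck)."""
from typing import Callable, Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# --- constructed sample feeds --------------------------------------------
# Each feed yields records in its own shape; the only thing they share is
# that somewhere in the record there is a URL that should be blocked.
def feed_antiphishing() -> Iterable[dict]:
    return [
        {"url": "HTTP://Login-Update.example.com:80/verify/#frag", "kind": "phishing"},
        {"url": "not a url", "kind": "phishing"},          # invalid data
    ]

def feed_malware_tracker() -> Iterable[tuple]:
    return [
        ("http://dl.example.net/payload.exe", "malware"),
        ("http://LOGIN-UPDATE.example.com/verify/", "malware"),  # same page as above
        ("ftp://dl.example.net/payload.exe", "malware"),   # unsupported scheme
        ("http://cdn.example.org/lib.js", "malware"),      # hits the allowlist
    ]

def feed_unavailable() -> Iterable[dict]:
    raise ConnectionError("service unavailable")           # simulated outage

# feed name -> (fetcher, function that pulls the URL out of one record)
FEEDS: Dict[str, Tuple[Callable[[], Iterable], Callable[[object], str]]] = {
    "antiphishing": (feed_antiphishing, lambda r: r["url"]),
    "malware_tracker": (feed_malware_tracker, lambda r: r[0]),
    "third_party": (feed_unavailable, lambda r: r["url"]),
}

# Hosts the operator has verified as clean (hypothetical): any feed entry
# pointing here is treated as a false positive and never reaches the blocklist.
ALLOWLIST: Set[str] = {"cdn.example.org"}

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_url(raw: str) -> Optional[str]:
    """Canonicalise a URL so the same page from two feeds dedupes.

    Lowercases scheme and host, drops the fragment and a default port, and
    returns None for anything that is not an http(s) URL with a hostname.
    """
    try:
        parts = urlsplit(raw.strip())
        port = parts.port                      # ValueError on a bad port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port and port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))

def aggregate(feeds=FEEDS, allowlist=ALLOWLIST):
    """Merge all feeds into {normalised_url: {source names}} plus per-feed stats."""
    blocklist: Dict[str, Set[str]] = {}
    stats: Dict[str, dict] = {}
    for name, (fetch, extract) in feeds.items():
        st = {"accepted": 0, "invalid": 0, "allowlisted": 0, "error": None}
        stats[name] = st
        try:
            records = list(fetch())
        except Exception as exc:               # service unavailable: skip, keep going
            st["error"] = str(exc)
            continue
        for rec in records:
            try:
                url = normalize_url(extract(rec))
            except (KeyError, IndexError, TypeError):   # malformed record
                url = None
            if url is None:
                st["invalid"] += 1
                continue
            if urlsplit(url).hostname in allowlist:
                st["allowlisted"] += 1
                continue
            blocklist.setdefault(url, set()).add(name)
            st["accepted"] += 1
    return blocklist, stats

if __name__ == "__main__":
    urls, report = aggregate()
    for u, sources in sorted(urls.items()):
        print(u, "<-", ",".join(sorted(sources)))
    for feed, st in report.items():
        print(feed, st)
```

Keeping the per-feed counters is the part that makes the system maintainable: a feed whose `invalid` count jumps has changed its format, a non-empty `error` means the source was down for this run, and a URL seen by several sources carries more confidence than one seen by a single feed.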

16:40 - 17:00 Last-minute malicious packer dissected, Nicolas Brulez, Websense

In order to stay up to date with the bad guys producing malicious tools for the masses, we are always on the lookout for brand new tools and tricks. This presentation will cover a malicious packer found on a Chinese underground website. As the call for last-minute papers is about to close, files wrapped by this software are still undetected by most AV products (if not all). Every feature of this malicious packer will be dissected at the assembly level, with a lot of detail.

Ultimately, a live unpacking demo will demonstrate how it can be defeated.
