Last-minute presentations:

16:20 - 16:40 URLCheck: malware and phishing URL aggregator, Sorin Mustaca, Avira
16:40 - 17:00 Last-minute malicious packer dissected, Nicolas Brulez, Websense


16:20 - 16:40 URLCheck: malware and phishing URL aggregator, Sorin Mustaca, Avira

Most new malware spreads these days via emails with various contents. Because the emails are so well crafted, it is sometimes not possible to mark them as spam, which means that they reach users' inboxes. The only way to block access to the malware is to block the target URLs contained in the emails in a generic way, without knowing from the beginning the reason why it is blocked. Such a powerful and dynamic system needs a very good control and monitoring centre in order to be maintainable.

URLCheck is a system developed by Avira in order to manage from a single point the malware and phishing URLs gathered from multiple sources. This is the natural evolution of the system described in the article 'Delivering reliable protection against phishing websites' published in Virus Bulletin, May 2008.

These URLs are used to create updates for several of Avira's web-filtering products. I will describe the challenges we faced while creating this system, the benefits it brings, and finally some results of its functionality. The challenges were actually caused by the differences between the sources we used: the URLs detected by our own anti-phishing product, PhishTank, LCheck (an internal system dealing only with malware URLs) and Clean-MX. The only thing these sources have in common is the fact that they have a URL which should be blocked. Other challenges we faced were the errors and special situations these services produced: invalid data, service unavailable, false positives. The system has to deal with these special situations.

16:40 - 17:00 Last-minute malicious packer dissected, Nicolas Brulez, Websense

In order to stay up to date with the bad guys producing malicious tools for the masses, we are always on the lookout for brand new tools and tricks. This presentation will cover a malicious packer found on a Chinese underground website. As the call for last-minute papers is about to close, files wrapped by this software are still undetected by most AV products (if not all). Every feature of this malicious packer will be dissected at the assembly level, with a lot of detail.

Ultimately, a live unpacking demo will demonstrate how it can be defeated.

