The antivirus industry sometimes has a reputation of being secretive or even hostile to newcomers.  A short visit to the Virus Bulletin conference, held in Vienna this year, is all it takes to convince anyone of the opposite.  It is impressive to see how much information is exchanged during the three days of this gathering and to observe the open-mindedness displayed by all attendees.  If you are lucky, you might even see employees of competing companies playing table soccer against each other in an effort to win the second world championship hosted by GData.

Researcher Maksym Schipka gave a presentation on the evolution of automation methods in malware development.  It was a good opportunity to gain valuable insight into the techniques malware authors use to generate numerous variants of their software in an effort to evade detection by antivirus products.  The researcher showed that some malware authors release two new versions of their malware every fifty-nine minutes, but could create a new version in less than a minute.  Furthermore, the modification between variants is not trivial: it seems that the malware creators recompile their creation every time in order to change instructions in multiple locations of the resulting file.  First of all, this means that the antivirus industry has an impact on malware, since its authors are actively trying to evade our detection.  Second, proactive detection is mandatory to catch the new variants: since they are now generated every couple of minutes, waiting for a signature update is simply not an option.

Another interesting presentation was delivered by Dmitry Alperovitch on stock spam and pump-and-dump scams.  Dmitry demonstrated that fraudsters could easily make 40 000 dollars of profit in half an hour.  Their technique is to use stolen brokerage account data to buy a company’s stock and drive up its value.  Once a threshold value is reached, they sell everything and try to disappear with their money.  The “problem” with this approach is that it leaves a money trail that can be followed, and this is why at least one of the fraudsters has been arrested.

Presentations continue tomorrow with cutting-edge topics such as unpacking PE files on the Windows Mobile environment and advances in the business models of cyber criminals.

Pierre-Marc Bureau
Researcher