Wednesday, September 26, 2007

Virus Bulletin Conference 2007, Vienna

I had the privilege of attending the Virus Bulletin 2007 conference in Vienna, Austria and witnessing it first hand. Although this was my second time attending a security conference (the first one being the AVAR conference in Auckland, New Zealand in Dec 2006 where I presented a paper about Rootkits on Windows), this was my first time attending the Virus Bulletin conference. It has truly been a pleasurable experience. Apart from enjoying the beautiful music, art, monuments and palaces of Vienna, the conference itself was very informative and interesting. The best part was to be able to meet some of the best minds in the AV-industry, as well as to connect with some of the well-known and well-respected figures in the AV-community.

AVPD and Wild List

I also had the opportunity to attend the AVPD (Anti Virus Product Development Consortium) & Wild List meetings that were held prior to the actual VB conference. Both of these organizations are supported and sponsored by ICSA labs, which is known for its certification testing of AV-products (among other security products). Andrew Hayter, who led the AVPD meeting, introduced the current methodology used for testing and proposed some future improvements. The Wild List meeting led by Peter Chung had interesting ideas floating around in order to improve the quality of the current Wild List.

Good ole Wild List


ICSA labs publishes its AV-product testing results in buyer’s guides for security products. Such results clearly influence buyers’ decisions toward AV-products. Another influential set of AV-product testing results is published by AV-Test.org, which is maintained by Andreas Marx and his team. It is worth mentioning here Andreas Marx’s conference presentation on “death of the Wild List”, where he emphasized known limitations and shortcomings of the current Wild List that render it irrelevant and misleading for AV-product testing. In other words, Andreas states that the Wild List collection is non-dependable and trivial. Even though Andreas is quite right in stating so, my personal opinion is that the Wild List has potential. It is supposed to be a diverse collection of self-replicating pieces of malware that are actually prevailing “in the wild”. The quality of the Wild List is only as good as the quality, quantity and consistency of its reporters (malware researchers from reputable AV-companies – the chosen ones). This heavily requires more “active” reporters to respond and submit samples that are found in the wild, more frequently.

An interesting presentation…


An interesting, well versed and technically rich presentation was by Dr. Vesselin Bontchev from FRISK Software. His presentation introduced various points of susceptibility in modern mobile platforms that would allow a virus (or self-replicating code) to thrive. He also gave some predictions about the future of viruses on such platforms.

Building relations…

I also had the privilege of connecting with a diverse group of people: from prominent researchers, tech junkies, and marketing personnel to people from academia. I was also able to build relations with representatives from globally known AV-companies as well as with those from localized AV-companies. Some of these localized AV-companies are actually very well known and thriving in their local geographical regions.

A sense of community in the AV-industry

Any AV-company, while always striving to improve its technology, also tries to diversify its malware collection and relies on reputable sources to contribute to an ever-growing set of samples. Attending conferences such as these and building relations helps any AV-company to establish a baseline of trust allowing the exchange and influx of newer malware samples from other AV-vendors. This also helps them to see the bigger picture in terms of newer evolving threats. This in turn also helps the AV-community as a whole to work and fight as a team against today’s commercialized malware crime.

The Feds need our help…


Finally the conference was commenced with a panel of international law enforcement representatives chaired by David Thomas (FBI special agent, Cyber Crime division). The discussions provided insight into the workings of the world police in fighting Internet crime. The panel described that they really take cyber crime very seriously and that the Internet is actually “killing people”. They also admit that they cannot fight this battle all by themselves and require help from the AV-community. Their plea was for partnership and co-operation from the AV-community in providing information about organized computer crime that we might come across on a day-to-day basis. They also acknowledged that as a business, we still have to provide services to our customers and appreciate any time we spend in helping out law enforcement officials. The representatives in the panel admitted that they are limited in their resources and man-power to fight this battle, and that sometimes, reported incidents might seem unnoticed by them, but those might later be resurfaced to build up a case against the bad guys. Hence no information is useless information. My personal opinion: as a community we should be able to, as time and resources permit, provide useful information to law enforcement agencies to help curb this scum of internet crime.

The fun part…


Conferences such as these are specifically geared toward the AV-community (also popularly known as “white hats”), in an attempt to exchange information & technology, educate each other of the types of threats being dealt with, and prepare for emerging threats. The conference was a perfect combination of technology, passion, and fun. The gala dinner on the second day of the conference was profoundly entertaining, presented with good food and a Viennese waltz performance.

They also arranged for a complete casino set for those post dinner partiers. Free chips were given away for those who wanted to try their luck, and needless to say I happened to try my hand as well.

Surprisingly, I won a whole stack of chips (not too bad for a first timer) until in the end I put it “all in” and lost it all!! (a mixture of overconfidence and greed I suppose). Oh well! “Easy come, easy go”. If only I had followed my wife’s advice and stopped at that moment I might have won her an iPod (which was the first prize to be given away to the person who won the most number of chips). All in all, the conference was a great experience in every respect.

Me and my wife, Amy, at the gala dinner.

