First published: 30th November 2007
The Association of Anti-Virus Asia Researchers tenth international conference was held in Seoul, Korea on 28th to 30th November, with 219 participants from around the world. In his keynote speech, Vincent Weafer (Symantec) reminded us of the changing threat landscape. Previously, we saw increasing involvement in malware from criminals looking to make a financial gain; now the trend is towards small attacks with small gains - if they make enough of them, they still get the same amount of loot. Vincent also warned us that our current testing methods are failing to keep up.
Several papers looked at the threats in online games. Igor Muttik (McAfee) looked at massively multiplayer online role-playing games (MMORPGs or MMOGs) including World of Warcraft, Lineage, Second Life and Club Penguin. Because of the time and effort spent by players acquiring them, virtual possessions have a real value, and, naturally, criminals try to take advantage of that. There are large numbers of data-stealing trojans, phishing attacks and viruses targeting games. The games also bring their own vulnerabilities: many games allow players to write their own game objects in the game's own scripting language, and the scripts may be run on the client or the server. Igor analysed the potential dangers and the restrictions necessary to make these environments safer. Second Life has even seen a virtual terrorist attack. Deokyoung Jung and Howoong Lee (AhnLab) also looked at online games, describing hacking of the games.
Another theme was detection strategies. Amir Lev (Commtouch) discussed server-side polymorphic malware, and blocking these attacks by identifying patterns in email and cross-referencing with additional data. Itshak (Tsahi) Carmona (CA) discussed generic detection. Mario Vuksan (Bit9) looked at the complement of the detection problem: false positives.
Crime was never far from the agenda. Eugene Kaspersky (Kaspersky Lab) discussed the trends in cybercrime: botnets, bank attacks, DoS attacks, ransomware, MMORPG attacks and social networking.
A couple of papers picked up on the testing issues touched on in Vincent's keynote. David Harley (author and consultant) and Andrew Lee (ESET) looked at the difficulties facing organisations evaluating anti-virus software, and the types of test results available. Andrew Hayter (ICSA Labs) provided an opinion on what constitutes an effective testing program. Maik Morgenstern and Andreas Marx (AV-Test.org) explained testing of "Dynamic Detection", or behaviour-based approaches.
Getting into the internals of anti-virus software, two presentations looked at the issues around packed malware. Chandra Prakash (Sunbelt Software) explained the design of an x86 emulator for generic unpacking. Malware presents unique challenges to emulation: the emulator must balance performance and speed against the need to safely run hostile code. Tan Xiaodong (Websense) gave some thoughts on defeating packer tricks.
Some speakers talked about the situation in their region. Shigeru Ishii (IPA Japan) described the challenges seen by his agency in bot attacks, and presented their Zero-Hour Analysis System that generates a detailed response for malware in less than five minutes. A paper on the effectiveness of Hong Kong's anti-spam law was presented by our Chief Consultant, Allan Dyer; the full paper is available on our Articles website. Chen Rui (Kingsoft) looked at the rise of password-stealing trojans in China, and defensive methods. Dong-Ryun Lee (KISA) described botnet mitigation in South Korea, and her agency's cooperation with ISPs to set up a botnet response system.
Randy Abrams (ESET) demonstrated how to teach what heuristics are, using the example of the official dog of the state of Louisiana, the Catahoula Leopard Dog.
Hongseok Kim (Microsoft) described the truth and myths of Vista security. Jeannette Jarvis (Microsoft), winner of last year's AVAR award for the best Wildlist reporter, gave the Wildlist reporter speech. Jie Zhang of Fortinet warned of the continuing war against Symbian malware.
There was a lively panel discussion on Info(a)ware(ness), chaired by Righard Zwienenberg (Fortinet).
The banquet entertainment was provided by traditional Korean drummers. Many of the overseas participants joined a post-conference tour and had the opportunity to compare security measures in the real-life DMZ with the IT equivalent.