EICAR 2011: a 20th anniversary in Austria


Eddy Willems

EICAR and G Data, Belgium
Editor: Helen Martin


Eddy Willems reports on some of the topics, debates and research presented at the EICAR 2011 conference.

Table of contents

2011 marks the 20th anniversary of EICAR. In that time, many things have been achieved – sometimes with difficulty, but always with openness and sincerity. This year the event looked back over the past 20 years in an attempt to determine the essential facts and developments. In a growing world of poor communication, misunderstanding, hype and commercially driven interest, it is time to realign stake holders - in particular scientific research and commercial product vendors. It is time to assess the real threats and the myths in the non-transparent world of computer malware and anti-malware. As well as looking back, EICAR 2011 also looked at the present and into the future:

  • What new form will malware threats take?

  • What are the issues with current and future anti-malware techniques and products?

  • Is the current industry-driven approach to AV still the right one?

  • Should governments be more proactive?

  • Are new tools and/or regulations required?

  • Does law enforcement need to use malware in an offensive way?


The conference took place at Krems University, a lovely location not far from Vienna. The conference started on Sunday 8 May with a meet-the-experts reception on the university premises.

The event was opened the next morning with a keynote speech from EICAR chairman Rainer Fahs who addressed this year’s conference theme of ‘cyber war’. He pointed out that there is no agreed definition of the term. Though comprising some properties of cybercrime and cyber terrorism, ‘cyber war’ unfortunately is more than just a buzz word and, if not carefully analysed and addressed in the near future, could lead to unknown escalation of attacks on the Internet and its underlying infrastructure. In his book Cyber War (May 2010), Richard A. Clarke describes cyber warfare as ‘actions by a nation-state to penetrate another nation’s computer or networks for the purposes of causing damage or disruption’. This is possibly the most realistic definition we can find. Rainer brought up a number of questions including: what constitutes an attack? What are the boundaries of the battlefield? What are cyber weapons? There are not even any regulations or treaties to regulate such a war. However, nations are re-organizing their military structures and adding cyber defence to their planning in order to be fully prepared for any such attack.

Morton Swimmer of Trend Micro continued the conference with an in-depth look at future threats. I particularly liked his spectrum of cyber threats, where cyber bullying was the lowest level and cyber war the highest.

After a coffee break the day continued with possibly the most controversial paper of the conference: ‘Magic Lantern .. reloaded, (Anti)Viral Psychosis McAfee Case’ by Eric Filiol and Alan Zaccardelle of ESIEA Research. They chose the McAfee product because it is widely used but they noted that similar issues could have been found in other AV products. They detailed a couple of problems they had found with the product. One of these was related to not detecting specific cases of the Conficker autorun files, another was related to McAfee’s quarantine encryption and the possibility of exploiting this to launch an attack against the centralized management system. Their conclusion was that we all have to be very careful with AV marketing in general and that it might be a good idea to have an independent body to verify such things. During the follow-up discussion several people suggested that the academic world and the AV industry should communicate better – as it seems that there are a lot of misconceptions on both sides and that each party would be able to learn from the other.

Ralf Benzmueller of G Data presented an excellent overview of the common AV techniques currently being used in the industry, and Boris Sharov (Dr. Web) described what cyber warfare means from an AV vendor’s perspective. Judging by the content of these presentations, I don’t think that any of us in the industry will be out of a job any time soon.

This year’s panel session was moderated by Rainer Fahs and included Eric Filiol, Boris Sharov, Ralf Benzmueller and Morton Swimmer. Most of the questions related to the cyber war theme, and after hearing the answers I can only say that there is a real need for more communication between law enforcement, academics, and above all organizations. Of course, like many things, this is easier said than done.

This year’s gala dinner was held at the Kloster UND restaurant, housed in the former church of an old Austrian monastery. While the venue was beautiful, we took in some interesting scenery en route – walking past a high-security prison to reach our destination!

Day two

If the first day was a more general presentation day, the second day was for those who are more technically minded. It started with this year’s best paper award which went to Igor Sorokin of Dr. Web for ‘Comparing Files Using Structural Entropy’. As malware writers tend to use increasingly complex techniques to protect their code, AV vendors face the problem of increasingly difficult file scanning as well as the massive growth of AV databases. Sorokin’s solution is based on the assumption that different samples of the same malicious program have a similar order of code and data areas. Files may be characterized by the complexity of their data order. Sorokin’s approach consists of using wavelet analysis for the segmentation of files into segments of different entropy levels and using edit distance between sequence segments to determine the similarity of the files.

I loved Anthony Desnos and Geoffroy Gueguen’s paper: ‘Android malware: is it a dream?’, which gave a detailed analysis of DroidDream and a look into the possible future problems of the Android OS. They showed the importance of new Android analysis tools such as Androguard (http://code.google.com/p/androguard/).

David Harley from ESET explained how difficult it can be to tell the difference between fake AV and real AV. In his paper it became clear that the marketing efforts of the bad guys and the good guys (the AV industry) can sometimes be very similar and difficult to distinguish. More education for end-users seems to be one of the key areas we must look at to help solve this problem.

During one of the breaks between sessions I gave a demonstration in which I showed a representation of the EICAR conference, created by Dr Sarah Gordon, inside Second Life. Walking around in this virtual environment with Sarah’s avatar and explaining the Second Life version of EICAR to those in the real world was a strange experience. Holding a conference in a virtual environment could, and possibly will be the future (in fact it has already been done in some ways), but I for one would miss many human elements and can’t imagine ever preferring it to a real-world venue.

In the last session of the conference a team from BitDefender demonstrated CDS, or Clean by Detection Shifting. The technique uses prior information stored in the cloud to pre-emptively block undetected malware before it has a chance to execute its payload. However, the team’s research is still a ‘work in progress’ as there are still some disadvantages to the technique and so far it has only been tested in a lab environment.

Next year

This is just an overview of some of the many interesting papers presented at the conference. This year’s event was another great one and I’m already looking forward to next year’s. The venue for EICAR 2012 will be announced on the EICAR website in September.



Latest articles:

Throwback Thursday: CARO: a personal view

As a founding member of CARO (Computer Antivirus Research Organization), Fridrik Skulason was well placed, in August 1994, to shed some light on what might have seemed something of an elitist organisation, and to explain CARO's activities and…

VB2016 paper: Uncovering the secrets of malvertising

Malicious advertising, a.k.a. malvertising, has evolved tremendously over the past few years to take a central place in some of today’s largest web-based attacks. It is by far the tool of choice for attackers to reach the masses but also to target…

VB2016 paper: Building a local passive DNS capability for malware incident response

Many security operations teams struggle with obtaining useful passive DNS data post security breach, and existing well-known external passive DNS collections lack complete visibility to aid analysts in conducting incident response and malware…

Throwback Thursday: Tools of the DDoS Trade

In September 2000, Aleksander Czarnowski took a look at the DDoS tools of the day.

VB2016 paper: Debugging and monitoring malware network activities with Haka

Malware analysts have an arsenal of tools with which to reverse engineer malware but lack the means to monitor, debug and control malicious network traffic. This VB2016 paper proposes the use of Haka, an open source security-oriented language, to…

Bulletin Archive