EICAR 2012

While the 2011 EICAR conference was dominated by the buzzword ‘cyberwar’, the theme of the 2012 EICAR conference was ‘Cyber Attacks – Myths and Reality in a Contemporary Context’. The recent past has brought about a considerable shift in the underground world of malicious code writers – a swing from the thrill-seeking geeks striving for fame and glory, to professional criminals using sophisticated methodologies for the ultimate goal of financial gain. The contemporary threat scenario calls for an adaptation of defence technology and methodologies. Although scientific research can provide a baseline for innovations, we need a more holistic approach towards the implementation of such new technologies – this year’s conference invited papers to address some of these issues.

The conference took place at the Marriott Hotel in Lisbon, Portugal. The event started with a pre-programme presentation by Dr Eric Filiol (ESIEA): ‘Why and how the current AV approach fails’. Eric underlined the need for innovation or even a change within security products to counter the recent flood of malware and targeted attacks. One initiative that aims to introduce change is DAVFI, a consortium involving the computing department of French technology institute ESIEA, deep packet inspection firm Qosmos, IP solutions provider Nov’IT, and naval group DCNS. The consortium has started to develop an open-source anti-virus solution based on new detection techniques, which it hopes to make available in both consumer and professional versions by 2014. It remains to be seen whether the consortium can come up with new innovations and techniques. EICAR will play a supporting role in bringing users together and asking them what they think a new product should look like, and will feed this input back to the consortium.

The morning after the traditional EICAR members’ meeting and welcome party, Chairman Rainer Fahs officially opened the EICAR conference and welcomed Wade Williamson from Palo Alto Networks as the keynote speaker. In his address he summarized an interesting study in which researchers analysed traffic within several corporate networks and found a lot of unknown traffic related to malware. Unknown traffic is usually relatively rare in corporate networks. Inspecting this traffic showed that a lot of data seemed to have been encrypted to evade detection. Circumventing technologies are pervasive in enterprise networks and often represent high-risk applications. The conclusion was that intelligent network analysis at specific points in the network can stop new malware entering at the source.

Axelle Apvrille and Tim Strazzere continued with a deep look at mobile malware. The fact that end-users have difficulties spotting malicious mobile applications means that most Android malware goes unnoticed for up to three months before a security researcher finally stumbles upon it. Axelle and Tim have put together a Google Play crawler to detect Android malware when launched in the marketplace. Google enforces its own communication protocol to browse and download applications from its market. The market crawler can reverse and implement this protocol, issue appropriate search requests and take necessary steps so as to avoid being banned. The crawler is based around a heuristics engine that statically pre-processes and prioritizes samples. The engine uses 39 different flags of different nature such as Java API calls, presence of embedded executables, code size, URLs etc. Each flag is assigned a different weight, based on the techniques mobile malware authors most commonly use in their code. The engine outputs a risk score which highlights the samples that are the most likely to be malicious.

Mobile malware was the subject of several presentations. A number of examples of mobile malware were shown in speeches from Itshak Carmona and Alex Polischuk, and Taras Malivanchuk showed how static analysis and generic detection can be used to detect mobile malware.

In his presentation, Dr Vlasti Broucek showed that, to date, there has been little consideration of how differences between indiscriminate malware and targeted attack tools hamper the capacity of organizations to manage risk. His paper considered how the continuum from malware through to targeted attack tools poses a range of technical, legal and moral dilemmas that organizations need to face before relying on cloud solutions. He even suggested that it is doubtful as to whether we can ever trust the cloud completely.

Anoirel Issa highlighted the problems AV researchers face when using VMs and emulators. Many virtual machines (e.g. VMware, Qemu, VirtualBox and sandboxes) are available and are widely used by malware researchers and analysts. Moreover, many anti-virus scanners incorporate their own implementation of emulators that run malicious code within a controlled environment in order to decrypt obfuscated code. Virus writers have always responded to such technologies and the majority of today’s malware uses anti-debugging techniques to counter analysis and evade detection – this is not likely to stop.

David Harley gave two presentations this year. The first was about AMTSO and the work and progress the organization has made over the last couple of years. In his second presentation, David outlined some recommendations for the public in using passwords and pin codes. Weak passwords and pin codes are a problem that is underestimated by a lot of security managers and administrators.

It is traditional for student papers to be presented at EICAR conferences, and the two awarded with ‘best student paper’ status this year were: ‘In situ reuse of logically extracted functional components’ by Craig Miles, Arun Lakhotia and Andrew Walenstein, and ‘The security of databases’ by Baptiste David, Dorian Larget and Thibaut Scherrer, which took a deep look inside security problems related to MS Access.

John Aycock gave a controversial presentation describing his study of Kwyjibo, a sophisticated domain/word generation algorithm that is able to produce over 48 million distinct pronounceable words. He showed through four different implementations how Kwyjibo might be deployed, and how its size can be reduced to under 163KB using a technique known as lossy distribution compression. This means that Kwyjibo is both powerful as well as small enough to be used by malware on mobile devices.

One of the talks I enjoyed the most was given by Dr Richard Ford and Dr Marco Carvalho on the subject of cyber resilience. While there is great interest in resilient cyber systems, the topic is clouded by the lack of an appropriate definition of the term ‘resilience’ and by the challenges of measuring the resilience of a system (if, indeed, this can ever be done correctly).

It is not possible to describe every paper in detail here, but others that were worthy of note include Marco Helenius’s ‘An evaluation of automated freeware C++ source code analysers’, ‘Dronezilla – automated behavioural analysis and testing framework’ by Claudiu Popa, and Cristina Vatamanu’s presentation which outlined ‘An approach of clustering malicious PDF documents’.

This year’s event was another great one and I’m already looking forward to the next – EICAR 2013 is scheduled to be held in Cologne, Germany from 9 to 11 June 2013.

Details of next year’s conference as well as some new initiatives from EICAR regarding the DAVFI project will appear soon on http://www.eicar.org/.