SYSREVEAL

Malware Research

EICAR 2010: RAINY DAYS IN PARIS (FW)

by on Jun.07, 2010, under Malware Research

EICAR 2010: RAINY DAYS IN PARIS

Eddy Willems

G Data Software and EICAR, Belgium

The 19th EICAR conference took place last month in the heart of the beautiful city of Paris at the École Supérieure d’Informatique, Electronique, Automatique (ESIEA). The second International Alternative Workshop on Aggressive Computing and Security (iAWACS’10) was held immediately before the conference at the same venue, and EICAR delegates were also able to attend this event. iAWACS’10 included workshops on smart cards and crash courses on securing PLC networks, but the most noteworthy item on the agenda was the anti-virus evaluation challenge ‘PWN2KILL’, the aim of which was to attempt to bypass anti-virus software and evaluate its effectiveness in practical terms. A technical summary is available on the iAWACS website. [David Harley shares his views on the challenge on p.2 – Ed.]

GETTING STARTED

After an official EICAR members meeting and welcome party on the Sunday evening, the real meat of the conference began on Monday morning with an opening address from the chairman of EICAR, Rainer Fahs, continuing with a keynote from Christophe Devine – better known as the father of ‘Aircrack’ – about problems related to AV testing. He described a series of tests and rated their usefulness. Devine believes that, in most cases, careful inspection reveals no real winners, and several tests are not even relevant to the real world. He proposed an initiative called AVerify, an open-source anti-virus test suite which would facilitate the creation of reproducible, more reliable tests. AVerify would be inspired by the EICAR test file, maintained independently of EICAR but following the same code of conduct.


EICAR 2010

by on Apr.30, 2010, under Malware Research

I will attend EICAR 2010 in Paris from 7th May to 15th May. I wish I could be lucky enough to meet some guys who are also interested in ARK and have tried SysReveal.


GoolBot – if loving you is wrong, I dont want to be right

by on Feb.04, 2010, under Malware Research

GoolBot is another Bredolab-like piece of malware. The name comes from its binary, which contains the string “Google Bot” and uses it to fill the “User-Agent” header in the initial communication request. Surprisingly, it’s quite straightforward: no fancy encryption, just plain-text HTTP. That’s why I love it.

Server response on 30th Jan.

Server response on 3rd Feb.

You may notice that the list changed. Yes, that is the most important characteristic of GoolBot: it downloads large amounts of malware onto the infected computer and turns it into a multi-function bot. Usually it downloads a FakeAV downloader, Pushdo/Cutwail, Zbot, etc. As a simple mitigation, you could just block the domain name klitar.cn.


Sorry, Pushdo. I’m Married.

by on Feb.04, 2010, under Malware Research

Yet again we have arrived to witness Pushdo’s aftermath. After spreading with its old friend Bredolab (v10) and its new friend GoolBot (v9), and with only a few days to go before Valentine’s Day, Pushdo will not let this opportunity slip away: it (v11) has started to spread the love once again. As usual, Russia is an exception.

The Pushdo advanced installer doesn’t change: same routine, same communication protocol, same custom encryption. It has just changed its coat (custom stub + UPX 3.03). The attachment myphoto.exe could be a FakeAV downloader; in this case, it downloads fixer_sdgareh_b.exe, which is FakeAV.
