Yesterday we’ve seen some warm up discussions about past botnets (Mariposa, Webwail), some PDF exploits detection techniques, and a very interesting discussion about cyber terrorism, by Morton Swimmer of Trend Micro.

The presentation I liked most was that of Pedro Bustamante from Panda Security, about the Mariposa botnet. Leaving aside the technical details, which are very interesting and detailed, one thing raised some eyebrows and laughs: Two of the members of the Mariposa gang came to Panda to ask for a job.

They even brought their CVs to show that they have some knowledge in the security field. Of course, the guys at Panda didn’t hire them and even helped the Spanish police to get them behind bars (even if only temporarily).

I would like to point out that this is the only way a serious software security company handles such requests. If you hear that some company hired a fraudster or an ex-fraudster, stop using their products. You simply can never know when something hits you. Never hire a hacker or an ex-hacker is one of the unwritten laws of the security software industry. It is a moral contract between the company and the users, if you want. At least we, at Avira, will always respect that.

The second day of the conference proved to be much more animated than the first one. The topics varied more and there were also the last minute presentations on Stuxnet. The presentations which were most important for me were those about social media, threats spread via URLs and Reputation based security.

Carey Nachenberg of Symantec, talking about Reputation Based Security

At the end of the day there were two presentations about Stuxnet, one with a live demonstration. All presenters were gathered around a discussion panel and the participants to the conference started to fire questions.

One presentation really created a lot of negative reaction in the audience: “Why your AV solution is ineffective against today’s threats” from Greg Leah, Symantec. The message is that with so many polymorphic threats these days, it is no longer possible to keep the pace with malware while making signatures for each variant. The solution is to use heuristics to detect the threats. Greg’s message does make sense and everybody in the audience agreed on that.

On the other hand, it is not quite true that a signature is being made for each variant – nobody does such a thing these days. Greg is coming from the old MessageLabs, now Symantec managed email security. He has tested the detection of emails containing as attachments polymorphic viruses, while he measured the reaction time of all vendors only for the attachments and not for the entire email. This is like comparing apples with oranges. A correct approach would have been to compare the same detection process for all vendors, and the results would’ve been much different.

Sorin Mustaca
Data Security Expert