2010 CARO workshop (Computer Anti-virus Research Organisation)



    Posted: 28 May 2010
    CARO Workshop 2010 - Day One
    Greetings from picturesque Helsinki where the 2010 CARO workshop (Computer Anti-virus Research Organisation) is being held. This year the focus is on the scale of the malware problem, a problem all anti-virus vendors have no choice but to deal with.

    The keynote speaker was veteran anti-virus expert Dr Alan Solomon (famous, of course, for Dr Solomon’s Anti-Virus Toolkit before his company was ultimately acquired in the late 1990s by McAfee). A couple of the guys who work at Sophos used to work for Alan back then, including SophosLabs director Mark Harris and Graham Cluley (Graham wrote about some of his experiences working for Alan over on his blog).

    CARO workshop is attended predominantly by anti-virus vendors (with ponytails it seems; only Alan Solomon was wearing a Santa Claus hat) and others involved in the computer security world, so it is only fitting that the presentations today have revolved around practical issues such as sample sharing and other volume-related topics.

    So there have been several graphs showing exponential sample growth and data explaining that anti-virus will be dead by 2012. Yikes! It sounds like it’s game over.
    Well, not quite. Fortunately Roel Schouwenberg from Kaspersky Labs had the sensible hat on. Focusing on detecting executables, which, although they are by far the most common threat we see, is not the only (or best) way to protect users. The executable is normally the last link in the chain but there are normally multiple other opportunities to block the threat.

    For example, if you block your users from going to a dodgy domain, you don’t need to worry about any malicious executables hosted there. This is something we’ve been doing for a while at Sophos.

    Source - CARO Workshop 2010 - Day One | SophosLabs blog

    CARO Workshop 2010 - Day Two
    Today’s talks were much more upbeat. Instead of dwelling on the asymptotic apocalypse we’re all apparently hurtling towards, speakers presented case studies of some of the most interesting recent malware and practical methods for conducting analysis, classification and even testing.



    Cristian Craioveanu of Microsoft kicked off the day with analysis of the Aurora exploit attacks, supposedly launched from China and targeted at Google and several other high-profile companies. We blogged about this at the time and mentioned that Sophos’ BOPs technology would effectively prevent the exploit from causing any damage to our customers. Cristian laid out the complete timeline of the exploit and presented prevalence data for the exploit which clearly showed that use of the exploit exploded after it was leaked to the public and subsequently made available on Metasploit.

    That talk was followed up by another case study, this time by Peter Kruse and Dennis Rand of CSIS. They talked about a banking Trojan that they believed had stolen at least 2 million kroner from Danish banking customers and had also been used to attack banks in the US, Ireland, Greece and Holland. They gave the checksum of a sample in their talk and we can confirm that Sophos detects this family of banking Trojans as Troj/Alvabr-Gen.

    Source - CARO Workshop 2010 - Day Two | SophosLabs blog
    Posted By: JMH
    28 May 2010



 
