CARO Workshop 2010 – Day One

Greetings from picturesque Helsinki where the 2010 CARO workshop (Computer Anti-virus Research Organisation) is being held. This year the focus is on the scale of the malware problem, a problem all anti-virus vendors have no choice but to deal with.

The keynote speaker was veteran anti-virus expert Dr Alan Solomon (famous, of course, for Dr Solomon’s Anti-Virus Toolkit before his company was ultimately acquired in the late 1990s by McAfee). A couple of the guys who work at Sophos used to work for Alan back then, including SophosLabs director Mark Harris and Graham Cluley (Graham wrote about some of his experiences working for Alan over on his blog).

Dr Solomon demonstrates his perfect anti-virus

The CARO workshop is attended predominantly by anti-virus vendors (with ponytails, it seems; only Alan Solomon was wearing a Santa Claus hat) and others involved in the computer security world, so it is only fitting that the presentations today have revolved around practical issues such as sample sharing and other volume-related topics.

So there have been several graphs showing exponential sample growth and data explaining that anti-virus will be dead by 2012. Yikes! It sounds like it’s game over.

Well, not quite. Fortunately Roel Schouwenberg from Kaspersky Labs had the sensible hat on. His point: focusing on detecting executables, which are by far the most common threat we see, is not the only (or best) way to protect users. The executable is normally the last link in the chain, and there are normally multiple other opportunities to block the threat before it.

For example, if you block your users from going to a dodgy domain, you don’t need to worry about any malicious executables hosted there. This is something we’ve been doing for a while at Sophos.

From a researcher’s point of view there was an excellent talk by Microsoft’s Tim Ebringer. He has developed a system which allows their analysts to search for binary strings. When they receive a new sample they extract a few key bytes and can pull down similar files in less than a second.

Whilst certain members of the AV community really couldn’t see the point, trust me, it is cool and something front-line analysts will use daily. We’ve got something similar at Sophos but we might just need to borrow an element or two from “Bindex”.
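To make the idea concrete, here is an added toy implementation of a byte-string index of the kind described above: every overlapping 4-byte window of each sample is indexed, so an analyst can look up which samples contain a given byte sequence, or rank the corpus by how many windows it shares with a new file. This is illustrative code written for this post, not Microsoft’s Bindex or Sophos’s system, and the three “samples” are constructed byte strings, not real malware.

```python
from collections import Counter, defaultdict

NGRAM = 4  # index every overlapping 4-byte window of each sample


def ngrams(data: bytes, n: int = NGRAM) -> set:
    """All distinct n-byte windows of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


class ByteIndex:
    """Inverted index from byte n-gram to the samples containing it."""

    def __init__(self):
        self.postings = defaultdict(set)  # n-gram -> set of sample names
        self.samples = {}                 # sample name -> raw bytes

    def add(self, name: str, data: bytes) -> None:
        self.samples[name] = data
        for g in ngrams(data):
            self.postings[g].add(name)

    def search(self, key: bytes) -> set:
        """Samples containing key as a contiguous byte string.

        Intersecting the postings of the key's windows gives candidates;
        the final `in` check rejects files that have the windows but not
        in one run, so there are no false positives."""
        windows = ngrams(key)
        if not windows:
            return set()
        cands = set.intersection(*(self.postings.get(w, set()) for w in windows))
        return {n for n in cands if key in self.samples[n]}

    def similar(self, data: bytes, top: int = 3) -> list:
        """Rank indexed samples by the fraction of data's n-grams they share."""
        query = ngrams(data)
        hits = Counter()
        for g in query:
            for name in self.postings.get(g, ()):
                hits[name] += 1
        return [(n, round(c / len(query), 2)) for n, c in hits.most_common(top)]


# Constructed corpus: two files sharing a common stub, one unrelated file.
STUB = b"MZ\x90\x00PE\x00\x00downloader-stub"
CORPUS = {
    "sample_a.bin": STUB + b"payload-A",
    "sample_b.bin": STUB + b"payload-B",
    "sample_c.bin": b"\x7fELFunrelated-binary-content",
}


def build_index() -> ByteIndex:
    idx = ByteIndex()
    for name, data in CORPUS.items():
        idx.add(name, data)
    return idx
```

Given a new file `STUB + b"payload-Z"`, `similar()` puts both stub-sharing samples at the top while the unrelated file does not appear at all, and `search(b"downloader")` returns exactly the two files carrying that string.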

Hopefully the talks tomorrow are as interesting as they were today.