RE: AV Naming Convention

["Todd Towles" <toddtowles () brookshires com>]

I didn't take offend, don't worry.

Nowhere did I state that AV researchers were doing a crappy job and
everything needs to change. I stated a shift is needed. A shift toward more
sharing of information between AV companies is needed. 

A naming convention would be a start, and a good one I think. Do we have to
have a council and all this stuff people are complaining about? No. 

AV companies can get together and decided how they want to do it, it isn't
my job. My job is to protect my network. I am not a virus researcher or a
code analyst (note - I never said I was).

I can tell you that the way viruses are named right now is meaningless to
the public. Look at the newspaper; they just throw headlines with "MyDoom"
and "Beagle" in them. They can't keep up with what version is or and who
called this what.

We only keep up with it because it is part of our job. I look around
Starbucks sometime and think about how lost and open to attack people are
all the time.

Do you really believe that trying to improve the AV information process is
meaningless? Just because we can't see the answer at this very second
doesn't matter that one doesn't exist.



-----Original Message-----
From: Jan Muenther [mailto:jan.muenther () nruns com] 
Sent: Tuesday, August 10, 2004 2:23 PM
To: Todd Towles
Cc: Mailing List - Full-Disclosure
Subject: Re: [Full-disclosure] AV Naming Convention

Hi,

> I wouldn't be in my position, if I ran everything that was sent me. Home
> users need to be educated, but that is a whole different issue.
Well, I didn't mean to be offensive (no really, for a change). 
I meant the 'you' rather figuratively. It's not only home users that need to

be educated - enterprise users too, in fact, especially them. 


> The Trojan on my desktop was broken down by me and a friend that is a
> security researcher. It is a Trojan used by SPAM groups. It isn't a
> mass-mailer. I am going to write any article about how I received it and
the
> partly code analysis. 

Well, do so, if you wish. Part of my job is actually forensic analyisis, and
almost every time I find some malware that's not yet documented - simply 
because a single person has written it for his/her personal use only. 
Submitting that to an AV vendor seems pretty useless to me, unless some
great 
new technique is introduced (which most often is, erm, not the case). 

Yeah, it's true, there's a lot out there which people don't see. 
In any case, the AV vendors pretty much are the ones I'd blame least. They
are on a fairly abstract level compared to the things users and sofware
vendors
f*ck up with and get their machines compromised. 

For instance, I've found ELF infectors in the wild. But Linux is free from 
Viruses, isn't it? There's a huge attitude problem here. 
I do agree though that simply educating users is probably bound to fail, at 
least most efforts seem to have little to no effect. There may be a techno-
logical solution, but the malware detection part can only be fragment, and
one
which comes in rather late, if you ask me. 
 
> But the point, I want to make is that things need to change. We can throw
> off all talks about it now (and some of you look like you want to) or we
can
> try to find ways to advance the field. We are the customers and we direct
> where the time and money is spent indirectly.

Well, can you be a bit more specific? 
I find a statement like "just do better" fairly arrogant towards people at 
researchers like f-secure, who do brilliant work in the field of matching 
e.g. variants of malware through the use of graph isomorphisms (yeah, like
halvar does). Man, they go far beyond simple pattern matching in the sense
of
e.g. snort rules. 

I'm sure if you have any revolutionary ideas, a lot of people have very much

open ears indeed, but just complaining just isn't helpful. 

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html