Full Disclosure mailing list archives

Re: (no subject)


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 13 Aug 2004 10:20:26 -0400

Harlan Carvey wrote:

> Forget the whole naming thing...it's been bandied
> about before, ad nauseam, and things haven't changed. What *I* would like to see is some real analysis of
> what they find. Too many times, weeks after
> something's come out, some A/V company still has
> "modifies/updates some Registry keys" on their web
> site. Even Symantec lacks consistency with
> this...specifying Registry keys or file entries that
> affect Win9x vs NT+ in some writeups, but not in
> others.

I think the whole AV naming issue is, though problematic, the least of our problems. I think you hit the nail on the head here, Harlan.

How do you enforce a unified naming schema? How would you hold them accountable for following the standard and/or listening to the standard body that does the naming? There's no way to do it that I know of that wouldn't cause all kinds of problems. Not to mention the fact that in most western countries this would almost certainly be a major legal rights issue. I'm no libertarian by any stretch of the imagination, but not allowing corporations to maintain their own naming symbols is counterproductive and problematic on many levels.

What I would like to see is an organization that maintains its own malware dictionary - including virii, trojan horses, worms, spyware, adware, exploits, etc...

This organization would have a standardized naming procedure, and these standard names would be able to be cross-referenced with the aliases that the anti-virus companies utilize. The sole purpose of this organization would be to provide this information to whomever looks for it. It would not serve to force the AV vendors to do anything. Yes, this is similar to CVE. Yes, it would take a monumental amount of work to do. :) But, it could also be a very useful resource if created properly.

I can see forums for each malware branch/variant. I can see evolving analysis trees. I can see white-paper repositories on specific malware methods and ways to keep them from doing their damage.

I think that the solution to this is not to try to force the companies to do what they don't want to do -- that's worse than herding cats. The key is to create a meeting-ground of sorts. This is fraught with problems as well, but could be really worthwhile. Does anything like this exist at this moment?

            -Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html