funsec mailing list archives
RE: another VX site?
From: "Oliver Schneider" <Borbarad () gmxpro net>
Date: Sat, 7 Jan 2006 17:59:37 +0100 (MET)
Hey, that's a great idea. Why didn't anyone think of it before!
I am well aware of CME - actually amazing when one sees how intransparent most parts of the AV industry are for "outsiders".
- How often should the vendors sit down together?
Physically maybe once a year, virtually (i.e. over the internet) at least once anyone has a new sample - history proves that names of viruses have actually changed in the signature files (so it is well possible to meet once a week and agree on the common names for the last week's detected samples). And I don't say they have to give it the same name, it would already be sufficient if a central and neutral(! - don't tell me the US department of homeland security is neutral) institution would take submissions of new samples and then (unless it was already submitted) assign it numbers or whatever else (just as CME does, but including old samples, and still, located at a *neutral* organization!). These numbers are fed back to the vendors, e.g. vendors look up certain hashes + file sizes of their "newly" found sample and just pick the number if one was assigned already or submit it to the institution if it's a new one. Vendors then could still have their own naming schemes (although the actual names could also be normalized).
- How many vendors will participate in these meetings?
All.
- What names should they use in between these get-togethers?
Possibly either the unique numbering scheme or, if they finally got it to have human-readable names, these.
- How will vendors determine whether they're actually talking about the same thing (remember, you can have two samples of the same thing, which aren't the same file)?
Then you still have something like a hierarchy (platform, category, family, virus ...). CME proves it can work, but I yearn for a more holistic approach to it.
IMO the current problem is that many of the virus writers seem united in sharing knowledge. I know of the database which is shared among virus vendors, but to me it sounded as if no one really likes it. As long as the AV vendors do not learn to share their knowledge (including *all* samples in a timely manner) and compete through their engines instead of through the number of detected pieces of malware or whatever, the "dark side" will be better off anyway.
... let alone how intransparent the processes in the whole AV industry are. As if making it transparent would give the "dark side" any advantage. As if vetting on lists like TH-Research gives the "dark side" any drawbacks (well, maybe if you count stoopid script kiddies to the dark side, ha ha ha ...). They share their knowledge through other channels and obviously prevail, even worse - writing trojans and worms and the like has become a big business while it was "just" the venture of some outlaws before, who just didn't care how they acquired new knowledge ...
Cheers,
Oliver
--
---------------------------------------------------
May the source be with you, stranger ;)
ICQ: #281645
URL: http://assarbad.net