funsec mailing list archives

RE: another VX site?


From: "Oliver Schneider" <Borbarad () gmxpro net>
Date: Sat, 7 Jan 2006 17:59:37 +0100 (MET)

Hey, that's a great idea. Why didn't anyone think of it before!
I am well aware of CME - it is actually amazing when one sees how intransparent
most parts of the AV industry are for "outsiders".

 - How often should the vendors sit down together?
Physically maybe once a year, virtually (i.e. over the internet) at least as
soon as anyone has a new sample - history proves that names of viruses have
actually changed in the signature files (so it is quite possible to meet once
a week and agree on the common names for the last week's detected samples).
And I don't say they have to give it the same name, it would already be
sufficient if a central and neutral(! - don't tell me the US department of
homeland security is neutral) institution would take submissions of new
samples and then (unless it was already submitted) assign it numbers or
whatever else (just as CME does, but including old samples, and still,
located at a *neutral* organization!). These numbers are fed back to the
vendors, e.g. vendors look up certain hashes + file sizes of their "newly"
found sample and just pick the number if one was assigned already or submit
it to the institution if it's a new one. Vendors then could still have their
own naming schemes (although the actual names could also be normalized).

 - How many vendors will participate in these meetings?
All.

 - What names should they use in between these get-togethers?
Possibly either the unique numbering scheme or, if they finally got it to
have human-readable names, these.

 - How will vendors determine whether they're actually talking about the 
same thing (remember, you can have two samples of the same thing, which 
aren't the same file)?
Then you still have something like a hierarchy (platform, category, family,
virus ...). CME proves it can work, but I yearn for a more holistic approach
to it.

IMO the current problem is that many of the virus writers seem united in
sharing knowledge. I know of the database which is shared among virus
vendors, but to me it sounded as if no one really likes it. As long as the
AV vendors do not learn to share their knowledge (including *all* samples in
a timely manner) and compete through their engines instead of through the
number of detected pieces of malware or whatever, the "dark side" will be
better off anyway.

... let alone how intransparent the processes in the whole AV industry are.
As if making it transparent would give the "dark side" any advantage. As if
vetting on lists like TH-Research gives the "dark side" any drawbacks (well,
maybe if you count stoopid script kiddies to the dark side, ha ha ha ...).
They share their knowledge through other channels and obviously prevail,
even worse - writing trojans and worms and the like has become a big
business while it was "just" the venture of some outlaws before, who just
didn't care how they acquired new knowledge ...

Cheers,

Oliver

-- 
---------------------------------------------------
May the source be with you, stranger ;)

ICQ: #281645
URL: http://assarbad.net
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
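The registry Oliver sketches above (a neutral body that takes sample submissions, de-duplicates them by hash plus file size, hands out a stable number, and lets every vendor keep its own name as an alias, with a family hierarchy on top to relate different files of the same thing) can be modelled in a few dozen lines. The code below is an added illustration, not something from the post, from CME, or from any vendor; the class and method names, the family-path format, and the byte strings used as stand-in samples are all constructed for the example.

```python
"""Toy model of a neutral malware-sample registry: de-duplicate by
(sha256, size), assign a stable number, keep vendor names as aliases,
and relate distinct files through an agreed family path.
All names and data here are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    number: int                                   # the neutral identifier
    sha256: str
    size: int
    family: Optional[str] = None                  # e.g. "platform/category/family"
    vendor_names: Dict[str, str] = field(default_factory=dict)


class SampleRegistry:
    """Hypothetical central registry; vendors look up or submit samples."""

    def __init__(self) -> None:
        self._by_key: Dict[Tuple[str, int], Entry] = {}
        self._by_number: Dict[int, Entry] = {}
        self._next = 1

    @staticmethod
    def key(data: bytes) -> Tuple[str, int]:
        # Hash + file size, as the post suggests vendors would look up
        return hashlib.sha256(data).hexdigest(), len(data)

    def lookup(self, sha256: str, size: int) -> Optional[int]:
        """Vendor-side check: is a number already assigned for this hash + size?"""
        e = self._by_key.get((sha256, size))
        return None if e is None else e.number

    def submit(self, data: bytes, vendor: str, vendor_name: str) -> int:
        """Return the existing number or assign a new one; the vendor's
        own name is stored only as an alias, never as the identity."""
        k = self.key(data)
        e = self._by_key.get(k)
        if e is None:
            e = Entry(number=self._next, sha256=k[0], size=k[1])
            self._next += 1
            self._by_key[k] = e
            self._by_number[e.number] = e
        e.vendor_names[vendor] = vendor_name
        return e.number

    def set_family(self, number: int, family: str) -> None:
        """Record the agreed hierarchy (platform/category/family) for a sample."""
        self._by_number[number].family = family

    def names_for(self, number: int) -> Dict[str, str]:
        return dict(self._by_number[number].vendor_names)

    def same_family(self, a: int, b: int) -> bool:
        """Two different files are 'the same thing' only if both have an
        agreed family and it matches; unclassified samples never match."""
        fa = self._by_number[a].family
        fb = self._by_number[b].family
        return fa is not None and fa == fb


def demo() -> dict:
    reg = SampleRegistry()
    # Constructed, benign byte strings standing in for sample files.
    sample_a = b"CONSTRUCTED-SAMPLE-A" * 8
    sample_b = b"CONSTRUCTED-SAMPLE-B" * 8   # different file, same family as A
    sample_c = b"CONSTRUCTED-SAMPLE-C" * 8   # unrelated, never classified
    n1 = reg.submit(sample_a, "VendorX", "W32/Example.A")
    n2 = reg.submit(sample_a, "VendorY", "Win32.Example.a")  # same file, same number
    n3 = reg.submit(sample_b, "VendorX", "W32/Example.B")
    reg.set_family(n1, "win32/worm/example")
    reg.set_family(n3, "win32/worm/example")
    n4 = reg.submit(sample_c, "VendorY", "Unrelated")
    sha_b, size_b = SampleRegistry.key(sample_b)
    return {
        "n1": n1, "n2": n2, "n3": n3, "n4": n4,
        "names_1": reg.names_for(n1),
        "same_family_1_2": reg.same_family(n1, n3),
        "same_family_1_3": reg.same_family(n1, n4),
        "lookup_b": reg.lookup(sha_b, size_b),
        "lookup_unknown": reg.lookup("00" * 32, 1),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: identity lives in the content hash and size, so two vendors submitting the same file collide on one number regardless of what each calls it, while "same thing, different file" is a separate, explicitly agreed relation rather than something the registry guesses.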