funsec mailing list archives
RE: CME: A Total Failure -- Throw in the Towel
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 16 Mar 2006 21:21:38 +1300
Drsolly to David Harley: [This was mostly written a few days ago, but interrupted...]
But maybe that's the whole point. Glut has always been a problem, but it's a little more complicated now. Variants, subvariants, subvariants with multiple packers, multiple malcodes with common code, malcode that mutates as new mods become available. Traditionally, naming has depended on exchange of samples to establish a common code set, as has testing. But we're not in Kansas anymore, and those models don't work.

Here's what I don't understand about the Mitre scheme. Suppose I have a file on a floppy disk. How do I determine whether this is CME-24, or merely something that has some similarities to that?
There's nothing you shouldn't be able to understand there Alan; in fact, it's all really rather simple... CME is a (very incomplete) "dictionary" of "malware threats" that (mainly) acts as a cross-reference of the names that the participating AV companies detect specific examples of what they and the CME maintainers jointly agree is a single (though possibly comprised of multiple files, network streams, etc), specific threat. For pragmatic reasons, it is currently limited to only dealing with "important" malware threats rather than trying to be a complete naming cross-reference. (Note that due to a twist of history, by the time CME finally "got off the ground" the need for it had largely vanished, with the "bad guys" who were previously writing and releasing mass-propagating malware mainly diverting their attention to smaller-scale, less-noisy, longer-lived malware increasingly being given "more sexy" monikers like "crimeware" to satisfy the need for media exposure of an increasing number of new "anti-[something]" software makers and/or service providers who have latched onto the fact that folk like Alan made wheelbarrows of dosh selling similar such stuff in the early days of AV and apparently did so thanks largely to the clever management of the media's coverage of the emerging "virus threat"...)
For CME to be much more than that (like, "far from very incomplete"), AND particularly if its aim is to become something of a solution to the (historic) malware naming problem, someone (and you can be sure it won't be the vendors who actually do the "deconfliction" now) will have to spend a truckload of analysis time on the many, many samples of all the stuff that currently makes CME "far from complete", and they will have to devise a reliable way to separate different variants from each other (at a very fine level if the aim is to solve the naming problem, because that is the level at which (some of) the AV labs already do it) while not separating different samples of "the same" polymorphic and metamorphic malcode. If CME does all that, it will have developed the vast bulk of the technology necessary for a top-class virus/malware detector (something massively superior to any wet-dream the OAV and Clam folk ever had). I _may_ be being a tad skeptical here, but I don't see MITRE (or anyone else) putting in anything approaching that level of effort _purely to solve the malware naming problem_ as the development costs would surely vastly outweigh any perceived benefits... (Don't get me wrong -- I agree with the AV users who wonder why all these (reputedly -- and mostly _very_ deservedly) terribly smart top AV researchers cannot, once and for all, resolve their differences when it comes to malware naming, but as none of even the largest and loudest corporate critics of the naming mess have actually committed a single purchasing dollar to persuading any vendor that they need to tidy up "their part" of the naming mess, I'm _sure_ the industry will not attempt to try to fix it unilaterally...) Finally, because far too many folk who really should know better think malware detection is "glorified grep", far too many folk have far too simplified a view of what the naming problem really is.
Those folks' view of the problem is beyond the laughably naïve, yet they make up the vast bulk of people who comment on the (general) "failure of CME", the failure of CME or anything else to solve the naming problem, and so on.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.