funsec mailing list archives

Re: another VX site?


From: Drsolly <drsollyp () drsolly com>
Date: Sun, 8 Jan 2006 17:08:36 +0000 (GMT)

I wasn't there, so I'd love to hear Alan's take on this if my 
assumptions are wrong, BUT familial grouping by code similarity was 
seen as an important feature of the naming scheme by _most_ AV 
researchers in the early days as grouping similar things in a 
classification system seems to be a natural process for humans and it 
helps reduce the potential overload of a classification system that 
does NOT have such a function.

When you see how a virus infects and how you do the repair, you see which
virus it most resembles (and probably which virus was used as a template
for making the "new" virus). So, as soon as you've identified a new
specimen as another variant on Jerusalem, you don't have to think very
hard to know how to do the exact identification and repair (and it also
makes the disassembly a lot easier), and laziness is one of the three
programming virtues.

In the early days, it was mainly Vess who was keen on familial 
classification (he was an academic then). I had some interest (it helped 
in the pursuit of laziness), and Fridrik's product used a scanning method 
that tended to give familial identification, and I think his database was 
family-oriented.

That is a very important thing to recall too -- when all this started, 
virtually ALL malware that was of interest to the nascent AV industry 
was _parasitically infectious_.  Nowadays probably 99+% of the malware 
_files_ handled by AV, IDS, etc, etc systems are static _by design_. 

Even then, there might be data areas, counters or internal buffers, which
are different from instance to instance.

They may still be viral -- what I call "monolithic replicators"; think 
network share crawlers, self-mailers, etc -- but this was an almost 
unseen category back when Alan, Vess and Frisk were cutting their teeth 
on Lehigh, Stoned, Jerusalem, etc, etc and talking about standardizing 
a naming scheme.  And that was a good thing, as the scheme we have 
today is flexible and extensible enough to fairly easily deal with the 
vagaries of malware development we have seen in the last 15+ years...

We didn't know how things would develop, but we could see that 
extensibility would be important.
 
In the past, very few AV products tried to apply a virus map; working out 
a virus map is quite time consuming on the analyst. And, as of 1995, 
Findvirus was the only product that used virus maps to do exact 
identification (the situation might be different now).

I had an idea that Frisk has been using something very similar for a 
very long time (even since _before_ the major engine revision at v2.0)?

I'm not certain, but I don't think so, because F-Prot couldn't do *exact* 
identification.
 
You really do not want the "what is the correct plural of virus" 
discussion here,

Too right, and I normally don't bother, it's actually helpful when folks
self-identify as 1337. I don't really know why I bothered this time.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
