funsec mailing list archives
RE: another VX site?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 14:22:13 +1300
Oliver Schneider to me:
> > What do you mean by that? Like the tropical storm naming systems?
>
> Whatever ... some uniform naming scheme shared among all the vendors. I think that a consortium made up of a dozen or so of the AV vendors would suffice to push others to use the same scheme.
The problems of mapping names to new families are multitudinous... First, someone analysing a sample has to correctly decide that this thing is, in fact, deserving of placement in a new family. With viruses this is supposed to be relatively easy as they are supposed to be put in families primarily on the basis of their replication code. This simple rule, however, is not at all well followed -- note all the AV companies that cannot even tell that the non-replicating malware _associated with_ Bagle _cannot_ be put in the Bagle family because the Bagle family is a _virus_ family... (Only CA and Symantec are doing a half decent job of keeping all those Glieder, Mitglieder and other downloaders, droppers, etc separated by functionality...).

There's more, but I must stop trolling my Email and get on with some work, so I'll cut to why the hurricane naming system won't work...

First, it would have to be a long list of potential names, whereas with hurricanes it is limited to (actually, less than) 26 per annually-refreshed list. Further, names repeat in the hurricane list _unless_ they happen to get used for a really major storm (e.g. Andrew, Katrina, Rita will never (?) be used again _on the Atlantic list_).

Second, (some) AV researchers really do like to devise "appropriate" names for the malware they analyse and name. This is a double-edged sword as often they come up with really bad names for malware -- e.g. in general AV researchers dislike naming viruses _either_ as the virus writer wanted _or_ after the virus writer (yes, there are lots of examples where this advice has not been followed, and not everyone agrees, but publicity _was_ a major incentive for a lot of virus writers, so denying them their jollies might not be a bad thing). If there was a list like the hurricane list and there was a name a virus writer "liked" coming up, the list could be gamed to try to get the desired name, which many of us would consider a bad thing.

Further, the list could be gamed by several writers all trying to get the same name, and we may end up with several entirely unrelated viruses in a short period of time all proclaiming to be the FooBar virus, when only one of them actually succeeded in getting that name. This is why, unlike CVE, CME uses a random draw for the number -- someone will not be able to game CME-666 or whatever numbers are "desirable" to them... And yes, as I recall, when CME gets "close" to assigning all three-digit numbers the pool will have all four-digit numbers added so the last few three-digit ones cannot be gamed, and so on...

An alternative proposal we commonly see is to have a "hurricane list" but not for all viruses/malware; just for "the really big ones". This suggestion is universally prefaced or followed by "it works really well for tropical storms". Well, the problem there is malware outbreaks are not like tropical storms. We often find, add detection, and therefore name, new things before it is apparent that they have reached "outbreak" scale. Further, our strong preference for keeping things in families of similar code means that when FooBar.F finally comes along and "hits it lucky" we will not want to call it by the next name on the hurricane list...

Another problem with the "hurricane list for outbreaks" suggestion is that outbreaks are not at all obvious nor objectively defined. Sometimes we "just know" that something "will go ballistic" and probably about half that time we are actually right. But there's also the flip side -- sometimes (though rarer) you'll see some new mass-mailer (or whatever) and think "That's so clearly stupid and rubbish it can't have a chance" _plus_ the early indications from filtering sensors and what have you show no typical initial up-tick. But, 24, 36, 48 (and occasionally even more) hours later -- boom... Hurricanes are not like that. There are objective measures that define when a formation is a tropical storm, and at that point it gets named. Further, there are objective points at which the watchers can say "it is now a hurricane" and so on. These mainly happen when the storm is reasonably far off to sea and they provide plenty of warning as to which areas may need to evacuate, etc, etc. Often with malware, it becomes an "incident of note" well after it has been found, analysed and named.

I could continue, but I really must get into some work...
> Of course, a numbering scheme is already a turn into the right direction, but it won't help too much because the different fora are flooded with the different names (not numbers), while many of the differing names actually mean the same malware. ...
Providing that common cross-reference number is the point of the CME scheme, but the scale and speed with which CME can operate means that it will seldom be on top of or ahead of the actual outbreaks. You'll still get Symantec making a press release about Beagle when most other vendors use "Bagle" and a CME will be assigned _after_ that...
> ... So someone in search for information about one thing might find a different thing instead of what he searches for or not find it at all because the naming scheme of his vendor is not quite widespread.
Yep -- and realistically, this seems unlikely to change much in future...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
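The random-draw allocation with pool widening that the message above describes for CME, modelled in Python as an added example (not code from the mail, and not CME's own implementation). The `IdentifierPool` class, its `reserve` threshold and the `CME-` prefix format are assumptions made for the illustration; it shows why a fixed pool leaves the last number fully predictable and how widening the pool early removes that.

```python
import secrets


class IdentifierPool:
    """Random-draw identifier allocator in the spirit of the CME scheme
    described in the mail (hypothetical model, not CME's own code).

    Numbers are drawn at random from all numbers of the current width
    (3-digit to start).  Once only `reserve` of them remain, every number
    of the next width is added *before* the next draw, so the last few
    3-digit numbers are no easier to game than any other.
    """

    def __init__(self, width=3, reserve=10):
        self.width = width        # widest number width currently in the pool
        self.reserve = reserve    # widen the pool once this few remain
        self.pool = set(range(10 ** (width - 1), 10 ** width))
        self.issued = []

    def _widen(self):
        """Add every number of the next width to the pool."""
        self.width += 1
        self.pool.update(range(10 ** (self.width - 1), 10 ** self.width))

    def remaining(self):
        return len(self.pool)

    def chance_of(self, wanted):
        """Probability that the very next draw hands out `wanted`: what a
        submitter hoping for a 'desirable' number like 666 is up against."""
        if wanted not in self.pool:
            return 0.0
        return 1.0 / len(self.pool)

    def draw(self):
        """Issue the next identifier, widening the pool first if needed."""
        if len(self.pool) <= self.reserve:
            self._widen()
        # secrets, not random: the draw must not be reproducible by others
        chosen = secrets.choice(sorted(self.pool))
        self.pool.remove(chosen)
        self.issued.append(chosen)
        return f"CME-{chosen}"   # prefix format assumed for the illustration


def next_sequential(last):
    """Contrast: a running counter (CVE-style) makes the next value certain."""
    return last + 1
```

With `reserve=0` the pool is never widened early, and after 899 draws `chance_of` the one remaining 3-digit number is 1.0, which is exactly the gameable case the widening rule prevents.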