funsec mailing list archives

RE: another VX site?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 14:22:13 +1300

Oliver Schneider to me:

> What do you mean by that?
> 
> Like the tropical storm naming systems?
> Whatever ... some uniform naming scheme shared among all the vendors. I
> think that a consortium made up of a dozen or so of the AV vendors would
> suffice to push others to use the same scheme.

The problems of mapping names to new families are multitudinous...

First, someone analysing a sample has to correctly decide that this 
thing is, in fact, deserving of placement in a new family.  With 
viruses this is supposed to be relatively easy as they are supposed to 
be put in families primarily on the basis of their replication code.  
This simple rule, however, is not at all well followed -- note all the 
AV companies that cannot even tell that the non-replicating malware 
_associated with_ Bagle _cannot_ be put in the Bagle family because the 
Bagle family is a _virus_ family...  (Only CA and Symantec are doing a 
half decent job of keeping all those Glieder, Mitglieder and other 
downloaders, droppers, etc. separated by functionality...).

There's more, but I must stop trolling my Email and get on with some 
work, so I'll cut to why the hurricane naming system won't work...

First, it would have to be a long list of potential names, whereas with 
hurricanes it is limited to (actually, less than) 26 per annually 
refreshed list.  Further, names repeat in the hurricane list _unless_ 
they happen to get used for a really major storm (e.g. Andrew, Katrina, 
Rita will never (?) be used again _on the Atlantic list_).

Second, (some) AV researchers really do like to devise "appropriate" 
names for the malware they analyse and name.  This is a double-edged 
sword as often they come up with really bad names for malware -- e.g. 
in general AV researchers dislike naming viruses _either_ as the virus 
writer wanted _or_ after the virus writer (yes, there are lots of 
examples where this advice has not been followed, and not everyone 
agrees, but publicity _was_ a major incentive for a lot of virus 
writers, so denying them their jollies might not be a bad thing).  If 
there was a list like the hurricane list and there was a name a virus 
writer "liked" coming up, the list could be gamed to try to get the 
desired name, which many of us would consider a bad thing.

Further, the list could be gamed by several writers all trying to 
get the same name, and we may end up with several entirely unrelated 
viruses in a short period of time all proclaiming to be the FooBar virus, 
when only one of them actually succeeded in getting that name.  This is 
why, unlike CVE, CME uses a random draw for the number -- someone will 
not be able to game CME-666 or whatever numbers are "desirable" to 
them...  And yes, as I recall, when CME gets "close" to assigning all 
three-digit numbers the pool will have all four-digit numbers added so 
the last few three-digit ones cannot be gamed, and so on...

An alternative proposal we commonly see is to have a "hurricane list" 
but not for all viruses/malware; just for "the really big ones".  This 
suggestion is universally prefaced or followed by "it works really well 
for tropical storms".  Well, the problem there is malware outbreaks are 
not like tropical storms.  We often find, add detection, and therefore 
name, new things before it is apparent that they have reached 
"outbreak" scale.  Further, our strong preference for keeping things in 
families of similar code means that when FooBar.F finally comes along 
and "hits it lucky" we will not want to call it by the next name on the 
hurricane list...

Another problem with the "hurricane list for outbreaks" suggestion is 
that outbreaks are not at all obvious nor objectively defined.  
Sometimes we "just know" that something "will go ballistic" and 
probably about half that time we are actually right.  But there's also 
the flip side -- sometimes (though rarer) you'll see some new 
mass-mailer (or whatever) and think "That's so clearly stupid and rubbish it 
can't have a chance" _plus_ the early indications from filtering 
sensors and what have you show no typical initial up-tick.  But, 24, 
36, 48 (and occasionally even more) hours later -- boom...  Hurricanes 
are not like that.  There are objective measures that define when a 
formation is a tropical storm, and at that point it gets named.  
Further, there are objective points at which the watchers can say "it 
is now a hurricane" and so on.  These mainly happen when the storm is 
reasonably far off to sea and they provide plenty of warning as to 
which areas may need to evacuate, etc, etc.  Often with malware, it 
becomes an "incident of note" well after it has been found, analysed 
and named.

I could continue, but I really must get into some work...

> Of course, a numbering scheme is already a turn in the right direction,
> but it won't help too much because the different fora are flooded with the
> different names (not numbers), while many of the differing names actually
> mean the same malware.  ...

Providing that common cross-reference number is the point of the CME 
scheme, but the scale and speed with which CME can operate means that 
it will seldom be on top of or ahead of the actual outbreaks.  You'll 
still get Symantec making a press release about Beagle when most other 
vendors use "Bagle" and a CME will be assigned _after_ that...

> ...  So someone in search of information about one thing
> might find a different thing instead of what he searches for, or not find it
> at all because the naming scheme of his vendor is not quite widespread.

Yep -- and realistically, this seems unlikely to change much in 
future...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.