Re: Asynchronous, industry-wide virus naming scheme proposed

[Michel Messerschmidt <lists () michel-messerschmidt de>]

On Thu, Oct 02, 2003 at 02:21:21PM +0200, Feher Tamas wrote:
> My idea to solve the above dilemma is: why not implement a system for 
> industry-wide virus identification, called Virus Name System (VNS), 
> somewhat similar in its nature to the distributed Domain Name System 
> (DNS) of the Internet. Numerical (abstract) virus ID would be analogous 
> to the IP address and virus names replace the host name. 

Actually you're not the first who has thought of a DNS-like 
Virus Naming System. 
But there are significant differences between hostnames and virus names. 
While DNS binds a name to a single, unique IP number, 
virus researchers may get many samples of the same new virus in very
short time, that must all be mapped to the same name. 
Additionally it may be difficult to decide if two samples are actually 
the same virus. So a "first-come, first-serve" strategy like DNS may
even lead to more meaningless virus names without solving any other
basic problem.


> Just like a 
> particular IP address can have several host names associated with it, a 
> numerical virus ID could absorb two, three or seven virus names from 
> different vendors and allow for a dismissal of less-favoured names over 
> the time to keep the single real one. 

If researchers can't agree on a single name today, how should such a
system improve this situation. What's still missing is some criteria
how to select the "real one".
Therefore I don't see any advantage about current virus description
databases (that typically include common aliasnames).


> Inter-vendor discussions 
> conducted across the phone or the coffe table as to which name fits a 
> particular malware the best is not addressed in this paper.

So one of the major problems is not adressed.


> the virname system entries stored on root-VNS 
> servers should have records, formalized technical data, which is 
> verbose enough to determine if several differently named virus entries 
> submitted from diverse vendor virname servers are actually the same.

I think there exists no solution for this problem.


> Virus scanning software (the computer programs that customers buy) 
> should incorporate a new feature: when a malicious object is found, it 
> should ask the vendor-VNS server for the name of that malware, based 
> on a query with the virus name which is already hardcoded in its 
> signature database files. 

It's certainly a bad idea to require a network connection after
detecting an incident.


> If there is no match, it should fall back to the virus name which is found 
> hardcoded in its virus signature files. The substance is, the end user 
> and/or security administrator should be confronted with the most 
> authoritive name, whenever avilable.

The main problem is not to have the "most authoritive name", but to
identifiy the type of incident in order to eliminate the security
breach.


There are also some general considerations.
As you may know, it was proven impossible to generally detect every
virus. Taking into account the exponential growth of new malware,
how long will it be possible to classify and name every new piece of
malware ? Or must we rely more and more on generic detection (without
the possibility for a optimal solution) ?
In the long run it may be even more important to try to classify
all known good software.


-- 
Michel Messerschmidt           lists () michel-messerschmidt de
antiVirusTestCenter, Computer Science, University of Hamburg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html