Full Disclosure mailing list archives

RE: AV Naming Convention


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 13:47:08 +1200

Clairmont, Jan M wrote:

> It would be an automated naming based on first time of discovery and
> reporting, there could be aliases added for the bugger.
> This could be for searching for Mydoom.b Mydoom.c etc. variant rather
> than trying to search for a name like Virus20040908.19:24:31.8843 time stamped
> variants.

Ummmm, how would this system deal with parasitic infectors?

What about polymorphics?

Worse, metamorphics?

_Any_ kind of fully automated name generation mechanism has to solve 
the Halting Problem to begin to be useful, and were that possible the 
naming system would entirely supplant any kind of the antivirus system 
based on one or more of the far less accurate and far less reliable 
known virus scanning, generic and heuristic scanning, behaviour 
monitoring/blocking, etc, etc, etc, etc approaches.

And, if we had perfect, fully automatic virus detection we would not 
really need names for them as the "it infected me before my AV was 
updated" issue disappears...

> Similar or equal virus would later be eliminated or archived for
> information.

Ahhh, so you are aware of that problem, but clearly did not think about 
what you were proposing as what you propose is simply the system we 
have now but with an ignorant automaton doling out names rather than 
loosely interconnected groups of subject matter specialists trying to 
reduce naming conflicts as part of their naming decisions.

On balance, the automaton is likely to produce a _lot_ more different 
names for the same thing, making matters worse rather than better, at 
least once you realize that the humans who write viruses will be easily 
able to target the braindeadedness of the automaton to deliberately 
wreak naming havoc via it.

> ...  Standard record stamping for a database like Oracle.  Maybe
> Oracle could be persuaded to provide an
> international database, great public service, providing needed
> information to reduce spam, and virus spreading etc.

Oh yes, just what we need as a "public service" -- a publicly 
accessible database of virus and other malware code.  That will reduce 
availability and damage from malware no end...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

