Full Disclosure mailing list archives
Re: (no subject)
From: Maarten <fulldisc () ultratux org>
Date: Thu, 12 Aug 2004 16:20:33 +0200
On Wednesday 11 August 2004 02:48, Nick FitzGerald wrote:
> Frank Knobbe to Valdis Kletnieks:
>
> > Obviously not at time of research. But these days everyone is keeping an ear on the ground... I mean Internet... while they are doing research.
>
> Actually, no. Much AV research and analysis takes place in physically isolated labs (for hopefully obvious reasons such as not contributing further to the outbreak and ensuring the lab systems are in known states). The analysts typically need relatively quiet surroundings to allow them to concentrate closely on what they are doing so as, for example, to bypass the various anti-debugging and other tricks used in much malware specifically to slow its analysis and thus increase its initial spread time. Folk working in such environments commonly have no access to their Email, the web or other "normal" desktop resources (IM, corporate IT systems, etc) -- they are networkologically isolated for a reason, remember. Also, even if they do have access to such resources ("clean" and "dirty" networks that are never allowed to mix by careful network planning and lack of removable media in the workstations on the "clean" network but located inside the "dirty" lab, say) they often do not _want_ to break their own concentration.
I'd suggest they're not so isolated as you claim. For one thing, how do you suppose they get to hear new strains are found ? Or receive samples ? So effectively, there is a layer between them and the internet that does communicate (it doesn't really matter whether that layer is social or technological). And the analysts aren't the people naming the virii anyhow, that's probably some entirely other part of the AV company.
> Well, one large vendor in particular is especially notorious for not renaming malware, at least once it has released a non-beta DEF update that includes a new family name or a variant ascription. This is not peculiar to that particular developer, but is a heavily entrenched practice due in no small part to an incredibly brain-dead infrastructure underlying much of the non-detection collateral that "follows" addition of a virus detection to their DEF files. Great scads of support material, web descriptions and all manner of other stuff that users really like are significantly based on the _name_ the scanning engine reports when detecting a piece of malware, so once that company "goes public" with a name it has an enormous amount of baggage tied very closely to the name. This is, of course, entirely bad and stupid "design". In fact, I'd argue it is a classic case of an abject lack of any informed design process at all, as it ties far too much "ephemeral" stuff (regardless of how useful/desirable to the user) to what anyone with half a clue about antivirus processes knows in the core of their being is an _entirely arbitrary and highly volatile_ identifier -- the chosen malware name...
What's this ? AV vendors can't work with variable substitution ??

    # $thisvirus = vendor-200408121403
    $thisvirus = MyDoom-AV
> > I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.
>
> Well, they darn well should be different. Only one scan engine uses the (non-standard) "-<variant>" form so it should be the case that detections of "-M" and "-O" "variants" of the same family are, in fact, detections of two truly different variants. Of course, what Sophos calls MyDoom-M may well be called MyDoom.O by some other scanner(s) for one or more of the reasons likely to emerge from the situations already described above, but that is a different matter.
No. It may not matter IF you only use one single brand of AV software. But that is NOT how it works in the real world. Companies tend to deploy multiple AV solutions on different layers so as to decrease the likelihood of some virus slipping through. And maybe even more importantly, "Google research" is done all the time, which doesn't work well if a strain goes by many different names.
> > BTW: Perhaps the analogy to medicine was misplaced. I just thought in terms of diseases. How many different names do we have for ...say... chicken pox or colitis or diabetes? Imagine you had 5 different names for the flu. I could come up with a dozen Monty Python sketches taking place in the doctor's office....
>
> Ahhhh yes, but so long as the doctor has the machine that goes BING everything will be OK...
You're missing the point. Every doctor addresses the type II diabetes as being the type II diabetes. There is no confusion whatsoever here.
> I agree, but having been inside it for a while and close to it for about as long before that, I don't see anything likely to compel the industry to address such issues as doing so will cost them money with no apparent return on the investment. A very large government (or group of governments) may be able to apply enough leverage through terms of purchase for its departments, so long as a naming standard the industry could more or less agree to can be developed to provide the baseline for determining "correct" name reporting. And a possible practical result of such a move may be that reported malware names become much less "precise", in the sense that instead of reporting "Bagle.AA" and "Bagle.AB", product developers may respond to naming consensus requirements by simply reporting both as "Bagle" (though internal to the product they will often still have to differentiate at a finer level for disinfection purposes).
Every industry has, at some point, to start regulating itself. Yes, that will cost money. If an industry fails to do so, they will eventually end up BEING regulated instead of regulating themselves. The second scenario is often not the desired one for the industry. So choose your preferred poison...

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html