Full Disclosure mailing list archives

Re: Show me the Virrii!


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 08 Jan 2004 16:06:29 +1300

Nicob <nicob () nicob net> replied to S G Masood:

>> 5. They *might* have an arrangement with each other to
>> share samples.

> Individuals at antivirus companies share samples every day, without any
> previous arrangement.

In fact, that would be relatively rare.

It may happen that a "junior" (new, less experienced, not well known 
within the industry) analyst may be told by a more senior research 
analyst to send someone at another company a sample.  In such a case, 
although the junior analyst may well not know the recipient, s/he would 
be following the trust decision of the senior analyst and that would be 
based on a great deal of prior arrangement and experience.

> At a corporate level, there's the "Rapid Exchange of Virus Sample"
> (REVS) hosted by The Wild List website.

First, REVS was not hosted by the WildList Organization (although some 
once prominent in the WLO folk were involved in setting up REVS).

Second, REVS is no more.  It "died out" because too many of the "more 
influential" members of the AV research community would not accept the 
removal of inter-personal trust relationships from the sample 
distribution equation that participation in REVS necessitated.  
(Whether that was entirely a good thing or not given REVS was intended 
purely for use with "emergency" samples and not all or even "many" 
samples is something that could be debated ad nauseam, but this is not 
the appropriate venue for that...)

REVS was replaced by another inter-researcher sample distribution 
mechanism that outwardly looks quite similar but which crucially (for 
those to whom this was an issue) allows the _sender_ of a sample to 
know both who it is going to _and_ to limit the distribution should one 
or more folks on the sample distribution list not meet the sender's 
required level of trustworthiness.  That is, REVS was replaced by a 
mechanism that allows for sender-determined control over recipient -- a 
glorified way of saying "dependent on previous arrangement".

I think anyone who thinks they'll break into contemporary mainstream 
antivirus research (which is very heavily dependent on access to huge 
repositories of malware samples) by side-stepping such issues is  
severely deluding themselves...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
