funsec mailing list archives

RE: CME: A Total Failure -- Throw in the Towel


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 16 Mar 2006 21:21:38 +1300

Drsolly to David Harley:

[This was mostly written a few days ago, but interrupted...]

But maybe that's the whole point. Glut has always been a problem,
but it's a little more complicated now. Variants, subvariants,
subvariants with multiple packers, multiple malcodes with 
common code, malcode that mutates as new mods become available.
Traditionally, naming has depended on exchange of samples to 
establish a common code set, as has testing. But we're not in
Kansas anymore, and those models don't work.
 
Here's what I don't understand about the Mitre scheme.

Suppose I have a file on a floppy disk. How do I determine whether this is 
CME-24, or merely something that has some similarities to that? 

There's nothing you shouldn't be able to understand there Alan; in 
fact, it's all really rather simple...

CME is a (very incomplete) "dictionary" of "malware threats" that 
(mainly) acts as a cross-reference of the names under which the 
participating AV companies detect specific examples of what they and 
the CME maintainers jointly agree is a single (though possibly comprised 
of multiple files, network streams, etc.), specific threat.  For pragmatic 
reasons, it is currently limited to only dealing with "important" 
malware threats rather than trying to be a complete naming cross-
reference.  (Note that due to a twist of history, by the time CME 
finally "got off the ground" the need for it had largely vanished, with 
the "bad guys" who were previously writing and releasing mass-
propagating malware mainly diverting their attention to smaller-scale, 
less-noisy, longer-lived malware increasingly being given "more sexy" 
monikers like "crimeware" to satisfy the need for media exposure of an 
increasing number of new "anti-[something]" software makers and/or 
service providers who have latched onto the fact that folk like Alan 
made wheelbarrows of dosh selling similar such stuff in the early days 
of AV and apparently did so thanks largely to the clever management 
of the media's coverage of the emerging "virus threat"...)

For CME to be much more than that (like, "far from very incomplete"), 
AND particularly if its aim is to become something of a solution to the 
(historic) malware naming problem, someone (and you can be sure it 
won't be the vendors who actually do the "deconfliction" now) will have 
to spend a truckload of analysis time on the many, many samples of all 
the stuff that currently makes CME "far from complete", and they will 
have to devise a reliable way to separate different variants from each 
other (at a very fine level if the aim is to solve the naming problem, 
because that is the level at which (some of) the AV labs already do it) 
while not separating different samples of "the same" polymorphic and 
metamorphic malcode.

If CME does all that, it will have developed the vast bulk of the 
technology necessary for a top-class virus/malware detector (something 
massively superior to any wet-dream the OAV and Clam folk ever had).

I _may_ be being a tad skeptical here, but I don't see MITRE (or anyone 
else) putting in anything approaching that level of effort _purely to 
solve the malware naming problem_ as the development costs would surely 
vastly outweigh any perceived benefits...  (Don't get me wrong -- I 
agree with the AV users who wonder why all these (reputedly -- and 
mostly _very_ deservedly) terribly smart top AV researchers cannot, 
once and for all, resolve their differences when it comes to malware 
naming, but as none of even the largest and loudest corporate critics 
of the naming mess have actually committed a single purchasing dollar 
to persuading any vendor that they need to tidy up "their part" of the 
naming mess, I'm _sure_ the industry will not attempt to try to fix it 
unilaterally...)

Finally, because far too many folk who really should know better think 
malware detection is "glorified grep", far too many folk have far too 
simplified a view of what the naming problem really is.  Those folks' 
view of the problem is beyond the laughably naïve, yet they make up the 
vast bulk of people who comment on the (general) "failure of CME", the 
failure of CME or anything else to solve the naming problem, and so on.


Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.