funsec mailing list archives
Re: another VX site?
From: "dudevanwinkle () gmail com" <dudevanwinkle () gmail com>
Date: Sat, 07 Jan 2006 18:05:56 -0800
Drsolly wrote:
> Pretty easy, actually. We already agreed a naming scheme that's a bit like the scientific system for naming flora and fauna, where the problem is much bigger. Read the Caro naming document. Google caro naming.

Ja, but it seems in Caro there were (what are apparently now) some outdated assumptions, for example: Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier] maybe should be updated to a few different standards that share the same type format (eg 1:OS_Name.OS_Version.App_Name.App_Version.File_Name.File_Version 2:Some_Name.Some_Version.Other_Name.Other_version, etc.), format just like IP became IPv6 due to increased demand. Caro (and CVE, CME, etc.) needs to be re-evaluated, updated, and fine tuned, just like any system that is worth keeping. "All overwriting viruses written in a high-level programming language are grouped in a single family, called HLLO." Aren't most of the 65k viri* written with a high level programming language? We could have something like OS_Name.OS_Version.App_Name.App_Version.File_Name.File_Version, but should also try and guess what the viri of the future will look like, and plan for a naming standard that has room for growth and could be added on to as the needs arise (eg: Encryption_Family.Encryption_Type or Polymorphic_Some.Polymorphic_Thing :-)

> Ah, you've spotted the familial-type naming system, whereby all the malware that's very similar to Sober is called Sober.something, which makes the naming system possible.

Well, I can call everything "bob", but that's not much of a naming system. If I remember correctly, the current scourge is just different revisions of an open source malware app that has been modified to escape detection by AV companies, then "rediscovered". These apps have been modified by using a hex editor to cut the files in half, then scanned to see which half sets off detection, then cutting again, etc., etc. down to the part that makes up the signature, then that is the code that is changed (plus a slightly different payload). I know I am being very general, but it seems the method of detection put forth by AV companies is what makes 3,000 variants of the same viri possible. I like the detection method that NOD32 has, with variants being based on err, well I don't really know, but it sure catches a lot.

> To calculate an md5, you have to specify which bytes you're going to include in the summation. If you think about viruses, for example, you'll recollect that each instance of a virus-infected file will have bytes in the virus part that are variable, and depend on the conditions of the computer at the moment of infection.

Hmm, I was assuming that a virus is based on a file somewhere, that has exploit code, a payload, and a propagation method. Even if the payload is polymorphic, isn't there an algorithm or encryption method that the badware uses to conceal itself that could be used in the naming?

> By the way, there's no such word as "viri", and people who refer to "viri" put themselves firmly in a group that you possibly don't want to be seen as being a member of.

Just called my sister's wife, who is a PhD in English on a tenure track at a college in Washington DC... she said "viri" was correct English, if new English. English needs updating on occasion too. So there :-)

-JP

"It really doesn't matter what you call 'em, as long as you can remove 'em" -H. Cortez

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
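Drsolly's point above about choosing which bytes go into the md5, as an added example that is not part of the thread: a constructed stand-in for the virus part of an infected file, with the per-infection bytes at assumed offsets, and an MD5 taken over only the invariant bytes, so that two infections of the same variant hash alike while a variant with a changed payload does not. The offsets, field names and sample contents are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Byte ranges [start, end) in the constructed body that change on every
# infection: an infection timestamp and a host-dependent entry-point delta.
# These offsets are an assumption for the example, not taken from any real sample.
VARIABLE_RANGES = [(8, 12), (20, 24)]


def constructed_infection(timestamp: int, delta: int, payload: bytes = b"PAYLOAD!") -> bytes:
    """Build a 32-byte constructed stand-in for the virus part of one infected file."""
    body = bytearray(32)
    body[0:8] = b"VIRUSHDR"                       # invariant loader stub
    body[8:12] = timestamp.to_bytes(4, "little")  # varies with each infection
    body[12:20] = payload                         # invariant payload code (8 bytes)
    body[20:24] = delta.to_bytes(4, "little")     # varies with the host file
    body[24:32] = b"TAILCODE"                     # invariant
    return bytes(body)


def plain_md5(data: bytes) -> str:
    """MD5 over every byte: differs between infections of the same variant."""
    return hashlib.md5(data).hexdigest()


def masked_md5(data: bytes, variable_ranges=VARIABLE_RANGES) -> str:
    """MD5 over the invariant bytes only: each variable range is overwritten with
    zero bytes before hashing, so length and offsets are preserved but the
    per-infection values no longer influence the digest."""
    masked = bytearray(data)
    for start, end in variable_ranges:
        masked[start:end] = bytes(end - start)
    return hashlib.md5(bytes(masked)).hexdigest()


def group_by_masked_md5(samples: dict) -> dict:
    """Map masked digest -> names of samples that share the same invariant bytes."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[masked_md5(data)].append(name)
    return dict(groups)


if __name__ == "__main__":
    a = constructed_infection(0x43BF0000, 0x1000)
    b = constructed_infection(0x43BF9A2C, 0x2400)            # same variant, new host
    c = constructed_infection(0x43BF9A2C, 0x2400, b"PAYL0AD!")  # one payload byte changed
    print("plain md5 equal:", plain_md5(a) == plain_md5(b))
    print("masked md5 equal:", masked_md5(a) == masked_md5(b))
    print(group_by_masked_md5({"a": a, "b": b, "c": c}))
```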