funsec mailing list archives
Re: another VX site?
From: Drsolly <drsollyp () drsolly com>
Date: Sun, 8 Jan 2006 17:08:36 +0000 (GMT)
I wasn't there, so I'd love to hear Alan's take on this if my assumptions are wrong, BUT familial grouping by code similarity was seen as an important feature of the naming scheme by _most_ AV researchers in the early days as grouping similar things in a classification system seems to be a natural process for humans and it helps reduce the potential overload of a classification system that does NOT have such a function.
When you see how a virus infects and how you do the repair, you see which virus it most resembles (and probably which virus was used as a template for making the "new" virus). So, as soon as you've identified a new specimen as another variant on Jerusalem, you don't have to think very hard to know how to do the exact identification and repair (and it also makes the disassembly a lot easier), and laziness is one of the three programming virtues. In the early days, it was mainly Vess who was keen on familial classification (he was an academic then). I had some interest (it helped in the pursuit of laziness), and Fridrik's product used a scanning method that tended to give familial identification, and I think his database was family-oriented.
That is a very important thing to recall too -- when all this started, virtually ALL malware that was of interest to the nascent AV industry was _parasitically infectious_. Nowadays probably 99+% of the malware _files_ handled by AV, IDS, etc, etc systems are static _by design_.
Even then, there might be data areas, counters or internal buffers, which are different from instance to instance.
They may still be viral -- what I call "monolithic replicators"; think network share crawlers, self-mailers, etc -- but this was an almost unseen category back when Alan, Vess and Frisk were cutting their teeth on Lehigh, Stoned, Jerusalem, etc, etc and talking about standardizing a naming scheme. And that was a good thing, as the scheme we have today is flexible and extensible enough to fairly easily deal with the vagaries of malware development we have seen in the last 15+ years...
We didn't know how things would develop, but we could see that extensibility would be important.
In the past, very few AV products tried to apply a virus map; working out a virus map is quite time consuming on the analyst. And, as of 1995, Findvirus was the only product that used virus maps to do exact identification (the situation might be different now). I had an idea that Frisk has been using something very similar for a very long time (even since _before_ the major engine revision at v2.0)?
I'm not certain, but I don't think so, because F-Prot couldn't do *exact* identification.
You really do not want the "what is the correct plural of virus" discussion here,
Too right, and I normally don't bother; it's actually helpful when folks self-identify as 1337. I don't really know why I bothered this time.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
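The thread talks about two things without spelling out the mechanics: "exact identification" from a virus map that has to cope with data areas, counters and internal buffers differing from instance to instance, and familial grouping by code similarity. The following is an added illustration written for this archive page, not code from Findvirus, F-Prot or any poster. It assumes a virus map is a list of byte ranges that are invariant across infections by one variant; everything outside those ranges is ignored. Specimens, offsets and the family name are constructed placeholders.

```python
"""Exact identification from a 'virus map', with a family-similarity fallback.

Added example (not Findvirus/F-Prot code). Assumption: a virus map is a list
of (offset, length) byte ranges that stay byte-identical across all instances
of one variant. Counters and buffers that change per instance lie outside
those ranges, so they never spoil an exact match. The family similarity score
is the fraction of mapped ranges that still match; a high score with no exact
match suggests a new variant built on the same template. Everything below is
constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class VirusMap:
    family: str
    variant: str
    invariant: tuple          # ((offset, length), ...) ranges that must match
    range_digests: tuple      # SHA-256 hex of each range in the reference specimen


def _h(chunk: bytes) -> str:
    return hashlib.sha256(chunk).hexdigest()


def build_map(family: str, variant: str, reference: bytes, ranges) -> VirusMap:
    """Record the digest of every invariant range of a reference specimen."""
    ranges = tuple(ranges)
    digests = tuple(_h(reference[off:off + ln]) for off, ln in ranges)
    return VirusMap(family, variant, ranges, digests)


def similarity(sample: bytes, vmap: VirusMap) -> float:
    """Fraction of mapped ranges that are byte-identical in the sample."""
    matched = 0
    for (off, ln), ref in zip(vmap.invariant, vmap.range_digests):
        chunk = sample[off:off + ln]
        # a truncated sample cannot match a range it does not fully contain
        if len(chunk) == ln and _h(chunk) == ref:
            matched += 1
    return matched / len(vmap.invariant)


def identify(sample: bytes, maps, family_threshold: float = 0.6):
    """Exact variant if every range matches; else closest family above threshold."""
    best_score, best_map = -1.0, None
    for vmap in maps:
        score = similarity(sample, vmap)
        if score == 1.0:
            return ("exact", vmap.family, vmap.variant)
        if score > best_score:
            best_score, best_map = score, vmap
    if best_map is not None and best_score >= family_threshold:
        return ("family", best_map.family, None)
    return ("unknown", None, None)


# ---- constructed specimens (placeholder bytes, not any real virus) ----------
CODE_A = bytes(range(0x10, 0x20))   # 16 bytes of "code", offsets 0..15
CODE_B = bytes(range(0x30, 0x40))   # 16 bytes of "code", offsets 20..35
CODE_C = bytes(range(0x50, 0x64))   # 20 bytes of "code", offsets 44..63


def make_specimen(counter: int, buffer: bytes, code_b: bytes = CODE_B) -> bytes:
    """Layout: CODE_A | 4-byte counter | CODE_B | 8-byte buffer | CODE_C (64 bytes)."""
    assert len(buffer) == 8 and len(code_b) == 16
    return CODE_A + counter.to_bytes(4, "little") + code_b + buffer + CODE_C


# the map deliberately skips the counter (16..19) and the buffer (36..43)
INVARIANT_RANGES = ((0, 16), (20, 16), (44, 20))

REFERENCE = make_specimen(1, b"\x00" * 8)
MAPS = [build_map("HypotheticalFamily", "A", REFERENCE, INVARIANT_RANGES)]

# same variant, different counter and buffer contents -> still an exact match
SAME_VARIANT = make_specimen(57, b"\xff" * 8)
# CODE_B patched: same family template, not the same variant
NEW_VARIANT = make_specimen(3, b"\x00" * 8,
                            code_b=bytes(range(0x30, 0x3C)) + b"\x90" * 4)
UNRELATED = bytes(64)


if __name__ == "__main__":
    for name, sample in [("same variant", SAME_VARIANT),
                         ("new variant", NEW_VARIANT),
                         ("unrelated", UNRELATED)]:
        print(name, identify(sample, MAPS), round(similarity(sample, MAPS[0]), 3))
```

The point of excluding the counter and buffer from the map is exactly the one raised above: a whole-file checksum would treat every infection as a different specimen, while the mapped ranges give one stable identity per variant. The similarity fallback is a toy stand-in for the analyst's judgement of "which virus it most resembles"; a real engine would weight ranges and handle relocation rather than rely on fixed offsets.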