Full Disclosure mailing list archives

Re: AV Naming Convention


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 10:55:21 +1200

Thomas Loch wrote:

>> This completely misses the point.
> I do not completely agree ...

You're welcome to your opinion, but it's clearly based on a grossly 
simplistic and inadequate notion of what virus scanners do and how 
viruses work.

>> When a new virus is discovered, it is
>> essential that there is a RAPID response to the threat. ...
> I agree...

Good...

>> ...The idea of
>> handing the critter over to a committee to decide its name is, quite
>> frankly, plain bonkers.
> Why?

Because of the time it must take to do that...

Also, the level of expertise you need to have on that committee to get 
a high level of correct decisions, especially if you want to get those  
decisions very quickly to reduce the naming agreement latency as much 
as possible will necessarily reduce the talent pool available to the AV 
companies _AND_ be very expensive to employ and maintain because such 
talented and experienced AV researchers are among the most highly paid 
"technicians" in the IT industry.

> Why can't we handle not yet named viruses as 'unnamed' ...

This is actually the most sensible (so therefore probably the least 
likely to be used) of solutions.  It has been suggested innumerable 
times in the past and, at least until there is some compelling 
(financial!) reason for AV developers to change their current 
practices, seems very unlikely to be implemented by any developers.

> ... or we use a
> standardized (by ISO?) method to generate a numeric code that consists of a
> classification in categories and a sequential number and probably some kind
> of checksum or hash until the virus gets an official name?

This is suggested almost every day by some or other newbie with no clue 
how viruses work.  Sadly, in (today's) real world, it quite simply will 
not work and, worse, cannot be made to work.

Do you have any idea what polymorphism is?

Don't see any problems with that?  OK, try adding metamorphism (aka 
"body polymorphism") -- still no problems with the above suggestion?

In an ideal world it should be able to work _combined with access to a 
library of reference samples that would be the basis of the generated 
identifiers_ (i.e. an identifier would point to a specific sample, 
deemed to be the definitive exemplar of the named variant).  _HOWEVER_, 
that ideal world requires all kinds of complex trust issues that simply 
cannot be made to work in today's real world (and seem unlikely to be 
workable at least in the medium term).

...

I'm pleased to note that so far in this, and the parent, thread no-one 
has wheeled out the hoary old chestnut of "Why not use something like 
the hurricane/tropical storm naming scheme that has worked so well in 
meteorology?" as it is replete with problems that are obviously 
insoluble to anyone who understands anything about computer virus, and 
related malware, incident handling.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
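The polymorphism point made above, reduced to a toy, as an added example that is not part of the original post or thread. It assumes a constructed text "body" standing in for a sample and a hypothetical one-byte XOR wrapper standing in for a polymorphic encoder; neither is real malware or a real engine. `proposed_identifier` builds a name in the shape suggested in the thread (category, sequence number, hash of the file) and hands out a different name to every instance, while `reference_identifier` hashes the body recovered by `normalize` and so ties all instances to one exemplar. The catch is that `normalize` can only be written once an analyst has understood the wrapper, which is the reference-sample and trust problem the post describes.

```python
import hashlib

# Constructed stand-in for a malware body: plain text, chosen for this example.
REFERENCE_BODY = b"constructed reference sample body, variant family X"


def make_variant(body: bytes, key: int, junk_len: int) -> bytes:
    """Toy wrapper standing in for a polymorphic encoder (constructed).

    Layout: 1-byte key | 2-byte body length | body XOR key | junk_len filler bytes.
    The decoded body is identical across variants; the bytes on disk are not.
    """
    assert 0 < key < 256
    encoded = bytes(b ^ key for b in body)
    return bytes([key]) + len(body).to_bytes(2, "big") + encoded + bytes([key]) * junk_len


def normalize(sample: bytes) -> bytes:
    """Strip the toy wrapper to recover the invariant body.

    This step is what a reference-sample scheme supplies and a bare
    hash-of-the-file scheme lacks: it needs analyst knowledge of the wrapper.
    """
    key = sample[0]
    length = int.from_bytes(sample[1:3], "big")
    encoded = sample[3:3 + length]
    return bytes(b ^ key for b in encoded)


def proposed_identifier(category: str, seq: int, sample: bytes) -> str:
    """Identifier in the shape suggested upthread: category, sequence number,
    hash of the sample as found (SHA-256, truncated for readability)."""
    digest = hashlib.sha256(sample).hexdigest()[:16]
    return f"{category}-{seq:06d}-{digest}"


def reference_identifier(category: str, seq: int, sample: bytes) -> str:
    """Same shape, but hashed over the normalized body, i.e. tied to the
    definitive exemplar rather than to the bytes of one instance."""
    digest = hashlib.sha256(normalize(sample)).hexdigest()[:16]
    return f"{category}-{seq:06d}-{digest}"


def variants_for(body: bytes, keys) -> list:
    """One variant per key; the filler length also changes per variant."""
    return [make_variant(body, k, 3 * k) for k in keys]


def distinct_ids(samples, scheme, category="W32", seq=1) -> int:
    """How many different names does a scheme hand out for one family?"""
    return len({scheme(category, seq, s) for s in samples})


if __name__ == "__main__":
    samples = variants_for(REFERENCE_BODY, [1, 2, 3, 4, 5])
    print("per-file hash scheme  :", distinct_ids(samples, proposed_identifier), "names")
    print("reference-body scheme :", distinct_ids(samples, reference_identifier), "name")
```

Five instances of one constructed family yield five names under the per-file hash scheme and one under the reference-body scheme. A real engine also rewrites the decoder (metamorphism), so the `normalize` step itself has to be re-derived per family, which is why the post calls the bare hash proposal unworkable rather than merely slow.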
