Full Disclosure mailing list archives
Re: AV Naming Convention
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 14:25:40 +1200
nobody@localhost to "Randal, Phil":
This completely misses the point. When a new virus is discovered, it is essential that there is a RAPID response to the threat. The idead of handing the critter over to a committee to decide it's name is, quite frankly, plain bonkers.I think you missed some of his point, his is not saying a committee should name it, he is saying whoever gets there first gets to name it.
Ahhh, well regardless who else already missed (some of) the point, you clearly now must be added to that list. You see, the "first in" process is basically what we have now and, correct me if I've misinterpreted something here, but I thought the whole point of this thread was to point out what a terrible mess we have now (and to air everyone's pet theories of how to make it better).
I for one would rather all the antivirus vendors came up with their own names if it meant that detection/disinfection patterns came out hour earlier.Actually, I was thinking the exact same thing, I'd like to set up a AV vendor neutral, FD style virus repository. I'd require a user cert for anyone who wants to "deposit" a new virus and the first to deposit the new virus would get to name it. It would be assigned a GUID, so that a computer friendly identifier was available.
And how would your "repository" determine that what UserY just deposited as FooBar.Y was not, in fact, just another sample of Foobar.X that UserX deposited a few minutes, days, weeks, etc ago?? And don't say something like "file hash" as that shows you have no idea what parasitic viruses are or what "variant samples" of invariant malware are... And don't say "by scanning it with all other virus scanners" because that shows you have no idea how much known virus scanning is a probabilistic, rather than deterministic process (if you think virus scanners are simply "grep on steroids", much like the OpenAntiVirus project and its cousins, you really should not be taking part in this discussion other than reading and learning from it).
There would be an RSS feed as well as various push feeds. Lineage could be discussed and mapped. Other vendors could add their names to that record with information about what virus def file name the virus first appears in.
Doesn't allowing others to list "alternate" names really obviate the purpose of _consolidating_ naming???
If it turns out that more than one group submits the same virus, then those "dups" would be discarded from the db, thus encouraging AV vendors and other groups to post new viruses asap so that everyone has a chance to download them and start researching them.
I agree that speed of information flow is at the core of many current naming problem issues, but speed of access to samples need not be (and proposing a system that depends on such will likely see that system boycotted by many of the top AV professionals and the rest of their companies for a whoile raft of professional ethics reasons. That does not mean the entire idea is without merit though. For example, with Word and Excel VBA macro viruses, there has been a very successful project running for years within part of the AV community whereby competent researchers can exchange identification data for new VBA malware without having to distribute samples, _and_ in many cases recipients of this ID data can actually add specific detection of that malware sight-unseen to them. This means that folk who may not hold requisite trust levels for sample sharing can co-operate equally in announcing and naming new VBA malware. This approach has kept the naming of Word and Excel VBA malware very consistent among the vendors who have staff actively involved in this project (which is not all vendors for many reasons I'll not get into here). Sadly, that model cannot easily be extended to most other forms of malware as the complexity of devising suitably flexible identification mechanisms skyrockets with the removal of various constrictions imposed by the VBA model, the size and complexity of its op-code set, and so on. However, a sufficiently useful, while somewhat constrained form of this approach may be possible for the more complex platforms, but no-one has had the time and funding, and the vendors don't have the motivation, to investigate what may be possible and how effective such an approach could be.
Fear of the government labeling me a terrorist gives me pause though...
8-) -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: AV Naming Convention Randal, Phil (Aug 10)
- RE: AV Naming Convention Todd Towles (Aug 10)
- Re: AV Naming Convention ASB (Aug 10)
- Re: AV Naming Convention nobody@localhost (Aug 10)
- Re: AV Naming Convention Nick FitzGerald (Aug 10)
- Re: AV Naming Convention Thomas Loch (Aug 10)
- Re: AV Naming Convention Alerta Redsegura (Aug 10)
- Re: AV Naming Convention Nick FitzGerald (Aug 10)
- RE: AV Naming Convention Todd Towles (Aug 10)
- Re: AV Naming Convention Thomas Loch (Aug 10)
- Re: AV Naming Convention Valdis . Kletnieks (Aug 10)
- RE: AV Naming Convention Frank Knobbe (Aug 10)
- Re: AV Naming Convention ASB (Aug 10)
- <Possible follow-ups>
- RE: AV Naming Convention Glenn_Everhart (Aug 10)
- RE: AV Naming Convention Todd Towles (Aug 10)
(Thread continues...)
- RE: AV Naming Convention Todd Towles (Aug 10)