funsec mailing list archives

Re: another VX site?

From: "dudevanwinkle () gmail com" <dudevanwinkle () gmail com>
Date: Sat, 07 Jan 2006 13:29:32 -0800

Drsolly wrote:

Put a sock in it.


Done! =P

At the time, we sorted out the names for all the viruses there were (maybe
1000?), and laid down naming conventions, that are still being followed.

The essential problem remains. You get a new "thing", you want to make 
detection for it immediately, so you need a name for it, and you don't 
really want to spend a week with 1000 other AV companies etc, working out 
whether the file that you have in front of you is the same malware as the 
one they have (remembering that you can have the same malware in different 
files) before including it in the product. And afterwards, reconciling the 
names that 1000 companies have chosen, is really non-trivial, expecially 
if there's 1000 new malwares per month.

Ja, no offense to the AV industry, or Dr Solomon in general ;-) , but
attempting to come up with unique names for variants of 65,000 known
viri is kind of a hopeless task, and even if names were contrived, those
of us without the benefit of photographic memories would soon lose
track. Shoot even the AV industry has given up, calling everything
Sober, MyDoom and Klez.

I would suggest (as I would guess others have before) that we name the
viri by their md5sum or some such naming signature. maybe if our
numbering scheme is successfully (maybe a md5 of the malicious payload,
followed by the md5 of the exploit(s) it uses to propagate, followed by
the md5 of the "schlock" (eg: "greetz to my diapers") then we could even
have a DNS-esq scheme for mapping those nasty long numbers to nifty
short names based on autovariant detection. One would hope the viri DNS
system would base the naming convention on points of entry or payload
sections of viri rather than the schlock part.

I am assuming that this has already been discussed and dismissed, does
anyone know why?

-JP


"what was that word again... oh yeah! photographic memory!"
-JP writing this email
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

RE: another VX site?, (continued)
- - - RE: another VX site? Drsolly (Jan 07)
    - RE: another VX site? Oliver Schneider (Jan 07)
    - Re[2]: another VX site? Pierre Vandevenne (Jan 07)
    - Re: Re[2]: another VX site? Oliver Schneider (Jan 07)
    - Re: another VX site? Gadi Evron (Jan 07)
    - Re: another VX site? Drsolly (Jan 07)
    - Re: another VX site? Gadi Evron (Jan 07)
    - Re: another VX site? Barrie Dempster (Jan 07)
    - Re: another VX site? Drsolly (Jan 07)
    - Re: another VX site? Drsolly (Jan 07)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 07)
    - Re: another VX site? Drsolly (Jan 07)
    - Re: another VX site? Oliver Schneider (Jan 07)
    - Re: another VX site? Drsolly (Jan 07)
    - Re: another VX site? Oliver Schneider (Jan 07)
    - Re: another VX site? Drsolly (Jan 07)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 07)
    - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 07)
    - Re: another VX site? Barrie Dempster (Jan 08)
    - Re: another VX site? Drsolly (Jan 08)

(Thread continues...)