funsec mailing list archives
Re: another VX site?
From: "dudevanwinkle () gmail com" <dudevanwinkle () gmail com>
Date: Sat, 07 Jan 2006 13:29:32 -0800
Drsolly wrote:
> Put a sock in it.
Done! =P
> At the time, we sorted out the names for all the viruses there were (maybe 1000?), and laid down naming conventions, that are still being followed. The essential problem remains. You get a new "thing", you want to make detection for it immediately, so you need a name for it, and you don't really want to spend a week with 1000 other AV companies etc, working out whether the file that you have in front of you is the same malware as the one they have (remembering that you can have the same malware in different files) before including it in the product. And afterwards, reconciling the names that 1000 companies have chosen, is really non-trivial, especially if there's 1000 new malwares per month.
Ja, no offense to the AV industry, or Dr Solomon in general ;-) , but attempting to come up with unique names for variants of 65,000 known viri is kind of a hopeless task, and even if names were contrived, those of us without the benefit of photographic memories would soon lose track. Shoot, even the AV industry has given up, calling everything Sober, MyDoom and Klez.

I would suggest (as I would guess others have before) that we name the viri by their md5sum or some such naming signature. Maybe if our numbering scheme is successful (maybe an md5 of the malicious payload, followed by the md5 of the exploit(s) it uses to propagate, followed by the md5 of the "schlock" (eg: "greetz to my diapers")) then we could even have a DNS-esque scheme for mapping those nasty long numbers to nifty short names based on autovariant detection. One would hope the viri DNS system would base the naming convention on points of entry or payload sections of viri rather than the schlock part.

I am assuming that this has already been discussed and dismissed, does anyone know why?

-JP

"what was that word again... oh yeah! photographic memory!"
-JP writing this email

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
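The composite naming scheme proposed in the message above, as an added example that is not part of the original post: three MD5 digests form the identifier, and a hypothetical `NameRegistry` maps it to a short name by most-specific-prefix match. The section byte strings, the name `Example.A` and the registry class are constructed assumptions.

```python
import hashlib
from typing import NamedTuple, Optional


class SampleId(NamedTuple):
    payload: str   # md5 of the malicious payload section
    exploit: str   # md5 of the propagation exploit section
    schlock: str   # md5 of the leftover text ("greetz" and the like)

    def __str__(self) -> str:
        return f"{self.payload}.{self.exploit}.{self.schlock}"


def md5_hex(data: bytes) -> str:
    # MD5 because the post names it; any digest slots in here.
    return hashlib.md5(data).hexdigest()


def sample_id(payload: bytes, exploit: bytes, schlock: bytes) -> SampleId:
    return SampleId(md5_hex(payload), md5_hex(exploit), md5_hex(schlock))


class NameRegistry:
    """Hypothetical resolver: the most specific registered prefix wins."""

    def __init__(self) -> None:
        self._names: dict[tuple[str, ...], str] = {}

    def register(self, name: str, sid: SampleId, depth: int = 3) -> None:
        # depth=1 keys on payload only, 2 on payload+exploit, 3 on all parts.
        self._names[tuple(sid[:depth])] = name

    def resolve(self, sid: SampleId) -> Optional[str]:
        for depth in (3, 2, 1):
            name = self._names.get(tuple(sid[:depth]))
            if name is not None:
                return name
        return None


# Constructed placeholder byte strings, not real malware sections.
PAYLOAD = b"constructed-payload-section"
EXPLOIT = b"constructed-exploit-section"
original = sample_id(PAYLOAD, EXPLOIT, b"greetz to my diapers")
reworded = sample_id(PAYLOAD, EXPLOIT, b"greetz to my socks")
repacked = sample_id(PAYLOAD + b"\x00", EXPLOIT, b"greetz to my diapers")

registry = NameRegistry()
registry.register("Example.A", original, depth=2)  # keyed on payload+exploit
```

`reworded` still resolves to `Example.A` because only the schlock digest differs, while `repacked` resolves to nothing: one changed payload byte yields an unrelated digest, which is the "same malware in different files" problem raised in the quoted text.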