funsec mailing list archives
Re: another VX site?
From: Drsolly <drsollyp () drsolly com>
Date: Sun, 8 Jan 2006 16:48:47 +0000 (GMT)
Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier] maybe should be updated to a few different standards that share the same type format (eg 1:OS_Name.OS_Version.App_Name.App_Version.File_Name.File_Version 2:Some_Name.Some_Version.Other_Name.Other_version, etc., format just like IP became IPv6 due to increased demand, Caro (and CVE, CME, etc) needs to be re-evaluated, updated, and fine tuned, just like any system that is worth keeping.

"All overwriting viruses written in a high-level programming language are grouped in a single family, called HLLO." Aren't most of the 65k viri* written with a high level programming language?

We could have something like OS_Name.OS_Version.App_Name.App_Version.File_Name.File_Version, but should also try and guess what the viri of the future will look like, and plan for a naming standard that has room for growth and could be added on to as the needs arise (eg: Encryption_Family.Encryption_Type or Polymorphic_Some.Polymorphic_Thing :-)
You should look for a more recent version of the Caro naming scheme.
Hmm, I was assuming that a virus is based on a file somewhere, that has exploit code, a payload, and a propagation method.
Wrong assumption.
Even if the payload is polymorphic, isn't there an algorithm or encryption method that the badware uses to conceal itself that could be used in the naming?
Yes, but you still need a virus map, and that's non-trivial.
By the way, there's no such word as "viri", and people who refer to "viri" put themselves firmly in a group that you possibly don't want to be seen as being a member of.

Just called my sister's wife, who is a PhD in English on a tenure track at a college in Washington DC... she said "viri" was correct English, if new English. English needs updating on occasion too. So there :-)
She's wrong, you can have the fun of telling her. But you go right ahead and use the word "viri", it tells everyone how 1337 you are.