2004-11-09

Malware Nomenclature

A number of references have been made recently regarding the need for malware name standards, including an open letter to anti-virus companies posted on the SANS Internet Storm Center's diary and authored by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. He states that "Sometime [...] earlier this year, your virus variant names got out of synch with other anti-virus software companies," and later challenges the companies to "work together as a community of security professionals and help out your customers at the same time."

Mr. Mosby not only hits the nail on the head, but also gives anti-virus firms too much credit.

While he speaks specifically of virus variants, this sort of name game has been going on for years, and it is a much more pronounced problem than simply identifying variants. The case that stands out in my mind is the "Welchia" / "Nachi" worm, which wreaked havoc on one network I had intimate familiarity with. We're not talking "Is this variant AA or AB" here, folks; this isn't even close. And in the opening hours of a global virus outbreak, having to compare three major anti-virus vendors' descriptions to make sure you're telling your VP the right information about something he read on CNN (which used a name you've never heard of) is an unacceptable time sink. That could be another 100 infected hosts, if you're lucky.

The variant problem Mr. Mosby raises becomes more serious, however, when performing detailed forensics on a single infected system. Oftentimes, to get the whole picture of what a piece of malicious code is capable of, one must visit the websites of multiple vendors. Such detail is necessary when attempting to determine exposure. Without this information, it's hard to justify spending 40 man-hours rebuilding an Exchange server to a reluctant client or manager. And this type of information is nearly impossible to assemble when dealing with malware that has hundreds of variants.

Attempts have been made to establish information-sharing alliances, but unfortunately many have been nothing more than attempts. Microsoft's Virus Information Alliance, for example, met with a great deal of marketing hype in 2003, but its official website now returns the equivalent of a "404 Not Found". Those with genuine intentions have been under-funded, or have relied on the goodwill of a small group of individuals, like the WildList, which, despite being the best resource out there at the time, unfortunately could not keep up with the torrent of new malware that began in 2001-2002. VGrep seems to be a good tool to help the hapless security analyst, and the CARO naming convention has existed since 1991. Unfortunately, VGrep is a band-aid solution, and the CARO naming convention lacks widespread adoption (little to no authoritative information seems to be available on the web, and F-Secure is the only company I'm aware of that boasts of following the standard).

I know that communication channels exist between Symantec and McAfee (aka Network Associates) for code analysis. Trend is almost certainly in the mix as well. There's no reason that, while sharing information about the latest threats, they can't find some quick-n-dirty way to name whatever it is they're talking about.

And don't get me started on the industry confusing the definitions of basic terminology like "virus" and "worm"...
