[funsec] another VX site?

Drsolly drsollyp at drsolly.com
Sat Jan 7 15:47:44 CST 2006


> >At the time, we sorted out the names for all the viruses there were (maybe
> >1000?), and laid down naming conventions, that are still being followed.
> >
> >The essential problem remains. You get a new "thing", you want to make 
> >detection for it immediately, so you need a name for it, and you don't 
> >really want to spend a week with 1000 other AV companies etc, working out 
> >whether the file that you have in front of you is the same malware as the 
> >one they have (remembering that you can have the same malware in different 
> >files) before including it in the product. And afterwards, reconciling the 
> >names that 1000 companies have chosen, is really non-trivial, especially 
> >if there's 1000 new malwares per month.
> >  
> >
> Ja, no offense to the AV industry, or Dr Solomon in general ;-) , but
> attempting to come up with unique names for variants of 65,000 known
> viri is kind of a hopeless task,

Pretty easy, actually. We already agreed a naming scheme that's a bit like 
the scientific system for naming flora and fauna, where the problem is 
much bigger. Read the Caro naming document. Google caro naming.

> and even if names were contrived, those
> of us without the benefit of photographic memories would soon lose
> track. 

I'm lucky enough to have a memory like a goldfish; that's why I use a
computer to remember stuff like this.

> Shoot even the AV industry has given up, calling everything
> Sober, MyDoom and Klez.

Ah, you've spotted the familial-type naming system, whereby all the 
malware that's very similar to Sober is called Sober.something, which 
makes the naming system possible. 
 
> I would suggest (as I would guess others have before) that we name the
> viri by their md5sum or some such naming signature. maybe if our
> numbering scheme is successful (maybe a md5 of the malicious payload,
> followed by the md5 of the exploit(s) it uses to propagate, followed by
> the md5 of the "schlock" (eg: "greetz to my diapers") then we could even
> have a DNS-esque scheme for mapping those nasty long numbers to nifty
> short names based on autovariant detection. One would hope the viri DNS
> system would base the naming convention on points of entry or payload
> sections of viri rather than the schlock part.
> 
> I am assuming that this has already been discussed and dismissed, does
> anyone know why?

To calculate an md5, you have to specify which bytes you're going to
include in the summation. If you think about viruses, for example, you'll
recollect that each instance of a virus-infected file will have bytes in
the virus part that are variable, and depend on the conditions of the
computer at the moment of infection.

http://vx.netlux.org/lib/avb01.html (look under 4.Classification)

Two different analysts will come up with two different decisions as to
what to include, and what not to include. That's called a "virus map".

So, the AV industry would have to agree on which bytes to include, and
which to exclude, and to have this discussion, they have to start off by
being sure that everyone is referring to the same virus, which isn't as 
easy as you might think, since they're starting off without a way to 
exactly identify the virus.

In the past, very few AV products tried to apply a virus map; working out 
a virus map is quite time consuming on the analyst. And, as of 1995, 
Findvirus was the only product that used virus maps to do exact 
identification (the situation might be different now).

By the way, there's no such word as "viri", and people who refer to "viri" 
put themselves firmly in a group that you possibly don't want to be seen 
as being a member of.
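
The virus-map argument in the message above, as an added example that is not part of the original post: a whole-file MD5 differs between two infected files, a hash over a "map" of the constant bytes is stable, and two analysts who choose different maps get two different identifiers for the same thing. The byte strings, field layout and function names are all constructed for illustration and do not come from any real sample or product.

```python
import hashlib

STUB = b"DECRYPTOR-STUB"                # constant region (constructed bytes)
TAIL = b"REPLICATION-AND-PAYLOAD-CODE"  # constant region (constructed bytes)

def make_instance(host: bytes, variable: bytes) -> tuple[bytes, int]:
    """Build a constructed 'infected file': host + STUB + 4 variable bytes + TAIL.

    Returns the file bytes and the offset at which the appended body starts.
    """
    if len(variable) != 4:
        raise ValueError("variable field is 4 bytes in this sample")
    return host + STUB + variable + TAIL, len(host)

def whole_file_md5(data: bytes) -> str:
    """Naive identifier: MD5 of every byte in the file."""
    return hashlib.md5(data).hexdigest()

def mapped_md5(data: bytes, body_start: int, vmap: list[tuple[int, int]]) -> str:
    """MD5 over only the (offset, length) ranges named in the map.

    Offsets are relative to body_start; a range past end of file is an error,
    because a short read would silently produce a different identifier.
    """
    h = hashlib.md5()
    for offset, length in vmap:
        start = body_start + offset
        chunk = data[start:start + length]
        if len(chunk) != length:
            raise ValueError("map range runs past end of file")
        h.update(chunk)
    return h.hexdigest()

# Analyst A includes both constant regions and skips the 4 variable bytes.
MAP_A = [(0, len(STUB)), (len(STUB) + 4, len(TAIL))]
# Analyst B decides that only the tail is worth including.
MAP_B = [(len(STUB) + 4, len(TAIL))]

# Two constructed instances: different hosts, different variable bytes.
FILE_1, START_1 = make_instance(b"HOST-PROGRAM-ONE", b"\x01\x02\x03\x04")
FILE_2, START_2 = make_instance(b"A-DIFFERENT-HOST-PROGRAM", b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    print("whole file:", whole_file_md5(FILE_1), whole_file_md5(FILE_2))
    print("map A:     ", mapped_md5(FILE_1, START_1, MAP_A),
          mapped_md5(FILE_2, START_2, MAP_A))
    print("map B:     ", mapped_md5(FILE_1, START_1, MAP_B),
          mapped_md5(FILE_2, START_2, MAP_B))
```

Both maps identify the two instances consistently, yet they disagree with each other, which is the reconciliation problem the message describes.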


