[funsec] another VX site?
Joe Jaroch (Tera Innovations, Inc.)
security at terainnovations.com
Sat Jan 7 16:12:06 CST 2006
The problems with the MD5 naming scheme are:
1) Users will have no idea what the virus is. 'User-friendly' naming
schemes are important, though not entirely necessary.
2) You are thinking mostly of trojans and static worms. While these
types of malware are very prevalent over their virulent counterparts,
they do not make up ALL of the samples out there, so, if some universal
naming scheme would be put into place, it could not be truly universal
as viruses would come out and not be named correctly.
What I think might work well would be a multi-vendor scanner base,
where, every time a definition is added, samples are rescanned in
realtime. This way, if a questionable sample is added by vendor X, a
first responder, vendors Y and Z can learn about the name that X chose,
and everyone would have the same name.
What do y'all think? I think it wouldn't really be that hard to
implement and would be a service to everyone, using each other to try and
get a definition out as fast as possible. It also allows for no human
interaction if the big vendors do not want to talk to the small vendors.
A simple system with tracking ids can be implemented and emails can be
sent out automatically.
Tera Innovations, Incorporated.
dudevanwinkle at gmail.com wrote:
>>Put a sock in it.
>>At the time, we sorted out the names for all the viruses there were (maybe
>>1000?), and laid down naming conventions, that are still being followed.
>>The essential problem remains. You get a new "thing", you want to make
>>detection for it immediately, so you need a name for it, and you don't
>>really want to spend a week with 1000 other AV companies etc, working out
>>whether the file that you have in front of you is the same malware as the
>>one they have (remembering that you can have the same malware in different
>>files) before including it in the product. And afterwards, reconciling the
>>names that 1000 companies have chosen, is really non-trivial, especially
>>if there's 1000 new malwares per month.
>Ja, no offense to the AV industry, or Dr Solomon in general ;-) , but
>attempting to come up with unique names for variants of 65,000 known
>viri is kind of a hopeless task, and even if names were contrived, those
>of us without the benefit of photographic memories would soon lose
>track. Shoot even the AV industry has given up, calling everything
>Sober, MyDoom and Klez.
>I would suggest (as I would guess others have before) that we name the
>viri by their md5sum or some such naming signature. Maybe if our
>numbering scheme is successful (maybe a md5 of the malicious payload,
>followed by the md5 of the exploit(s) it uses to propagate, followed by
>the md5 of the "schlock" (e.g. "greetz to my diapers") then we could even
>have a DNS-esque scheme for mapping those nasty long numbers to nifty
>short names based on autovariant detection. One would hope the viri DNS
>system would base the naming convention on points of entry or payload
>sections of viri rather than the schlock part.
>I am assuming that this has already been discussed and dismissed, does
>anyone know why?
>"what was that word again... oh yeah! photographic memory!"
>-JP writing this email
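To make the two proposals in this thread concrete (JP's content-hash naming and Joe's shared registry where the first responder's name is reused and the other vendors are notified automatically), here is a small added example; it is not code from either poster. The sample bytes, vendor names and the registry API are all constructed for illustration, and SHA-256 stands in for the MD5 the thread mentions.

```python
import hashlib

# Constructed stand-in for a captured sample: just bytes, not real malware.
SAMPLE = b"MZ\x90\x00constructed-sample-bytes"
# The "same" malware in a different file (one byte appended). A content hash
# cannot tell that this is the same thing, which is Joe's objection 2).
VARIANT = SAMPLE + b"\x00"


def sample_id(data: bytes) -> str:
    """Content-derived name. The thread proposes MD5; SHA-256 is used here
    because MD5 collisions are practical, and a chosen collision would let
    two different files share one 'unique' name."""
    return hashlib.sha256(data).hexdigest()


class NameRegistry:
    """Shared multi-vendor registry (hypothetical): the first vendor to
    submit a sample (the first responder) fixes its name; every later
    submission of the same bytes gets that name back, and the other
    vendors receive an automatic notice with no human coordination."""

    def __init__(self, vendors):
        self.vendors = set(vendors)
        self.names = {}          # sample id -> (canonical name, first vendor)
        self.notifications = []  # (recipient vendor, sample id, canonical name)

    def submit(self, vendor, data, proposed_name):
        sid = sample_id(data)
        if sid not in self.names:
            # First responder: its proposed name becomes the tracking name.
            self.names[sid] = (proposed_name, vendor)
            for other in sorted(self.vendors - {vendor}):
                self.notifications.append((other, sid, proposed_name))
        canonical, _first = self.names[sid]
        return sid, canonical


if __name__ == "__main__":
    reg = NameRegistry(["X", "Y", "Z"])
    print(reg.submit("X", SAMPLE, "W32/Example.A"))   # X names it first
    print(reg.submit("Y", SAMPLE, "Trojan.Other"))    # Y gets X's name back
    print(reg.notifications)                          # Y and Z were told
    print(sample_id(VARIANT) == sample_id(SAMPLE))    # False: new id, new name
```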