From: fulldisc at ultratux.org (Maarten)
Subject: (no subject)

On Wednesday 11 August 2004 02:48, Nick FitzGerald wrote:
> Frank Knobbe to Valdis Kletnieks:

> > Obviously not at time of research. But these days everyone is keeping an
> > ear on the ground... I mean Internet... while they are doing research.
>
> Actually, no.
>
> Much AV research and analysis takes place in physically isolated labs
> (for hopefully obvious reasons such as not contributing further to the
> outbreak and ensuring the lab systems are in known states).  The
> analysts typically need relatively quiet surroundings to allow them to
> concentrate closely on what they are doing so as, for example, to
> bypass the various anti-debugging and other tricks used in much malware
> specifically to slow its analysis and thus increase its initial spread
> time.  Folk working in such environments commonly have no access to
> their Email, the web or other "normal" desktop resources (IM, corporate
> IT systems, etc) -- they are networkologically isolated for a reason,
> remember.  Also, even if they do have access to such resources ("clean"
> and "dirty" networks that are never allowed to mix by careful network
> planning and lack of removable media in the workstations on the "clean"
> network but located inside the "dirty" lab, say) they often do not
> _want_ to break their own concentration.

I'd suggest they're not so isolated as you claim.  For one thing, how do you 
suppose they get to hear new strains are found ?  Or receive samples ? 
So effectively, there is a layer between them and the internet that does 
communicate (it doesn't really matter whether that layer is social or 
technological).  And the analysts aren't the people naming the virii anyhow, 
that's probably some entirely other part of the AV company.

> Well, one large vendor in particular is especially notorious for not
> renaming malware, at least once it has released a non-beta DEF update
> that includes a new family name or a variant ascription.  This is not
> peculiar to that particular developer, but is a heavily entrenched
> practice due in no small part to an incredibly brain-dead
> infrastructure underlying much of the non-detection collateral that
> "follows" addition of a virus detection to their DEF files.  Great
> scads of support material, web descriptions and all manner of other
> stuff that users really like are significantly based on the _name_ the
> scanning engine reports when detecting a piece of malware, so once that
> company "goes public" with a name it has an enormous amount of baggage
> tied very closely to the name.  This is, of course, entirely bad and
> stupid "design".  In fact, I'd argue it is a classic case of an abject
> lack of any informed design process at all, as it ties far too much
> "ephemeral"stuff  (regardless of how useful/desirable to the user) to
> what anyone with half a clue about antivirus processes knows in the
> core of their being is an _entirely arbitrary and highly volatile_
> identifier -- the chosen malware name...

What's this ?  AV vendors can't work with variable substitution ??

# $thisvirus = vendor-200408121403
$thisvirus = MyDoom-AV

> > I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.
>
> Well, they darn well should be different.  Only one scan engine uses
> the (non-standard) "-<variant>" form so it should be the case that
> detections of "-M" and "-O" "variants" of the same family are, in fact,
> detections of two truly different variants.  Of course, what Sophos
> calls MyDoom-M may well be called MyDoom.O by some other scanner(s) for
> one or more of the reasons likely to emerge from the situations already
> described above, but that is a different matter.

No.  It may not matter IF you only use one single brand of AV software.  But 
that is NOT how it works in the real world.  Companies tend to deploy 
multiple AV solutions on different layers so as to decrease the likelihood of 
some virus slipping through.  And maybe even more importantly, "Google 
research" is done all the time, which doesn't work well if a strain goes by 
many different names. 

> > BTW: Perhaps the analogy to medicine was misplaced. I just thought in
> > term of diseases. How many different names do we have for ...say...
> > chicken pox or colitis or diabetes? Imagine you had 5 different names
> > for the flu. I could come up with a dozen Monty Python sketches taking
> > place in the doctors office....
>
> Ahhhh yes, but so long as the doctor has the machine that goes BING
> everything will be OK...

You're missing the point.  Every doctor addresses the type II diabetes as 
being the type II diabetes.  There is no confusion whatsoever here.

> I agree, but having been inside it for a while and close to it for
> about as long before that, I don't see anything likely to compel the
> industry to address such issues as doing so will cost them money with
> no apparent return on the investment.  A very large government (or
> group of governments) may be able to apply enough leverage through
> terms of purchase for its departments, so long as a naming standard the
> industry could more or less agree to can be developed to provide the
> baseline for determining "correct" name reporting.  And a possible
> practical result of such a move may be that reported malware names
> become much less "precise", in the sense that instead of reporting
> "Bagle.AA" and "Bagle.AB", product developers may respond to naming
> consensus requirements by simply reporting both as "Bagle" (though
> internal to the product they will often still have to differentiate at
> the a finer level for disinfection purposes).

Every industry has, at some point, to start regulating itself.  Yes, that will 
cost money.  If an industry fails to do so, they will eventually end up BEING 
regulated instead of regulating themselves.  The second scenario is often not 
the desired one for the industry.  So choose your preferred poison...

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

Powered by blists - more mailing lists