Message-ID: <3F3ABFD0.18669.5205231D@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: MSBLASTER - aka LOVESAN/POZA ?
Darren Reed <avalon@...igula.anu.edu.au> to "cstone":
> > yes. everyone picks their own name -- this happens pretty
> > frequently with malware.
<<snip>>
Well, I doubt that we (or at least many of us, in AV) think it "makes
sense" as Darren initially asked, but "cstone" is right that naming is
something of a free for all.
> Cripes. Someone needs to have a central authority on naming for
> these things, like the CVP#'s that are available or just dispense
> with names and use a centrally allocated number. Then I suppose
> how do you have "extra" viruses that one company knows about but
> another doesn't.
It is not -- despite the appearance to "outsiders" that it seems
otherwise -- that we haven't discussed this issue, battled with it and
tried to improve things (though some of us are highly critical of the
effort some AV researchers and developers make in trying to address the
issues). Systems like CAN/CVE are fine for slow-moving, unchanging
things and especially in a field where no-one actually uses the
"official" name most of the time. But with viruses and related
malware, there seems to be some "natural" predilection for them to be
named and at the rate and speed the more interesting of them can
appear, spread and disappear, by the time CAN/CVE form-filling is
finished, the whole incident will be over and no-one will care about
the name of that particular virus or worm...
To see one of the differences between CAN/CVE and malware naming,
consider this latest worm. Note how naturally everyone opted to refer
to it as "the CAN-2003-0352 worm". Yes -- it is almost silly to
suggest it isn't it, yet you are suggesting that some similar, but
different, scheme could or should be made to work for viruses and
worms.
Don't get me wrong -- I'm not defending the currently extremely slack
attitude in general the AV industry has to naming, or its equally slack
attitude to the huge confusion that can ensue when every other AV
developer decides to name the same thing something quite different from
what all the other developers are calling it. But the flip side is
that this is a somewhat tricky problem to resolve, particularly when so
few developers are at all willing to step back and consider how to re-
engineer their processes to even allow them to be naming-consolidation
friendly, let alone consolidation _capable_...
> Enough of a mess to make you want to vomit massively all over their
> doorstops. And people wonder why computer security is a mess - not
> even the necessary "responsible" vendors have enough sense to have
> something resembling co-ordination & co-operation.
Again, in many ways I agree with your comments regarding the naming
mess and am on record repeatedly criticising typical malware naming
practices (ask any established AV researcher you know who in the
industry are the two or three most anal about naming issues and you're
bound to get my name in that list). Unfortunately, one of the
mechanisms we do use that tries hard to get (better) agreement on the
"correct" name to use for especially high-profile malware such as at
the heart of this worm incident failed us yesterday when a mailing list
with researchers from around 20 AV developers went strangely AWOL
coincidentally with a major computer outage (unrelated to the worm!) at
the list admin's home (and, if I understand correctly he was on
vacation, but would have been working had his PCs been...). By the
time the list problems were all sorted and messages started flowing it
was way too late for most of the developers to consider changing the
names they had chosen because they had made press releases, done all
kinds of media interviews, etc, etc, etc.
And yes, I agree that those are _really sucky_ excuses for being slack-
arsed about changing names, reducing confusion and otherwise increasing
karmic balance, but unfortunately that's the way large parts of this
industry operate.
To top all that off, we are also increasingly seeing "new folk", who
have little or no history in the industry, any idea of what names have
already been used or of what is (roughly) agreed inside the industry as
being "good" names, almost randomly choosing names for malware they
have more or less randomly discovered as a result of being a "security
expert" of some sort. This is exacerbated by their further copying of
the "established industry players" by these new folk rushing off to the
media with the stories and oddball names before consulting with others
who may be better placed to reduce the naming mess. Devising a system
that may be usable even by the interested existing and established
players will be hard enough...
And _then_ you get the media, making up their own random names or
choosing the "sexiest" but most inappropriate in the eyes of most
established researchers and hyping (and usually grossly misleading)
these "high visibility" incidents. However, you really do not want to
get me started on that here...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854