From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: MSBLASTER - aka LOVESAN/POZA ?

Darren Reed <avalon@...igula.anu.edu.au> to "cstone":

> > yes.  everyone picks their own name -- this happens pretty
> > frequently with malware.
<<snip>>

Well, I doubt that we (or at least many of us, in AV) think it "makes 
sense" as Darren initially asked, but "cstone" is right that naming is 
something of a free for all.

> Cripes.  Someone needs to have a central authority on naming for
> these things, like the CVP#'s that are available or just dispense
> with names and use a centrally allocated number.  Then I suppose
> how do you have "extra" viruses that one company knows about but
> another doesn't.

It is not -- despite the appearance to "outsiders" that it seems 
otherwise -- that we haven't discussed this issue, battled with it and 
tried to improve things (though some of us are highly critical of the 
effort some AV researchers and developers make in trying to address the 
issues).  Systems like CAN/CVE are fine for slow-moving, unchanging 
things and especially in a field where no-one actually uses the 
"official" name most of the time.  But with viruses and related 
malware, there seems to be some "natural" predilection for them to be 
named and at the rate and speed the more interesting of them can 
appear, spread and disappear, by the time CAN/CVE form-filling is 
finished, the whole incident will be over and no-one will care about 
the name of that particular virus or worm...

To see one of the differences between CAN/CVE and malware naming, 
consider this latest worm.  Note how naturally everyone opted to refer 
to it as "the CAN-2003-0352 worm".  Yes -- it is almost silly to 
suggest it, isn't it, yet you are suggesting that some similar, but 
different, scheme could or should be made to work for viruses and 
worms.

Don't get me wrong -- I'm not defending the currently extremely slack 
attitude in general the AV industry has to naming, or its equally slack 
attitude to the huge confusion that can ensue when every other AV 
developer decides to name the same thing something quite different from 
what all the other developers are calling it.  But the flip side is 
that this is a somewhat tricky problem to resolve, particularly when so 
few developers are at all willing to step back and consider how to re-
engineer their processes to even allow them to be naming-consolidation 
friendly, let alone consolidation _capable_...

> Enough of a mess to make you want to vomit massively all over their
> doorstops.  And people wonder why computer security is a mess - not
> even the necessary "responsible" vendors have enough sense to have
> something resembling co-ordination & co-operation.

Again, in many ways I agree with your comments regarding the naming 
mess and am on record repeatedly criticising typical malware naming 
practices (ask any established AV researcher you know who in the 
industry are the two or three most anal about naming issues and you're 
bound to get my name in that list).  Unfortunately, one of the 
mechanisms we do use that tries hard to get (better) agreement on the 
"correct" name to use for especially high-profile malware such as at 
the heart of this worm incident failed us yesterday when a mailing list 
with researchers from around 20 AV developers went strangely AWOL 
coincidentally with a major computer outage (unrelated to the worm!) at 
the list admin's home (and, if I understand correctly he was on 
vacation, but would have been working had his PCs been...).  By the 
time the list problems were all sorted and messages started flowing it 
was way too late for most of the developers to consider changing the 
names they had chosen because they had made press releases, done all 
kinds of media interviews, etc, etc, etc.

And yes, I agree that those are _really sucky_ excuses for being slack- 
arsed about changing names, reducing confusion and otherwise increasing 
karmic balance, but unfortunately that's the way large parts of this 
industry operate.

To top all that off, we are also increasingly seeing "new folk", who 
have little or no history in the industry, any idea of what names have 
already been used or of what is (roughly) agreed inside the industry as 
being "good" names, almost randomly choosing names for malware they 
have more or less randomly discovered as a result of being a "security 
expert" of some sort.  This is exacerbated by their further copying of 
the "established industry players" by these new folk rushing off to the 
media with the stories and oddball names before consulting with others 
who may be better placed to reduce the naming mess.  Devising a system 
that may be usable even by the interested existing and established 
players will be hard enough...

And _then_ you get the media, making up their own random names or 
choosing the "sexiest" but most inappropriate in the eyes of most 
established researchers and hyping (and usually grossly misleading) 
these "high visibility" incidents.  However, you really do not want to 
get me started on that here...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
