lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <3F3ABFD0.18669.5205231D@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: MSBLASTER - aka LOVESAN/POZA ?

Darren Reed <avalon@...igula.anu.edu.au> to "cstone":

> > yes. everyone picks their own name -- this happens pretty
> > frequently with malware.

<<snip>>

Well, I doubt that we (or at least many of us, in AV) think it "makes sense" as Darren initially asked, but "cstone" is right that naming is something of a free-for-all.

> Cripes. Someone needs to have a central authority on naming for
> these things, like the CVP#'s that are available or just dispense
> with names and use a centrally allocated number. Then I suppose
> how do you have "extra" viruses that one company knows about but
> another doesn't.

It is not -- despite the appearance to "outsiders" that it seems otherwise -- that we haven't discussed this issue, battled with it and tried to improve things (though some of us are highly critical of the effort some AV researchers and developers make in trying to address the issues).

Systems like CAN/CVE are fine for slow-moving, unchanging things and especially in a field where no-one actually uses the "official" name most of the time. But with viruses and related malware, there seems to be some "natural" predilection for them to be named and, at the rate and speed the more interesting of them can appear, spread and disappear, by the time CAN/CVE form-filling is finished, the whole incident will be over and no-one will care about the name of that particular virus or worm...

To see one of the differences between CAN/CVE and malware naming, consider this latest worm. Note how naturally everyone opted to refer to it as "the CAN-2003-0352 worm". Yes -- it is almost silly to suggest it, isn't it? Yet you are suggesting that some similar, but different, scheme could or should be made to work for viruses and worms.

Don't get me wrong -- I'm not defending the currently extremely slack attitude in general the AV industry has to naming, or its equally slack attitude to the huge confusion that can ensue when every other AV developer decides to name the same thing something quite different from what all the other developers are calling it. But the flip side is that this is a somewhat tricky problem to resolve, particularly when so few developers are at all willing to step back and consider how to re-engineer their processes to even allow them to be naming-consolidation friendly, let alone consolidation _capable_...

> Enough of a mess to make you want to vomit massively all over their
> doorstops. And people wonder why computer security is a mess - not
> even the necessary "responsible" vendors have enough sense to have
> something resembling co-ordination & co-operation.

Again, in many ways I agree with your comments regarding the naming mess and am on record repeatedly criticising typical malware naming practices (ask any established AV researcher you know who in the industry are the two or three most anal about naming issues and you're bound to get my name in that list).

Unfortunately, one of the mechanisms we do use that tries hard to get (better) agreement on the "correct" name to use for especially high-profile malware such as at the heart of this worm incident failed us yesterday, when a mailing list with researchers from around 20 AV developers went strangely AWOL coincidentally with a major computer outage (unrelated to the worm!) at the list admin's home (and, if I understand correctly, he was on vacation, but would have been working had his PCs been...). By the time the list problems were all sorted and messages started flowing it was way too late for most of the developers to consider changing the names they had chosen because they had made press releases, done all kinds of media interviews, etc, etc, etc.

And yes, I agree that those are _really sucky_ excuses for being slack-arsed about changing names, reducing confusion and otherwise increasing karmic balance, but unfortunately that's the way large parts of this industry operate.

To top all that off, we are also increasingly seeing "new folk", who have little or no history in the industry, any idea of what names have already been used or of what is (roughly) agreed inside the industry as being "good" names, almost randomly choosing names for malware they have more or less randomly discovered as a result of being a "security expert" of some sort. This is exacerbated by their further copying of the "established industry players" by these new folk rushing off to the media with the stories and oddball names before consulting with others who may be better placed to reduce the naming mess. Devising a system that may be usable even by the interested existing and established players will be hard enough...

And _then_ you get the media, making up their own random names or choosing the "sexiest" but most inappropriate in the eyes of most established researchers and hyping (and usually grossly misleading) these "high visibility" incidents. However, you really do not want to get me started on that here...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854