Message-ID: <411A9DB6.13933.A6B7C3B1@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AV Naming Convention

Todd Towles wrote:

> Nowhere did I state that AV researchers were doing a crappy job and
> everything needs to change. I stated a shift is needed. A shift toward more
> sharing of information between AV companies is needed. 

Information sharing is not the main part of the problem.  We do lots of 
information sharing all the time.  One large part of the problem is 
simply that too many developers do not have (and never did) a 
sufficiently customer-centred focus.  If they did, these developers 
would realize that most corporate customers use multiple products from 
multiple vendors, and even the smallest of customers -- the one PC home 
or small business user -- gets their information about viruses from 
multiple _other_ resources than just their "favourite" AV developer.

Sadly, way too many AV developers have worked for far too long with an 
internal culture that did not see that reality and the obvious problems 
to arise from that failure to recognize such a problem.  Several of 
these developers evolved complex internal procedures that eased the 
processing of samples of suspect new malware flowing to their labs, but 
as naming was not seen as an issue, much less an important issue to 
prioritize, naming issues were not designed for or around.  As a 
result, some of these procedures are so crucially dependent on the 
choice of a name _AND_ require that to happen so early in the process 
that it is all but inconceivable for some of these developers to change 
a virus' name.

Thus, for example, no matter how often and how quickly it is realized 
that some new mass mailer is a Bagle variant and the analysts from two 
dozen or more AV companies discuss it in the hope that they can finally 
agree on a breaking point in the Bagle variant chain allowing all 
vendors to align future Bagle variants, at least one AV company will 
call it "Beagle.<something>" (they could actually call this latest one 
"Bagle.<whatever is agreed>" but that would be to admit all those 
others were wrong and all but unchangeable...).

<<snip>>
> I can tell you that the way viruses are named right now is meaningless to
> the public.  ...

So is the way their cars run but they seem to get along just fine...

> ...  Look at the newspaper; they just throw headlines with "MyDoom"
> and "Beagle" in them. They can't keep up with what version is or and who
> called this what.

Don't get me started on this...

As much as most of the industry may agree to not aggrandize some spotty 
faced, bad-breathed teenager's fantasies by not using the name the 
virus writer chose, the media will latch onto the one tiny, weird-arse, 
industry convention defying, publicity starved, former Eastern-bloc 
hopped up AV company that does use the "cute" or "catchy" or whatever 
name, and thereby greatly exacerbates the problem.  Worse, many 
journalists (or perhaps their editors) feel that they are better 
qualified to make up virus names than antivirus researchers are and 
they will simply coin what they consider a catchy, snazzy, sexy, 
attention grabbing, etc name to make a good headline or some dodgy joke 
later in their copy.

If you depend on the media for your antivirus information, more fool 
you...

> Do you really believe that trying to improve the AV information process is
> meaningless? Just because we can't see the answer at this very second
> doesn't matter that one doesn't exist.

Absolutely, but I _seriously_ doubt that anything J. Random Full-
Disclosure Reader is going to suggest will come close to being useful 
given the intellect, experience and AV smarts that have already gone 
into trying to resolve this problem (or at least into considering what 
could be made to work given how AV and viruses really work).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
