Message-ID: <411A159D.21853.A4A4282E@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: (no subject)
Frank Knobbe to Valdis Kletnieks:
> > Software gets named over days/weeks. They crank out a new name for an element
> > every few years. These things need names in *MINUTES* - often while the various
> > A/V companies are looking at different copies of a polymorphic, multi-attack
> > piece of malware.
>
> Hey, I didn't say it would be easy, did I?
8-)
Oh good...
> > 5 blind men and an elephant time... and you want them to agree on a name before
> > they even agree they're looking at the same thing???
>
> Obviously not at time of research. But these days everyone is keeping an
> ear on the ground... I mean Internet... while they are doing research.
Actually, no.
Much AV research and analysis takes place in physically isolated labs
(for hopefully obvious reasons such as not contributing further to the
outbreak and ensuring the lab systems are in known states). The
analysts typically need relatively quiet surroundings to allow them to
concentrate closely on what they are doing so as, for example, to
bypass the various anti-debugging and other tricks used in much malware
specifically to slow its analysis and thus increase its initial spread
time. Folk working in such environments commonly have no access to
their Email, the web or other "normal" desktop resources (IM, corporate
IT systems, etc) -- they are networkologically isolated for a reason,
remember. Also, even if they do have access to such resources ("clean"
and "dirty" networks that are never allowed to mix by careful network
planning and lack of removable media in the workstations on the "clean"
network but located inside the "dirty" lab, say) they often do not
_want_ to break their own concentration.
Also, don't forget that they do this day in, day out, on sample after
sample after sample. Most of the things they see are much like each
other, yet of the hundreds and hundreds of new things that go through
such analysis each month, only a tiny handful -- a few dozen at most --
_EVER_ reach "significant" proportions. And, of those that do reach
"outbreak" scale, that is often not able to be determined till hours
(and sometimes days) after the analyst has moved on to other things.
> Once one company, which is working on a new strain they term BigNasty,
> finds out 3 others are discussing this (on the Internet or private AV
> channels) as the SuckThis virus, then they could adopt that name to
> avoid confusion.
This would be nice, but there are many language and trust barriers
between the researchers that work on such things. We cannot easily
solve the language issues but there are moves to improve inter-
researcher communication across (or even _despite_) inter-employer
boundaries. Also, it sounds very easy in theory, but many of the same
practicalities (as described above) that naturally "interfere" with
what some see as an ideal approach also apply here. And don't forget
to allow for the scale of things -- let's say 1000 new samples a month
between 10 analysts; makes for an average of three samples per day.
This is often spread out across several analysis centres around the
world so as to provide 24x7 coverage.
> I didn't say it was easy, but they could at least make an effort.
They do make an effort.
They could (and should!) make more of an effort, but there are often
procedural obstacles designed into the internal processes of each
specific developer too...
> Here we are a year later and still call it Bagle or Beagle, either one.
Well, one large vendor in particular is especially notorious for not
renaming malware, at least once it has released a non-beta DEF update
that includes a new family name or a variant ascription. This is not
peculiar to that particular developer, but is a heavily entrenched
practice due in no small part to an incredibly brain-dead
infrastructure underlying much of the non-detection collateral that
"follows" addition of a virus detection to their DEF files. Great
scads of support material, web descriptions and all manner of other
stuff that users really like are significantly based on the _name_ the
scanning engine reports when detecting a piece of malware, so once that
company "goes public" with a name it has an enormous amount of baggage
tied very closely to the name. This is, of course, entirely bad and
stupid "design". In fact, I'd argue it is a classic case of an abject
lack of any informed design process at all, as it ties far too much
"ephemeral" stuff (regardless of how useful/desirable to the user) to
what anyone with half a clue about antivirus processes knows in the
core of their being is an _entirely arbitrary and highly volatile_
identifier -- the chosen malware name...
> I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.
Well, they darn well should be different. Only one scan engine uses
the (non-standard) "-<variant>" form so it should be the case that
detections of "-M" and "-O" "variants" of the same family are, in fact,
detections of two truly different variants. Of course, what Sophos
calls MyDoom-M may well be called MyDoom.O by some other scanner(s) for
one or more of the reasons likely to emerge from the situations already
described above, but that is a different matter.
> BTW: Perhaps the analogy to medicine was misplaced. I just thought in
> term of diseases. How many different names do we have for ...say...
> chicken pox or colitis or diabetes? Imagine you had 5 different names
> for the flu. I could come up with a dozen Monty Python sketches taking
> place in the doctors office....
Ahhhh yes, but so long as the doctor has the machine that goes BING
everything will be OK...
> I didn't say it was easy, but we should "encourage" the AV industry to
> work towards such a standardization. It may even be beneficial for them.
I agree, but having been inside it for a while and close to it for
about as long before that, I don't see anything likely to compel the
industry to address such issues as doing so will cost them money with
no apparent return on the investment. A very large government (or
group of governments) may be able to apply enough leverage through
terms of purchase for its departments, so long as a naming standard the
industry could more or less agree to can be developed to provide the
baseline for determining "correct" name reporting. And a possible
practical result of such a move may be that reported malware names
become much less "precise", in the sense that instead of reporting
"Bagle.AA" and "Bagle.AB", product developers may respond to naming
consensus requirements by simply reporting both as "Bagle" (though
internal to the product they will often still have to differentiate at
a finer level for disinfection purposes).
> Sing with me Valdis....
> "I say tomato, you say tomato,
> I say potato, you say potato,
> I say Beagle, you say Bagle,
> and others are calling it something else."
Sadly, it doesn't scan...
[Damn, couldn't resist -- sorry...]
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
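An added example (not part of this message, and not any vendor's code) showing how a defender correlating multi-engine reports might normalise the two naming forms discussed above, Sophos's hyphenated "MyDoom-M" and the dotted "MyDoom.O"/"Bagle.AA" form, while encoding the caveat that variant letters are only comparable within one engine. The vendor labels other than Sophos and the Beagle/Bagle alias table are constructed for the demonstration.

```python
import re
from typing import NamedTuple, Optional

# Alias table for family spellings mentioned in the thread above
# (constructed for this example; a real deployment maintains its own).
FAMILY_ALIASES = {"beagle": "bagle"}

class Detection(NamedTuple):
    vendor: str    # which scanner reported the name
    family: str    # normalised family name (lowercase, aliases collapsed)
    variant: str   # variant suffix such as "M", "O", "AA"; "" if family-only

# Accepts both the dot form ("MyDoom.O", "Bagle.AA") and the hyphen form
# ("MyDoom-M"); a bare family name such as "Bagle" carries no variant.
_NAME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:[.-]([A-Z]{1,3}))?$")

def parse_detection(vendor: str, name: str) -> Detection:
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    family = m.group(1).lower()
    family = FAMILY_ALIASES.get(family, family)
    return Detection(vendor, family, m.group(2) or "")

def family_level_name(det: Detection) -> str:
    """The coarser name a product would report under the 'consensus'
    approach discussed above: family only, variant kept internally."""
    return det.family

def same_family(a: Detection, b: Detection) -> bool:
    return a.family == b.family

def same_variant(a: Detection, b: Detection) -> Optional[bool]:
    """True/False only when one engine assigned both names (within one
    engine, -M and -O are distinct variants). Across vendors the variant
    letters are not comparable, so the honest answer is None (unknown)."""
    if a.vendor != b.vendor:
        return None
    return a.family == b.family and a.variant == b.variant

def group_by_family(reports):
    """Group (vendor, name) pairs reported for one sample by family,
    so differently-spelled names for the same family land together."""
    groups = {}
    for vendor, name in reports:
        det = parse_detection(vendor, name)
        groups.setdefault(det.family, []).append(det)
    return groups
```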