lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <411A159D.21853.A4A4282E@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: (no subject)

Frank Knobbe to Valdis Kletnieks:

> > Software gets named over days/weeks.  They crank out a new name for an element
> > every few years. These things need names in *MINUTES* - often while the various
> > A/V companies are looking at different copies of a polymorphic, multi-attack
> > piece of malware.
> 
> Hey, I didn't say it would be easy, did I?

8-)

Oh good...

> > 5 blind men and an elephant time... and you want them to agree on a name before
> > they even agree they're looking at the same thing???
> 
> Obviously not at time of research. But these days everyone is keeping an
> ear on the ground... I mean Internet... while they are doing research.

Actually, no.

Much AV research and analysis takes place in physically isolated labs 
(for hopefully obvious reasons such as not contributing further to the 
outbreak and ensuring the lab systems are in known states).  The 
analysts typically need relatively quiet surroundings to allow them to 
concentrate closely on what they are doing so as, for example, to 
bypass the various anti-debugging and other tricks used in much malware 
specifically to slow its analysis and thus increase its initial spread 
time.  Folk working in such environments commonly have no access to 
their Email, the web or other "normal" desktop resources (IM, corporate 
IT systems, etc) -- they are networkologically isolated for a reason, 
remember.  Also, even if they do have access to such resources ("clean" 
and "dirty" networks that are never allowed to mix by careful network 
planning and lack of removable media in the workstations on the "clean" 
network but located inside the "dirty" lab, say) they often do not 
_want_ to break their own concentration.

Also, don't forget that they do this day in, day out, on sample after 
sample after sample.  Most of the things they see are much like each 
other, yet of the hundreds and hundreds of new things that go through 
such analysis each month, only a tiny handful -- a few dozen at most -- 
_EVER_ reach "significant" proportions.  And, of those that do reach 
"outbreak" scale, that is often not able to be determined till hours 
(and sometimes days) after the analyst has moved on to other things.

> Once one company, which is working on a new strain they term BigNasty,
> finds out 3 others are discussion this (on the Internet or private AV
> channels) as the SuckThis virus, then they could adopt that name to
> avoid confusion.

This would be nice, but there are many language and trust barriers 
between the researchers that work on such things.  We cannot easily 
solve the language issues but there are moves to improve inter-
researcher communication across (or even _despite_) inter-employer 
boundaries.  Also, it sounds very easy in theory, but many of the same 
practicalities (as described above) that naturally "interfere" with 
what some see as an ideal approach also apply here.  And don't forget 
to allow for the scale of things -- let's say 1000 new samples a month 
between 10 analysts; makes for an average of three samples per day.  
This is often spread out across several analysis centres around the 
world so as to provide 24x7 coverage.

> I didn't say it was easy, but they could at least make an effort.

They do make an effort.

They could (and should!) make more of an effort, but there are often 
procedural obstacles designed into the internal processes of each 
specific developer too...

> Here we are a year later and still call it Bagle or Beagle, either one.

Well, one large vendor in particular is especially notorious for not 
renaming malware, at least once it has released a non-beta DEF update 
that includes a new family name or a variant ascription.  This is not 
peculiar to that particular developer, but is a heavily entrenched 
practice due in no small part to an incredibly brain-dead 
infrastructure underlying much of the non-detection collateral that 
"follows" addition of a virus detection to their DEF files.  Great 
scads of support material, web descriptions and all manner of other 
stuff that users really like are significantly based on the _name_ the 
scanning engine reports when detecting a piece of malware, so once that 
company "goes public" with a name it has an enormous amount of baggage 
tied very closely to the name.  This is, of course, entirely bad and 
stupid "design".  In fact, I'd argue it is a classic case of an abject 
lack of any informed design process at all, as it ties far too much 
"ephemeral"stuff  (regardless of how useful/desirable to the user) to 
what anyone with half a clue about antivirus processes knows in the 
core of their being is an _entirely arbitrary and highly volatile_ 
identifier -- the chosen malware name...

> I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.

Well, they darn well should be different.  Only one scan engine uses 
the (non-standard) "-<variant>" form so it should be the case that 
detections of "-M" and "-O" "variants" of the same family are, in fact, 
detections of two truly different variants.  Of course, what Sophos 
calls MyDoom-M may well be called MyDoom.O by some other scanner(s) for 
one or more of the reasons likely to emerge from the situations already 
described above, but that is a different matter.

> BTW: Perhaps the analogy to medicine was misplaced. I just thought in
> term of diseases. How many different names do we have for ...say...
> chicken pox or colitis or diabetes? Imagine you had 5 different names
> for the flu. I could come up with a dozen Monty Python sketches taking
> place in the doctors office.... 

Ahhhh yes, but so long as the doctor has the machine that goes BING 
everything will be OK...

> I didn't say it was easy, but we should "encourage" the AV industry to
> work towards such a standardization. It may even be beneficial for them.

I agree, but having been inside it for a while and close to it for 
about as long before that, I don't see anything likely to compel the 
industry to address such issues as doing so will cost them money with 
no apparent return on the investment.  A very large government (or 
group of governments) may be able to apply enough leverage through 
terms of purchase for its departments, so long as a naming standard the 
industry could more or less agree to can be developed to provide the 
baseline for determining "correct" name reporting.  And a possible 
practical result of such a move may be that reported malware names 
become much less "precise", in the sense that instead of reporting 
"Bagle.AA" and "Bagle.AB", product developers may respond to naming 
consensus requirements by simply reporting both as "Bagle" (though 
internal to the product they will often still have to differentiate at 
the a finer level for disinfection purposes).

> Sing with me Valdis....
> "I say tomato, you say tomato,
> I say potato, you say potato, 
> I say Beagle, you say Bagle,
> and others are calling it something else."

Sadly, it doesn't scan...

[Damn, couldn't resist -- sorry...]


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ