[Full-Disclosure] Asynchronous, industry-wide virus naming scheme proposed
From: Feher Tamas (etomcat_at_freemail.hu)
Date: 10/02/03
- Previous message: Paul Tinsley: "Re: [Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes"
- Next in thread: Michel Messerschmidt: "Re: [Full-Disclosure] Asynchronous, industry-wide virus naming scheme proposed"
- Reply: Michel Messerschmidt: "Re: [Full-Disclosure] Asynchronous, industry-wide virus naming scheme proposed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Thu, 2 Oct 2003 14:21:21 +0200 (CEST)
Dear IT Security Community,
The June 2003 issue of the Virus Bulletin paper (page 13) contains a
report about EICAR-2003 antivirus research conference in Copenhagen.
The third paragraph says:
"she called for the implementation of industry standards, beginning
with synergistic naming schemes. The suggestion of a numerical naming
scheme for viruses prompted discussion amongst delegates - many
agreed such a scheme would be a helpful solution, while others felt
that their users would not respond as well to warnings about a
numerically named virus as they would to viruses with more memorable
names."
The autumn 2003 conference of computer virus researchers in Toronto
also discussed malware ID woes, like conflicting names, media-flashy
names vs. numeric/structured names, voluntary or standardized
naming, privacy and copyright issues with virus names, etc. at great
depth , but apparently without any breakthrough.
These examples show the real-world need for a viable solution. Well, I
have a novel idea, which stems from the observation that zero-minute
coherent virus naming is impossible.
Let me reason:
Considering the free market competition in the AV industry and the
short timeframe between vendors receiving sample and releasing
detection, few hours are available for naming newly discovered viruses.
Considering the well-know computer science theorem, which says it is
impossible to write a software, that successfully compresses each and
any arbitirary file; it is impossible to coherently name viruses without
vendors sharing full samples with each other, because information
relevant to the process of naming malware may reside anywhere in the
sample or even the decompiled source.
As you know, AV vendors only share samples among each other
monthly. They guard their partially proprietary malware sample
collection sets strictly. This situation is legitimate and is not going to
change, period.
Yet, I propose a project that reduces its scope to reaching a uniform
and industry-wide virus name for any malware some 24-36h after the
first discovery is still feasible and realistic. I mean a virus name which
can then be cascaded down, back to even the desktop AV programs
and it will help alleviate the woes of the current name turmoil situation.
Yes, it would be a kind of a minimalistic concept, but I hold that it shall
be acceptable to all interested parties, which cannot be said of other
proposals.
Of course, I know there are several difficulties to solve, but I think this
system would blend well with the current, heavily segmented antivirus
arena. It is taken for granted that AV vendors would never succumb to
a monopoly-based standardized virus naming scheme, because it
would give too much control to Microsoft, CERT or FBI or whoever else
in control of the system.
My idea to solve the above dilemma is: why not implement a system for
industry-wide virus identification, called Virus Name System (VNS),
somewhat similar in its nature to the distributed Domain Name System
(DNS) of the Internet. Numerical (abstract) virus ID would be analogous
to the IP address and virus names replace the host name. Just like a
particular IP address can have several host names associated with it, a
numerical virus ID could absorb two, three or seven virus names from
different vendors and allow for a dismissal of less-favoured names over
the time to keep the single real one. Inter-vendor discussions
conducted across the phone or the coffe table as to which name fits a
particular malware the best is not addressed in this paper.
Just like the current Net system of 13 root level DNS servers and
thousands of lesser DNS servers, the virus naming network would be a
distributed one, but inevitably less open. A handful of "root virusname
servers" should be established, based on a geographical/cultural
divisions on the globe. For example, it is well known that Asia,
especially South Korea has a computer virus culture that is vastly
different from the rest of the world. Locale specific DOS virii are still
popular there, etc. Several root VNS servers can accomodate that.
Each of these "root" servers would be controlled by a voluntary group
composed of the major AV vendors, those who are most significant in
that geographical area and these servers would replicate among each
other, according to predefined rules.
(Considering the need for comparative virus detection rate testing, etc.
maybe a single super-root VNS server should be established, probably
in the hands of the current V-Grep staff or some other independent 3rd
party. But this should be a strictly write-only server, one that NEVER
serves the public, to prevent abuse of power).
Each AV vendor would have its very own virusname server(s), where
they upload their virus name and abstract ID record for all malware
they detect. When the virus samples's data and name is uploaded from
vendor server(s) to "root VNS" servers it becomes universally accepted.
Of course this step requires human supervision!
Just like the Net DNS system contains miscellanous info to help
identification, like owner name, owner's street address, domain
registrar's name, etc.; the virname system entries stored on root-VNS
servers should have records, formalized technical data, which is
verbose enough to determine if several differently named virus entries
submitted from diverse vendor virname servers are actually the same.
[I think this detail is most problematic, may even defy solution. Luckily,
this issue is only present in interoperation between vendor-VNS and
root-VNS servers. The interoperation between antivirus software and
vendor-VNS server is easy, as virus names are always unique and
directly related within a single AV vendor.
This cannot be said with guarantee when speaking of several vendors.
Therefore, formalized data must be maintained beyond each virus name
entry. This is complicated, both technically and legally, I could think of in
the likeness of a national registry of people's identity, where their
names and photos are backed by their DNA sample. I may have a
guess how to do this correctly, see the footnote (*) ]
Virus scanning software (the computer programs that customers buy)
should incorporate a new feature: when a malicious object is found, it
should ask the vendor-VNS server for the name of that malware, based
on a query with the virus name which is already hardcoded in its
signature database files. If the VNS server replies with another, more
authorative name (because the vendor-VNS has been synchronized
with Root-VNS, where another name has been choosen for that
particular malware) anti-virus software should display that industry-
wide name to the user, not the proprietary one.
If there is no match, it should fall back to the virus name which is found
hardcoded in its virus signature files. The substance is, the end user
and/or security administrator should be confronted with the most
authoritive name, whenever avilable.
Protocol spoken between antivirus software and vendor-VNS servers
should be a simple (probably http-based) one, where only vnames data
is discussed. However, full protocol conducted between VNS-servers
will be a more complex one (probably X.509/LDAP or SQL based)
because both virusnames and abstract malware data will need to be
negotiated. Whether or not conversation between anti-virus software
and abritrary VNS servers should be allowed remains to be seen, as
this would enhance complexity and raise security issues. The full
protocol access doesn't even need to be publicly available.
For demanding, high security or very big customers, the solution is to
field their own corporate VNS server, which may even have off-band
(non-Internet based) connection to vendors' VNS servers with reliability
or QoS guarantees. This extra service would be a new revenue stream
opportunity for AV vendors.
I would like to repeat, that this is a kind of a minimalistic concept, one
that allows reaching a uniform and industry-wide virus name for any
malware probably some 24-36h after fist finding. Of course, during the
first day, virus naming confusion and chaos may still rule. I'm not sure if
the proposed solution can solve the media FUD (a.k.a. CNN factor),
which problem was emphasized in the Toronto antivirus conference.
Thanks for your attention, Sincerely: Tamas Feher from Hungary.
(*)
Footnote: Sorry, this is not included in the posting to full-disclosure
mailing list, because it is too weird for the public and/or could hurt some
AV-vendors.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Paul Tinsley: "Re: [Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes"
- Next in thread: Michel Messerschmidt: "Re: [Full-Disclosure] Asynchronous, industry-wide virus naming scheme proposed"
- Reply: Michel Messerschmidt: "Re: [Full-Disclosure] Asynchronous, industry-wide virus naming scheme proposed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
