Network Security Focus-Virus

Re: Administrivia: Which virus is this?

Subject: Re: Administrivia: Which virus is this?
Date: Tue, 30 Nov 2004 11:12:18 +1300
Jose Nazario wrote:

> as a followup to marc's excellent reminder of links, a couple of links
> related to this that people may want to know about ...
>
>       vgrep:  http://www.virusbtn.com/resources/vgrep/
>       CME (from MITRE, forthcoming):
>               
> http://www.cbronline.com/article_news.asp?guid=11D11704-DE5B-45BD-AF4B-45D8F44E055C
>
> vgrep is a great way to track virus names across vendors.  ...

Indeed, but it is even less likely to be of use to folk asking "What does 
foobar.exe do?"-style questions, as they either do not have a (working, 
current) virus scanner, or have something their scanner does not 
detect, so don't have a _malware name_ to start searching from...

> ...  the CME one
> would just standardize the names and provide a common handle much like the
> CVE does (at least it appears so at this point according to the article).

CME is not about names.

   Common
   Malware
   Enumeration

See -- "enumeration".  It's more about cataloging or indexing.  The 
idea is that there will be a universal referent for (major, important) 
malware that can be used by any and all, regardless of the "human 
friendly" name that any or all may also attach to the beast.

A slightly better link on the CME angle because it is not filtered 
through the clue-factor of a CBR journalist (everything in the title 
and first paragraph of the CBR article is simply wrong) is this recent, 
archived SANS Handler's Diary page:

   http://isc.sans.org/diary.php?date=2004-11-23

Scroll down to the item "Open Letter To Anti-Virus Software Companies - 
A Response" where you can see the entire letter reported in the CBR 
article Jose cited.  _Before_ reading that though, follow the 
backlinks in this Handler's Diary to the two earlier items -- an original 
letter from Chris Mosby bemoaning the lack of naming standardization 
and co-ordination between vendors (a letter that, IMNSHO, shows a 
singular lack of grip from a supposed/self-appointed expert who advises 
others about antivirus issues, but I digress -- maybe I'll address that 
more fully later/elsewhere) and SANS CTO Johannes Ullrich's response to 
Mosby's letter.

Anyway, if you read the "CME letter", you will see that 

   ... Limited operational capability is expected 1Q05; this phase will
   concentrate on the most important threats, including the recent
   Beagle/Bagle variants. The role of US-CERT will be to assign a CME
   identifier (e.g., CME-1234567) to each new, unique threat and to
   include additional incident response information when available. ...

As the CME identifier is a number, it does not address the _name_, and 
vendors are quite free to (and you can be sure they will continue to) 
keep using whatever other identifying names they choose for each piece 
of malware.  In short, CME is (to use a local NZ/Australian idiom) a 
Claytons naming standardization; "the naming standardization you have 
when you are not having naming standardization".  McAfee will still 
call members of the Bagle family, Bagle and Symantec will still call 
them Beagle (of course, to be churlish to my churlish comment, Symantec 
may just go and finally change this family name, but as a 
generalization across other families, the point will still stand).

This likely explains why McAfee and Symantec are so favourably disposed 
to CME.  Being the naming standardization you have when you are not 
having naming standardization, these vendors can unashamedly claim that 
they are "working together to solve the challenges surrounding the 
'Virus Name Game'", while continuing to do pretty much the same as they 
always have...

That's the beauty of Claytons solutions...

> ideally some effort (maybe the CME) would contain info on ports bound and
> services used, we'll see. I'm hopeful that someone will get a network
> signature in the entries, as most AV vendors often lack detail on that
> sort of thing (in favor of detail on effects on the host, i.e. registry keys
> changed and DLL injections performed).

My understanding of the CME is that some basic descriptive material 
will be included in its entries, though the precise content and level 
of detail likely to be recorded is not clear to me at the moment.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
