General02zzz.com
02zzz.com 时间:2021-04-08 阅读:()
13October,2005VB'2005,Dublin,Ireland1CurrentStatusoftheCAROMalwareNamingSchemeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions
- General02zzz.com相关文档
- 作者02zzz.com
- uk02zzz.com
- Paragraphs02zzz.com
- "湖北省城乡居民基本医疗保险参保登记表-学生(标题勿删,系统从第三行开始读取)"
- os02zzz.com
- Manual02zzz.com
ZJI全新上架香港站群服务器,4C段238个IP月付1400元起
ZJI本月新上线了香港葵湾机房站群服务器,提供4个C段238个IPv4,支持使用8折优惠码,优惠后最低每月1400元起。ZJI是原Wordpress圈知名主机商家:维翔主机,成立于2011年,2018年9月更名为ZJI,提供中国香港、台湾、日本、美国独立服务器(自营/数据中心直营)租用及VDS、虚拟主机空间、域名注册等业务,所选数据中心均为国内普遍访问速度不错的机房。葵湾二型(4C站群)CPU:I...
CloudCone:KVM月付1.99美元起,洛杉矶机房,支持PayPal/支付宝
CloudCone的[2021 Flash Sale]活动仍在继续,针对独立服务器、VPS或者Hosted email,其中VPS主机基于KVM架构,最低每月1.99美元,支持7天退款到账户,可使用PayPal或者支付宝付款,先充值后下单的方式。这是一家成立于2017年的国外VPS主机商,提供独立服务器租用和VPS主机,其中VPS基于KVM架构,多个不同系列,也经常提供一些促销套餐,数据中心在洛杉...
美国云服务器 1核 1G 100M 10G防御 39元/月 物语云计算
物语云计算(MonogatariCloud)是一家成立于2016年的老牌国人商家,主营国内游戏高防独服业务,拥有多家机房资源,产品质量过硬,颇有一定口碑。本次带来的是美国圣何塞 Equinix 机房的高性能I9-10980XE大带宽VPS,去程CN2GIA回程AS9929,美国原生IP,支持解锁奈飞等应用,支持免费安装Windows系统。值得注意的是,物语云采用的虚拟化技术为Hyper-V,资源全...
02zzz.com为你推荐
-
h连锁酒店什么连锁酒店好比肩工场大运比肩主事,运行长生地是什么意思?杰景新特谁给我一个李尔王中的葛罗斯特这个人物的分析?急 ....先谢谢了xyq.163.cbg.com梦幻西游藏宝阁www.544qq.COM跪求:天时达T092怎么下载QQwww.45gtv.com登录农行网银首页www.abchina.com,www.toutoulu.comWWW【toutoulu】cOM怎么搜不到了?到哪里能看到toutoulu视频?www4399com4399网站是什么机器蜘蛛《不思议迷宫》四个机器蜘蛛怎么得 获得攻略方法介绍www.dm8.cc有谁知道海贼王最新漫画网址是多少??