General02zzz.com
02zzz.com 时间:2021-04-08 阅读:()
13October,2005VB'2005,Dublin,Ireland1CurrentStatusoftheCAROMalwareNamingSchemeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions
- General02zzz.com相关文档
- 作者02zzz.com
- uk02zzz.com
- Paragraphs02zzz.com
- "湖北省城乡居民基本医疗保险参保登记表-学生(标题勿删,系统从第三行开始读取)"
- os02zzz.com
- Manual02zzz.com
hostkey荷兰/俄罗斯机房,GPU服务器
hostkey应该不用说大家都是比较熟悉的荷兰服务器品牌商家,主打荷兰、俄罗斯机房的独立服务器,包括常规服务器、AMD和Intel I9高频服务器、GPU服务器、高防服务器;当然,美国服务器也有,在纽约机房!官方网站:https://hostkey.com/gpu-dedicated-servers/比特币、信用卡、PayPal、支付宝、webmoney都可以付款!CPU类型AMD Ryzen9 ...
域名注册需要哪些条件(新手注册域名考虑的问题)
今天下午遇到一个网友聊到他昨天新注册的一个域名,今天在去使用的时候发现域名居然不见。开始怀疑他昨天是否付款扣费,以及是否有实名认证过,毕竟我们在国内域名注册平台注册域名是需要实名认证的,大概3-5天内如果不验证那是不可以使用的。但是如果注册完毕的域名找不到那也是奇怪。同时我也有怀疑他是不是忘记记错账户。毕竟我们有很多朋友在某个商家注册很多账户,有时候自己都忘记是用哪个账户的。但是我们去找账户也不办...
易探云:买香港/美国/国内云服务器送QQ音乐绿钻豪华版1年,价值180元
易探云产品限时秒杀&QQ音乐典藏活动正在进行中!购买易探云香港/美国云服务器送QQ音乐绿钻豪华版1年,价值180元,性价比超级高。目前,有四大核心福利产品推荐:福利一、香港云服务器1核1G2M,仅218元/年起(香港CN2线路,全球50ms以内);福利二、美国20G高防云服务器1核1G5M,仅336元/年起(美国BGP线路,自带20G防御);福利三、2G虚拟主机低至58.8元/年(更有免费...
02zzz.com为你推荐
-
vc组合洛天依的组合都有谁openeuleropen与close的区别及用法冯媛甑尸城女主角叫什么名字rawtoolsTF卡被写保护了怎么办?www.bbb551.com广州欢乐在线551要收费吗?www.kaspersky.com.cn卡巴斯基杀毒软件有免费的吗?稳定版的怎么找?www.36ybyb.com有什么网址有很多动漫可以看的啊?我知道的有www.hnnn.net.很多好看的!但是...都看了!我想看些别人哦!还有优酷网也不错...yinrentangWeichentang正品怎么样,谁知道?dadi.tv智能网络电视smartTV是什么牌子机器蜘蛛《不思议迷宫》四个机器蜘蛛怎么得 获得攻略方法介绍