General02zzz.com

13October,2005VB'2005,Dublin,Ireland1CurrentStatusoftheCAROMalwareNamingSchemeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions