General02zzz.com

02zzz.com  时间:2021-04-08  阅读:()
13October,2005VB'2005,Dublin,Ireland1CurrentStatusoftheCAROMalwareNamingSchemeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions

创梦云 香港沙田、长沙联通2核1G仅需29元一个月 挂机宝7元一个月

商家介绍:创梦云是来自国内的主机销售商,成立于2018年4月30日,创梦云前期主要从事免备案虚拟主机产品销售,现在将提供5元挂机宝、特惠挂机宝、香港云服务器、美国云服务器、低价挂机宝等产品销售。主打高性价比高稳定性挂机宝、香港云服务器、美国云服务器、香港虚拟主机、美国虚拟主机。官方网站:http://cmy0.vnetdns.com本次促销产品:地区CPU内存硬盘带宽价格购买地址香港特价云服务器1...

Kinponet是谁?Kinponet前身公司叫金宝idc 成立于2013年 开始代理销售美国vps。

在2014年发现原来使用VPS的客户需求慢慢的在改版,VPS已经不能满足客户的需求。我们开始代理机房的独立服务器,主推和HS机房的独立服务器。经过一年多的发展,我们发现代理的服务器配置参差不齐,机房的售后服务也无法完全跟上,导致了很多问题发生,对使用体验带来了很多的不便,很多客户离开了我们。经过我们慎重的考虑和客户的建议。我们在2015开始了重大的改变, 2015年,我们开始计划托管自己...

Letbox(35美元/年),美国洛杉矶VPS终身7折

Letbox 云服务商在前面的文章中其实也有多次介绍,这个服务商其实也算是比较老牌的海外服务商,几年前我也一直有使用过他们家的VPS主机,早年那时候低至年付15-35美元左右的VPS算式比较稀缺的。后来由于服务商确实比较多,而且也没有太多的网站需要用到,所以就没有续费,最近这个服务商好像有点活动就躁动的发布希望引起他人注意。这不有看到所谓的家中有喜事,应该是团队中有生宝宝了,所以也有借此来发布一些...

02zzz.com为你推荐
小度商城小度智能屏Air哪里可以买?大家都怎么入手的?2020双十一成绩单如何查找2020年小考六年级的成绩?百度关键词价格查询百度推广关键词怎么扣费?原代码什么是原代码蒋存祺蒋存祺的主要事迹丑福晋历史上真正的八福晋是什么样子的?丑福晋男主角中毒眼瞎毁容,女主角被逼当丫鬟,应用自己的血做药引帮男主角解毒的言情小说haole018.com为啥进WWWhaole001)COM怎么提示域名出错?囡道是haole001换地了吗javmoo.comjavbus上不去.怎么办avtt4.comwww.5c5c.com怎么进入
怎样注册域名 西安服务器租用 国外vps diahosting 国外服务器网站 isatap godaddy续费优惠码 shopex空间 免费网站监控 创宇云 搜狗12306抢票助手 空间服务商 中国特价网 云鼎网络 中国智能物流骨干网 cpanel空间 腾讯云分析 帽子云 搜索引擎提交入口 银盘服务是什么 更多