General02zzz.com
02zzz.com 时间:2021-04-08 阅读:()
13October,2005VB'2005,Dublin,Ireland1CurrentStatusoftheCAROMalwareNamingSchemeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions
is13October,2005VB'2005,Dublin,Ireland2TheMalwareNamingMessGlut–250,000+malwareprogramsandrising–5,000newmalwareprogramspermonthLackofTimeandOtherResources–We'reoverloaded–Levelsof(in)competence–ChangingnamesisexpensiveLackofaCommonVirusNamingStandard–Sensible,Understandable,Usable13October,2005VB'2005,Dublin,Ireland3TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareIdentification–MyDoom.
BQorMyDoom.
ED–Sometoolsexist:F-VBACRCSCIRDPE-Info–ReferencecollectionMaintenanceAccess13October,2005VB'2005,Dublin,Ireland4TheNamingMess-ContinuedLackofReliableMeansforAutomaticMalwareClassification–MIRA–Nosuchtoolforbinaryviruses–AndwhataboutthepackersInabilitytoEnforceaParticularNamingScheme–CAROisnotanenforcementbody–Willingnesstodothejobdoesn'timplycompetence13October,2005VB'2005,Dublin,Ireland5AlternateNamingSchemesGeographicNaming–impractical,leadstoconfusionNamingaftertheInfectiveLength–Sometimesitisvariable–Sometimesitismeaningless–DifferentvirusescanhavethesamelengthDescriptiveNaming–Somemalwaredoesn'tdoanythingvisible–Differentmalwarecanhavethesameeffects–Thedescriptionissubjective–Requirestime-consumminganalysis13October,2005VB'2005,Dublin,Ireland6AlternateNamingSchemes-Cont.
NamingafterSomeTextFoundintheVirus–Notalwayspresent–Sometimeslibelousand/orobscene–Booststhemalwareauthor'segoBezrukov'sNamingScheme–RCE-1800A,BP-EB–Difficulttoremember–Differentvirusescanhavesimilarnames13October,2005VB'2005,Dublin,Ireland7AlternateNamingSchemes-Cont.
NumericNaming–Prettymuchmeaningless–Similarmalwarehasverydifferentnames–DifficulttorememberEntertheCARONamingScheme13October,2005VB'2005,Dublin,Ireland8HistoryoftheCAROMalwareNamingSchemeCreatedin1991byAlan,Fridrik&VessMalwaregroupedinfamiliesbycodesimilarityUpdatedin2002andre-describedbyNickNowandforeverhttp://www.
people.
frisk-software.
com/~bontchev/papers/naming.
html13October,2005VB'2005,Dublin,Ireland9TheCAROMalwareNamingSchemeGeneralFormat[://][/][.
][.
].
[][!
]–Thefullnamesareunique–Onlyandaremandatory13October,2005VB'2005,Dublin,Ireland10TheCARONamingScheme-Cont.
MalwareType–virus-recursiveself-replication–dropper-dropsmalware–intended-wannabevirus–trojan-pretendstobebenignbutismalicious–pws-stealspasswords–dialer-interceptsmaliciouslyDUNconnections–backdoor-providesunauthorizedaccess–exploit-demonstratessecurityflaws(useCAN/CVE)–tool-includingviruscreationkits–garbage-self-explanatory13October,2005VB'2005,Dublin,Ireland11TheCARONamingScheme-Cont.
Platform–Shortandlongforms–Environment-notfiletype–Seelist–DOSisdefault–Multi-platformmalwarevirus://{W97M,X97M}/Foo.
Avirus://O97M/Foo.
Avirus://Multi/Foo.
AW97M/Foo.
A&X97M/Foo.
A13October,2005VB'2005,Dublin,Ireland12Family–GeneralFormatcharset[A–Za–z0–9_–]Use"_And_"and"_Pct_"insteadof'&'and'%'Use"_"insteadofspacecaseinsensitiveupto20characters–RulesforConstructingProperFamilyNamesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland13ConstructingProperFamilyNames-Don'tsNocompanynames,brandnames,people'snamesNoexistingfamily,unlessappropriateNonewfamily,unlessnecessaryNoobscenitiesDon'tassumeNonumericfamiliesNogenericwords13October,2005VB'2005,Dublin,Ireland14ConstructingProperFamilyNames-Do'sAvoidthemalwareauthor'ssuggestionAvoidthefilenameAvoidtheactivationdateAvoidgeographicnamesIfmultipleacceptablenamesexist,selecttheonemostcommonlyusedalready13October,2005VB'2005,Dublin,Ireland15SpecialFamilyNamesHLLC-HighLevelLanguageCompanionHLLO-HighLevelLanguageOverwriterHLLP-HighLevelLanguageParasiticSillyB-SillyBootSectorVirusSillyC-SillyCOM-fileinfectorSillyCE-SillyCOM&EXEinfectorSillyCER-Memory-residentSillyCE13October,2005VB'2005,Dublin,Ireland16SpecialFamilyNames-Cont.
SillyCR-Memory-residentSillyCSillyE-SillyEXE-fileinfectorSillyER-Memory-residentSillyESillyOR-Memory-residentoverwriterSillyP-SillyMBRinfectorTrivial-Sillyoverwriter_-awaitingpropernaming13October,2005VB'2005,Dublin,Ireland17MalwareRelationshipIfpackedorencrypted-unpackanddecryptIgnorenon-codeFundamentaldifferences-differentfamiliesIFRelated(A,B)THENAandBareinthesamefamilyIFRelated(A,X)ANDRelated(B,X)THENA,BandXareinthesamefamilyIFF(A'andB'areinthesamefamily)ANDRelated(A,A')ANDRelated(B,B')THENAandBbelongtothesamefamily13October,2005VB'2005,Dublin,Ireland18Related(X,Y)Related(X,Y)::=Average(Substrings(X,Y,N)/(Length(Y)-N+1),Substrings(Y,X,N)/(Length(X)-N+1))>L;Substrings(u,v,t)isthenumberofallsubstringsofuoflengthtfoundwithinvLis≈0.
5-0.
613October,2005VB'2005,Dublin,Ireland19Group–Likeasub-family–Constructedthesameway–Mainlyforhistoricalpurposes;avoidLength–Number–Nolongersignificant–UseonlywhenmeaningfulTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland20Variant–VariantNamingA,B,…Z,AA,AB,…AZ,BA,BB,…BZ,CA,CB,…CZ,…ZZ,AAA,AAB,…ZZZ,AAAA,…etc.
Inorderofdiscovery-notinorderofcreation–VariantReportingOnlywhenproperlyidentifiedFuzzyvariantreporting-Foo.
{A-C,E}–DevolutionsNumbersappendedtothevariantnameOnlyformacrovirusesReportonlywhenproperlyidentifiedTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland21Modifiers–GeneralFormat[:][{@}]–LocaleOnlyformacromalwareOnlytherequiredLocale-notthesupportedoneEnglishisthedefaultPlatformmajorlocales-notcountryorlanguageSeelistMultiplelocalesTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland22Modifiers-continued–AtModifiersSpecifyimportantproperties-e.
g.
,@mmUseonlyifthepropertyisreallypresentSeelist(exp,i,irc,m,mm,p2p,s)ListmultipleinalphabeticalorderComment–freetextdevoidofwhitespaceTheCARONamingScheme-Cont.
13October,2005VB'2005,Dublin,Ireland23ConclusionQuestionsTheCARONamingScheme-Cont.
TheProblemsoftheCMEInitiativeVesselinBontchev,anti–virusresearcherFRISKSoftwareInternationalPostholf7180,127Reykjavik,ICELANDE–mail:bontchev@complex.
isTheProblemsCAN/CVE-73%ofthevulnerabilitiesintheSANS@RISKbulletinhavenoCAN/CVEnumbersZotob.
Ehas2differentCMEnumbers,accordingtoSymantec'ssiteTwo-hourstimeoutdoesn'tsolveanything.
WhatifthesamemalwareissubmittedagainthenextmonthTheProblems-ContinuedWhatdoesMS03-039do–Hint:"NoBlasters!
"Ascannerthatdoesn'tidentifyexactlycanreportaCMEnumberforthewrongthreatWhoisgoingtoassertthatsomethingisathreatHowwillnamesbechangedorrevokedifamistakeoccursHowarecross-referencesgoingtobemade(AVtesting)WhatwillhappenViruseswillappearwithoutCMEnumbersCMEnumberswillappearwithoutvirusesTheCMEnumberswillbelate(overload)ThesameviruswillgetmultipleCMEIDsDifferentAVproductswillreportdifferentCMEnumbersforthesamevirusNobodywillrememberwhichistheCME-nnnvirusWhatwillhappen-ContinuedEverybodywillclaimtobeusingCMEMITREwillslapitselfonthebackTheAnti–VirusindustrywillslapitselfonthebackUSgovernmentbureaucracywillincrease–ButthatwillhappenanywayConfusionwillincrease=TheuserswillloseWhatisneededExactidentificationManualandcompetentmalwareanalysisCompetentcollectionmaintainersCompetentAnti-VirustestersLotsoftheabove=AverygoodAnti-Viruscompany–andnotanoutsourcedoneButthatain'tgonnahappenConclusionIt'snotgoingtoworkButeverybodywillbeclaimingthatitis–Inotherwords-anotherWildListproblemTheuserswillbeleftbewilderedInotherwords-thesameoldstoryQuestions
- General02zzz.com相关文档
- 作者02zzz.com
- uk02zzz.com
- Paragraphs02zzz.com
- "湖北省城乡居民基本医疗保险参保登记表-学生(标题勿删,系统从第三行开始读取)"
- os02zzz.com
- Manual02zzz.com
弘速云香港VPSVPS线路有CN2+BGP、CN2 GIA,KVM虚拟化架构,裸金属月付564元
弘速云怎么样?弘速云是创建于2021年的品牌,运营该品牌的公司HOSU LIMITED(中文名称弘速科技有限公司)公司成立于2021年国内公司注册于2019年。HOSU LIMITED主要从事出售香港vps、美国VPS、香港独立服务器、香港站群服务器等,目前在售VPS线路有CN2+BGP、CN2 GIA,该公司旗下产品均采用KVM虚拟化架构。可联系商家代安装iso系统。点击进入:弘速云官方网站地址...
香港云服务器 1核 256M 19.9元/月 Mineserver Ltd
Mineserver(ASN142586|UK CompanyNumber 1351696),已经成立一年半。主营香港日本机房的VPS、物理服务器业务。Telegram群组: @mineserver1 | Discord群组: https://discord.gg/MTB8ww9GEA7折循环优惠:JP30(JPCN2宣布产品可以使用)8折循环优惠:CMI20(仅1024M以上套餐可以使用)9折循...
企鹅小屋:垃圾服务商有跑路风险,站长注意转移备份数据!
企鹅小屋:垃圾服务商有跑路风险!企鹅不允许你二次工单的,二次提交工单直接关服务器,再严重就封号,意思是你提交工单要小心,别因为提交工单被干了账号!前段时间,就有站长说企鹅小屋要跑路了,站长不太相信,本站平台已经为企鹅小屋推荐了几千元的业绩,CPS返利达182.67CNY。然后,站长通过企鹅小屋后台申请提现,提现申请至今已经有20几天,企鹅小屋也没有转账。然后,搞笑的一幕出现了:平台账号登录不上提示...
02zzz.com为你推荐
-
淘宝门户中国有哪些行业门户网站neworiental上海新东方有几个校区,分别是那几个?百度关键词价格查询百度关键字如何设定竟价价格?lunwenjiancepaperfree论文检测怎样算合格haokandianyingwang谁有好看电影网站啊、要无毒播放速度快的、在线等www.niuav.com给我个看电影的网站www.vtigu.com初三了,为什么考试的数学题都那么难,我最多也就135,最后一道选择,填空啊根本没法做,最后几道大题倒baqizi.cc曹操跟甄洛是什么关系hao.rising.cn电脑每次开机的时候,都会弹出“http://hao.rising.cn/?b=34” 但是这个时关键词分析怎么样分析关键词?