Thursday, January 25, 2007

eEye on malware naming

y'know, when you're in a position where you're supposed to be an authority on a subject and you're talking about something seemingly related to that subject, it behooves you to either know what you're talking about or stop talking...

in marc maiffret's case neither of those paths were taken... it's amazing to me that the chief technology officer at eEye would say something like this:
"In the vulnerability world, we have CVEs [Common Vulnerabilities and Exposures] as a way to know that we're all talking about the same vulnerability regardless of what we might have named it in our product. In the anti-virus world, there's not really anything like that."
has he been asleep for the past year or more?* because the CME (common malware enumeration) has been around since october 2005 (actually 2005 this time)...

it's difficult to take anything he says seriously after such an incredible gaffe but it's also difficult to let such clear (and frankly surprising considering his position) false authority syndrome slide...

you see, marc would have us believe that the vendors are fighting over who gets to name what and that because they're making "really good money" that they have no incentive to address the naming confusion and give users what they "are actually asking for"... apparently in marc's experience if you just put your mind to it you should be able to get 20-30 companies who operate independently (necessarily so since they're producing signatures for use with different technologies) to co-ordinate the naming of hundreds of malware samples per day while not compromising their top priority of getting detection capabilities (which necessarily require a name, any name, good or bad, to identify what is detected) to users as fast as possible...

that was sarcasm, of course... you can't co-ordinate malware naming without slowing down the process of getting signatures to customers and thus compromising that top priority - and i'm pretty sure that most people would choose a speedy signature turn-around (which directly aids in prevention) over harmonized naming (which doesn't)... while you're waiting for those 20-30 companies to figure out if they already have a copy of your to-be-co-ordinated sample and which of their many samples that is, your analysts have already finished their analysis and have created signatures to be pushed out to customers...

what they can do (and the main CME page indicates they have done on occasion) is rename the malware after the fact, either to adopt the name other companies are using or to append the CME identifier to the name... unfortunately, this still requires time and effort to co-ordinate a harmonized name and thus cannot possibly be done for each of the hundreds of samples anti-virus companies process each day - especially when most of those hundreds of samples are complete flops in the wild (making the work to harmonize their names wasted effort)... even without explicitly renaming their samples, the CME lists the various names associated with particular CME id's and that resolves much of the naming ambiguity end users are likely to encounter...

so next time you see someone attributing the malware naming mess to lack of interest or petty rivalry, take a moment to consider the realities of the situation and ask yourself how or even if those logistical problems can be overcome (without fundamentally changing the anti-malware landscape, since obviously naming wouldn't be a problem if there were magically only one company)...

ADDENDUM: i've been informed by marc maiffret that he was misquoted in the article in question, at least as far as there being nothing like the CVE in the malware world (maybe other things too?)... as such, i apologize for characterizing marc as suffering from false authority syndrome (and for being asleep for a year or more) since it's no longer clear that's the case... it seems the article's author, scott m. fulton, may be more responsible for the false picture that article painted... i do stand by my criticism of the notions put forth in that article though - the problems associated with malware naming are not easily overcome, nor trivially attributable to character flaws in the vendors...

2 comments:

InfoSec Sellout said...

"In the vulnerability world, we have CVEs [Common Vulnerabilities and Exposures] as a way to know that we're all talking about the same vulnerability regardless of what we might have named it in our product. In the anti-virus world, there's not really anything like that."

How can that be a misquote? The typical misquote is usually something like: "he said the sky was brown" when really it was "he said the sky was blue", NOT "he said there was no sky".

If it was a misquote we would see a retraction printed, would we not? But no, we see this:

"[UPDATE: Later, Marc Maiffret told us he didn't mean to imply that there is no standards group among security vendors. He referred us to the Mitre organization, which maintains the Common Malware Enumeration list, as a key example.]"

So it was not a misquote. It's an obvious oversight that was corrected after he read your post. Sleeping indeed.

kurt wismer said...

at the time i posted my addendum there was no update on the original article...

i agree that it now looks like he did say what he was originally quoted as saying, but i'll leave it to marc maiffret and scott fulton to argue over who said what... it really doesn't matter all that much to me, the important thing is that the article presents a false view and to at least some degree marc is not standing behind the words originally published...