Comments

Steve September 27, 2005 5:28 PM

Now if they start naming them something like “author_is_a_useless_little_twirp_1”, “author_is_a_useless_little_twirp_2”, etc., instead of giving them sexy names like “mydoom”, that’ll be real progress.

Davi Ottenheimer September 27, 2005 8:08 PM

Good news! I thought the example in the article is worth noting:

“on Sunday, Symantec Corp. issued an alert for a Category 2 mass-mailing worm it named “W32.Lanieca.H@mm.”
However, Kaspersky Lab, another anti-virus company, named the same worm “Email-Worm.Win32.Tanatos.p,” McAfee Inc. called the threat “W32.Eyeveg.worm” and Trend Micro Inc. called it “WORM-WURMARK.P”

Hey, at least they all agreed that it should be called a worm.

@ Filias

Don’t know if you’ve tried this, but you might find it a more user-friendly way to avoid being (over)flashed:

http://flashblock.mozdev.org/

Lindalee Stuckey September 27, 2005 9:09 PM

Does this mean that viruses will get names like hurricanes? One for each letter of the alphabet?

mark September 28, 2005 1:32 AM

This is great news but will only be of value if the AV vendors commit to it and also use the naming standard.

David September 28, 2005 8:03 AM

@ Filias

Click on the link in the top right that says “go directly to eweek”.

It’s a stupid flash intro “screen”.

[I love adblock, flashblock and firefox so I don’t have to see something I’ll never ever click on].

David September 28, 2005 8:18 AM

Questions:

Who submits the malware to MITRE?

How is the malware disseminated to every other AV company on a timely basis (they need to respond within two hours, right?)?

How do they resolve the 24 hr time differences around the world?

How do they resolve when two or more competing companies are working on the analysis and definitions [before it’s submitted to or during the two hour window]?

How do they deal with flash worms (the last one only took 4 hours to fully propagate)?

Sounds simple on paper, but it is quite complicated in real life. There really is no simple answer to this issue, and it probably will require re-releases by AV companies of virus/malware/worm names (something that’s not so easy).

David September 28, 2005 8:23 AM

Oh, I forgot my favorite question:

What happens when one of the AV companies decides it’s in their best interest to release new definitions before waiting for the two hour window to expire (they can claim to be first to have a fix for any given exploit and everyone else has to wait, and possibly use their competitor’s de facto name)?

Matthew X. Economou September 28, 2005 8:33 AM

Re: Flash adverts

Internet Explorer configured with non-stupid security zone settings also neatly sidesteps the adverts. I recommend setting the Internet zone to “High” (or nearly high, by customizing the High setting to allow normal things like downloads, META REFRESH, and cut-and-paste/drag-and-drop), the Local Intranet zone to “Medium Low”, the Trusted Sites zone to “Medium”, and the Restricted zone to “Medium” but customized to only allow signed ActiveX controls and to prompt before running a control or applet. These security settings, combined with the pop-up blocker set to “High” or “Medium” and with the cookie handler set to block all cookies except session cookies, make for a tightly-controlled web browsing experience. Security Zones are probably the IE feature that’s kept me using it all these years. In Mozilla, it’s just too cumbersome to keep enabling/disabling Java and JavaScript every time I browse to a different trusted/untrusted web site.

The described IE configuration has the added advantage of counteracting most redirection exploits (such as those listed at http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/), which usually depend on getting bootstrap code of some kind (e.g. JavaScript) to execute in the Internet zone prior to fooling the browser into executing their payload in the Local Intranet zone.

jammit September 28, 2005 10:52 AM

I have nothing to add except I’m happy for the unified naming system. Off topic: I use the Mozilla flashblock plugin. It simply replaces the flash with an icon, and when you click on it, it then loads in and runs the flash. You don’t have to wait for it to load in before you can click through.

No Nym September 28, 2005 11:41 AM

Uh, I thought making a list of bad things was one of the top 6 bad security ideas. Doesn’t this just reinforce that?

Bryan October 3, 2005 1:04 AM

I like this a lot. I hope it catches on.

@No Nym –

Well, yes and no. Yes AV software is about making lists of bad things to keep out rather than good things to permit.

But this is a good thing because it eliminates the confusion of one malware episode having 5 or more names. At least this way when we’re talking about a malware virus/worm/trojan/whatever, we can all know we are talking about the same one!
