Is it a worm, a virus, or a trojan?

If the AV vendors can't agree, what hope for the rest of us?


Russ Cooper is Chief Scientist at TruSecure Corporation and editor of NTBugtraq.

Let's see, anyone remember the name of the worm that began on August 11th?

W32.Lovsan.worm, Win32.Poza, Lovsan, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Blaster, Win32.MSBlast.A, Worm/Lovsan.A, Worm.Win32.Blaster.6176, Worm.Win32.Lovesan, Blaster, W32/Blaster, Win32/MSBlast.A, W32/Blaster-A, W32.Blaster, Win32/Lovsan.A

And that's just the initial worm. Then we got variants: Lovsan.B and W32.Blaster.B.Worm, but they aren't the same variant; they each have differently named executables. Then we get W32/Lovsan.worm.b, W32/Blaster-B, Lovsan.B, then W32.Blaster.C.Worm, Lovsan.C, etc. Need I go on?

A week later, we get W32/Nachi.Worm, Win32.Worm.Welchia.A, W32.Nachi.Worm, Welchi, Worm.Win32.Welchia.10240, Nachi.A, W32/Nachi-A, W32.Welchia.Worm and WORM_BLASTER.D. Notice that Trend just treats Nachi as another variant of Blaster. The media picks up on quotes from the anti-virus industry and gives it two more names, "White Hat" and "Dirty Harry".
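The naming mess above is exactly what an analyst correlating alerts from several anti-virus products has to untangle by hand. The following Python script is an added example, not code from the column or from any vendor: it reduces a vendor detection name to a canonical family and variant letter by stripping platform and type tokens and looking the remaining token up in a small alias table. The alias table and the sample name lists are constructed from the names quoted in the column; the family labels "blaster" and "welchia" are the author of this example's choice. Note that it can only be as good as its alias table: Trend's WORM_BLASTER.D really is Nachi, and no amount of normalization recovers that without an agreed naming scheme.

```python
import re
from collections import defaultdict

# Tokens that say what a sample runs on or what kind of thing it is, not which family it belongs to.
PLATFORM_TOKENS = {"w32", "win32", "worm", "virus", "trojan"}

# Hypothetical canonical families built from the aliases quoted in the column.
FAMILY_ALIASES = {
    "blaster": {"blaster", "lovsan", "lovesan", "msblast", "poza"},
    "welchia": {"welchia", "welchi", "nachi"},
}
ALIAS_TO_FAMILY = {alias: family for family, aliases in FAMILY_ALIASES.items() for alias in aliases}

# Constructed sample input: the vendor names listed in the column for the two worms.
BLASTER_NAMES = [
    "W32.Lovsan.worm", "Win32.Poza", "Lovsan", "W32.Blaster.Worm", "WORM_MSBLAST.A",
    "Win32.Blaster", "Win32.MSBlast.A", "Worm/Lovsan.A", "Worm.Win32.Blaster.6176",
    "Worm.Win32.Lovesan", "Blaster", "W32/Blaster", "Win32/MSBlast.A", "W32/Blaster-A",
    "W32.Blaster", "Win32/Lovsan.A",
]
NACHI_NAMES = [
    "W32/Nachi.Worm", "Win32.Worm.Welchia.A", "W32.Nachi.Worm", "Welchi",
    "Worm.Win32.Welchia.10240", "Nachi.A", "W32/Nachi-A", "W32.Welchia.Worm",
    "WORM_BLASTER.D",  # Trend's name: normalizes to Blaster variant D, which is the problem the column describes
]


def normalize(vendor_name):
    """Return (family, variant) for a vendor detection name, or (None, None) if unknown.

    Splits on the separators vendors use ('.', '/', '_', '-'), ignores platform and type
    tokens and bare numbers (such as a sample length), maps the first known alias to its
    family, and treats a trailing single letter as the variant.
    """
    tokens = [t for t in re.split(r"[./_\-]+", vendor_name.lower()) if t]
    family = None
    variant = None
    for token in tokens:
        if family is None and token in ALIAS_TO_FAMILY:
            family = ALIAS_TO_FAMILY[token]
        elif token in PLATFORM_TOKENS or token.isdigit():
            continue
        elif len(token) == 1 and token.isalpha():
            variant = token.upper()
    return family, variant


def correlate(alerts):
    """Group raw vendor names by canonical family; unknown names land under 'unknown'."""
    groups = defaultdict(list)
    for name in alerts:
        family, _variant = normalize(name)
        groups[family or "unknown"].append(name)
    return dict(groups)


if __name__ == "__main__":
    for family, names in sorted(correlate(BLASTER_NAMES + NACHI_NAMES).items()):
        print(f"{family}: {len(names)} vendor names")
        for name in names:
            print(f"  {name:28} -> {normalize(name)}")
```

Run stand-alone it prints each vendor name beside its normalized form; in practice the alias table would be maintained by whoever reconciles the vendors' names, which is the coordination the column argues for.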

Am I the only one here who feels we have a serious problem communicating effectively to the consumers?

I don't think it is possible for consumers to protect themselves based purely on software or hardware. They need to understand more about malware: why it gets them, what to look for. For this to happen we have to create dialogue; not security mailing lists like NTBugtraq, but real dialogue where people actually talk face to face with others about these security events. If everyone in a neighbourhood is on the same DSL, and most got infected with Lovsan, why wouldn't they talk to their neighbours about it?

Unfortunately, we continue to sprinkle pixie dust on everything we do in an effort to market products. If the consumer thinks it's too complex for them to comprehend, and we enforce that theory by constantly confusing them, maybe they'll buy annual update contracts and our next single button solution to the problem. Some people in the industry seem surprised that for two weeks in August consumers were pummeled with viruses. After all, we told them to patch against the "RPC/DCOM" vulnerability. We told them to apply "MS03-026", which Windows Update calls "823980." We increased ThreatCon, AlertCon, and InfoCon Security Levels.

Clearly the approach we're using isn't working.

Several years ago I participated in an effort to create a single list of all vulnerabilities; it was called the Common Vulnerability Enumeration project. The idea was simple enough, enumerate all unique vulnerabilities; one enumeration for a given vulnerability which could be used across products which named things in different ways.

Alas, for some strange reason there was resentment of the idea that enumerations wouldn't be consecutive. What if we assigned a number to something and it then turned out to be nothing? The number would go unused. We can't have that now, can we? So instead of one number for each unique vulnerability, there had to be two. The first was assigned when the issue was first raised; it was called a Candidate Number. So you see vulnerability reports published with CAN-XXXX. When the candidate is finally accepted as unique, it's re-assigned another number, its final CVE-XXXX number by which it will be known for evermore. Of course SecurityFocus adds a Bugtraq ID and other companies add their ID numbers. In the end, what is the vulnerability most known as? Code Red, Nimda, Slammer, Blaster, Nachi, etc. We can't even communicate amongst ourselves effectively.

I can't think of another profession which needs, so desperately, to communicate information effectively to the general public, yet cannot even discuss the topic within its own industry with any reasonable level of commonality in terms. What's a "worm" versus a "virus" versus a "trojan"? What's the difference between a "buffer overrun", a "buffer overflow", and a failure to properly validate input?

So clearly our first step is to agree amongst ourselves that we need to shape up. That, however, is the least of our problems. Once we do this, we must then figure out how we are going to work together to properly convey our message to the public.

We need some form of coordination between all parties involved in such events to ensure that the public is getting reasonable information in an understandable format. Someone discovers a new worm; they assign it the next word in the dictionary, starting from A and working towards Z. That's the name that stays with it through its lifetime. We agree on a standard definition for what a worm is, put it into terms the public can understand, and place it on our websites so anyone can find the same definition everywhere. The basic information is the same from everyone; if a reporter wants to get into details, everyone is free to say whatever they want. Microsoft renames the patch to reflect the worm name and Windows Update reflects the change. No matter where you turn, any information about the worm contains the same name and the same basic information.

I know, this is all very cumbersome and far more work than we do now, and we're all very busy with other things during security events. But just imagine what might happen if we make it simpler for the public to grasp these events. Who knows, we might even get them to stop opening attachments!
