Is it a worm, a virus, or a trojan?

If the AV vendors can't agree, what hope for the rest of us?

Opinion Russ Cooper is Chief Scientist at TruSecure Corporation and NTBugtraq Editor

Let's see, anyone remember the name of the worm that began on August 11th?

W32.Lovsan.worm, Win32.Poza, Lovsan, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Blaster, Win32.MSBlast.A, Worm/Lovsan.A, Worm.Win32.Blaster.6176, Worm.Win32.Lovesan, Blaster, W32/Blaster, Win32/MSBlast.A, W32/Blaster-A, W32.Blaster, Win32/Lovsan.A

And that's just the initial worm. Then we got variants: Lovsan.B and W32.Blaster.B.Worm, but they aren't the same variant; they each have differently named executables. Then we get W32/Lovsan.worm.b, W32/Blaster-B, Lovsan.B, then W32.Blaster.C.Worm, Lovsan.C, etc. Need I go on?

A week later, we get W32/Nachi.Worm, Win32.Worm.Welchia.A, W32.Nachi.Worm, Welchi, Worm.Win32.Welchia.10240, Nachi.A, W32/Nachi-A, W32.Welchia.Worm and WORM_BLASTER.D. Notice that Trend just treats Nachi as another variant of Blaster. The media picks up on quotes from the anti-virus industry and gives it two more names, "White Hat" and "Dirty Harry".
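To make the naming problem concrete, here is an added Python example (not part of Cooper's column, and not any vendor's code) that parses the vendor detection names quoted above into a (family, variant) key and then runs two consistency checks over a constructed set of observations. The alias table, the "sample-N" labels and the observations are assumptions built for the illustration; in practice the sample identity would be a file hash. The checks show exactly the two failures the column describes: one key covering two different executables, and one sample filed under two different families.

```python
import re
from collections import defaultdict

# Assumed alias table: family tokens that appear in the column's lists,
# folded onto one canonical family name (an assumption for this example).
FAMILY_ALIASES = {
    "lovsan": "Blaster", "lovesan": "Blaster", "poza": "Blaster",
    "blaster": "Blaster", "msblast": "Blaster",
    "nachi": "Nachi", "welchia": "Nachi", "welchi": "Nachi",
}


def parse_vendor_name(name):
    """Reduce a vendor detection name to (canonical family, variant letter).

    Names are split on the separators vendors use ('.', '/', '_', '-').
    Platform and type tags (W32, Win32, Worm) and file-size suffixes
    (6176, 10240) carry no identity and are skipped. A single letter that
    follows the family token is taken as the variant; None if absent.
    """
    family, variant = None, None
    for tok in (t for t in re.split(r"[./_\-]+", name) if t):
        low = tok.lower()
        if low in FAMILY_ALIASES:
            family = FAMILY_ALIASES[low]
        elif family is not None and re.fullmatch(r"[a-z]", low):
            variant = low.upper()
    return family, variant


# Constructed observations: (vendor name, opaque sample label). The labels
# are assumptions standing in for a real sample hash; they encode the
# column's two claims (Lovsan.B and W32.Blaster.B.Worm are different
# executables; Trend files Nachi as WORM_BLASTER.D).
OBSERVED = [
    ("W32.Lovsan.worm", "sample-1"), ("W32.Blaster.Worm", "sample-1"),
    ("WORM_MSBLAST.A", "sample-1"), ("Worm.Win32.Blaster.6176", "sample-1"),
    ("Lovsan.B", "sample-2"), ("W32.Blaster.B.Worm", "sample-3"),
    ("W32/Nachi.Worm", "sample-4"), ("Worm.Win32.Welchia.10240", "sample-4"),
    ("WORM_BLASTER.D", "sample-4"),
]


def find_ambiguous_keys(observed):
    """Keys that name more than one distinct sample: one label, two worms."""
    samples = defaultdict(set)
    for name, sample in observed:
        samples[parse_vendor_name(name)].add(sample)
    return {key: sorted(s) for key, s in samples.items() if len(s) > 1}


def find_split_samples(observed):
    """Samples filed under more than one family: one worm, two labels."""
    families = defaultdict(set)
    for name, sample in observed:
        families[sample].add(parse_vendor_name(name)[0])
    return {s: sorted(f) for s, f in families.items() if len(f) > 1}


if __name__ == "__main__":
    for name, _ in OBSERVED:
        print(f"{name:28} -> {parse_vendor_name(name)}")
    print("ambiguous keys:", find_ambiguous_keys(OBSERVED))
    print("split samples: ", find_split_samples(OBSERVED))
```

The parser does its job: fourteen spellings of the first worm collapse onto ("Blaster", None) or ("Blaster", "A"). But the checks return ("Blaster", "B") covering sample-2 and sample-3, and sample-4 filed under both Blaster and Nachi. No amount of string normalisation repairs that; only an agreed name anchored to the sample itself does, which is the column's point.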

Am I the only one here who feels we have a serious problem communicating effectively to the consumers?

I don't think it is possible for consumers to protect themselves based purely on software or hardware. They need to understand more about malware, why it gets them, what to look for. For this to happen we have to create dialog; not security mailing lists like NTBugtraq, but real dialog where people actually talk face to face with others about these security events. If everyone in a neighbourhood is on the same DSL, and most got infected with Lovsan, why wouldn't they talk to their neighbours about it?

Unfortunately, we continue to sprinkle pixie dust on everything we do in an effort to market products. If the consumer thinks it's too complex for them to comprehend, and we enforce that theory by constantly confusing them, maybe they'll buy annual update contracts and our next single button solution to the problem. Some people in the industry seem surprised that for two weeks in August consumers were pummeled with viruses. After all, we told them to patch against the "RPC/DCOM" vulnerability. We told them to apply "MS03-026", which Windows Update calls "823980." We increased ThreatCon, AlertCon, and InfoCon Security Levels.

Clearly the approach we're using isn't working.

Several years ago I participated in an effort to create a single list of all vulnerabilities; it was called the Common Vulnerability Enumeration project. The idea was simple enough: enumerate all unique vulnerabilities, one entry per vulnerability, which could be used across products that named things in different ways.

Alas, for some strange reason there was resentment of the idea that enumerations wouldn't be consecutive. What if we assigned a number to something and it then turned out to be nothing? The number would go unused. We can't have that now, can we? So instead of one number for each unique vulnerability, there had to be two. The first was assigned when the issue was first raised; it was called a Candidate Number. So you see vulnerability reports published with CAN-XXXX. When the candidate is finally accepted as unique, it's re-assigned another number, its final CVE-XXXX number by which it will be known forevermore. Of course SecurityFocus adds a Bugtraq ID and other companies add their ID numbers. In the end, what is the vulnerability most known as? Code Red, Nimda, Slammer, Blaster, Nachi, etc. We can't even communicate amongst ourselves effectively.

I can't think of another profession which needs, so desperately, to effectively communicate information to the general public, yet which cannot even discuss the topic within its own industry with any reasonable commonality of terms. What's a "worm" versus a "virus" versus a "trojan"? What's the difference between a "buffer overrun", a "buffer overflow", and a failure to properly validate input?

So clearly our first step is to agree amongst ourselves that we need to shape up. That, however, is the least of our problems. Once we do this, we must then figure out how we are going to work together to properly convey our message to the public.

We need some form of coordination between all parties involved in such events to ensure that the public is getting reasonable information in an understandable format. Someone discovers a new worm, they assign it the next word in the dictionary, starting from A and working towards Z. That's the name that stays with it through its lifetime. We agree on a standard definition for what a worm is, put it into terms the public can understand, and place it on our websites so anyone can find the same definition everywhere. The basic information is the same from everyone; if a reporter wants to get into details, everyone is free to say whatever they want. Microsoft renames the patch to reflect the worm name and Windows Update reflects the change. No matter where you turn, any information about the worm contains the same name and the same basic information.

I know, this is all very cumbersome and far more work than we do now, and we're all very busy with other things during security events. But just imagine what might happen if we make it simpler for the public to grasp these events; who knows, we might even get them to stop opening attachments!
