Is it a worm, a virus, or a trojan?
If the AV vendors can't agree, what hope for the rest of us?
Opinion Russ Cooper is Chief Scientist at TruSecure Corporation and NTBugtraq Editor
Opinion Let's see, anyone remember the name of the worm that began on August 11th?
W32.Lovsan.worm, Win32.Poza, Lovsan, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Blaster, Win32.MSBlast.A, Worm/Lovsan.A, Worm.Win32.Blaster.6176, Worm.Win32.Lovesan, Blaster, W32/Blaster, Win32/MSBlast.A, W32/Blaster-A, W32.Blaster, Win32/Lovsan.A
And that's just the initial worm. Then we got variants; Lovsan.B and W32.Blaster.B.Worm, but they aren't the same variant; they each have differently named executables. Then we get W32/Lovsan.worm.b, W32/Blaster-B, Lovsan.B, then W32.Blaster.C.Worm, Lovsan.C, etc...need I go on?
A week later, we get W32/Nachi.Worm, Win32.Worm.Welchia.A, W32.Nachi.Worm, Welchi, Worm.Win32.Welchia.10240, Nachi.A, W32/Nachi-A, W32.Welchia.Worm and WORM_BLASTER.D. Notice that trend just treats Nachi as another variant of Blaster. The media picks up on quotes from the anti-virus industry and gives it two more names, "White Hat" and "Dirty Harry".
Am I the only one here who feels we have a serious problem communicating effectively to the consumers?
I don't think it is possible for consumers to protect themselves based purely on software or hardware. They need to understand more about malware, why it gets them, what to look for. For this to happen we have to create dialog; not security mailing lists like NTBugtraq, but real dialog where people actually talk face to face with others about these security events. If everyone in a neighbourhood is on the same DSL, and most got infected with Lovsan, why wouldn't they talk to their neighbours about it?
Unfortunately, we continue to sprinkle pixie dust on everything we do in an effort to market products. If the consumer thinks it's too complex for them to comprehend, and we enforce that theory by constantly confusing them, maybe they'll buy annual update contracts and our next single button solution to the problem. Some people in the industry seem surprised that for two weeks in August consumers were pummeled with viruses. After all, we told them to patch against the "RPC/DCOM" vulnerability. We told them to apply "MS03-026", which Windows Update calls "823980." We increased ThreatCon, AlertCon, and InfoCon Security Levels.
Clearly the approach we're using isn't working.
Several years ago I participated in an effort to create a single list of all vulnerabilities; it was called the Common Vulnerability Enumeration project. The idea was simple enough, enumerate all unique vulnerabilities; one enumeration for a given vulnerability which could be used across products which named things in different ways.
Alas, for some strange reason there was resentment to the idea that enumerations wouldn't be consecutive. What if we assigned a number to something but then it turned out to be nothing, the number would go unused. We can't have that now, can we? So instead of one number for each unique vulnerability, there had to be two. The first was assigned when the issue was first raised; it was called a Candidate Number. So you see vulnerability reports published with CAN-XXXX. When the candidate is finally accepted as unique, it's re-assigned another number, its final CVE-XXXX number by which it will be known as forever more. Of course SecurityFocus adds a Bugtraq ID and other companies add their ID numbers. In the end, what is the vulnerability most known as? Code Red, Nimda, Slammer, Blaster, Nachi, etc... We can't even communicate amongst ourselves effectively.
I can't think of another profession which needs, so desperately, to effectively communicate information to the general public, which also cannot even discuss the topic within its own industry to any reasonable level of commonality in terms. What's a "worm?" versus a "virus", versus a "trojan"?? What's the difference between a "buffer overrun", "buffer overflow", and a failure to properly validate input?
So clearly our first step is to agree amongst ourselves that we need to shape up. That, however, is the least of our problems. Once we do this, we must then figure out how we are going to work together to properly convey our message to the public.
We need some form of coordination between all parties involved in such events to ensure that the public is getting reasonable information in an understandable format. Someone discovers a new worm, they assign it the next word in the dictionary, starting from A and working towards Z. That's the name that stays with it through its lifetime. We agree on a standard definition for what a worm is, put it into terms the public can understand, and place it on our websites so anyone can find the same definition everywhere. The basic information is the same from everyone, if a reporter wants to get into details; everyone is free to say whatever they want. Microsoft renames the patch to reflect the worm name and Windows Update reflects the change. No matter where you turn any information about the worm contains the same name and same basic information.
I know, this is all very cumbersome and far more work than we do now, and we're all very busy with other things during security events. But just imagine what might happen if we make it simpler for the public to grasp these events, who knows, we might even get them to stop opening attachments!