Wednesday, May 05, 2004

Virus naming & The Public Good

This appears to be a case where publicity about a particularly nasty worm has suffered because it was named something different by all the major antivirus vendors. Gaobot, which appears to be the Symantec name for this family of worms, isn't even in the title of this document:

Microsoft machines and NDemon/Phatbot/Agobot Worms -- 19 Apr 2004 [Updated: 2004.04.27]

It would be helpful to their customers if the AntiVirus vendors would agree to a common naming convention, and to certain other standards related to the identity of malware threats. A checksum should be provided with all descriptions, as well as a standardized means to reference the known capabilities of threats.

This probably won't happen unless an open source project, perhaps related to ClamAV, finds itself so strong that the weaker AntiVirus companies suddenly find it to their advantage to play along. It's more likely that Microsoft will kill off the weaker AntiVirus vendors before that happens. The stronger AntiVirus vendors will eventually get out of the market, too, leaving a de facto standard -- the Microsoft Way, whatever that will be. It'll probably change every 18 months anyway.


1 comment:

kurt wismer said...

there already is a common naming convention among anti-virus companies, but that doesn't guarantee common names across vendors, only that they're all using the same naming system...

the vendor's first priority is getting signatures out to the customer, which means they don't have time to sit around figuring out who gets to name it... they do rename their signatures from time to time in order to agree with other vendors but that's not a particularly reliable process... also, when it's clear that a vendor has already named it, other vendors will use that name but that doesn't help if they're all working on the same thing at the same time...

the way this confusion is being mitigated nowadays is with the common malware enumeration... malware which is felt to be significant to the public is given a number and when multiple vendors submit samples a process called deconfliction takes place that says X, Y, and Z are all the same thing and so all get the same number even if they have different names...
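
The deconfliction step described in the comment, combined with the post's call for a checksum on every description, as an added sketch (not code from the post, the commenter, or the CME project). It assumes two vendor names refer to the same threat when a byte-identical sample was submitted under each, linked transitively across variants; the vendor labels, sample bytes and `ID-` prefix are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed submissions: (vendor, vendor's name, sample bytes). Vendor labels
# and sample contents are placeholders, not real detections or real malware.
SUBMISSIONS = [
    ("vendor-1", "Gaobot", b"constructed-sample-A"),
    ("vendor-2", "Phatbot", b"constructed-sample-A"),
    ("vendor-2", "Phatbot", b"constructed-sample-B"),
    ("vendor-3", "Agobot", b"constructed-sample-B"),
    ("vendor-1", "OtherWorm", b"constructed-sample-C"),
]

def deconflict(submissions, prefix="ID"):
    """Group vendor names that share a sample checksum (transitively) and
    give every group one common identifier."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for vendor, name, sample in submissions:
        digest = hashlib.sha256(sample).hexdigest()
        a, b = find(("hash", digest)), find(("name", vendor, name))
        if a != b:
            parent[b] = a  # same bytes seen under this name: merge clusters

    groups = defaultdict(lambda: {"names": set(), "sha256": set()})
    for node in list(parent):
        group = groups[find(node)]
        if node[0] == "hash":
            group["sha256"].add(node[1])
        else:
            group["names"].add(f"{node[1]}:{node[2]}")

    # Deterministic numbering: order groups by their smallest checksum.
    ordered = sorted(groups.values(), key=lambda g: min(g["sha256"]))
    return {f"{prefix}-{i:03d}": g for i, g in enumerate(ordered, 1)}

def lookup(table, vendor, name):
    """Return the common identifier for one vendor's name, or None."""
    key = f"{vendor}:{name}"
    return next((cid for cid, g in table.items() if key in g["names"]), None)
```

Here "Gaobot" and "Agobot" never share a sample directly, yet they receive the same identifier because "Phatbot" was submitted with both checksums.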