Slashdot Mirror


User: Damhna

Damhna's activity in the archive.

Stories: 0
Comments: 19

Comments · 19

  1. Re:See If You Can Find..... on The Long Shadow of Y2K · · Score: 1

    My Lycos-fu is not what it used to be.

    Closest I could come was this:

    http://metrologyforum.tm.agilent.com/news2000.shtml

  2. Re:Problem reading the PDF... on HTTP Request Smuggling · · Score: 1
  3. Re:A few examples (and commentary) on Author Makes Symbian Virus Code Available · · Score: 1

    It has long been the practice that the first AV company to get the submission chooses the name and the others are supposed to fall in line. Things sometimes break a little faster than hoped though.

    I remember Bagle/Beagle well, I believe Sophos called it one name and Symantec the other. I do empathise, it is incredibly frustrating to get high level alerts from different vendors about apparently different rogues, all within the space of a few hours.

    I recall one company even decided to try to come onboard with all the others and changed its name, further confusing their own customers (if the same vendor has two different names, surely they are two different virii went the logic).

    However that particular mixup was fairly rare and all of the vendors do include a section for alias on the write ups for each of the rogues to try to keep confusion to a minimum. There are also moves afoot to standardise the way the names are chosen, admittedly there is some resistance to that right now.

    The majority of truly fast-responding customers will be on a more advanced alerting system which has features which negate the impact of this type of confusion. The remainder can sometimes wait as much as a day or two to respond to low category threats and that's usually plenty of time to have any confusion ironed out.

    Remember also that there is a high degree of cooperation between the vendors, they do share submissions. There are programs in place to facilitate this cooperation. It does need some work but it is there.

    I certainly take your point, I've been woken up more times by alerts telling me "Virus X Renamed" but how long before someone calls a virus SOPHOS-SUCKS or GOATFELCHER!? Are you going to be seeing that on a writeup on Datafellows or sent to a million pagers worldwide by Envoy?

    Depersonalising the experience really does have an effect on the kudos garnered by authors. Sometimes their hard work may never even make it as far as a human researcher, that part of the system can be automated, an automatic submission is picked up by heuristics and sent in by a customer's quarantine server, systems at the vendor can see the changes made, record information such as hashes etc, pick the next logical increment in name, append the information to the current definition set, and have the def set sent to an automated QA. Defs can be on customers' systems in hours (and sometimes a lot faster depending on just how beta they can accept them). There are many rogues out there that not only never caused any problems but were never even looked at.

    There is no kudos in that. But if your mom's name (or whatever) appears in the definitions sent by a big AV vendor you could maybe put some kind of 'leet' spin on it.

  4. Re:Yeah on Author Makes Symbian Virus Code Available · · Score: 2, Informative

    I'll back it up.
    It is the explicit (and logical) intention of AV companies not to name rogues in the fashion the author desires.

    Symantec's Policy is as follows:
    Virus names consist of a Prefix, a Name, and often a Suffix.

    * The Prefix denotes the platform on which the virus replicates or the type of virus. A DOS virus usually does not contain a Prefix.
    * The Name is the family name of the virus.
    * The Suffix may not always exist. Suffixes distinguish among variants of the same family and are usually numbers denoting the size of the virus or letters.

    The Code Red virus got its name from an eEye Digital Security researcher's beverage of choice -- the cola variety of Mountain Dew soft drink -- the night they picked through the corruptive code.

    Symantec Security Response senior director Vincent Weafer, who referred to Code Red's caffeine-based name, told NewsFactor that there are some things researchers do not use when naming worms:

    "We don't use the name of the virus writer because we don't want to give name recognition for something that's done for publicity, and we don't use the date because there are so many trigger dates and it's such an easy thing to change that it wouldn't make any sense," Weafer said.

    "After that, it comes down to the researcher and what they find unique about a particular virus," Weafer added.

    Quotes above from:
    http://securityresponse.symantec.com/avcenter/vnameinfo.html/
    http://www.newsfactor.com/perl/story/15662.html#story-start/
    http://users.tcworks.net/virus/naming.htm/

  5. Well Done ... on Czech Post Turns to SUSE Linux · · Score: 3, Insightful

    I am impressed by the scope of the project and the apparent ease with which it has been pulled off.

    I've worked in and with several Eastern European state sponsored organisations and it was the most godawful experience. Tenured civil servants with little impetus or motivation to change the status quo just love to block or ignore change until it either goes away or they retire. Co-ordinating between the number of people who need to sign off on even the most mundane aspects of organising just an infrastructure review can be one of the most challenging aspects to pulling this sort of project off.

    Given that background and the horrendously splintered and fractured set-up they appear to have had, this project is nothing short of fantastic. It's the kind of thing we all read about in the text books and can make the correct arguments for. While switching an entire organisation across is something we know to be possible and advantageous there are precious few opportunities for it to be implemented in the world.

    So Bravo to the team, moving from fractured to streamlined centralised management, fine tuning processes and trimming operations down is no small feat, particularly in the state environment.

    On the Tech side, Bravo too, I would have stayed with the MS side but that's because it's my forte and I know I could have reduced costs in a comparable fashion. Hats off though, such a shift in logic and thinking shows real .....em... balls!

  6. Re:Yay on MyDoom Strikes Again · · Score: 2, Interesting

    True-ish.

    The reason why we are seeing a move away from the destructive payloads of yesteryear is that there is a lot more money to be made in compromising systems.

    Whether the intention is to harvest a shedload of zombie remailers for spam marketing or for some of the recently seen rogues capable of using a 'distributed computing' model for decrypting databases there is lots of money in malware.

    True, there is indeed a lot of money made by the AV companies for upgraded and improved software, strategy and infrastructure consultation services. This is because companies are waking up to realise that they are no longer looking at script kiddies or disgruntled employees as the most likely vector but rather, well financed, educated professionals.

    Companies could once upon a time hide behind the "why would anyone target us? We're small" mentality.
    No longer.

    Got Bandwidth?
    Got CPU?
    You are a target.

  7. Re:Dual prossesors... on Where's My 10 Ghz PC? · · Score: 1

    "This isn't to say that there are mobos out there that are available to the public"

    There may be MB support available but the fact is that multiproc computing is still far from being able to accomplish true multitasking with the current architectures. I believe that once we can have proper multitasking architectures multi proc'd systems will really come into their own at the user level.

    Have a look at Intel's Hyperthreading (http://or1cedar.intel.com/media/training/intro_ht_dt_v1/tutorial/index.htm) for example. Pay attention to the section on Dual Proc'd Workstations. This is not multitasking, it's simply advanced thread scheduling.

  8. Re:Rumours Abound on State of the Xbox · · Score: 1

    I'm wary of these rumours too but having a mod-restrictive architecture does sound at least plausible from MS.

  9. Rumours Abound on State of the Xbox · · Score: 4, Informative

    http://alexalbrecht.typepad.com/alex/2005/01/xbox_ii.html

    So in my travels this weekend I came across a Microsoft employee and talked him up about Xbox II... here are the facts I found out.

    1) Hard Drive... Yes! There was some speculation that MS was going to take the HD out to make it more difficult to Mod.

    2) Flash based HD... Yes!!! It was told to me that the HD was going to be flash based... small size fast access... BAM!

    3) No Stupid Dongle DVD playback... Yes!!! The reason that the first Xbox didn't have built in DVD playback is a simple one, Sony owns the Intellectual Property rights for DVD playback. Nuf said...

    4) Xbox II at E3... Hell Yes!!! There will be an Xbox II maybe more at E3 this year...

    5) Xbox II release date announced at E3... another Hell Yes!!! MS will be announcing a release date for Xbox II...

    Now this is not like the "rumors" about IBM before, these are hard cold facts from the horse's mouth...

  10. Re:Where can we find out more information on the T on Microsoft Releases AntiSpyware Program · · Score: 1

    Allrighty, a bit more information is available here: http://www.winsupersite.com/reviews/ms_antispyware_preview.asp

    Its active protection feature is being couched in the same kind of language used by Bill G at RSA2003 to describe the NX style Dynamic System Protection that never made it into SP2.

  11. Re:Where can we find out more information on the T on Microsoft Releases AntiSpyware Program · · Score: 1

    Okay, well there is a submission tool included I see. Wonder where that goes?

  12. Where can we find out more information on the Tek on Microsoft Releases AntiSpyware Program · · Score: 1

    I trust Symantec to come out with new rapid release definitions every few hours and automatically pull them down even at home.

    The website indicates that the definitions will be updated monthly? On what planet will that be enough? Is this an incremental update? Will the process do version checking? How are new rogues submitted for analysis? There is a lot of information not available anywhere I can see. Anyone?

    From a very quick initial look I see one dll that seems to have the list. A single point of failure updated only once a month?

  13. Re:Any non-standard app is a security risk on FireFox as a Security Risk Compared to IE? · · Score: 4, Interesting

    Could not agree more.

    Custom application standardisation across the install base means that issue resolution can be standardised and tweaked to meet the response/support requirement. The certification and testing processes that most serious companies use to pass apps as fitting are both rigorous and not conducive to incorporating the latest 'app du jour'. And rightly so.

    It's easy for tech-savvy folks to deem these practices as a symptom of the narrow mindedness of lazy MCSE admins (who would appear to be some sort of subspecies of a real admin). It's easy to see this as an organisation being inflexible due to undereducation but I believe that that is not the case. A pestered admin will often give the sort of pseudo answer this user received. It's not good to fudge that way, but without taking a user step by step through the security policies and application certification documentation, it's difficult to explain the why of decisions such as this.

    It can be difficult to meet the job function requirements of diverse departments and maintain the steady balancing act that will ensure your SourceSafe users will be as compliant as the receptionist.

    For this organisation it may be useful to do a business case analysis exploring the usefulness or otherwise of Firefox but as it is still in its first iteration a lot of companies will be loath to abandon the practices they have in place on a whim.

    As Firefox moves ever closer to a dominant position the pressure will become greater and things will change. It will also become more of a target and I'm betting that this will begin getting longer and looking far more serious as more and more authors start realising the potential success to be had in taking Firefox on.

  14. Reward Information...will be paid on conviction on Sasser Author Under Arrest, Say German Police · · Score: 1

    http://www.microsoft.com/presspass/exec/bradsmith/05-08sasserarrest.asp

  15. Re:Severance Pay? on Non-Competing With Microsoft · · Score: 1

    In a related fashion I received a sweetener in order to ensure compliance with the non-competition clause. I worked in Finland for a manufacturer of Unified Messaging Systems. A lot of the telcos in Europe use their hardware and software and they were particularly sensitive to technical data being released in the public domain. On my return to Ireland, I in all innocence accepted a position with a company for a role of a different nature. In talking to former colleagues in Finland I understood that a subsidiary of my new company were in direct competition. Much wrangling later I was obliged to cancel my new contract but received the equivalent of 6 months pay as a "consultancy fee" from my original employers.

  16. Re:Espoo - Finland on Techie Friendly Towns, Worldwide? · · Score: 1

    Damhna@hotmail.com

  17. Re:Espoo - Finland on Techie Friendly Towns, Worldwide? · · Score: 1

    Indeed all true, but it's raining today in Espoo and that is perfectly in tune with the miserable IPO Tecnomen had today. Sheesh

  18. Re:Europe on Techie Friendly Towns, Worldwide? · · Score: 2

    I moved from Dublin to Helsinki in February this year and I swapped one exciting city for another. Dublin with its "celtic tiger" economy at the moment has seen much foreign investment in the IT/COMMS sector. In turn we have seen a spate of home grown smaller industries spring up and perform very very well (IONA being perhaps the best example of how to quadruple your fortune). The analysts were predicting a slowdown for a number of years ago but they have been thwarted by a continuing build up in capital momentum. There is a lot of money to be made in the game in Ireland. A highly skilled workforce coupled with high demand from powerhouses who are making huge returns means that the demand is constant. People with the right skills will find no shortage of work offers. Helsinki is where Dublin was perhaps 6// years ago and is showing all the signs of making a huge bounceback from the recession in the 80s. Comms is far more developed here as you would expect but the IT market is again showing signs of an imminent rapid expansion. I don't speak Finnish very well and part of the reason why that doesn't look likely to change is that everyone here finds it a novelty to speak English. Everyone from the beggar on the street to the bartenders and so on speak English very well. I could quite easily live here forever and would never have difficulty in making myself understood.

  19. Re:Here come the patents on Human Genome Project Believed Complete · · Score: 1

    Did you know that the entire DNA code for every individual in Iceland is owned by a private company?