On writing malware descriptions

Like any business, antivirus companies compete with each other. They do cooperate on several fronts (such as information and sample sharing), but primarily they are competitors. And although they are purveyors of information, too, they have no common standard for presenting it.

AV companies present malware descriptions in rather different styles. They also differ on how they suppress information. Viruslist.com is Kaspersky’s blog, and in its post it laments how the lack of standards in presenting information is harmful to everyone (and hitting competitors in the process is a bonus – alright, Kaspersky).

The malware in question is the ransomware GPCoder. I am linking the descriptions here:

Symantec – Trojan.Gpcoder.E
Trend Micro – TSPY_KOLLAH.F
Computer Associates – Win32/Kollah.AB
Kaspersky – Virus.Win32.Gpcode.ai
McAfee – GPCoder.h

The dilemma here is what information to disclose and not to disclose. And if you are going to disclose, how and how much?

Removing only parts of a URL does not make sense. I think the rationale for URL blocking is to disclose information, but not too much of it. Why disclose the URL at all? In the said blog post, Kaspersky was able to recover the URL that Symantec and Trend Micro had blocked simply by comparing the two descriptions. Now this is a lucky break, but just the same, the purpose of such partial disclosure is defeated.

(Why disclose URLs and email addresses? To inform IT security personnel on what URLs/email addresses to block. Why not disclose URLs? To prevent stupid users from accessing the URL/sending messages to email addresses.)

If you want to block URLs in a description, I think it is safer to block the left-side portion, everything before the domain extension (the top-level domain). For example, for http://sample-domain.domain.com/file/file.ext, the blocked or obfuscated form should be http://{BLOCKED}.com/file/file.ext.

Or better yet, do not publish the URL at all. That makes more sense. Besides, displaying an obfuscated URL doesn’t add much to a description, does it?
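The redaction rule above, and the cross-vendor comparison that defeats partial redaction, can both be checked mechanically. The following is an added example, not code from the original post or from any of the vendors named: it keeps only the scheme, the top-level domain and the path (the post's `{BLOCKED}` placeholder), and a second helper reports whether reading several differently redacted descriptions together still reveals the whole host. The two vendor-style redactions in the demo are constructed for illustration, not taken from the real descriptions.

```python
"""Redact the host of a malicious URL the way the post recommends, and check
whether a set of published redactions, read together, still gives away the host."""

import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Placeholder text used by the post's example; any marker works as long as
# every description uses the same one.
PLACEHOLDER = "{BLOCKED}"


def redact_url(url: str, placeholder: str = PLACEHOLDER) -> str:
    """Replace every host label to the left of the TLD with the placeholder.

    http://sample-domain.domain.com/file/file.ext
        -> http://{BLOCKED}.com/file/file.ext

    Userinfo and port are dropped along with the host (they identify it too).
    A bare IP address has no TLD to keep, so the whole host becomes the placeholder.
    """
    # urlsplit needs a scheme to recognise the netloc; assume http if absent.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        new_host = placeholder
    except ValueError:
        labels = host.split(".")
        new_host = f"{placeholder}.{labels[-1]}" if len(labels) > 1 else placeholder
    return urlunsplit(parts._replace(netloc=new_host))


def revealed_labels(redacted_url: str, placeholder: str = PLACEHOLDER) -> set:
    """Host labels a reader can still see in a (possibly redacted) URL."""
    netloc = redacted_url.split("://", 1)[-1].split("/", 1)[0]
    return {label for label in netloc.split(".") if placeholder not in label}


def recoverable_from(descriptions, original_url: str,
                     placeholder: str = PLACEHOLDER) -> bool:
    """True when the union of labels visible across all descriptions covers every
    label of the real host, i.e. comparing the descriptions recovers the URL.
    This is the check a description writer would run before publishing."""
    wanted = revealed_labels(original_url, placeholder)
    seen = set().union(*(revealed_labels(d, placeholder) for d in descriptions))
    return wanted <= seen


if __name__ == "__main__":
    # Constructed sample URL (from the post's example) and two hypothetical
    # vendor redactions that each blank out a different label.
    original = "http://sample-domain.domain.com/file/file.ext"
    vendor_a = "http://{BLOCKED}.domain.com/file/file.ext"       # constructed
    vendor_b = "http://sample-domain.{BLOCKED}.com/file/file.ext"  # constructed

    print("inconsistent redactions leak host:",
          recoverable_from([vendor_a, vendor_b], original))      # True
    consistent = [redact_url(original), redact_url(original)]
    print("recommended scheme leaks host:",
          recoverable_from(consistent, original))                # False
    print("recommended form:", redact_url(original))
```

Because `redact_url` is deterministic, two vendors applying it to the same URL publish identical strings, so there is nothing left to combine; the leak in the demo comes purely from each description hiding a different label.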

And please, AV companies: standardize. Heck, you cannot even agree on a single name for the same malware.

July 19th, 2007

1 Comment

  • http://awbholdings.com/techwatch/?p=180 New Skype worm and rejoinder on URL obfuscation « TechWatch@AWBHoldings.com

    [...] Incidentally, in a previous post, I discussed the problems with the lack of standards in making malware descriptions. Once again, the lack of standards defeats the purpose of obfuscating malicious URLs. Both the Trend Micro and F-Secure blog posts on the Skype worm published the malicious URLs that the worm sends. Both employed URL obfuscation, but with different output. [...]
