On writing malware descriptions

Posted on by

Like any business, antivirus companies compete with each other. They do cooperate on several fronts (like information and sample sharing), but primarily they are competitors. And since they are purveyors of information, too, they don’t have a standard when presenting information.

AV companies present malware descriptions in rather different styles. They also differ on how to suppress information. Viruslist.com is Kaspersky’s blog, and in its post, it laments how a lack of standards in presenting information is harmful to everyone (and manages to hit competitors in the process is a bonus – alright, Kaspersky).

The malware in question is the ransomware GPCoder. I am linking the descriptions here:

Symantec – Trojan.Gpcoder.E
Trend Micro – TSPY_KOLLAH.F
Computer Associates – Win32/Kollah.AB
Kaspersky – Virus.Win32.Gpcode.ai
McAfee – GPCoder.h

The dilemma here is what information to disclose and not to disclose. And if you are going to disclose, how and how much?

Removing parts of a URL does not make sense. I think the rationale for URL blocking is to disclose information but not that much. Why disclose the URL at all? In the said blog post, Kaspersky was able to show the URL blocked by Symantec and Trend Micro by comparing the two descriptions. Now this is a lucky break, but just the same, the purpose for such partial disclosure is defeated.

(Why disclose URLs and email addresses? To inform IT security personnel on what URLs/email addresses to block. Why not disclose URLs? To prevent stupid users from accessing the URL/sending messages to email addresses.)

If you want to block URLs in the description, I think it is safer to block the left side portion, before the domain extension name. For example, in http://sample-domain.domain.com/file/file.ext, blocking or obfuscation should be http://{BLOCKED}.com/file/file.ext.

Or better yet, do not publish the URL. Makes more sense. Besides, displaying an obfuscated URL doesn’t add much to a description, isn’t it?

And please, AV companies: standardize. Heck, you cannot even agree on a single name for the same malware.

One thought on “On writing malware descriptions

  1. Pingback: New Skype worm and rejoinder on URL obfuscation « TechWatch@AWBHoldings.com

Comments are closed.