Open Letter to Anti-Virus Software Companies

cmosby

Open Letter to Anti-Virus Software Companies Friday, November 05, 2004 11:27 AM
Open Letter to Anti-Virus Software Companies

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one, but three globally spreading variants of the Bagle virus.

Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days, I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.

The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.

Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out every day, with virus writers trying to outdo each other in some childish game of hacker supremacy, and you were dealing with the waves of malware as fast as you could. When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the
Internet Storm Center: http://isc.sans.org/index.php,
Secunia’s Virus Information page: http://secunia.com/virus_information/,
VGrep Online: http://www.virusbtn.com/resources/vgrep/index.xml,
MyITforum’s Security message boards: http://myitforum.techtarget.com/forums/default.asp?catApp=2, and
AntiVirus e-mail list: http://myitforum.techtarget.com/articles/14/view.asp?id=1301.

This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed, but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.

Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers was lower. Their virus variant names were different than other companies, so your customers were left in the dark.

Still other companies had only one or two of these variants listed, with various degrees of detail, and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again. For those of your customers that use more than one company's anti-virus product, and I know there are plenty out there, that left them with an even bigger mess than just the virus outbreak.

With all of this going on your customers “dealt with it” as they usually do, working together as a community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.

I think I can speak for everyone in the security community when I say, “dealing with it” is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected.
We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.

Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, then maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT, http://www.us-cert.gov/). The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be what all other companies would have to use in their descriptions from that point on.

However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.

Thank you for your time and attention.
Chris Mosby
SMS Administrator and Security Board Moderator
 
#1
    hwaldron

    RE: Open Letter to Anti-Virus Software Companies Monday, November 08, 2004 9:50 AM
     
    #2
      cmosby

      RE: Open Letter to Anti-Virus Software Companies Monday, November 08, 2004 9:56 AM
      The ISC did: http://isc.sans.org//diary.php?date=2004-11-05



      Rod Trent did as well: http://msmvps.com/rodtrent/archive/2004/11/05/18028.aspx

      Also, there is an article in the works for SearchSecurity.com. I will let you all know when it is available.
       
      #3
        jd

        RE: Open Letter to Anti-Virus Software Companies Tuesday, November 09, 2004 11:13 AM

        This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.


        I was having a hard time keeping up with the variants and names during that outbreak. I was going to post a rant with this chart, but I got tied up with more important problems. The chart gives you an idea of how ridiculous this naming convention problem is.


        http://links.virusintel.com/Bagle.htm

        P.S. The chart is based on the groupings from Secunia.com
         
        #4
          cmosby

          RE: Open Letter to Anti-Virus Software Companies Tuesday, November 09, 2004 11:15 AM
          That is a great link, thanks for posting!
           
          #5
            jd

            RE: Open Letter to Anti-Virus Software Companies Tuesday, November 09, 2004 12:11 PM
             
            #6
              cmosby

              RE: Open Letter to Anti-Virus Software Companies Friday, November 12, 2004 9:29 AM
              Here is an article on this issue on SearchSecurity.com. I gave an interview for this earlier in the week.

              Caught in the virus name game
              By Bill Brenner, News Writer
              11 Nov 2004 | SearchSecurity.com

              http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1024919,00.html
               
              #7
                cmosby

                Some MyDooms renamed to Bofra Friday, November 12, 2004 9:32 AM
                Here we go again..

                From F-Secure's weblog:

                http://www.f-secure.com/weblog/#00000351


                Thursday, November 11, 2004
                Some MyDooms renamed to Bofra Posted by Gergo @ 13:18 GMT

                --------------------------------------------------------------------------------


                Even though they seem to originate from the same source code, some samples we called MyDoom earlier have been renamed to Bofra. More specifically this affects MyDoom.AG, MyDoom.AH and MyDoom.AI.

                The Bofra family of worms uses a different way of propagation which we explained in this earlier post.

                A link page for the Bofra family has been posted to

                http://www.f-secure.com/v-descs/bofra.shtml
                 
                #8
                  rmcclinton

                  RE: Open Letter to Anti-Virus Software Companies Monday, November 15, 2004 10:02 PM
                  http://securityresponse.symantec.com/avcenter/reference/virus.and.vulnerability.pdf

                  Virus and Vulnerability Classification Schemes: Standards and Integration, by Sarah Gordon, Senior Research Fellow at Symantec.
                  Roger's Information Security Blog: http://www.infosecblog.org
                  CISSP,GIAC:GCNT,MCSE
                   
                  #9
                    cmosby

                    RE: Open Letter to Anti-Virus Software Companies Tuesday, November 16, 2004 8:55 AM
                    Good info!
                     
                    #10
                      cmosby

                      RE: Open Letter to Anti-Virus Software Companies Friday, November 19, 2004 5:33 AM
                      Looks like my letter is getting some more attention, this is posted on the front page of SearchWin2000.com this morning...

                      Antivirus industry needs to get its act together
                      http://searchwin2000.techtarget.com/columnItem/0,294698,sid1_gci1026622,00.html
                       
                      #11
                        cmosby

                        Open Letter to Anti-Virus Software Companies-A Response Sunday, November 28, 2004 6:28 PM
                        The wife and I just got back from Thanksgiving Vacation with my folks a little bit ago, so I was checking out what I missed since Wednesday (yes, almost five days with no internet!!). Take a look at what I found on the Internet Storm Center’s diary for the 23rd…

                        http://isc.sans.org/diary.php?date=2004-11-23



                        Open Letter To Anti-Virus Software Companies - A Response

                        On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an "Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:

                        http://isc.sans.org/diary.php?date=2004-11-05

                        Our favorite CTO, Johannes Ullrich, stepped into the fray in the November 8th diary:

                        http://isc.sans.org/diary.php?date=2004-11-08

                        Yesterday, we received the following response from members of the USCERT's CME (Common Malware Enumeration) initiative. While we don't have any policy about providing "equal time", we thought that their response was also interesting enough to publish:

                        ------------------begin letter------------------

                        As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.

                        As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space (http://www.us-cert.gov/cve/). By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.

                        As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.

                        As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.

                        We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”

                        Desiree Beck, CME Technical Leader
                        US-CERT

                        Andy Purdy, Acting Director NCSD
                        Department of Homeland Security

                        Larry Hale, Deputy Director NCSD
                        Department of Homeland Security

                        Jimmy Kuo
                        McAfee Fellow - McAfee, Inc.

                        Matthew Braverman, Program Manager
                        Microsoft Corporation
                        Security Business and Technology Unit – Antivirus Team

                        Mady Marinescu, Development Lead
                        Microsoft Corporation
                        Security Business and Technology Unit – Antivirus Team

                        Randy Treit, Program Manager
                        Microsoft Corporation
                        Security Business and Technology Unit - Antivirus Team

                        Vincent Weafer, Senior Director, Symantec Security Response
                        Symantec Corporation

                        Oscar Chang, Executive Vice President
                        Trend Micro, Incorporated

                        Joe Hartmann, Director North American
                        Anti-virus Research Group
                        Trend Micro, Incorporated

                        -------------------end letter-------------------


                        All I can say is….WOW!!
                         
                        #12
                          cmosby

                          RE: Open Letter to Anti-Virus Software Companies Monday, November 29, 2004 3:00 PM
                          Here is an article talking about the response...

                          US-CERT proposes common virus naming scheme
                          http://www.virusthreatcenter.com/permalink.aspx?BlogId=95
                           
                          #13
                            jd

                            RE: Open Letter to Anti-Virus Software Companies Friday, January 07, 2005 2:43 PM
                            And one more for the books,,,,,,

                            http://www.virusbtn.com/news/virus_news/2004/12_23.xml
                             
                            #14
                              cmosby

                              RE: Open Letter to Anti-Virus Software Companies Friday, January 07, 2005 3:48 PM


                              Thanks for finding that one!!
                               
                              #15
                                jd

                                RE: Open Letter to Anti-Virus Software Companies Thursday, September 22, 2005 8:36 AM
                                 
                                #16
                                  cmosby

                                  RE: Open Letter to Anti-Virus Software Companies Thursday, September 22, 2005 9:30 AM
                                  It sure has been a while since this was brought up. Glad to see something is finally being done.
                                   
                                  #17
                                    mgaunce

                                    RE: Open Letter to Anti-Virus Software Companies Thursday, September 22, 2005 10:48 AM
                                    Indeed. I'd pretty much given up on any real improvement.
                                     
                                    #18
                                      hwaldron

                                      RE: Open Letter to Anti-Virus Software Companies Friday, October 07, 2005 8:32 AM
                                      Chris - Maybe you and many others have made a difference with the new CME standard. For example, Sober.R is CME-151 everywhere (although when multiple variants packed slightly differently emerge it could still get a little confusing). Still, it's one step forward in the right direction.
                                       
                                      #19
                                        hwaldron

                                        RE: Open Letter to Anti-Virus Software Companies Sunday, October 09, 2005 7:23 AM
                                        The home page is noted below

                                        Common Malware Enumeration (CME)
                                        http://cme.mitre.org/data/list.html
                                         
                                        #20