2009-06-01
Abstract
'At the rate malware is currently released ... it may be that the specific naming of malware is a dead concept.' Lysa Myers, West Coast Labs.
Copyright © 2009 Virus Bulletin
Naming has always been a contentious subject in the anti-malware community, but at the rate malware is currently released, and with the volume of detection automated systems are now adding, it may be that the specific naming of malware is a dead concept.
The original idea behind standardized naming was to allow customers to determine whether a certain virus was detected by their anti-virus product. This was particularly important during the era when the mass media reported on virus outbreaks and AV companies received floods of inquiries about the virus du jour. Since the recent surge of financially motivated malware, customers have started to use virus names to find online descriptions so they can assess what damage may have been done.
As researchers and resources are taxed to the limit by this onslaught of malware, online descriptions have suffered. If there is a choice between using researchers’ time to add detection or descriptions, it is arguably better to add detection. Remotely controlled and self-updating malware also make it more difficult to create descriptions: how do you create a static description of something which will have been updated by the time you finish writing it? The answer tends to be descriptions that are full of vague phrases such as ‘behaviour differs depending on plug-ins installed’ and ‘differing versions have differing file sizes’.
The alternative for anti-malware vendors is to generate descriptions automatically. This allows more descriptions to be created with a basic level of information. Automatically generated descriptions can easily detail the files that are added or modified and the network connections that are made by the malware. The downside is that an automated system cannot adapt to malware that requires more specific conditions, whereas a human can finesse a system into prompting additional malicious behaviour from a sample, and better imitate user behaviour.
Anti-malware vendors are already starting to move towards generic naming. A check of the top vendors’ malware description sites shows malware names such as ‘Troj/Agent’, ‘TROJ_SMALL’, or just ‘Generic Trojan’. This trend is likely to continue – if customers didn’t complain when it began, they’re unlikely to start now.
But the customer still wants to know what to do post-infection to ensure their systems are completely cleaned, and what they can do to implement better protection in future. There are a number of options to address this, which boil down to either having someone or something that can forensically examine infected machines, or changing the nature of the ‘cleaning’ process.
There are many different network-monitoring technologies that provide information about network connections from infected machines. There are also services that examine infected machines forensically, or that offer a highly detailed analysis of captured malware. But, with the economic situation such as it is, it would be difficult to get customers to pay for new technologies or services when they perceive this as a service AV vendors already offer.
The other option is to change the nature of ‘cleaning’ to mean restoring a machine from a known-clean image or reformatting it entirely. This is certainly a drastic approach, but it is both quick and thorough.
A security representative for a local college used both options together: he would take a snapshot of the machine for forensic and possible data-recovery purposes, and then re-image the machine. He used this approach because he wanted to ensure there were no lingering traces of malware on his machines, and he found this to be the quickest way to get infected users back up and running, while providing detailed forensic data.
As the nature of anti-malware software changes, customers’ expectations must be managed accordingly. The AV products of yore dealt with slow-moving threats, and researchers had time to fully examine and document them before they became widespread. Now threats come and go more quickly than any man or machine can adequately handle. Perhaps what is most needed now is a coalition to determine the AV industry’s response to this change.