Why those different names?


Øyvind Granberg

Guest
Hi...

Why do the different antivirus and malware software producers have
different names for the same virus, trojan horse and so on...?

When I am looking for a solution and go to Grisoft's web pages I cannot find
what I am looking for, even though I know for certain that the threat in
question is in their list. I have to resort to Google or the more
comprehensive lex at www.nai.com

Here is a list from www.nai.com showing the different names for the same
trojan:
http://vil.nai.com/vil/content/v_150513.htm

Why the different names?
Shouldn't it be a lot more efficient counter-malware-wise to operate with the
same naming policy?

--

Kind regards
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com
 
Øyvind Granberg wrote:

> Hi...
>
> Why do the different antivirus and malware software producers have
> different names for the same virus, trojan horse and so on...?


(snippage)

That's just the way it is. There have been numerous attempts to create a
unified malware/virus identification database but all have failed. You'd
have to ask each one of the av companies why. There's really nothing more
to say about this.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
 
From: "Øyvind Granberg"

| Hi...

| Why do the different antivirus and malware software producers have
| different names for the same virus, trojan horse and so on...?

| When I am looking for a solution and go to Grisoft's web pages I cannot find
| what I am looking for, even though I know for certain that the threat in
| question is in their list. I have to resort to Google or the more
| comprehensive lex at www.nai.com

| Here is a list from www.nai.com showing the different names for the same
| trojan:
| http://vil.nai.com/vil/content/v_150513.htm

| Why the different names?
| Shouldn't it be a lot more efficient counter-malware-wise to operate with the
| same naming policy?

| --

| Kind regards
| Øyvind Granberg

| tresfjording@live.no
| www.tresfjording.com



That's a GOOD question !

There is no standardization between companies. At best there is a naming convention.

Take the Zlob. You may have several companies identifying a given infector as the Zlob
but at the same time show them with different variant names.

Additionally there may be a given infector where none will give it the same name. For
example the Blaster worm was called Lovsan by McAfee.

This is a problem that has plagued the AV industry from the beginning. To try to deal
with this problem, MITRE was contracted by the US CERT to come up with a common naming
convention for malware that was deemed to have infected numerous systems. This is the
MITRE Common Malware Enumerator (CME) list. MITRE will assign a CME number and provide a
cross-indexed listing. For example, MITRE assigned 711 to a given downloader trojan and
thus the name becomes CME-711.

"CME-711 is a Trojan Downloader that is spread as an attachment to emails with news
headlines as the subject lines which downloads additional security threats,"

When this happens hopefully the AV company will append their name with !CME-711

http://cme.mitre.org/data/list.html

Unfortunately, I haven't seen MITRE keep up with the new threats so this has basically
failed.

This is a problem, I am afraid to see, will last.

However systems like Virus Total are helpful in that when you submit a malware sample you
can see who flags and what they flag it as and you can then, hopefully, use their
encyclopedia/dictionaries to see what the infector is and does.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
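
The cross-indexing problem described in the post above, as an added example that is not part of the thread: a small normaliser that reduces each scanner's label to a family token, resolves known aliases, and falls back to a shared CME tag when the names do not agree. The vendor names, labels, stop list and the helper names `family`, `cme_id` and `consensus` are constructed for illustration; only the Lovsan/Blaster alias and the `!CME-711` suffix come from the thread.

```python
import re
from collections import Counter

# Tokens naming a platform, malware type or heuristic rather than a family.
# This stop list is an assumption made for the example, not a vendor standard.
GENERIC = {"w32", "win32", "worm", "trojan", "troj", "downloader", "dldr",
           "generic", "heur", "agent", "virus", "backdoor", "email"}

# Family aliases. Only the Lovsan/Blaster pair is taken from the thread.
ALIASES = {"lovsan": "blaster"}

CME_TAG = re.compile(r"!?CME-(\d+)", re.IGNORECASE)


def cme_id(label):
    """Return the CME number carried in a label such as 'X!CME-711', else None."""
    match = CME_TAG.search(label)
    return int(match.group(1)) if match else None


def family(label):
    """Return the first token that looks like a family name, alias-resolved."""
    for token in re.split(r"[^a-z0-9]+", CME_TAG.sub("", label).lower()):
        # Short tokens are variant letters ('a', 'gen'); digits are sizes or ids.
        if len(token) < 4 or token.isdigit() or token in GENERIC:
            continue
        return ALIASES.get(token, token)
    return None


def consensus(report):
    """Summarise one multi-scanner report given as {vendor: label or None}."""
    names = {v: family(l) for v, l in report.items() if l}
    votes = Counter(n for n in names.values() if n)
    ranked = votes.most_common(2)
    # A family counts as agreed only with 2+ votes and no tie for first place.
    agreed = bool(ranked) and ranked[0][1] >= 2 and (
        len(ranked) == 1 or ranked[0][1] > ranked[1][1])
    return {
        "family": ranked[0][0] if agreed else None,
        "agreement": ranked[0][1] if agreed else 0,
        "detections": len(names),
        "cme": sorted({cme_id(l) for l in report.values() if l} - {None}),
        "names": names,
    }


# Constructed reports: placeholder vendors, made-up label strings.
BLASTER_REPORT = {
    "VendorA": "W32/Lovsan.worm.a",      # alias of Blaster
    "VendorB": "Worm.Win32.Blaster.b",
    "VendorC": "Win32.Blaster.Worm",
    "VendorD": None,                     # no detection
    "VendorE": "Generic.Worm.Heur",      # detected, but no family named
}
CME_REPORT = {
    "VendorA": "Trojan.Downloader.Sampler.c!CME-711",
    "VendorB": "Trojan-Downloader.Win32.Othername.a",
    "VendorC": "Win32/Thirdname.x!CME-711",
}

if __name__ == "__main__":
    for title, report in (("blaster", BLASTER_REPORT), ("cme", CME_REPORT)):
        print(title, consensus(report))
```

In the second report no two vendors share a family name, so the only usable cross-index is the CME number two of them appended.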
 
"David H. Lipman" wrote in message
news:ulFWEJAUJHA.6092@TK2MSFTNGP04.phx.gbl...
> From: "Øyvind Granberg"
>


>
> However systems like Virus Total are helpful in that when you submit a
> malware sample you can see who flags and what they flag it as and you can
> then, hopefully, use their encyclopedia/dictionaries to see what the
> infector is and does.
>
>


If I were a blackhat writing malware, once I had concocted a suitable
'draft', the first thing *I* would do would be to submit it to VirusTotal
for a check. If my new 'draft' was flagged, I'd simply re-write the code
until such time as it was NOT flagged by any of the sponsors of VirusTotal -
and only then release same into the wild.

Maybe some form of 'Registration' with operators like VirusTotal should be
invoked - in a, probably vain, attempt to restrict use to the good guys.

Any thoughts on this?

Dave

--
 
From: "~BD~"



| If I were a blackhat writing malware, once I had concocted a suitable
| 'draft', the first thing *I* would do would be to submit it to VirusTotal
| for a check. If my new 'draft' was flagged, I'd simply re-write the code
| until such time as it was NOT flagged by any of the sponsors of VirusTotal -
| and only then release same into the wild.

| Maybe some form of 'Registration' with operators like VirusTotal should be
| invoked - in a, probably vain, attempt to restrict use to the good guys.

| Any thoughts on this?

| Dave

Yes, you have no idea what you are talking about.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
From: "Øyvind Granberg"

| I understand....

| The problem for me as an ignorant victim of assorted virus attacks is that I
| can have problems finding a cure.


| --

| Kind regards
| Øyvind Granberg

Yes.... { sigh }
It makes things very difficult indeed. Even for those of us dealing with malware at a
different level. It is rare when every vendor declares the same infector with the same
name. In short... PITA !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
"David H. Lipman" wrote in message
news:exN0elCUJHA.5084@TK2MSFTNGP05.phx.gbl...
> From: "~BD~"
>
>
>
> | If I were a blackhat writing malware, once I had concocted a suitable
> | 'draft', the first thing *I* would do would be to submit it to
> VirusTotal
> | for a check. If my new 'draft' was flagged, I'd simply re-write the code
> | until such time as it was NOT flagged by any of the sponsors of
> VirusTotal -
> | and only then release same into the wild.
>
> | Maybe some form of 'Registration' with operators like VirusTotal should
> be
> | invoked - in a, probably vain, attempt to restrict use to the good guys.
>
> | Any thoughts on this?
>
> | Dave
>
> Yes, you have no idea what you are talking about.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>


Mr Lipman,

You say in this thread " Even for those of us dealing with malware at a
different level .... " - which, to me, implies that rather than simply being
another 'user' helping your peers, you are here on this newsgroup answering
questions in some kind of professional capacity. In other words, as part of
your job.

Is this indeed so?

If it is, for what kind of organisation do you work? (You've said before
that it isn't Microsoft - hopefully it is not Al-Qaeda).

You also say to me ".... no idea what you are talking about". Perhaps you
are right - so, explain to me exactly *why* the bad guys CANNOT use the
likes of VirusTotal to 'check' their work before releasing it onto the
Internet. I'd really appreciate it. Thanks.

Dave

--
 
~BD~ wrote:
> "David H. Lipman" wrote in message
> news:exN0elCUJHA.5084@TK2MSFTNGP05.phx.gbl...
>> From: "~BD~"
>>
>>
>>
>> | If I were a blackhat writing malware, once I had concocted a suitable
>> | 'draft', the first thing *I* would do would be to submit it to
>> VirusTotal
>> | for a check. If my new 'draft' was flagged, I'd simply re-write the code
>> | until such time as it was NOT flagged by any of the sponsors of
>> VirusTotal -
>> | and only then release same into the wild.
>>
>> | Maybe some form of 'Registration' with operators like VirusTotal should
>> be
>> | invoked - in a, probably vain, attempt to restrict use to the good guys.
>>
>> | Any thoughts on this?
>>
>> | Dave
>>
>> Yes, you have no idea what you are talking about.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>
>>

>
> Mr Lipman,
>
> You say in this thread " Even for those of us dealing with malware at a
> different level .... " - which, to me, implies that rather than simply being
> another 'user' helping your peers, you are here on this newsgroup answering
> questions in some kind of professional capacity. In other words, as part of
> your job.
>
> Is this indeed so?
>
> If it is, for what kind of organisation do you work? (You've said before
> that it isn't Microsoft - hopefully it is not Al-Qaeda).
>
> You also say to me ".... no idea what you are talking about". Perhaps you
> are right - so, explain to me exactly *why* the bad guys CANNOT use the
> likes of VirusTotal to 'check' their work before releasing it onto the
> Internet. I'd really appreciate it. Thanks.
>
> Dave
>


Damn boy! You want to know an awful lot about a person's personal life.

Did it ever enter your small brain that, just maybe, some people who
post here have a real job in computer security, and that they come here
to help others in their spare time?

That would certainly place some at a different level - as compared to
you - who just comes here to be a pain in the ass!
 
"none" wrote in message
news:eMs1IZKUJHA.3492@TK2MSFTNGP03.phx.gbl...
> ~BD~ wrote:
>> "David H. Lipman" wrote in message
>> news:exN0elCUJHA.5084@TK2MSFTNGP05.phx.gbl...
>>> From: "~BD~"
>>>
>>>
>>>
>>> | If I were a blackhat writing malware, once I had concocted a suitable
>>> | 'draft', the first thing *I* would do would be to submit it to
>>> VirusTotal
>>> | for a check. If my new 'draft' was flagged, I'd simply re-write the
>>> code
>>> | until such time as it was NOT flagged by any of the sponsors of
>>> VirusTotal -
>>> | and only then release same into the wild.
>>>
>>> | Maybe some form of 'Registration' with operators like VirusTotal
>>> should be
>>> | invoked - in a, probably vain, attempt to restrict use to the good
>>> guys.
>>>
>>> | Any thoughts on this?
>>>
>>> | Dave
>>>
>>> Yes, you have no idea what you are talking about.
>>>
>>> --
>>> Dave
>>> http://www.claymania.com/removal-trojan-adware.html
>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>
>>>

>>
>> Mr Lipman,
>>
>> You say in this thread " Even for those of us dealing with malware at a
>> different level .... " - which, to me, implies that rather than simply
>> being another 'user' helping your peers, you are here on this newsgroup
>> answering questions in some kind of professional capacity. In other
>> words, as part of your job.
>>
>> Is this indeed so?
>>
>> If it is, for what kind of organisation do you work? (You've said before
>> that it isn't Microsoft - hopefully it is not Al-Qaeda).
>>
>> You also say to me ".... no idea what you are talking about". Perhaps you
>> are right - so, explain to me exactly *why* the bad guys CANNOT use the
>> likes of VirusTotal to 'check' their work before releasing it onto the
>> Internet. I'd really appreciate it. Thanks.
>>
>> Dave
>>
>
>
> Damn boy! You want to know an awful lot about a person's personal life.
>
> Did it ever enter your small brain that, just maybe, some people who post
> here have a real job in computer security, and that they come here to help
> others in their spare time?
>
> That would certainly place some at a different level - as compared to
> you - who just comes here to be a pain in the ass!

--


I'd prefer you not to swear here, Richard - no matter how strongly you feel.

Richard Urban (now posting as 'none' - why, Richard?)
Microsoft MVP
Windows Desktop Experience
c-24-98-57-125.hsd1.ga.comcast.net

Dave

--
 
~BD~ wrote:
> "none" wrote in message
> news:eMs1IZKUJHA.3492@TK2MSFTNGP03.phx.gbl...
>> ~BD~ wrote:
>>> "David H. Lipman" wrote in message
>>> news:exN0elCUJHA.5084@TK2MSFTNGP05.phx.gbl...
>>>> From: "~BD~"
>>>>
>>>>
>>>>
>>>> | If I were a blackhat writing malware, once I had concocted a suitable
>>>> | 'draft', the first thing *I* would do would be to submit it to
>>>> VirusTotal
>>>> | for a check. If my new 'draft' was flagged, I'd simply re-write the
>>>> code
>>>> | until such time as it was NOT flagged by any of the sponsors of
>>>> VirusTotal -
>>>> | and only then release same into the wild.
>>>>
>>>> | Maybe some form of 'Registration' with operators like VirusTotal
>>>> should be
>>>> | invoked - in a, probably vain, attempt to restrict use to the good
>>>> guys.
>>>>
>>>> | Any thoughts on this?
>>>>
>>>> | Dave
>>>>
>>>> Yes, you have no idea what you are talking about.
>>>>
>>>> --
>>>> Dave
>>>> http://www.claymania.com/removal-trojan-adware.html
>>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>>
>>>>
>>> Mr Lipman,
>>>
>>> You say in this thread " Even for those of us dealing with malware at a
>>> different level .... " - which, to me, implies that rather than simply
>>> being another 'user' helping your peers, you are here on this newsgroup
>>> answering questions in some kind of professional capacity. In other
>>> words, as part of your job.
>>>
>>> Is this indeed so?
>>>
>>> If it is, for what kind of organisation do you work? (You've said before
>>> that it isn't Microsoft - hopefully it is not Al-Qaeda).
>>>
>>> You also say to me ".... no idea what you are talking about". Perhaps you
>>> are right - so, explain to me exactly *why* the bad guys CANNOT use the
>>> likes of VirusTotal to 'check' their work before releasing it onto the
>>> Internet. I'd really appreciate it. Thanks.
>>>
>>> Dave
>>>

>>
>> Damn boy! You want to know an awful lot about a person's personal life.
>>
>> Did it ever enter your small brain that, just maybe, some people who post
>> here have a real job in computer security, and that they come here to help
>> others in their spare time?
>>
>> That would certainly place some at a different level - as compared to
>> you - who just comes here to be a pain in the ass!
>
> --
>
>
> I'd prefer you not to swear here, Richard - no matter how strongly you feel.
>
> Richard Urban (now posting as 'none' - why, Richard?)
> Microsoft MVP
> Windows Desktop Experience
> c-24-98-57-125.hsd1.ga.comcast.net
>
> Dave
>
> --
>
>

Then go away - PLEASE!
 
"none" wrote in message
news:OddxPELUJHA.1172@TK2MSFTNGP03.phx.gbl...
> ~BD~ wrote:
>> "none" wrote in message
>> news:eMs1IZKUJHA.3492@TK2MSFTNGP03.phx.gbl...
>>> ~BD~ wrote:
>>>> "David H. Lipman" wrote in message
>>>> news:exN0elCUJHA.5084@TK2MSFTNGP05.phx.gbl...
>>>>> From: "~BD~"
>>>>>
>>>>>
>>>>>
>>>>> | If I were a blackhat writing malware, once I had concocted a
>>>>> suitable
>>>>> | 'draft', the first thing *I* would do would be to submit it to
>>>>> VirusTotal
>>>>> | for a check. If my new 'draft' was flagged, I'd simply re-write the
>>>>> code
>>>>> | until such time as it was NOT flagged by any of the sponsors of
>>>>> VirusTotal -
>>>>> | and only then release same into the wild.
>>>>>
>>>>> | Maybe some form of 'Registration' with operators like VirusTotal
>>>>> should be
>>>>> | invoked - in a, probably vain, attempt to restrict use to the good
>>>>> guys.
>>>>>
>>>>> | Any thoughts on this?
>>>>>
>>>>> | Dave
>>>>>
>>>>> Yes, you have no idea what you are talking about.
>>>>>
>>>>> --
>>>>> Dave
>>>>> http://www.claymania.com/removal-trojan-adware.html
>>>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>>>
>>>>>
>>>> Mr Lipman,
>>>>
>>>> You say in this thread " Even for those of us dealing with malware at a
>>>> different level .... " - which, to me, implies that rather than simply
>>>> being another 'user' helping your peers, you are here on this newsgroup
>>>> answering questions in some kind of professional capacity. In other
>>>> words, as part of your job.
>>>>
>>>> Is this indeed so?
>>>>
>>>> If it is, for what kind of organisation do you work? (You've said
>>>> before that it isn't Microsoft - hopefully it is not Al-Qaeda).
>>>>
>>>> You also say to me ".... no idea what you are talking about". Perhaps
>>>> you are right - so, explain to me exactly *why* the bad guys CANNOT use
>>>> the likes of VirusTotal to 'check' their work before releasing it onto
>>>> the Internet. I'd really appreciate it. Thanks.
>>>>
>>>> Dave
>>>>
>>>
>>> Damn boy! You want to know an awful lot about a person's personal life.
>>>
>>> Did it ever enter your small brain that, just maybe, some people who
>>> post here have a real job in computer security, and that they come here
>>> to help others in their spare time?
>>>
>>> That would certainly place some at a different level - as compared to
>>> you - who just comes here to be a pain in the ass!

>>
>> --
>>
>>
>> I'd prefer you not to swear here, Richard - no matter how strongly you
>> feel.
>>
>> Richard Urban (now posting as 'none' - why, Richard?)
>> Microsoft MVP
>> Windows Desktop Experience
>> c-24-98-57-125.hsd1.ga.comcast.net
>>
>> Dave
>>
>> --
>>
>>
>
> Then go away - PLEASE!

--

NO! :-)

--
 
On Thu, 27 Nov 2008 00:29:36 -0000, "~BD~"
wrote:

>
>"David H. Lipman" wrote in message
>news:ulFWEJAUJHA.6092@TK2MSFTNGP04.phx.gbl...
>> From: "Øyvind Granberg"
>>

>
>>
>> However systems like Virus Total are helpful in that when you submit a
>> malware sample you
>> can see who flags and what they flag it as and you can then, hopefully,
>> use their
>> encyclopedia/dictionaries to see what the infector is and does.
>>
>>

>
>If I were a blackhat writing malware, once I had concocted a suitable
>'draft', the first thing *I* would do would be to submit it to VirusTotal
>for a check. If my new 'draft' was flagged, I'd simply re-write the code
>until such time as it was NOT flagged by any of the sponsors of VirusTotal -
>and only then release same into the wild.
>

Some probably do. But they would be telegraphing their morphs to the very
systems from which they are trying to hide. Heuristic scanners look for
behaviors, op-codes and function calls or certain decompression and
self-decrypting files. It's futile to try to hide from a broad spectrum of
detectors all at once. The point is to exploit a vulnerability and disable
the detection on a specific class of target and not to slip past all
detectors all at once. Get in, get your malicious work done, don't care
what happens to your victim after that.

Nothing prevents a malware writer from testing his code against an isolated
machine running the A-V product he's trying to get past. He doesn't have to
do it online and he can do it at no cost without tipping off the
opposition.

>Maybe some form of 'Registration' with operators like VirusTotal should be
>invoked - in a, probably vain, attempt to restrict use to the good guys.
>


The goal of the site is to provide a wide spectrum detection service for
_regular_users_ to scan suspect files so they can identify the malware and
choose the proper removal method. Restriction is simply not feasible or a
reasonable goal. Opening it up to registration to keep "evil bad guys" out
is ridiculous. Prove you are who you say you are. Prove you are a "good
guy". Prove you are not a "bad guy". How will you do that online? Send a
scan of your driver's license, passport, social security card, national
health care ID and your address? Please.
 
"Geoff" wrote in message
news:tjoti4p8dn5fi0t5rckimeoriiasicqkkj@4ax.com...

> The point is to exploit a vulnerability


A virus doesn't need a vulnerability.

> and disable the detection on a specific class of target


One kind of virus does this, the computer retrovirus.

http://www.smartcomputing.com/editorial/di...pe=Encyclopedia

It was a relatively recent trend among worms too, but now hiding
from them via rootkit technology is becoming more popular. Why
use appkiller if you can stealth yourself.

> and not to slip past all detectors all at once.


Which in the earlier days of polymorphic viruses was exactly the point.
Detection came down to the ability to detect self-decryptors or to
emulate the target environment long enough and deep enough to get
the virus body to expose itself.
 
"Geoff" wrote in message
news:tjoti4p8dn5fi0t5rckimeoriiasicqkkj@4ax.com...
> On Thu, 27 Nov 2008 00:29:36 -0000, "~BD~"
> wrote:
>
>>
>>"David H. Lipman" wrote in message
>>news:ulFWEJAUJHA.6092@TK2MSFTNGP04.phx.gbl...
>>> From: "Øyvind Granberg"
>>>

>>
>>>
>>> However systems like Virus Total are helpful in that when you submit a
>>> malware sample you
>>> can see who flags and what they flag it as and you can then, hopefully,
>>> use their
>>> encyclopedia/dictionaries to see what the infector is and does.
>>>
>>>

>>
>>If I were a blackhat writing malware, once I had concocted a suitable
>>'draft', the first thing *I* would do would be to submit it to VirusTotal
>>for a check. If my new 'draft' was flagged, I'd simply re-write the code
>>until such time as it was NOT flagged by any of the sponsors of
>>VirusTotal -
>>and only then release same into the wild.
>>
>
> Some probably do. But they would be telegraphing their morphs to the very
> systems from which they are trying to hide. Heuristic scanners look for
> behaviors, op-codes and function calls or certain decompression and
> self-decrypting files. It's futile to try to hide from a broad spectrum of
> detectors all at once. The point is to exploit a vulnerability and disable
> the detection on a specific class of target and not to slip past all
> detectors all at once. Get in, get your malicious work done, don't care
> what happens to your victim after that.
>
> Nothing prevents a malware writer from testing his code against an
> isolated
> machine running the A-V product he's trying to get past. He doesn't have
> to
> do it online and he can do it at no cost without tipping off the
> opposition.
>
>>Maybe some form of 'Registration' with operators like VirusTotal should be
>>invoked - in a, probably vain, attempt to restrict use to the good guys.
>>

>
> The goal of the site is to provide a wide spectrum detection service for
> _regular_users_ to scan suspect files so they can identify the malware and
> choose the proper removal method. Restriction is simply not feasible or a
> reasonable goal. Opening it up to registration to keep "evil bad guys" out
> is ridiculous. Prove you are who you say you are. Prove you are a "good
> guy". Prove you are not a "bad guy". How will you do that online? Send a
> scan of your driver's license, passport, social security card, national
> health care ID and your address? Please.

--


I appreciate your comments, Geoff.
Thank you for posting.

Dave

--
 
"FromTheRafters" wrote in message
news:%235gNzjMUJHA.1360@TK2MSFTNGP05.phx.gbl...
>
> "Geoff" wrote in message
> news:tjoti4p8dn5fi0t5rckimeoriiasicqkkj@4ax.com...
>
>> The point is to exploit a vulnerability

>
> A virus doesn't need a vulnerability.
>
>> and disable the detection on a specific class of target

>
> One kind of virus does this, the computer retrovirus.
>
> http://www.smartcomputing.com/editorial/di...pe=Encyclopedia
>
> It was a relatively recent trend among worms too, but now hiding
> from them via rootkit technology is becoming more popular. Why
> use appkiller if you can stealth yourself.
>
>> and not to slip past all detectors all at once.

>
> Which in the earlier days of polymorphic viruses was exactly the point.
> Detection came down to the ability to detect self-decryptors or to
> emulate the target environment long enough and deep enough to get
> the virus body to expose itself.
>
--


My understanding is that some malware, if already resident in a machine can,
and will, render an 'anti-malware' facility useless, even as that facility
is first being loaded onto the computer. The user thereafter has a false
sense of security - being totally unaware that there may be a 'gremlin'
lurking within their machine.

Your post appears to confirm this FTR - thank you.

Dave

--
 