Comments on: Ahhh.. Mega-D == Cutwail et al. http://asert.arbornetworks.com/2008/02/ahhh-mega-d-cutwail-et-al/ A weblog dedicated to educating the community on security threats that matter Fri, 21 Nov 2008 13:53:49 +0000 http://wordpress.org/?v=abc By: Chris http://asert.arbornetworks.com/2008/02/ahhh-mega-d-cutwail-et-al/#comment-65426 Chris Tue, 05 Feb 2008 06:00:28 +0000 http://asert.arbornetworks.com/2008/02/ahhh-mega-d-cutwail-et-al/#comment-65426 As to the malware classification/naming conundrum... there are several reasons (I can come up with) that malware gets misnamed/misclassified/poorly-dealt-with, not the least of which is it's not in the AV vendor's best interest to cooperate in the naming/classification game. The researchers and operators get left trying to run multiple engines against single samples with the vain hope that some may agree on a name or partial name. Then arranging a story around why vendorX and vendorY say this is FOO but vendorA and vendorB can't agree if it's BAR or BAZ :( The best setup for this classification I've seen so far is the Family/Genus/Species model dragged back to the source-code of the malware in question, done by a neutral third party (is that possible in this game?) and used across the board. One would hope that the AV folks would rid themselves of their current ostrich-syndrome and make this problem better, but... As to the malware classification/naming conundrum… there are several reasons (I can come up with) that malware gets misnamed/misclassified/poorly-dealt-with, not the least of which is it’s not in the AV vendor’s best interest to cooperate in the naming/classification game. The researchers and operators get left trying to run multiple engines against single samples with the vain hope that some may agree on a name or partial name. Then arranging a story around why vendorX and vendorY say this is FOO but vendorA and vendorB can’t agree if it’s BAR or BAZ :(

The best setup for this classification I’ve seen so far is the Family/Genus/Species model dragged back to the source-code of the malware in question, done by a neutral third party (is that possible in this game?) and used across the board. One would hope that the AV folks would rid themselves of their current ostrich-syndrome and make this problem better, but…

]]>