September 24th, 2005, 12:36 AM
Uniformity in naming worms/exploits
Zotob.E, Tpbot-A, Rbot.CBQ and IRCbot.worm: all names given to a single worm that wreaked havoc in Windows 2000 systems last month. Among the plethora of identifiers, perhaps the most useful--CME-540--didn't make an impact.
But that's about to change. CME-540 was the tag attached to the worm by the Common Malware Enumeration initiative, which is just emerging from its test phase. Next month, the U.S. Computer Emergency Readiness Team plans to officially take the wraps off the effort, meant to reduce the confusion caused by the different names security companies give worms, viruses and other pests.
Name that worm--plan looks to cut through chaos | CNET News.com
September 24th, 2005, 12:43 AM
Don't think it will work, though. The big companies are probably not willing to give up on their own naming systems in favour of some more generic one. It's a bit like deciding which way is the best technique to name variables in source code. Hungarian notation? CamelCase? Under_scores? Everyone will have their personal favorite and I don't think they will ever agree on one single mechanism. It will just mean that we have yet another standard that many will just be ignoring... Besides, what sounds cooler? CME-666 or MyDoom@mm?
September 24th, 2005, 07:24 AM
sry, we are talking about modular source-coded IRC bots
regarding bots, the AV companies' handling and end-user information is still ridiculous
e.g. Symantec makes their users think that such a program has the same name every time
and would only try to connect to a specific ircd (url)
...but .. it takes just a minute to compile a new version using other names, servers, keys or whatever
the real problem is the detection of an exploit compiled into an optimized PE-packed and/or crypted
if you are not sure what I'm talking about you may request the agobot executable that hit our
company's net last month (and what I know about)
[the program will try to send a mail to an AOL account and will try to connect to a hacked ircd located in Italy. however this may be monitored by the FBI cos the worm crawled into networks
the people who compiled and started it do not know about yet]
==> (browse: http://www.foxnews.com/story/0,2933,165949,00.html
oh yeah .. sorry for the crappy English