Why VDBs > AV Industry
Posted by jericho
Remember the recent Microsoft Windows WMF vulnerability that made news? You know, the “Shimgvw.dll SETABORTPROC function crafted WMF arbitrary code execution” issue? This was assigned OSVDB 21987, CVE-2005-4560, CERT VU 181038, BID 16074, FRSIRT ADV-2005-3086, OVAL 1433, SECTRACK 1015416, and Secunia 18255. While the vulnerability has a dozen different tracking numbers, they all correspond to the same issue, and many of them cross-reference each other to avoid confusion. This issue is different from the “WMF processing ExtEscape POSTSCRIPT_INJECTION function overflow DoS” and the “WMF processing ExtCreateRegion function overflow DoS”, each of which is identified by its own unique number in many of the VDBs.
Familiar with the CME-24/BlackWorm worm making the rounds? Oh, maybe you know it as W32/Kapser.A@mm? No, how about Worm/KillAV.GR? Maybe Win32/Blackmal.F? No?! Come on... you have to know it by something! Check this handy list, based on the anti-virus software you use:
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A
Yes, that many names for the same little program. For those who frown upon the VDB industry, at least we have our standards =)
Excellent analysis of the worm: http://www.caida.org/analysis/security/blackworm/
Blog entry that prompted this one: Virus Naming Still a Mess

Do you think OSVDB will solve this problem, or mitigate it? I think the challenge for us is that no one would like to give up theirs; even the de facto standard CVE cannot unite vulnerability naming.
No, OSVDB (and every other VDB) will not solve the problem. Unless there is magically one database to rule them all, this may continue to be a problem. All we can really do is avoid the problem by maintaining consistency within our own VDBs, and provide as many cross references as possible. This is an unfortunate side effect of many rings divided up =)
Virus names likely a lost cause http://www.securityfocus.com/news/11380
CME Malware Naming System Never Had a Chance http://www.eweek.com/article2/0,1759,1936595,00.asp
No Solution at Hand for the Malware Naming Mess http://www.eweek.com/article2/0,1895,1865136,00.asp