However, the recent confusion with virus naming has meant that some people who thought they were protected have switched on their PCs and found that, somehow, a new virus has managed to sneak past their desktop detection and settled comfortably in the computer – ready to cause untold problems.
Given the increase in virus activity, the problem of identifying viruses has become similar to attending a bad line-up at the local police station. Everyone identifies different suspects, and sometimes the real culprit is released to cause problems for the public at large. The main problem facing security and IT managers is the lack of a universal virus naming convention that all anti-virus firms have to follow.
In the same way that the public expects the police to ensure their safety by correctly identifying and detaining villains, anti-virus firms need to ensure that they have the very best systems in place for the identification and detection of viruses. Most solutions require viruses to be correctly identified in order for people to know what they're being protected from. Recent outbreaks have meant that differences in naming schemes between anti-virus vendors could result in end users thinking that they're protected when in truth they aren't.
That could lead to a lack of vigilance, and yet more viruses slipping through the net.
Yaha: the classic example
The recent Yaha virus outbreak was a classic example. Three variants were released over a short period of time, resulting in confusion over virus naming.
Let's run through a possible scenario. Suppose that one vendor names these three variants .J, .K and .L in the order it received them, while another vendor, receiving the same three samples in a different order, hands out the same letters to different samples. This is likely to happen because vendors allocate variant letters to samples as they receive them. There's no central naming authority, and in general an anti-virus researcher doesn't have the time to contact every other anti-virus company in the world to see if a variant has already been assigned a letter.
Next up, a media report may highlight the fact that Yaha.K is spreading quickly. A customer may then check with their vendor that they are protected against Yaha.K. Their anti-virus vendor tells them that they are, because that vendor does have a variant it calls Yaha.K.
However, the variant actually being spread is called Yaha.L by their vendor, and the vendor hasn't yet released a signature to catch Yaha.L. Result? The customer thinks they're protected, but in truth they're not.
It's uncertain whether the virus writers intended to cause this confusion, but I believe that as 2003 progresses this will probably become a favoured tactic. We'll see this pattern of virus release more often. Of course, this problem could be greatly reduced if some kind of centralised naming resource existed, available to all anti-virus concerns. That said, even with that kind of resource available the problem still exists in a lesser form, because the process isn't instantaneous.
In reality, an anti-virus vendor isn't going to wait for the official name of a piece of malware to be decided upon if an outbreak is occurring. To protect their customers they will release detection first, and worry about any naming conventions thereafter.
Developing the CARO system
The problem of virus naming is by no means a recent one. In 1991, a committee comprising anti-virus experts decided to address the problem, and devised the CARO system. The CARO system works through the alphabet when naming virus variants, assigning the next unused letter to a new strain. Thus, after W32/Yaha.A comes W32/Yaha.B, then W32/Yaha.C and so on. Currently, most companies favour the CARO naming scheme.
Problems with the system have also needed addressing over time and, rather than wait for an improvement, most companies have started using their own non-standard extensions. As a result, a proposed update to the standard has now been published.
There are still some potential problems with the new system. Virus writers often use packing tools that produce several different files from the same virus. However, since these are all created from the same source, the new CARO standard specifies that they all carry the same name. Thus it's perfectly possible to have three different files all containing Yaha.J.
Different anti-virus products that all claim to catch the Yaha.J variant may detect one, two or all three of these files. Thus, even if an anti-virus product is said to protect against a specific virus, a differently packed version of it may well pass through undetected.
The Yaha author(s) also used this tactic, releasing several different packed variants of .J, .K and .L. Again, it's uncertain as to whether or not they knew the problems they'd cause by doing so. However, having caused a certain amount of chaos, other virus authors will have taken due note of that – and security professionals and their IT Departments can expect to see this happening again.
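The two failure modes above, the arrival-order naming scenario (a vendor's "yes, we catch Yaha.K" refers to a different sample than the one in the media report) and the packed-variant problem (three files, one CARO name, signatures for only some of them), can be replayed in a small model. This is an added example, not code from the article or from MessageLabs: the vendors, sample bytes, packer labels and the "nine earlier variants" that push naming to .J are all constructed, and continuing the suffix sequence past Z with AA, AB, ... is an assumption the article does not state.

```python
"""Model of vendor-local CARO-style naming and per-sample detection.

Added example, not the article's or any vendor's code. Everything below is
constructed for illustration; real products name variants after analysis,
not by a (family, source) key as this toy does.
"""
import hashlib
import itertools
import string
from collections import defaultdict
from dataclasses import dataclass


def variant_suffixes():
    """CARO-style variant suffixes in allocation order: A..Z, then AA, AB, ...
    The continuation past Z is an assumption; the article only says vendors
    work through the alphabet assigning the next unused letter."""
    for length in itertools.count(1):
        for letters in itertools.product(string.ascii_uppercase, repeat=length):
            yield "".join(letters)


def nth_suffix(n):
    """0-based helper: nth_suffix(0) == 'A', nth_suffix(26) == 'AA'."""
    return next(itertools.islice(variant_suffixes(), n, None))


@dataclass(frozen=True)
class Sample:
    family: str   # what analysis says the code is, e.g. "Yaha"
    source: str   # which underlying source variant it was built from (constructed)
    data: bytes   # the file as captured; differs per packer

    @property
    def sha256(self):
        return hashlib.sha256(self.data).hexdigest()


class Vendor:
    """A vendor names each new source variant in the order it arrives and
    detects exactly the packed files it has written signatures for."""

    def __init__(self, name):
        self.name = name
        self._suffixes = defaultdict(variant_suffixes)  # per-family allocator
        self.variant_names = {}   # (family, source) -> "W32/Family.X"
        self.signatures = set()   # sha256 of every packed file with a signature

    def receive(self, sample):
        key = (sample.family, sample.source)
        if key not in self.variant_names:
            self.variant_names[key] = f"W32/{sample.family}.{next(self._suffixes[sample.family])}"
        self.signatures.add(sample.sha256)   # signature for this packing only
        return self.variant_names[key]

    def name_of(self, sample):
        return self.variant_names.get((sample.family, sample.source))

    def claims_protection(self, name):
        """What the customer asks: 'do you detect Yaha.K?' (by name only)."""
        return name in self.variant_names.values()

    def detects(self, sample):
        """What actually matters: is this exact file caught?"""
        return sample.sha256 in self.signatures

    def coverage(self, name, samples):
        """Fraction of the given files carrying `name` (in this vendor's naming) that are detected."""
        mine = [s for s in samples if self.name_of(s) == name]
        return sum(self.detects(s) for s in mine) / len(mine) if mine else 0.0


def build_sample(family, source, packer):
    # Constructed stand-in for a packed executable: bytes differ per packer, source does not.
    return Sample(family, source, f"{family}:{source}:{packer}".encode())


def yaha_scenario():
    """Two vendors see the same three source variants in different orders;
    one variant circulates in three packings. Returns the checks a customer
    would want to compare: name-based claims versus per-file detection."""
    a, b = Vendor("VendorA"), Vendor("VendorB")
    for i in range(9):                      # nine earlier variants, so new ones start at .J
        old = build_sample("Yaha", f"old{i}", "plain")
        a.receive(old)
        b.receive(old)

    packed = {p: build_sample("Yaha", "src2", p) for p in ("pk1", "pk2", "pk3")}
    src1 = build_sample("Yaha", "src1", "pk1")
    src3 = build_sample("Yaha", "src3", "pk1")

    a.receive(src1)                         # VendorA: src1 -> .J
    a.receive(packed["pk1"])                # src2 -> .K (two packings seen)
    a.receive(packed["pk2"])
    a.receive(src3)                         # src3 -> .L
    b.receive(src3)                         # VendorB so far: src3 -> .J
    b.receive(src1)                         # src1 -> .K; src2 not yet received

    spreading = packed["pk3"]               # the file actually in circulation
    media_name = a.name_of(spreading)       # reported using VendorA's name, "W32/Yaha.K"
    b_claims = b.claims_protection(media_name)   # True: B has its own .K (src3)
    b_detects = b.detects(spreading)             # False: B has never seen src2
    b_later_name = b.receive(spreading)          # once received, B calls it .L
    return {
        "media_name": media_name,
        "b_claims_protection": b_claims,
        "b_actually_detects": b_detects,
        "b_name_when_received": b_later_name,
        "a_claims_protection": a.claims_protection(media_name),
        "a_coverage_of_K": a.coverage(media_name, packed.values()),   # 2 of 3 packings
        "a_detects_spreading_packing": a.detects(spreading),          # False
    }


if __name__ == "__main__":
    for k, v in yaha_scenario().items():
        print(f"{k}: {v}")
```

The point of the model is the gap between `claims_protection` (a name lookup, which is what the customer's phone call amounts to) and `detects` (a per-file check): Vendor B answers "yes" to Yaha.K while missing the file that is spreading, and Vendor A, whose naming the media used, still misses the third packing of its own Yaha.K. When verifying coverage during an outbreak, check detection against hashes of the circulating samples rather than against a variant name.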
Looking at alternatives
To conclude, it's well worth noting that names don't matter provided you always keep your anti-virus signatures fully up to date. In this way, your organisation will be protected against all of the malware that your current solution can detect, whatever each vendor happens to call it.
Source
SMT
Postscript
Alex Shipp is the senior anti-virus technologist at MessageLabs (www.messagelabs.com)