The proliferation of three new Bagle variants two weeks ago and two new Mydoom variants Monday has once again thrown the security industry into confusion as AV vendors failed to follow any sort of naming convention.
Lenny Zeltser tried with difficulty to sort out the Bagle variants two weeks ago. For Zeltser, an independent IT security consultant and handler for the Bethesda, Md.-based SANS Internet Storm Center, the problem was antivirus vendors assigning too many different names and variant extensions to the same strains.
"When companies assign different names to a particular strain, I think it generates a lot of confusion among IT managers," Zeltser said. "With the last Bagle outbreak, I felt frustrated because I would see different names across vendor sites and I'd have to go back and do more research to determine which was which, and it took a lot of time."
That day, Zeltser tried to map out which names represented which variants. As far as he could tell, Bagle-AV, Bagle-AQ, Bagle-BB, Bagle-BC, Bagle-AP, Beagle-AT and Bagle-AT were one variant; Bagle-BC and Bagle-AU were another; and Beagle-AW, Bagle-AR and Bagle-BD were yet another.
Chris Mosby, Systems Management Server administrator for a regional bank and moderator of the MyITforum security message board, said the confusion made both jobs difficult.
"Vendors weren't even on the same page as to how many variants were floating around, and with all the confusion over what was what, I couldn't really do much until late in the day," he said. "The panic and confusion was worse than the actual outbreak."
It happened again this week with the Mydoom family. AV vendors are still squabbling over whether the two latest additions are variants or so substantially different that Mydoom-AG and Mydoom-AH should be renamed Bofra-A and Bofra-B. In the meantime, Mydoom-AI began circulating.
Experts from Lynnfield, Mass.-based Sophos and Santa Clara, Calif.-based McAfee Inc. said that during an outbreak, the first priority is to ensure they're offering the right protection.
"It's more important to get the protection out there than have a conference call with everyone to agree on what to call it," said Graham Cluley, senior technology consultant for Sophos. "In the heat of battle, there's no time for that."
Vincent Gullotto, vice president of McAfee Anti-Virus Emergency Response Team, agreed. "For the most part, [virus] family names are consistent across vendors. Multiple variants is where it can get tricky," he said. "Sometimes one company may discover two variants during an outbreak while another discovers four. That also leads to different names."
Gullotto said vendors try to maintain consistency through distribution lists. "When something new is found a researcher will give the worm a name and report it to different companies," he said. "But some companies on the distribution list still call it something else and that can be frustrating."
In fairness, he said companies are bound to stray from the distribution list and come up with different names in the heat of an attack. "We've strayed as well," Gullotto said. "We initially called Blaster Lovsan, but changed it to Blaster after the heat died down."
To make things less confusing, most antivirus firms now include aliases -- different names competitors assign to the same virus -- in their alerts. Zeltser and Mosby agree that has helped and that it's not easy for vendors to get on the same page during outbreaks. But they said firms can take steps to diminish confusion.
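Zeltser's manual mapping of Bagle names and the alias lists vendors now put in their alerts amount to the same bookkeeping problem: treat every "X is also known as Y" statement as an edge, and the connected components are the strains. The script below is an added example, not code from the article or from any vendor. It assumes a constructed alert list (the vendor names and alias lists are hypothetical and modelled on the confusion described above) and applies one sanity check a defender would want: a single vendor never gives two different names to the same sample, so if two of one vendor's names land in one component, the published alias data is inconsistent and needs a second look before a detection signature is mapped to it.

```python
"""Reconcile vendor malware names into strain groups from published aliases.

Added example, not part of the original article. Alert records below are
constructed for illustration; they do not reproduce any vendor's real alert.
"""
from collections import defaultdict

# Constructed sample alerts: (vendor, the vendor's own name, aliases it lists).
# Vendor names and alias lists are hypothetical.
SAMPLE_ALERTS = [
    ("VendorA", "Bagle-AV", ["Bagle-AQ", "Beagle-AT"]),
    ("VendorB", "Bagle-BB", ["Bagle-AV", "Bagle-AP"]),
    ("VendorC", "Bagle-AU", ["Bagle-BC"]),
    ("VendorA", "Bagle-AR", ["Beagle-AW", "Bagle-BD"]),
    # VendorB also publishes Bagle-AT with an alias pointing back into the
    # Bagle-AV group, which means VendorB now has two names in one strain.
    ("VendorB", "Bagle-AT", ["Bagle-AV"]),
]


class AliasGroups:
    """Union-find over malware names; each alias statement joins two names."""

    def __init__(self):
        self.parent = {}

    def find(self, name):
        """Return the representative of name's group, creating it if new."""
        self.parent.setdefault(name, name)
        root = name
        while self.parent[root] != root:
            root = self.parent[root]
        # Path compression: point every node on the walk straight at the root.
        while self.parent[name] != root:
            self.parent[name], name = root, self.parent[name]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def reconcile(alerts):
    """Return (groups, conflicts).

    groups: sorted list of sorted name lists, one list per inferred strain.
    conflicts: list of (vendor, names) where one vendor's distinct names ended
    up in the same group, i.e. the alias data contradicts itself.
    """
    uf = AliasGroups()
    own_names = defaultdict(set)  # vendor -> names that vendor itself assigned
    for vendor, name, aliases in alerts:
        own_names[vendor].add(name)
        uf.find(name)  # register names that carry no aliases at all
        for alias in aliases:
            uf.union(name, alias)

    members = defaultdict(list)
    for name in list(uf.parent):
        members[uf.find(name)].append(name)
    groups = sorted(sorted(g) for g in members.values())

    conflicts = []
    for vendor, names in sorted(own_names.items()):
        by_root = defaultdict(list)
        for n in sorted(names):
            by_root[uf.find(n)].append(n)
        for clashing in by_root.values():
            if len(clashing) > 1:
                conflicts.append((vendor, tuple(clashing)))
    return groups, conflicts


def aliases_of(groups, name):
    """All names a given name is equivalent to, or an empty list if unknown."""
    for g in groups:
        if name in g:
            return [n for n in g if n != name]
    return []


if __name__ == "__main__":
    strains, clashes = reconcile(SAMPLE_ALERTS)
    for i, g in enumerate(strains, 1):
        print(f"strain {i}: {', '.join(g)}")
    for vendor, names in clashes:
        print(f"inconsistent alias data: {vendor} uses {names} for one strain")
```

Running it prints three strains, matching the shape of Zeltser's three-way split, and flags VendorB's Bagle-AT/Bagle-BB pair as the kind of inconsistency that cost him extra research time. Fed with real alert text, the same check runs before anyone updates a blocklist or signature mapping against a vendor's name.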
"They should assign a quick name at the beginning, then go back later, talk to other vendors and agree on a more common name," Zeltser said. "This would allow for quick analysis, but then we could have consistency in names after the dust settles. When the next outbreak happens, IT managers won't have to spend so much time researching earlier variants and comparing them to new strains because there would be more consistency of names across sites."
Mosby believes wider use of RSS feeds would help. "There are companies that make an RSS feed available to their customers. I think more companies should offer a feed where they can update what they have and also update customers on what competitors have come up with," he said. "That would help a lot."