
Clever Malware Names: Feeding the Propensity to Ignore Systemic Issues

My patience with naming malware as if they were Marvel super heroes or X-Men is at an end. Slammer, Sasser, Flame, BlackEnergy. Instead of naming malware in ways that flatter or aggrandize the attackers, please let's use names that call attention to the systemic problem rather than the clever, tricksy software. For example,

WORM:Win32/TriedToWinAnIpodFromAControlSystem.A

TROJ:Win32/Surfed4PornFromARootAccount.C

WORM:Win32/ConnectedMyInfectedDeviceToIndustrialNetwork.A!sys

I was reminded yesterday of the Sun Tzu quote, 

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

We're succumbing in nearly every battle, and increasingly it's not only because we don't know the enemy but that we don't know ourselves, or more accurately, that we are unwilling to admit to the myriad of ways that we fail to rigorously implement the most obvious, commonly known, widely recommended security measures.

Certain attacks of the weaponized malware kind can be contained or mitigated by isolating or restricting access from critical networks, by compartmentalizing services, by hardening administrative systems, or by prohibiting users from connecting general purpose clients or devices to critical business or infrastructure networks. These measures also protect against the effects of users who disregard or overlook recommended secure behaviors.

A typical conversation that follows a successful exploit begins with, "have you read about the BurntUmberGoat attack against the Berzerkestan SCADA network?"

Name malware by the failure it exploits and your conversation now begins, "have you read about the Surfed4PornFromARootAccount MITB attack against the First Bank of Glovania?"

Changing the naming convention may not alter the attack surface but it might make conversations a bit more educational. There may even be a shame factor to exploit here.

It's embarrassing enough for most folks to have an IT guy tell you, "Your computer was infected with BurntUmberGoat" in front of your office mates.

It's quite a bit different to have her say, "Your computer was infected with Surfed4PornFromARootAccount".
