once more about the "naming"

Discussion in 'ESET Smart Security' started by stimulator32, Oct 6, 2010.

Thread Status:
Not open for further replies.
  1. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    Hello,

    1- Regarding ESET labs' new malware naming strategy, I didn't understand whether the new long series of letters belongs to the malware itself or indicates something else!

    For example, this detection :

    probably a variant of Win32/Agent.HKYSOZX trojan

    Is "HKYSOZX" a variant of the trojan "Agent"? And if yes, why can't I find the "Win32/Agent.HKYSOZX" detection on ESET's update details web page?

    2- Are detections that begin with the letter "N" special ones? I ask because when I search for the variants of the "Win32/KillAV" trojan, the "Win32/Spy.Banker" trojan, or the "Win32/PSW.OnLineGames" trojan, I notice that they have no variant names beginning with letters "previous to N", although they do have variant names beginning with the letter "N"!!

    Many thanks in advance ..
     
    Last edited: Oct 7, 2010
  2. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Can you imagine how many variations there are from Agent.AAAAAAA to Agent.ZZZZZZZ? = More than 17,249,876,309 variants!
    It is simply not possible to give a specific description of each variant, but you can see the descriptions of the important variants in that family (Win32/Agent.ABF, Win32/Agent.GCI, etc.) or a general description of the family (Win32/Agent).

    This is only a hypothesis, but it would be interesting to see an ESET mod's opinion.
     
  3. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    I meant: why isn't this variant of the Agent trojan, "Win32/Agent.HKYSOZX", included in the virus signature database updates here?

    If you go to this web page you can see a clear methodology for Kaspersky Labs' malware naming .. but here I can't understand ESET's new method of naming!

    Hope an ESET mod will talk with us!
     
  4. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    Waiting for a response from a moderator!

    Please .. if I asked about an ESET secret .. or about something that mustn't be disclosed .. close my thread now!

    ESET must clarify its methodology for virus naming .. and we (ESET's users) have the right to know that!!

    Waiting for a response or for closing!!
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    When a threat is detected with "Probably a variant of" before a name, as far as I know it usually is a heuristic detection.

    Meaning that there is no signature for that particular threat, yet.
    Which results in getting no results when you make a search on the ThreatSense updates page.

    So, AFAIK: "Probably a variant of" = heuristic detection.
     
  6. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    Hi friend,

    I know that the prefixes 'probably a variant', 'a variant of', 'probably unknown' etc. indicate heuristic detections, either passive or active heuristics; this is outside our discussion ..

    Usually, when ESET says "a variant of Conficker.AE worm", that means the signature Conficker.AE is present and included on the signatures web page, and the file detected 'by heuristics' is one of its variants ..

    This is the point .. is (Win32/Agent.HKYSOZX) a signature that is included on the signatures web page?

    P.S. We are used to being neglected by ESET's moderators; they are the worst technical support among the security companies!
     
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I understand.

    Well, if you search for that specific name but still end up with zero results, then it's clear to me that it is not included in the Sig update list. :)

    But it might have been detected by Generic sigs?
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Not every signature is listed in the update list, for the reason mentioned above: a list containing millions of entries would not be of help. Especially signatures that are subject to replacement with generic ones and can be changed shortly after they were initially added.
     
  9. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    juju friend, I see you're very hungry for knowledge.

    For example, take a look at this taxonomy:

    Probably a variant of Linux/Exploit.Shell.Qpop.A trojan
    a variant of WMA/TrojanDownloader.GetCodec.D trojan
    HTML/Phishing.gen trojan
    LNK/Exploit.CVE-2010-2568 trojan

    The key words "probably" and "variant" and the "gen" suffix specify the level of heuristic approximation to a known signature.

    In the signature:
    The first part refers to the platform.
    The second part can include the family, a name and a variant.
    The last part defines the threat's classification:
    for malware -> (Trojan, Worm, Virus, etc.);
    for greyware -> (Potentially Unwanted Application, Potentially Unsafe Application, etc.).

    And finally, I understood that Win32/Agent was something similar to a generic (heuristic) signature, as much malware was detected with this signature.

    Signatures and heuristic methods are combined, and a signature detection can lead to a heuristic algorithm, or vice versa. That is, from a detection made by the signature database it is possible to analyze the behavior of many threats and develop new heuristic algorithms that provide long-term protection against new variants with similar patterns. It is also possible that certain threats detected by heuristics are then identified through signatures, to create specific actions regarding the data on that threat.
    This ensures proper maintenance of the database and thus achieves high performance.
     
    Last edited: Oct 8, 2010
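To make the taxonomy in the post above concrete, here is a small parser, added as an example for this thread and not code from ESET or from any poster. It follows the structure toxinon12345 describes (platform / family, optional name parts, variant, then the classification word), treats the heuristic prefixes listed in post #6 as a flag rather than part of the name, and reconstructs both the full name one would search for on the update list and the family-level key (e.g. "Win32/Agent") that a family description would be filed under. The token shapes it accepts in the variant position (an all-caps letter run, the "gen" suffix, or a CVE identifier as in "LNK/Exploit.CVE-2010-2568") are assumptions drawn from the names quoted in the thread, not ESET's documented scheme.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic prefixes named in post #6. Assumption: they appear at the very
# start of the detection string and are matched case-insensitively.
HEURISTIC_PREFIXES = (
    "probably a variant of",
    "a variant of",
    "probably unknown",
)

# "platform/body" token, e.g. "Win32/Agent.HKYSOZX" or "LNK/Exploit.CVE-2010-2568".
# Assumption: alphanumerics, with '.', '-' and '_' allowed inside the body.
_SIG_RE = re.compile(r"^(?P<platform>[A-Za-z0-9_]+)/(?P<body>[A-Za-z0-9._-]+)$")

# Shapes accepted in the variant position (assumption based on the thread's
# examples): an all-caps letter run (A, D, HKYSOZX), "gen", or a CVE id.
_VARIANT_RE = re.compile(r"^(?:[A-Z]+|[Gg]en|CVE-\d{4}-\d+)$")


@dataclass
class Detection:
    raw: str
    heuristic: Optional[str]       # matched prefix, or None for a plain signature hit
    platform: str                  # "Win32", "Linux", "HTML", "LNK", ...
    family: str                    # "Agent", "Exploit", "Phishing", ...
    components: List[str]          # name parts between family and variant
    variant: Optional[str]         # "HKYSOZX", "A", "gen", "CVE-2010-2568" or None
    generic: bool                  # True when the variant position holds "gen"
    classification: Optional[str]  # trailing words: "trojan", "worm", ...


def parse_detection(text: str) -> Detection:
    """Split one ESET-style detection string into its parts."""
    s = " ".join(text.split())  # normalise whitespace
    heuristic = None
    for prefix in HEURISTIC_PREFIXES:
        if s.lower().startswith(prefix + " "):
            heuristic = prefix
            s = s[len(prefix):].strip()
            break

    tokens = s.split(" ")
    sig, rest_words = tokens[0], tokens[1:]
    # Classification may be several words ("potentially unwanted application").
    classification = " ".join(rest_words).lower() or None

    m = _SIG_RE.match(sig)
    if not m:
        raise ValueError(f"not a platform/name signature: {sig!r}")
    platform = m.group("platform")
    parts = m.group("body").split(".")
    family, tail = parts[0], parts[1:]

    variant: Optional[str] = None
    components = tail
    if tail and _VARIANT_RE.match(tail[-1]):
        variant, components = tail[-1], tail[:-1]
    generic = variant is not None and variant.lower() == "gen"

    return Detection(text, heuristic, platform, family, components,
                     variant, generic, classification)


def signature_name(d: Detection, family_only: bool = False) -> str:
    """Name to look up: the full variant name, or just the family key."""
    if family_only:
        return f"{d.platform}/{d.family}"
    body = ".".join([d.family, *d.components] + ([d.variant] if d.variant else []))
    return f"{d.platform}/{body}"


if __name__ == "__main__":
    # Detection strings quoted in the thread, plus one family-only name.
    samples = [
        "probably a variant of Win32/Agent.HKYSOZX trojan",
        "Probably a variant of Linux/Exploit.Shell.Qpop.A trojan",
        "a variant of WMA/TrojanDownloader.GetCodec.D trojan",
        "HTML/Phishing.gen trojan",
        "LNK/Exploit.CVE-2010-2568 trojan",
        "Win32/Agent",
    ]
    for sample in samples:
        d = parse_detection(sample)
        print(f"{sample!r}\n  heuristic={d.heuristic!r} platform={d.platform} "
              f"family={d.family} components={d.components} variant={d.variant!r} "
              f"generic={d.generic} class={d.classification!r}\n"
              f"  lookup: {signature_name(d)}  family: {signature_name(d, family_only=True)}")
```

The `heuristic` flag is what answers the original question in practice: when it is set, the name after the prefix is the closest known signature the heuristic engine matched, so a search for the full variant name on the update list may well come back empty (as SweX and Marcos note), and `signature_name(d, family_only=True)` gives the family key to look for a general description instead.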
  10. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    The scenario is cleared now .. :thumb:

    many thanks to you all ..
     