Tag Archives: iBot

The Name Game – Duh…

[Update: well, Sophos have, it seems, gone official on the name iPh/Duh, which I find quite unreasonably irritating. However, Paul’s latest blog (link below) includes some very useful info.]

http://www.sophos.com/blogs/duck/g/2009/11/24/clean-up-iphone-worm/

Paul Ducklin, what have you done?

Well, it’s not exactly Paul’s fault, as much as the industry’s: he referred at http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/ to the iBot thingie (yes, that again…) as Duh, since there’s no standardized name for it, and “because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm”.

And so, already we have various media sources referring to the Duh worm or Ikee.B. Well, if naming really mattered, I suppose we’d have all the various iPhone malware bits and pieces properly categorized and named by now. Historically, every vendor would have used a different name, of course, but there would have been some minimal cross-referencing and a semi-standard CARO-ish alternative. And probably the latest example (I really don’t like to describe it as a variant) would not have been called Duh because we tend to avoid using the form of name the malware author might have wanted.

Well, I haven’t changed my mind about naming, in general. In most cases, it’s largely irrelevant and often misleading, certainly in the Windows context. When you have many tens of thousands of unique binary samples coming in on a daily basis, accurately cross-referencing and naming them doesn’t seem much of a priority. (See  one of these papers for a more complete picture of why I say that.)

http://www.eset.com/download/whitepapers/cfet2009naming.pdf 
http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf

So most companies don’t seem to have bothered to name these  at all, even though iPhone malware was obviously going to excite some media interest. Well, exact naming for fairly low-impact threats wasn’t an issue I could raise much interest in either. But the fact is, that journalists and their audiences need a name to hang a malware story on, and they don’t care about the complexities of CARO-like naming (why should they?). So Duh will do, I suppose, especially since Paul as good as endorsed it. (“Perhaps, in fact, Duh is a good name for this virus.”)

What worries me is that at some point, someone is going to point to this as another example of how the AV industry can’t get its act together on naming, even on a platform with few enough threats to count on one hand. Well, we could have sorted this one out easily enough (and still could, in principle), but it will always be Duh now, so we probably won’t bother.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Definitely not speaking for the AV industry…

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Advertisements

iPhone botnet

It seems to me that, like it or not, Apple is moving slowly but remorselessly closer to joining the rest of us in the 21st century threatscape.  Their products may never be subject to the sheer volume of problems (especially malware problems) that we enjoy in the Wonderful World of Windows, but the time when Apple could say with any conviction “we don’t have security issues” is long, long gone.

The iPhone bot is another small but significant step on that road: it demonstrates that the bad guys are paying serious attention.

Blogged at more length at
 http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/