I'm a technologist at heart with a passion for emerging products and early stage companies.  Simple timing put me in the right place at the right time and gave me several opportunities to shape the Internet during its early days.  My education came via hands-on product development and side-by-side work with some of the most innovative minds in software.  

Saturday, January 9, 2010

55k New Threats Each Day

It seems to be common sense that if 5 malware researchers identify, reverse engineer and publish results on the same threat, it should have the same name. Unfortunately, as Sunbelt points out in their blog here, and as they quote from Panda, there are over 55k new threats each day; that's 20M a year!

The majority of consumers are understandably confused by a dozen different names for the same piece of malware. The majority of the key (aka damage-inflicting) viruses I've encountered while doing operations and security were typically detected by heuristics or behavior-based mechanisms. The really nasty ones were caught purely by behavior.

In late 2002 I was chasing an operational problem that started as CPU cycle spikes and proceeded to bandwidth degradation. My network monitoring was able to watch the virus scan thousands of internal IPs in seconds and crawl from vulnerable device to device... I unplugged the uplink, isolated the VLAN, and contained the virus.

The AV and IDS heuristics caught it, allowing us to stop it. As a security professional I started my research with activity-based discussions, not by Googling names. When you push the security envelope and run operations such as those of the major banks (I personally have experience with many, none of whom come close to Fidelity out of Boston), you have to defend against threats invented moments before they hit your front door.
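The pattern described above, one host reaching thousands of internal addresses in seconds, is exactly what behavior-based detection keys on, independent of whatever name a vendor later assigns the sample. The following Python detector is an added illustration, not code from the original post: it flags any source whose count of distinct internal destinations within a short window crosses a threshold. The flow record layout, the 10.0.0.0/8 internal range, the 10-second window, the 50-host threshold and the sample flows are all constructed assumptions.

```python
"""Behavior-based detection of an internal worm scan (added example).

Instead of matching a signature or a vendor name, flag any source host that
contacts an unusually large number of distinct internal destinations within
a short time window. The flow records below are constructed; the field
layout (timestamp, src, dst, dport) is an assumption, not a real export format.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int


INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range


def detect_scanners(flows, window=10.0, fanout_threshold=50):
    """Return {src: (first_ts, distinct_dsts)} for hosts whose distinct
    internal-destination count within any `window` seconds reaches the threshold.

    Flows must be sorted by timestamp. A per-source deque keeps only the flows
    inside the current window, so memory is bounded by the window, not by the
    total traffic volume.
    """
    recent = defaultdict(deque)      # src -> deque of (ts, dst) inside the window
    alerts = {}
    for f in flows:
        if ip_address(f.dst) not in INTERNAL:
            continue                  # only internal (lateral) traffic counts
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:
            q.popleft()               # expire flows older than the window
        distinct = len({dst for _, dst in q})
        if distinct >= fanout_threshold and f.src not in alerts:
            alerts[f.src] = (q[0][0], distinct)   # first flow of the offending window
    return alerts


def constructed_flows():
    """Constructed sample: one infected host sweeping a /24 on TCP/445 in
    3 seconds, a file server talking to a handful of clients normally, and
    some outbound web traffic that the detector must ignore."""
    flows = []
    # Worm-like sweep: 200 internal destinations in 3 seconds from 10.1.5.7
    for i in range(1, 201):
        flows.append(Flow(1000.0 + i * 0.015, "10.1.5.7", f"10.1.9.{i}", 445))
    # Benign server: the same 8 clients over a minute, never more than 8 distinct
    for i in range(60):
        flows.append(Flow(1000.0 + i, "10.1.2.2", f"10.1.3.{i % 8 + 1}", 445))
    # Outbound web traffic from the infected host: external, so not counted
    for i in range(100):
        flows.append(Flow(1000.0 + i * 0.1, "10.1.5.7", f"93.184.216.{i % 50}", 443))
    flows.sort(key=lambda f: f.ts)
    return flows


if __name__ == "__main__":
    for src, (ts, n) in detect_scanners(constructed_flows()).items():
        print(f"ALERT {src}: {n} distinct internal hosts within 10s starting t={ts:.3f}")
```

Running it on the constructed flows raises a single alert for 10.1.5.7 the moment its 50th distinct internal destination appears, while the file server stays quiet because repeat connections to the same eight clients never raise the distinct count. In a real deployment the threshold and window would be tuned per network segment against a baseline of normal fan-out, and the alert would be the trigger for the kind of containment (uplink, VLAN) the post describes.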

Even the US government figured this out a few years ago, and here are a few comments on the Einstein Program. Threat mitigation starts with behavior detection and more. Focusing on unification of threat behavior research and information would allow the thousands of researchers to collaborate... virus naming only seems to support marketing.
