Bagle Virus Name Decoder Chart!
This chart was created to give you a visual representation of the confusion involved with virus naming conventions. Even for a seasoned antivirus professional, keeping track of the virus variants can be very confusing. Chris Mosby wrote an "Open Letter to Anti-Virus Software Companies", which explains the issues and confusion involved with virus naming conventions. You can read the letter below this chart. This chart is still a work in progress. The variants are grouped together by line. Each virus name is a link to the vendor's site, with a description of the virus.
Open Letter to Anti-Virus Software Companies
As we are all aware, it was exactly one week ago today that
there was an unusual outbreak of not just one; but three globally spreading
variants of the Bagle virus.
Now that the smoke has cleared, and security professionals
around the world have all had time to reflect on the events of the last seven
days; I wanted to write to you on behalf of your customers to let you in on
a little secret that we already know.
The “Virus Name Game” has gotten out of hand. If you are
unaware of what I refer to, I will attempt to explain.
Sometime during the Bagle\Netsky
war of earlier this year, your virus variant names got out of synch with other
anti-virus software companies. We can understand how that could have happened.
There were multiple versions of those viruses coming out every day, with virus
writers trying to outdo each other in some childish game of hacker supremacy;
and you were dealing with the waves of malware as
fast as you could. When the “virus war” slowed down with the arrest of the
author of Netsky, your virus variant names stayed
out of synch. Your customers were able to “deal with it” as the new viruses
trickled in at their normal pace by working together as a community with resources
like the Internet Storm Center (http://isc.sans.org/index.php),
Secunia’s Virus Information page (http://secunia.com/virus_information/),
VGrep Online (http://www.virusbtn.com/resources/vgrep/index.xml),
MyITforum’s Security message boards (http://myitforum.techtarget.com/forums/default.asp?catApp=2),
and AntiVirus e-mail list (http://myitforum.techtarget.com/articles/14/view.asp?id=1301).
This last Bagle virus outbreak
reminded us all what a mess we are in. Since your respective companies have
adopted an isolationist attitude and don’t usually share information with
other anti-virus software companies, your customers were left with a lot of
confusion as to exactly what they were dealing with.
While the new Bagle variants were
spreading like wildfire, some companies acknowledged the variants existed;
but had no details of what these variants did or what to look for. This did
not change even after they raised the threat level of these viruses.
Others provided more detail, but did not match the threat
level of other companies since the number of submissions they received from
their customers was lower. Their virus variant names were different than
other companies, so your customers were left in the dark.
Still other companies had only one or two of these variants
listed, with various degrees of detail; and again completely different variant
names than other companies, since that was all their customers had submitted
to them. This left your customers in the dark again. For those of your customers
that use more than one company's anti-virus product, and I know there are
plenty out there; that left them with an even bigger mess than just the virus
outbreak.
With all of this going on your customers “dealt with it”
as they usually do, working together as a community. We sorted through all the
information that trickled down to us, or when you felt like letting us know.
As usual, we got through it, with some of us showing a few more gray hairs.
I think I can speak for everyone in the security community
when I say; “dealing with it” is not acceptable anymore. As the customers
that spend money for your products, we should not have to work so hard to
figure out if your products are keeping us protected.
We know you can do better, and we challenge you to do so.
With the increasing problem of spyware, spam, and
patch management, we have enough to deal with.
Along those lines, I have a suggestion. Since your business
thrives on competition with the other companies out there, then maybe picking
a name for a virus should be played as a competition by anti-virus software
companies. First we would need a neutral third party you can send virus information
to, like the Internet Storm Center or the United States Computer Emergency
Readiness Team (US-CERT, http://www.us-cert.gov/).
The competition would be that the first company to send the neutral party
detailed and accurate information on a virus before any other would be the
one to name the virus. This would be what all other companies would have to use
in their descriptions from that point on.
However things are fixed might not matter, as long as something
is done before things get worse. Work together as a community of security
professionals and help out your customers at the same time. With Microsoft
soon to be entering the anti-virus software business, we believe it is in
your best interest to figure out how to accomplish this and keep your customers
better informed about how they are protected.
Thank you for your time and attention.