The wild WildList

2007-07-01

Mary Landesman

About.com, USA
Editor: Helen Martin

Abstract

'The WildList is more pertinent than ever - particularly given today's threat landscape.' Mary Landesman, About.com.


When the WildList was formed in 1993, it was with the noble intention of protecting users by slicing through marketing hype and identifying the actual threats that anti-virus scanners should detect. In the 14 years since, the WildList - or more precisely, the WildCore - has become the de facto standard by which all reputable anti-virus scanners are measured. But despite its wide adoption, the WildList has struggled to gain respect and has seldom been without controversy. And some say, deservedly so.

A common complaint surrounding the WildList concerns the type of malware represented: only self-replicating viruses and worms make it onto the list - trojans, PUPs, backdoors, bots, adware, rootkits, exploits and nearly half a dozen others need not apply. With such a short list of threats eligible for participation, and such a long list of grievous offenders denied entrance, some question the relevance of the WildList.

Locale-specific malware may impact thousands or even tens of thousands of users. However, the dual reporting requirements of the WildList could prevent a geographically confined outbreak from being properly represented.

Whatever demands the most attention gets the most attention. Malware that is detected using generics, or is otherwise easily handled by the scanner, will likely be under-reported. Conversely, threats missed by competitors might be over-reported.

Having aired the dirty laundry of the WildList, is it time to pack it in and go home? Are the critics right - does the WildList lack relevance with today's threats and is there a nepotistic management style reminiscent of an old boys' club? Worse, are tests based on the WildList too easy to pass?

As much fun as it is to take cheap potshots and sling similes, the fact is the WildList is more pertinent than ever - particularly given today's threat landscape. By setting a standard, definable bar, the WildList has consistently improved detection across the board. Reputable anti-virus vendors must work (hard) to gain credibility, participating fully in order to engage in the sample sharing necessary to build the library of threats required to score well on the tests. But what WildList testing really offers today is a measure of trust.

The pertinence and sustainability of the WildList is due in no small part to its extensibility. The chief certification bodies - Virus Bulletin, ICSA Labs, and Checkmark - each use the WildList in some fashion as part of their overall certification procedure. This extensibility and widespread adoption has led to considerable credibility for the WildList. That credibility has, in turn, fostered trust. It is this trust that has led to the continued success of the WildList today.

Today's malware isn't a prank. It's not for fun, or for challenge, or to overcome boredom. The imagined idle pastimes of yesteryear's discontented youth are far behind us. Today's malware is about money. And social engineering - the art of tricking the user into infecting themselves - has never been stronger than it is today. One of the favourite tricks for doing this is convincing the user that their system is infected and that 'Scanner X' is the saviour they need. In violation of this trust, Scanner X drops other malware or entices the user fraudulently into paying to remove malware that doesn't actually exist.

Now take away the WildList. Absent any credible, definable, easy-to-understand and widely accepted test criteria, who are users to believe? Try explaining to your parents - or better yet, your grandparents - why Scanner X is bad and Scanner Y is good. The WildList, and the credibility it brings to the table, is the single best measure we have to draw these distinctions.

Do away with the WildList and we do away with unbiased certification agencies. Do away with the WildList and we do away with the very trust that protects the user. The shortcomings of the WildList can be solved through technology, money, and better management. But trust has to be earned. And the WildList has earned the trust of millions. Let's not consider doing away with that, just when our users need us most.
