Backdoor

Thread starter: Shonk
David H. Lipman said:
From: "Hoosier Daddy" <[email protected]>

| http://securityresponse.symantec.com/avcenter/venc/data/backdoor.delf.family.html

That URL doesn't support nor contradict Ian's statement.

It does state "backdoor.delf.family" which does indicate "delf" as a family name
for this according to Symantec.
The other thing is what Kaspersky may call an infector Delf isn't necessarily what Symantec
calls an infector Delf.

Most of Kaspersky's writeups for backdoor delf's list Symantec's backdoor.delf.family as
an AKA.
 
From: "Hoosier Daddy" <[email protected]>

|>> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.delf.family.html
|
| It does state "backdoor.delf.family" which does indicate "delf" as a family name
| for this according to Symantec.
|
| Most of Kaspersky's writeups for backdoor delf's list Symantec's backdoor.delf.family as
| an AKA.

Yeah I have tried cross-referencing infectors and they are as often wrong as they are right.

Since you are doing the research, see WHY the family Delf is called Delf. I'd be
interested in the results. :-)
 
David H. Lipman said:
From: "Hoosier Daddy" <[email protected]>

|>> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.delf.family.html
|
| It does state "backdoor.delf.family" which does indicate "delf" as a family name
| for this according to Symantec.
|
| Most of Kaspersky's writeups for backdoor delf's list Symantec's backdoor.delf.family as
| an AKA.

Yeah I have tried cross-referencing infectors and they are as often wrong as they are right.

Since you are doing the research, see WHY the family Delf is called Delf. I'd be
interested in the results. :-)

I'm guessing that Ian is right so far as the name might indicate the programming
language used. It would not be unexpected that a malware author use the same
language with new versions. But I have to ask myself why there wouldn't be the
same effect with a name such as 'backdoor.C++.a'.

Tried to find info on what I assumed would be the first one (the dot A one) and
didn't have much luck. Moving across the chasm between vendors (the names
are always different) I find

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_DELF.A&VSect=T

confirming the language the programmer used was Borland's Delphi.

Is the programming language used, enough of a factor to warrant it being used as
a 'name' (albeit misspelled)? Part of a name I can see, but other than 'delf' there
is no other part of the string that could be used. I conclude that they used the
fact of language used to create the name 'delf' and it just so happens that other
related malware was written in the same language, and likely by the same author.

Do you agree that the name 'delf' is as good a name as 'sobig' is and that future
family members might not have the 'birthmark' that gave the family its name?
 
From: "Hoosier Daddy" <[email protected]>

|>>>> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.delf.family.html
|>>
|>> It does state "backdoor.delf.family" which does indicate "delf" as a family name
|>> for this according to Symantec.
|>>
|>> Most of Kaspersky's writeups for backdoor delf's list Symantec's backdoor.delf.family as
|>> an AKA.
|
| I'm guessing that Ian is right so far as the name might indicate the programming
| language used. It would not be unexpected that a malware author use the same
| language with new versions. But I have to ask myself why there wouldn't be the
| same effect with a name such as 'backdoor.C++.a'.
|
| Tried to find info on what I assumed would be the first one (the dot A one) and
| didn't have much luck. Moving across the chasm between vendors (the names
| are always different) I find
|
| http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_DELF.A&VSect=T
|
| confirming the language the programmer used was Borland's Delphi.
|
| Is the programming language used, enough of a factor to warrant it being used as
| a 'name' (albeit misspelled)? Part of a name I can see, but other than 'delf' there
| is no other part of the string that could be used. I conclude that they used the
| fact of language used to create the name 'delf' and it just so happens that other
| related malware was written in the same language, and likely by the same author.
|
| Do you agree that the name 'delf' is as good a name as 'sobig' is and that future
| family members might not have the 'birthmark' that gave the family its name?
|
Already the naming convention can use the following (based upon McAfee naming convention)

JS, JV -- Java
VB, VBS -- Visual Basic
CSC -- Corel Script
Perl -- Perl Script
PHP -- PHP Script

Naming conventions vary so widely.
What one calls the Bagle another calls the Beagle.
What one calls the Licum another calls the Gael.
What one calls the Luhn another calls the Sklog.
What one calls the Toxic another calls the Tackag.

I can keep on going, but I won't; you have the idea.
 
David H. Lipman said:
| Do you agree that the name 'delf' is as good a name as 'sobig' is and that future
| family members might not have the 'birthmark' that gave the family its name?
|
Already the naming convention can use the following (based upon McAfee naming convention)

JS, JV -- Java
VB, VBS -- Visual Basic
CSC -- Corel Script
Perl -- Perl Script
PHP -- PHP Script

Yes, but always when used in a name there is a manufactured name to go with. In
the case of "Backdoor.Win32.Delf.a" there is no other manufactured name than
'delf'. The "backdoor", "Win32", and "a" have real meaning and the 'delf' is a made
up word (like sobig).

It may be called "Delf" because the first of similarly constructed backdoors was
written in Delphi. It might not be necessary for all subsequent similarly coded
versions to be written in the same language (though this may be a contributing
factor to the similarity).

If, for the Delphi backdoor, they had chosen the name "Phi" instead of 'Delf',
we wouldn't be having this discussion even if the writeups happened to say
it or they was or were written in Delphi.

The software (or hardware) platform is more important than the language.
Most of the other language based names you mention are probably used
because of the software environment component needed to execute the
malware.
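The thread compares three vendors' spellings of one backdoor family (Kaspersky's "Backdoor.Win32.Delf.a", Symantec's "backdoor.delf.family", Trend Micro's "BKDR_DELF.A") and complains that cross-referencing AKAs is error-prone. As an added example, not code from any poster or vendor, here is a small Python normaliser that splits such names into type/platform/family/variant and answers only the question the AKA lists can actually answer: whether two names point at the same family. The platform prefix table and the family alias sets are constructed from the examples quoted in the thread and are not any vendor's official lists.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Platform / language prefixes quoted in the thread (McAfee convention) plus
# the Win32 forms; a constructed lookup table, not any vendor's official list.
PLATFORMS = {"JS": "Java", "JV": "Java", "VB": "Visual Basic", "VBS": "Visual Basic",
             "CSC": "Corel Script", "PERL": "Perl Script", "PHP": "PHP Script",
             "WIN32": "Win32", "W32": "Win32"}
TYPES = {"BACKDOOR": "backdoor", "BKDR": "backdoor",  # BKDR is Trend Micro's spelling
         "TROJAN": "trojan", "WORM": "worm", "VIRUS": "virus"}
# Cross-vendor family aliases named in the thread; each set is one family.
FAMILY_ALIASES = [{"bagle", "beagle"}, {"licum", "gael"},
                  {"luhn", "sklog"}, {"toxic", "tackag"}]

@dataclass
class MalwareName:
    kind: Optional[str]
    platform: Optional[str]
    family: str
    variant: Optional[str]

def parse_name(name: str) -> MalwareName:
    """Split a vendor detection name into type/platform/family/variant.
    Covers the layouts quoted in the thread: Kaspersky 'Backdoor.Win32.Delf.a',
    Symantec 'backdoor.delf.family' and Trend Micro 'BKDR_DELF.A'."""
    tokens = [t for t in re.split(r"[._/]", name.strip()) if t]
    if len(tokens) > 1 and tokens[-1].lower() == "family":  # Symantec family page
        tokens.pop()
    kind = platform = variant = None
    if len(tokens) > 1 and tokens[0].upper() in TYPES:
        kind = TYPES[tokens.pop(0).upper()]
    if len(tokens) > 1 and tokens[0].upper() in PLATFORMS:
        platform = PLATFORMS[tokens.pop(0).upper()]
    if len(tokens) > 1 and re.fullmatch(r"[A-Za-z]{1,2}", tokens[-1]):
        variant = tokens.pop().lower()  # trailing ".a" / ".A" variant letter
    return MalwareName(kind, platform, ".".join(tokens), variant)

def canonical_family(family: str) -> str:
    """Map vendor-specific spellings to one canonical (lowercase) family key."""
    key = family.lower()
    for group in FAMILY_ALIASES:
        if key in group:
            return min(group)
    return key

def same_family(a: str, b: str) -> bool:
    """True if two vendor names refer to the same family; variant is ignored,
    since that is all the AKA cross-references in the thread promise."""
    return canonical_family(parse_name(a).family) == canonical_family(parse_name(b).family)

if __name__ == "__main__":
    for n in ("Backdoor.Win32.Delf.a", "backdoor.delf.family", "BKDR_DELF.A"):
        print(n, "->", parse_name(n))
```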
 