Righard Zwienenberg ESET
Richard Ford Florida Institute of Technology
Thomas Wegele Avira
download slides (PDF)
Tracking malware threats that users have encountered 'in the wild' has a long history, and is an excellent example of collaboration within the anti-virus industry. For over a decade, the industry has standardized on the WildList, founded by Joe Wells, and currently run by ICSALabs. For many years, this list of active threats has served testers, users, and developers well, but it is not devoid of problems. In particular, the change in the nature of online threats has left the WildList trailing the 'real-time' threat, making it unsuitable for effective 'in-the-wild' testing.
In this presentation we explore the shortcomings of the WildList, and introduce our solution, the Real Time Threat List (RTTL). This list, hosted and sponsored by AMTSO, is based upon Avira's sample sharing system, and is designed to provide a real-time view of threats as they are found in the wild. The list allows for customization of queries to provide testers with information about specific threats in specific regions, as well as several other interesting test scenarios.
The design of the RTTL is such that all AMTSO members can contribute samples to the system. Furthermore, the system lowers the workload for many vendors who already participate in the existing Avira system. As such, we believe it represents a more forward-looking way to track and catalogue in-the-wild threats.
During the talk, we will show the prototype system, and also discuss how we see the system evolving and the new test scenarios that the RTTL enables.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.