After reading on Graham Cluley’s blog that the IEEE came up with a new standard [PDF] for malware interchange, I had to check it out immediately. As always, being a cranky old man, I found several problems with the proposed standard:
- Even though the presentation has a section abou “Re-Inventing the Wheel”, it fails to mention that such sample exchange has been going on for at least a decade at this point between participants of the AV industry
- It fails to address the issue which traditionally concerned the people the most: who should the samples be shared with?
- The specification is tied strictly to proprietary products, where at least comparable (if not better) open products exists, the adopting of which would ensure that these files can be easily processed on any platform: RAR and PGP. While they both are excellent products, their selection also means that there is a minimal license fee for anybody interested in producing such archives. Also, certain encryption schemes of PGP are not implemented in GnuPG because of patent concerns, but the document doesn’t mention this. A much better option would have been to go with 7-zip and GnuPG for example (and explicitly stating that patent encumbered encryption algorithms won’t be used).
- The strictly defined attributes (like md5, sha1, sha256) can be easily recalculated at the receiving end. You might argue that they provide an integrity check, however the presentation explicitly states that the archive provides this function – “RAR-archived (for integrity checking)”
- Some of the definitions are lacking in detail – for example they introduce a “classification” tag, but it doesn’t seem to include timestamp / engine version / signature version information. Without these, in todays dynamic world, the information is not very useful.
- Many of the fields are “free-form”, meaning that no complete automatic parsing can be done.
The conclusion? This format doesn’t bring anything new to the table and is (as it stands) just a poorly thought out waste of time.