Very often we are asked the question: why don't you provide useful malware descriptions? Wouldn't it be better for everyone? Don't you understand how important and useful it is for us to know exactly what the malware is doing, described in human-readable language? And if it also mentioned the relevant CVE numbers, so we know which vulnerabilities it exploited? We'd also like this analysis to cover the possible sources of the malware, similarities to other malware, the full list of files it creates, and detailed instructions on how to remove it. Don't you think this would be useful?
And we always answer: yes, we do understand its usefulness. But unfortunately, the economic reality ensures this is not going to happen.

Let's first start with the question: who should be writing that malware description? Obviously it has to be someone with an engineering background. But even this person wouldn't know much about the malware unless he or she is a malware researcher, or works directly with one. In any case, the details about the malware, if not the complete description, have to come from someone who is capable of doing malware research, has reverse-engineering experience and deep knowledge of malware.

And malware researchers are rare and expensive. Turning someone who is already a senior software engineer with knowledge of assembler, reverse engineering and many languages into a malware researcher takes an additional 6-12 months of training. Those people are thus a precious, limited and rare resource.
They are also usually busy, as their responsibilities typically include things such as:
- Adding detections for new malware;
- Improving existing generic and heuristic-based detections;
- Adding or improving disinfection procedures;
- Fixing engine crashes, bugs and false positives.
- It is possible to provide you with automated details of what the malware does when run in an automated sandbox. Those would be highly technical and of little value to anyone not familiar with OS API calls, but generating them would require no human effort.
Two problems with this solution: first, an expected increase in support calls from users asking what this particular text means (“I just used a (competitor vendor), but got infected with this malware, and I read your description and don't understand how to remove it, please tell me”). Second, this would provide valuable information to some security companies that try to compete with Bitdefender without investing proper resources into researching malware themselves.
- It is possible to provide an automated human-readable description based on the malware name. For example, something like “Win32.Trojan.Ransomware.Locky” can generate something like:
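As an added illustration of this second option (example code written for this page, not Bitdefender's own description generator), the following Python turns a hierarchical detection name into a short plain-language description. The dotted Platform.Type.Behaviour.Family[.Variant] layout and the small vocabulary tables are assumptions made for the example; real vendor naming schemes differ, and the point is that a generator must also cope with tokens it does not recognise rather than emit a confident but wrong sentence.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed vocabulary for the example. A production generator would carry the
# vendor's real naming scheme here; these entries are illustrative only.
PLATFORMS = {
    "win32": "32-bit Windows",
    "win64": "64-bit Windows",
    "android": "Android",
    "js": "JavaScript",
}
TYPES = {
    "trojan": "a Trojan (malware disguised as or bundled with legitimate software)",
    "worm": "a worm (self-propagating over networks or removable media)",
    "adware": "adware",
}
BEHAVIOURS = {
    "ransomware": "encrypts the victim's files and demands payment for the key",
    "downloader": "downloads and runs additional malicious components",
    "banker": "steals online banking credentials",
    "spy": "collects keystrokes, screenshots or other private data",
}

# Assumed variant convention: a trailing token of 1-3 capital letters (".A", ".BX").
_VARIANT = re.compile(r"^[A-Z]{1,3}$")


@dataclass
class Detection:
    """Structured view of one detection name (assumed layout)."""
    platform: Optional[str] = None
    kind: Optional[str] = None
    behaviour: Optional[str] = None
    family: Optional[str] = None
    variant: Optional[str] = None
    unknown: list = field(default_factory=list)


def parse_detection_name(name: str) -> Detection:
    """Split a dotted detection name into its components.

    Classifier tokens are matched against the vocabulary tables; the first
    remaining token is taken as the family name and anything after it is kept
    as 'unknown' so the caller can see what the generator could not interpret.
    """
    parts = [p for p in name.strip().split(".") if p]
    if not parts:
        raise ValueError("empty detection name")
    det = Detection()
    # A variant suffix only makes sense after at least one other token.
    if len(parts) > 1 and _VARIANT.match(parts[-1]):
        det.variant = parts.pop()
    for token in parts:
        key = token.lower()
        if det.platform is None and key in PLATFORMS:
            det.platform = key
        elif det.kind is None and key in TYPES:
            det.kind = key
        elif det.behaviour is None and key in BEHAVIOURS:
            det.behaviour = key
        elif det.family is None:
            det.family = token  # first unclassified token is the family
        else:
            det.unknown.append(token)
    return det


def describe(name: str) -> str:
    """Render a human-readable description from a detection name."""
    d = parse_detection_name(name)
    subject = d.family or "This detection"
    what = TYPES.get(d.kind, "malware")  # fall back to a neutral noun
    where = f" targeting {PLATFORMS[d.platform]}" if d.platform else ""
    sentences = [f"{subject} is {what}{where}."]
    if d.behaviour:
        sentences.append(f"It {BEHAVIOURS[d.behaviour]}.")
    if d.variant:
        sentences.append(f"This is variant {d.variant} of the family.")
    if d.unknown:
        # Surface what was not understood instead of silently dropping it.
        sentences.append("Unrecognised name components: " + ", ".join(d.unknown) + ".")
    return " ".join(sentences)


if __name__ == "__main__":
    for n in ("Win32.Trojan.Ransomware.Locky", "Android.Spy.Agent.BX", "Win32.Trojan.Generic.Foo"):
        print(n, "->", describe(n))
```

The vocabulary tables are deliberately the only place where knowledge about the malware lives: a description produced this way can never say more than the name already encodes, which is exactly the limitation the text above describes, and the `unknown` list makes that boundary visible to whoever reads the output.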
Depending on who's asking, “you” could mean either “Bitdefender” or “anti-malware companies”, as this is a common situation for all security companies.