Network Working Group                                               seak
Internet-Draft                                               Kang. sandy
Intended status: Standards Track                              Antiy Labs
Expires: January 13, 2009                                  July 12, 2008


                    AntiVirus Markup Language(AVML)
                       draft-malware-avml-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 13, 2009.


seak & sandy            Expires January 13, 2009                [Page 1]

Internet-Draft       AntiVirus Markup Language(AVML)           July 2008


Abstract

   This document describes the AntiVirus Markup Language (AVML).  AVML
   is a common standard language for the storage, exchange and
   statistical analysis of malicious-software information.  Malware
   information described in AVML is easier to process in a distributed
   system, and at the same time it remains readable by people.  This
   document defines AVML and explains the elements of AVML.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Requirements . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Goals  . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.3.  The Role of AVML on the Web  . . . . . . . . . . . . . . .  3
   2.  AVML Fundamentals  . . . . . . . . . . . . . . . . . . . . . .  4
     2.1.  AVML Overview  . . . . . . . . . . . . . . . . . . . . . .  4
     2.2.  AVML Examples  . . . . . . . . . . . . . . . . . . . . . .  4
     2.3.  AVML Syntax and Grammar  . . . . . . . . . . . . . . . . .  5
   3.  AVML Element . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.1.  Malware Source . . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Malware File Information . . . . . . . . . . . . . . . . .  6
     3.3.  Virus information  . . . . . . . . . . . . . . . . . . . .  8
     3.4.  Malware behavior elements  . . . . . . . . . . . . . . . .  8
   4.  Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     4.1.  Schema of AVML . . . . . . . . . . . . . . . . . . . . . . 10
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 16
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 17
   7.  Informative References . . . . . . . . . . . . . . . . . . . . 18
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
   Intellectual Property and Copyright Statements . . . . . . . . . . 20


1.  Introduction

1.1.  Requirements

   The number and the variety of malicious software have increased
   dramatically [ksb2007], and exchanging malware information has
   become very difficult.  Different anti-virus vendors cannot share
   information, and the HTML format of a malware analysis report is
   difficult for a program to process.  We need a unified
   information-description language for large-scale network malware
   warning, defense and analysis.

1.2.  Goals

   In order to meet the diverse needs of virus information extraction
   and exchange in a large-scale network environment, AVML has been
   designed with the following ultimate goals in mind:

   Plain-text representation

   Description of almost all virus information

   Easy to read by both programs and people

   Facilitation of scientific statistics

   Scalability

1.3.  The Role of AVML on the Web

   AVML can be used to collect malware information from a large number
   of heterogeneous terminals.  Using this information, a central
   system can carry out large-scale comprehensive early warning,
   defense and disposal.


2.  AVML Fundamentals

2.1.  AVML Overview

   The Antivirus Markup Language (AVML) is an application of XML; it is
   used to describe malware information in a distributed system.

2.2.  AVML Examples

   See the following example:

   <VxSample>
      <Hash>
         <PARENTMD5>54ee11ec3aa13846d95314b6fea400fc</PARENTMD5>
      </Hash>
      <FileInfo>
         <Format>Binary File</Format>
         <FileSize>63928</FileSize>
         <HASH>
            <MD5>848a0fe121f1ff0c06a1cd8ef30a230e</MD5>
         </HASH>
         <PEStruct>
            <Detail>
               <DigitalSignature>YES</DigitalSignature>
            </Detail>
            <LinkTime>2007-04-06 08:21</LinkTime>
            <Section>
               <Name>.text</Name>
               <RawOffset>0x400</RawOffset>
               <RawSize>0xB200</RawSize>
               <VirtualOffset>0x1000</VirtualOffset>
               <VirtualSize>0xB200</VirtualSize>
            </Section>
            <Section>
               <Name>.rdata</Name>
               <RawOffset>0xB600</RawOffset>
               <RawSize>0x1400</RawSize>
               <VirtualOffset>0xD000</VirtualOffset>
               <VirtualSize>0x1370</VirtualSize>
            </Section>
            <Section>
               <Name>.data</Name>
               <RawOffset>0xCA00</RawOffset>
               <RawSize>0x200</RawSize>
               <VirtualOffset>0xF000</VirtualOffset>
               <VirtualSize>0x1804</VirtualSize>
            </Section>
            <ImportTable>
               <DLL>ntoskrnl.exe</DLL>
               <DLLName name="ntoskrnl.exe">
                  <API>strlen</API>
                  <API>strrchr</API>
                  <API>RtlUnicodeStringToAnsiString</API>
                  <API>ZwQueryValueKey</API>
                  <API>RtlInitUnicodeString</API>
               </DLLName>
               <DLL>HAL.dll</DLL>
               <DLLName name="HAL.dll">
                  <API>ExReleaseFastMutex</API>
                  <API>KeGetCurrentIrql</API>
                  <API>KfRaiseIrql</API>
                  <API>KfLowerIrql</API>
                  <API>ExAcquireFastMutex</API>
               </DLLName>
            </ImportTable>
         </PEStruct>
         <Format>DOS Program</Format>
         <Format>PE Program</Format>
      </FileInfo>
      <VirusInfo>
         <AVL>
            <VirusName>Backdoor.IRC.Elkcro</VirusName>
         </AVL>
      </VirusInfo>
   </VxSample>


   In this example, the AVML root element is VxSample.

   Only part of the file information is present in this AVML document.
   The elements are defined in the AVML schema; see the Appendix.
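   The following Python program is added here as an example; it is not
   part of the draft or of Antiy's tooling.  It reads the document above
   (embedded as a constructed string with well-formed tags) using only
   the standard library and turns it into a record a distributed system
   can store or count: hashes, formats, section layout, imports grouped
   by module, and detection names.  The looks_like_driver heuristic
   (imports resolved from ntoskrnl.exe or hal.dll are characteristic of
   kernel-mode drivers) and the section raw-range check are the
   example's own additions.  AVML documents typically arrive from
   untrusted uploads, so a production consumer should parse them with a
   hardened parser such as defusedxml rather than xml.etree directly.

```python
import xml.etree.ElementTree as ET

# Constructed input: the Section 2.2 sample with well-formed tags
# (attribute quoted, each PE section in its own <Section>).
SAMPLE_AVML = """<VxSample>
  <Hash><PARENTMD5>54ee11ec3aa13846d95314b6fea400fc</PARENTMD5></Hash>
  <FileInfo>
    <Format>Binary File</Format>
    <FileSize>63928</FileSize>
    <HASH><MD5>848a0fe121f1ff0c06a1cd8ef30a230e</MD5></HASH>
    <PEStruct>
      <Detail><DigitalSignature>YES</DigitalSignature></Detail>
      <LinkTime>2007-04-06 08:21</LinkTime>
      <Section><Name>.text</Name><RawOffset>0x400</RawOffset>
        <RawSize>0xB200</RawSize><VirtualOffset>0x1000</VirtualOffset>
        <VirtualSize>0xB200</VirtualSize></Section>
      <Section><Name>.rdata</Name><RawOffset>0xB600</RawOffset>
        <RawSize>0x1400</RawSize><VirtualOffset>0xD000</VirtualOffset>
        <VirtualSize>0x1370</VirtualSize></Section>
      <Section><Name>.data</Name><RawOffset>0xCA00</RawOffset>
        <RawSize>0x200</RawSize><VirtualOffset>0xF000</VirtualOffset>
        <VirtualSize>0x1804</VirtualSize></Section>
      <ImportTable>
        <DLL>ntoskrnl.exe</DLL>
        <DLLName name="ntoskrnl.exe"><API>strlen</API><API>strrchr</API>
          <API>RtlUnicodeStringToAnsiString</API><API>ZwQueryValueKey</API>
          <API>RtlInitUnicodeString</API></DLLName>
        <DLL>HAL.dll</DLL>
        <DLLName name="HAL.dll"><API>ExReleaseFastMutex</API>
          <API>KeGetCurrentIrql</API><API>KfRaiseIrql</API>
          <API>KfLowerIrql</API><API>ExAcquireFastMutex</API></DLLName>
      </ImportTable>
    </PEStruct>
    <Format>DOS Program</Format>
    <Format>PE Program</Format>
  </FileInfo>
  <VirusInfo><AVL><VirusName>Backdoor.IRC.Elkcro</VirusName></AVL></VirusInfo>
</VxSample>
"""

# Modules that only kernel-mode code links against (example heuristic).
KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll"}


def _hex(text):
    """AVML writes offsets and sizes as 0x-prefixed hex strings."""
    return int(text.strip(), 16)


def parse_vxsample(avml_text):
    """Turn one AVML <VxSample> document into a plain dict."""
    root = ET.fromstring(avml_text)
    if root.tag != "VxSample":
        raise ValueError(f"expected <VxSample> root, got <{root.tag}>")
    info = root.find("FileInfo")
    if info is None:
        raise ValueError("missing <FileInfo>")
    record = {
        "parent_md5": root.findtext("Hash/PARENTMD5"),
        "md5": info.findtext("HASH/MD5"),
        "size": int(info.findtext("FileSize")),
        "formats": [f.text.strip() for f in info.findall("Format")],
        "signed": info.findtext("PEStruct/Detail/DigitalSignature") == "YES",
        "link_time": info.findtext("PEStruct/LinkTime"),
        "sections": [],
        "imports": {},
        "names": [v.text.strip() for v in root.iter("VirusName")],
    }
    for sec in info.findall("PEStruct/Section"):
        record["sections"].append({
            "name": sec.findtext("Name").strip(),
            "raw_offset": _hex(sec.findtext("RawOffset")),
            "raw_size": _hex(sec.findtext("RawSize")),
            "virtual_offset": _hex(sec.findtext("VirtualOffset")),
            "virtual_size": _hex(sec.findtext("VirtualSize")),
        })
    for dll in info.findall("PEStruct/ImportTable/DLLName"):
        record["imports"][dll.get("name")] = [a.text.strip() for a in dll.findall("API")]
    return record


def looks_like_driver(record):
    """True when any import module is one only kernel-mode drivers use."""
    return any(m.lower() in KERNEL_MODULES for m in record["imports"])


def sections_outside_file(record):
    """Names of sections whose raw data extends past the reported file size."""
    return [s["name"] for s in record["sections"]
            if s["raw_offset"] + s["raw_size"] > record["size"]]


if __name__ == "__main__":
    rec = parse_vxsample(SAMPLE_AVML)
    print(rec["md5"], rec["names"], "driver" if looks_like_driver(rec) else "user-mode")
```

   Offsets are converted to integers once, at parse time, so that every
   later consumer (statistics, consistency checks, signature matching)
   works on numbers rather than on the hex strings the schema types as
   xs:string.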

2.3.  AVML Syntax and Grammar

   AVML is an application of XML, or Extensible Markup Language, and as
   such its syntax is governed by the rules of XML syntax, and its
   grammar is in part specified by a schema.  In other words, the
   details of using tags, attributes, entity references and so on are
   defined in the XML language specification, and the details about AVML
   element and attribute names, which elements can be nested inside
   each other, and so on are specified in the AVML schema.


3.  AVML Element

   This section gives the meaning of some elements in AVML.  For all
   elements, see the AVML schema in the Appendix.

3.1.  Malware Source

   Malware arrives in different ways, such as upload by anti-virus
   software users or capture by a honeypot.  From this information,
   anti-virus organizations can forecast malware outbreak trends and
   trace a sample's source.

   SourceList: Malware sample source list.

   Source Type: Source type; one of user upload, honeypot, anti-virus
   company, sample exchange.

   Priority: Upload priority, representing the reporting priority of
   this channel.  Note: a sample's priority is the maximum of the
   priorities of all channels that reported it.

   FileNameList: Sample file name list

   FileName: Sample file name

   AttackIPList: Attack IP list

   DateTimeFirst: Attack start time

   DateTimeLast: Attack end time

   IPAddr: Attack IP address

   RepeatCount: Attack count

   AttackWay: Attack method
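   The priority rule and the per-channel attack records above are what a
   central system aggregates.  The Python program below is an added
   example, not part of the draft: it merges the Source elements that
   several channels reported for one sample, applies the draft's rule
   that the sample priority is the maximum over channels, and totals
   attack counts per IP address.  The wrapping SourceList element, the
   two channel records, the addresses (RFC 5737 documentation ranges)
   and the reading of Priority as an integer where a larger number means
   higher priority are all assumptions of this example; the Appendix
   schema types Priority as xs:string and does not declare SourceList.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed reports: two channels reporting the same sample.
SOURCE_REPORTS = """<SourceList>
  <Source Type="honeypot" FeesBack="no">
    <Name>hp-node-03</Name>
    <Priority>2</Priority>
    <FileNameList><FileName>svchost32.exe</FileName></FileNameList>
    <Feedback><EMail>sensor@example.net</EMail></Feedback>
    <AttackIPList orderid="1">
      <IPINFO>
        <DateTimeFirst>2008-07-01 10:00</DateTimeFirst>
        <DateTimeLast>2008-07-01 11:30</DateTimeLast>
        <IPAddr>192.0.2.10</IPAddr>
        <RepeatCount>17</RepeatCount>
      </IPINFO>
      <IPINFO>
        <DateTimeFirst>2008-07-01 12:05</DateTimeFirst>
        <DateTimeLast>2008-07-01 12:06</DateTimeLast>
        <IPAddr>198.51.100.7</IPAddr>
        <RepeatCount>3</RepeatCount>
      </IPINFO>
    </AttackIPList>
    <AttackWay>network scan</AttackWay>
  </Source>
  <Source Type="user upload" FeesBack="yes">
    <Name>customer-portal</Name>
    <Priority>5</Priority>
    <FileNameList>
      <FileName>invoice.exe</FileName>
      <FileName>svchost32.exe</FileName>
    </FileNameList>
    <Feedback><EMail>user@example.org</EMail></Feedback>
    <AttackIPList orderid="2">
      <IPINFO>
        <DateTimeFirst>2008-07-02 09:00</DateTimeFirst>
        <DateTimeLast>2008-07-02 09:00</DateTimeLast>
        <IPAddr>192.0.2.10</IPAddr>
        <RepeatCount>4</RepeatCount>
      </IPINFO>
    </AttackIPList>
    <AttackWay>email attachment</AttackWay>
  </Source>
</SourceList>
"""


def summarize_sources(avml_text):
    """Merge every <Source> that reported one sample into a summary dict."""
    root = ET.fromstring(avml_text)
    sources = root.findall("Source")
    if not sources:
        raise ValueError("no <Source> elements found")
    ip_counts = Counter()   # total RepeatCount per attacking address
    first_seen = {}         # earliest DateTimeFirst per address
    for src in sources:
        for info in src.findall("AttackIPList/IPINFO"):
            ip = info.findtext("IPAddr").strip()
            ip_counts[ip] += int(info.findtext("RepeatCount"))
            seen = info.findtext("DateTimeFirst").strip()
            # "YYYY-MM-DD HH:MM" sorts correctly as a string
            first_seen[ip] = min(first_seen.get(ip, seen), seen)
    return {
        # draft rule: the sample takes the maximum priority over channels
        "priority": max(int(s.findtext("Priority")) for s in sources),
        "channels": [(s.get("Type"), s.findtext("Name")) for s in sources],
        "file_names": sorted({f.text.strip() for s in sources
                              for f in s.iter("FileName")}),
        "attack_ways": sorted({s.findtext("AttackWay") for s in sources}),
        "ip_counts": dict(ip_counts),
        "first_seen": first_seen,
    }


if __name__ == "__main__":
    summary = summarize_sources(SOURCE_REPORTS)
    print("priority", summary["priority"], "ips", summary["ip_counts"])
```

   The same address reported by two channels is counted once per
   channel and summed, which is the statistic a central early-warning
   system needs when ranking attacking hosts; the earliest first-seen
   time per address is kept alongside so trends can be plotted.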

3.2.  Malware File Information

   AVML file information elements describe the malware file's basic
   information, structure information and some heuristic information.

   File Format : File format, such as Bin, DOS, PE

   CompilerInfo : Compiler information

   FileSize : File size

   MD5 : MD5 hash of the file

   CRC32 : CRC32 checksum of the file

   SHA1 : SHA-1 hash of the file

   CreateTimeFile : File creation time

   ModifytimeFile : File modification time

   Package : Package name

   ShellInfor : Shell (packer) name

   PEStruct : PE file structure information

   DigitalSignature : Whether a digital signature is present

   LinkTime : PE file link time

   ImportTable : Import table information

   DLL : Dynamic-link library

   API : API name

   Section : PE section

   RawOffset : Section raw offset

   RawSize : Section raw size

   VirtualOffset : Section virtual offset

   VirtualSize : Section virtual size

   URL : URLs contained in the file

   FileDetails : File detail information

   OriginalFilename : Original filename

   FileDescription : File description

   ProductName : Product name

   InternalName : Internal name

   CompanyName : Company name

   LegalCopyright : Legal copyright

   ProductVersion : Product version

   FileVersion : File version

   ImageBase : PE image base

   EntryPoint : Program entry point

   VCS : Heuristic characteristic signs

3.3.  Virus Information

   VirusInfo: Virus Information

   AVEngine: Antivirus scan engine

   VirusName : Virus Name

   ScanTime: Scan Time

3.4.  Malware behavior elements

   Behavior : Malware event list.

   Event : An event in which the malware changes the system.

   EventType : net, file, registry, process, memory, etc.

   Who : The malware process, DLL module or other active subject.

   Path : File path or registry path.

   Act : create, modify, delete, etc.

   Status : success, failure, etc.

   Detail : Other information.

   The following is an AVML example of malware behavior:

   <VxSample>
      <Behavior>
         <Event>
            <EventType>FILE</EventType>
            <Who>xx.exe</Who>
            <Path>%System32%\atielf.dat</Path>
            <Act>CREATE</Act>
            <Status>SUCCESS</Status>
         </Event>
         <Event>
            <EventType>REGISTER</EventType>
            <Who>xx.exe</Who>
            <Path>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
            \CurrentVersion\Image File Execution Options\aver.exe</Path>
            <Act>CREATE</Act>
            <Status>SUCCESS</Status>
         </Event>
         <!-- further events omitted -->
      </Behavior>
   </VxSample>
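   The registry event in this example is the one a defender cares about
   most: a key created under Image File Execution Options, which Windows
   consults whenever the named program is started, so a write there can
   redirect or block a security tool.  The Python program below is an
   added example, not part of the draft; it runs a small rule table over
   the Behavior events of a VxSample and returns the findings a central
   system could alert on.  The rule names, severities and the third
   (failed) event are constructed; events whose Status is not SUCCESS
   are skipped because they did not change the system.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed input: the draft's two events plus a failed deletion.
BEHAVIOR_AVML = r"""<VxSample>
  <Behavior>
    <Event>
      <EventType>FILE</EventType><Who>xx.exe</Who>
      <Path>%System32%\atielf.dat</Path>
      <Act>CREATE</Act><Status>SUCCESS</Status>
    </Event>
    <Event>
      <EventType>REGISTER</EventType><Who>xx.exe</Who>
      <Path>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aver.exe</Path>
      <Act>CREATE</Act><Status>SUCCESS</Status>
    </Event>
    <Event>
      <EventType>FILE</EventType><Who>xx.exe</Who>
      <Path>C:\Temp\readme.txt</Path>
      <Act>DELETE</Act><Status>FAILURE</Status>
    </Event>
  </Behavior>
</VxSample>
"""


@dataclass
class Finding:
    rule: str
    severity: str
    who: str
    path: str


# Example rule table: (EventType, Acts that matter, lower-cased path
# fragment, rule name, severity).  Names and severities are constructed.
RULES = [
    ("REGISTER", {"CREATE", "MODIFY"},
     r"\image file execution options", "ifeo-hijack", "high"),
    ("REGISTER", {"CREATE", "MODIFY"},
     r"\currentversion\run", "run-key-persistence", "medium"),
    ("FILE", {"CREATE", "MODIFY"},
     "%system32%", "system-dir-drop", "medium"),
]


def _field(event, name):
    """Text of a child element, trimmed; empty string when absent."""
    return (event.findtext(name) or "").strip()


def triage(avml_text):
    """Return the findings produced by RULES over every successful Event."""
    root = ET.fromstring(avml_text)
    findings = []
    for ev in root.iter("Event"):
        if _field(ev, "Status").upper() != "SUCCESS":
            continue  # a failed action left the system unchanged
        etype = _field(ev, "EventType").upper()
        act = _field(ev, "Act").upper()
        path = _field(ev, "Path")
        who = _field(ev, "Who")
        for rtype, acts, fragment, name, severity in RULES:
            if etype == rtype and act in acts and fragment in path.lower():
                findings.append(Finding(name, severity, who, path))
    return findings


if __name__ == "__main__":
    for f in triage(BEHAVIOR_AVML):
        print(f"[{f.severity}] {f.rule}: {f.who} -> {f.path}")
```

   Matching is done on the lower-cased path so that the mixed case seen
   in real registry paths does not defeat a rule, and each event can
   match several rules, which is what an analyst wants when one write
   satisfies more than one indicator.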


4.  Appendix

4.1.  Schema of AVML

   AVML schema:

   <?xml version="1.0" encoding="ISO-8859-1" ?>
   <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <!-- Global attribute declarations; the ref="..." attribute uses
        below require them. -->
   <xs:attribute name="orderid" type="xs:string"/>
   <xs:attribute name="Type" type="xs:string"/>
   <xs:attribute name="FeesBack" type="xs:string"/>
   <xs:attribute name="name" type="xs:string"/>
   <xs:element name="Name" type="xs:string"/>
   <xs:element name="Priority" type="xs:string"/>
   <xs:element name="FileName" type="xs:string"/>
   <xs:element name="EMail" type="xs:string"/>
   <xs:element name="DateTimeFirst" type="xs:string"/>
   <xs:element name="DateTimeLast" type="xs:string"/>
   <xs:element name="IPAddr" type="xs:string"/>
   <xs:element name="RepeatCount" type="xs:string"/>
   <xs:element name="AttackWay" type="xs:string"/>
   <xs:element name="FileNameList">
     <xs:complexType>
       <xs:sequence>
          <xs:element ref="FileName" maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="Feedback">
     <xs:complexType>
       <xs:sequence>
          <xs:element ref="EMail"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="IPINFO">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="DateTimeFirst"/>
         <xs:element ref="DateTimeLast"/>
         <xs:element ref="IPAddr"/>
         <xs:element ref="RepeatCount"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="AttackIPList">
     <xs:complexType>
       <xs:sequence>
          <xs:element ref="IPINFO" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute ref="orderid" use="required"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="Source">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="Name"/>
         <xs:element ref="Priority"/>
         <!-- the sample file name list described in Section 3.1 -->
         <xs:element ref="FileNameList"/>
         <xs:element ref="Feedback"/>
         <xs:element ref="AttackIPList"/>
         <xs:element ref="AttackWay"/>
       </xs:sequence>
       <xs:attribute ref="Type" use="required"/>
       <xs:attribute ref="FeesBack" use="required"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="MD5" type="xs:string"/>
   <xs:element name="CRC32" type="xs:string"/>
   <xs:element name="SHA1" type="xs:string"/>
   <xs:element name="Format" type="xs:string"/>
   <xs:element name="CreateTime" type="xs:string"/>
   <xs:element name="ModifyTime" type="xs:string"/>
   <xs:element name="PELinkTime" type="xs:string"/>
   <xs:element name="FileSize" type="xs:string"/>
   <xs:element name="Package" type="xs:string"/>
   <xs:element name="ShellInfor" type="xs:string"/>
   <xs:element name="DigitalSignature" type="xs:string"/>
   <xs:element name="OriginalFilename" type="xs:string"/>
   <xs:element name="FileDescription" type="xs:string"/>
   <xs:element name="ProductName" type="xs:string"/>
   <xs:element name="InternalName" type="xs:string"/>
   <xs:element name="CompanyName" type="xs:string"/>
   <xs:element name="LegalCopyright" type="xs:string"/>
   <xs:element name="ProductVersion" type="xs:string"/>
   <xs:element name="FileVersion" type="xs:string"/>
   <xs:element name="ImageBase" type="xs:string"/>
   <xs:element name="EntryPoint" type="xs:string"/>
   <xs:element name="DLL" type="xs:string"/>
   <xs:element name="API" type="xs:string"/>
   <xs:element name="VirtualSize" type="xs:string"/>
   <xs:element name="VirtualOffset" type="xs:string"/>
   <xs:element name="RawSize" type="xs:string"/>
   <xs:element name="RawOffset" type="xs:string"/>
   <xs:element name="URL" type="xs:string"/>
   <xs:element name="Hash">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="MD5"/>
         <xs:element ref="CRC32"/>
         <xs:element ref="SHA1"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="FileTime">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="CreateTime"/>
         <xs:element ref="ModifyTime"/>
         <xs:element ref="PELinkTime"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="ParentHash">
     <xs:complexType>
        <xs:sequence>
          <xs:element ref="MD5"/>
          <xs:element ref="CRC32"/>
          <xs:element ref="SHA1"/>
        </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="ChildInfo">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="MD5"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="FileDetails">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="OriginalFilename"/>
         <xs:element ref="FileDescription"/>
         <xs:element ref="ProductName"/>
         <xs:element ref="InternalName"/>
         <xs:element ref="CompanyName"/>
         <xs:element ref="LegalCopyright"/>
         <xs:element ref="ProductVersion"/>
         <xs:element ref="FileVersion"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="DLLName">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="API" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute ref="name" use="required"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="ImportTable">
     <xs:complexType>
       <xs:sequence>
         <!-- one DLL / DLLName pair per imported library, as in the
              example of Section 2.2 -->
         <xs:sequence maxOccurs="unbounded">
           <xs:element ref="DLL"/>
           <xs:element ref="DLLName"/>
         </xs:sequence>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="Section">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="Name"/>
         <xs:element ref="VirtualSize"/>
         <xs:element ref="VirtualOffset"/>
         <xs:element ref="RawSize"/>
         <xs:element ref="RawOffset"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="PEStruct">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="Package"/>
         <xs:element ref="ShellInfor"/>
         <xs:element ref="DigitalSignature"/>
         <xs:element ref="FileDetails"/>
         <xs:element ref="ImageBase"/>
         <xs:element ref="EntryPoint"/>
         <xs:element ref="ImportTable"/>
         <!-- a PE file has one or more sections -->
         <xs:element ref="Section" maxOccurs="unbounded"/>
         <xs:element ref="URL" maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="VCS" type="xs:string"/>
   <xs:element name="VirusName" type="xs:string"/>
   <xs:element name="ScanTime" type="xs:string"/>
   <xs:element name="AVEngine" type="xs:string"/>
   <xs:element name="AV">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="VirusName"/>
         <xs:element ref="ScanTime"/>
         <xs:element ref="AVEngine"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="VirusInfo">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="AV" maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="EventType" type="xs:string"/>
   <xs:element name="EventName" type="xs:string"/>
   <xs:element name="Protocal" type="xs:string"/>
   <xs:element name="Signature" type="xs:string"/>
   <xs:element name="Rating" type="xs:string"/>
   <xs:element name="Accuracy" type="xs:string"/>
   <xs:element name="NeTEvent">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="EventType"/>
         <xs:element ref="EventName"/>
         <xs:element ref="Protocal"/>
         <xs:element ref="Signature"/>
         <xs:element ref="Rating"/>
         <xs:element ref="Accuracy"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <!-- Behavior event fields (Section 3.4); EventType is declared
        above and shared with NeTEvent. -->
   <xs:element name="Who" type="xs:string"/>
   <xs:element name="Path" type="xs:string"/>
   <xs:element name="Act" type="xs:string"/>
   <xs:element name="Status" type="xs:string"/>
   <xs:element name="Detail" type="xs:string"/>
   <xs:element name="Event">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="EventType"/>
         <xs:element ref="Who"/>
         <xs:element ref="Path"/>
         <xs:element ref="Act"/>
         <xs:element ref="Status"/>
         <xs:element ref="Detail"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="Behavior">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="Event" maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   </xs:schema>

   The elements defined in the AVML schema can be added in
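   A system that receives AVML from many terminals will want to check
   each document against the schema before trusting its structure.  The
   Python program below is an added example, not part of the draft: a
   minimal checker that reads the XSD with the standard library and
   enforces what the AVML schema actually expresses, namely declared
   element names, xs:sequence order and minOccurs/maxOccurs limits.  It
   covers only that subset (no simple types, attributes or nested
   sequences), so a production system should use a complete validator
   such as lxml's XMLSchema.  The embedded schema excerpt is the
   behavior part of the Appendix schema, and the two instance documents
   are constructed.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed excerpt: the behavior elements of the AVML schema.
BEHAVIOR_SCHEMA = """<?xml version="1.0" encoding="ISO-8859-1"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="EventType" type="xs:string"/>
  <xs:element name="Who" type="xs:string"/>
  <xs:element name="Path" type="xs:string"/>
  <xs:element name="Act" type="xs:string"/>
  <xs:element name="Status" type="xs:string"/>
  <xs:element name="Detail" type="xs:string"/>
  <xs:element name="Event">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="EventType"/>
        <xs:element ref="Who"/>
        <xs:element ref="Path"/>
        <xs:element ref="Act"/>
        <xs:element ref="Status"/>
        <xs:element ref="Detail"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Behavior">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Event" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""

# Constructed instance documents: one conforming, one with two defects
# (missing <Status>, undeclared <Comment>).
GOOD_DOC = r"""<Behavior>
  <Event>
    <EventType>FILE</EventType><Who>xx.exe</Who>
    <Path>%System32%\atielf.dat</Path><Act>CREATE</Act>
    <Status>SUCCESS</Status><Detail>dropped data file</Detail>
  </Event>
  <Event>
    <EventType>REGISTER</EventType><Who>xx.exe</Who>
    <Path>HKEY_LOCAL_MACHINE\SOFTWARE\Example\Key</Path><Act>CREATE</Act>
    <Status>SUCCESS</Status><Detail>constructed registry event</Detail>
  </Event>
</Behavior>
"""

BAD_DOC = r"""<Behavior>
  <Event>
    <EventType>FILE</EventType><Who>xx.exe</Who>
    <Path>C:\Temp\a.tmp</Path><Act>DELETE</Act>
    <Detail>Status element is missing</Detail>
    <Comment>not declared in the schema</Comment>
  </Event>
</Behavior>
"""


def load_schema(xsd_text):
    """Map each global element name to None (simple content) or to its
    sequence particles [(child name, minOccurs, maxOccurs or None), ...]."""
    decls = {}
    for el in ET.fromstring(xsd_text).findall(XS + "element"):
        seq = el.find(f"{XS}complexType/{XS}sequence")
        if seq is None:
            decls[el.get("name")] = None
            continue
        particles = []
        for p in seq.findall(XS + "element"):
            hi = p.get("maxOccurs", "1")
            particles.append((p.get("ref"), int(p.get("minOccurs", "1")),
                              None if hi == "unbounded" else int(hi)))
        decls[el.get("name")] = particles
    return decls


def _check(node, decls, errors, where):
    """Match node's children against its declared sequence, recursively."""
    path = f"{where}/{node.tag}"
    if node.tag not in decls:
        errors.append(f"{path}: element not declared in schema")
        return
    particles = decls[node.tag]
    children = list(node)
    if particles is None:
        if children:
            errors.append(f"{path}: simple element must not have children")
        return
    i = 0
    for name, lo, hi in particles:
        n = 0
        while (i < len(children) and children[i].tag == name
               and (hi is None or n < hi)):
            _check(children[i], decls, errors, path)
            i += 1
            n += 1
        if n < lo:
            errors.append(f"{path}: expected <{name}> (found {n}, need {lo})")
    for extra in children[i:]:
        errors.append(f"{path}: unexpected <{extra.tag}>")


def validate(xml_text, xsd_text):
    """Return a list of structural errors; empty means the document conforms."""
    errors = []
    _check(ET.fromstring(xml_text), load_schema(xsd_text), errors, "")
    return errors


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate(doc, BEHAVIOR_SCHEMA) or "conforms")
```

   Because the AVML schema types every leaf as xs:string, structural
   conformance is the whole of what the schema can guarantee; value
   checks (that FileSize is numeric, that offsets are hexadecimal) have
   to be done by the consumer after this step.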


5.  Security Considerations

   None.


6.  IANA Considerations

   This document has no actions for IANA.


7.  Informative References

   [ksb2007]  "Kaspersky Security Bulletin 2007: Malware evolution in
              2007", Feb 2008.


Authors' Addresses

   seak
   Antiy Labs

   Email: seak@antiy.net


   sandy
   Antiy Labs

   Email: kangkang@antiy.net


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.