Q&A - From The Labs

Malware Trivia: Episode 3

On what we do when we identify a new piece of malware and the most common causes for data corruption

My PC has suddenly (nothing to do with this scan) stopped allowing me to download, say, CCleaner etc. – Question asked by Barry Northan

First of all, make sure that the files you are downloading are not getting corrupted while they are fetched from the vendor's website. Some software producers publish the MD5 sum (and, increasingly, a SHA-256 sum) of their installers on the download page. Download a file that has a published hash, compute the hash of your local copy, and compare the two. If the hashes differ, the file was most likely corrupted during download; a hash published on the same page as the file only proves that the download arrived intact, not that the vendor's copy is trustworthy, and MD5 in particular is fine for spotting accidental corruption but no longer a defence against deliberate tampering. If the hash is identical, the download itself is sound, and you should run a full system scan to check whether you are infected with a piece of malware that prevents certain applications from running in order to avoid detection. Also, please ensure that you are not trying to run an application built for 64-bit Windows on a 32-bit operating system, since a 64-bit executable will not start there at all.
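Added example (not code from the original post or from Bitdefender): a small Python script that performs the two checks described above. It hashes a download in chunks and compares the result with the digest the vendor published, tolerating upper-case hex and stray whitespace, and it reads the Machine field from a Windows executable's PE header to tell a 64-bit-only build from a 32-bit one, which goes slightly beyond the text by automating the 32/64-bit check. The sample "download" bytes (with their genuine MD5 and SHA-256 values), the corrupted variant and the minimal PE headers are constructed for the demonstration; in real use the installer path and the hash from the download page replace them.

```python
"""Added example: verify a downloaded installer against its published hash,
and check whether a Windows executable is a 64-bit build that cannot run on
a 32-bit OS. Sample data is constructed; this is not the original post's code."""
import hashlib
import hmac
import os
import struct
import tempfile

# Constructed sample "download": the bytes b"abc" and their real MD5/SHA-256
# digests, standing in for an installer and the hash a vendor would publish.
SAMPLE_DOWNLOAD = b"abc"
PUBLISHED_MD5 = "900150983cd24fb0d6963f7d28e17f72"
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
CORRUPTED_DOWNLOAD = b"abd"  # one byte damaged in transit


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hash, algorithm="md5"):
    """True if the file's digest matches the one the vendor published.

    Published hashes are often copied with surrounding whitespace or
    upper-case hex digits, so normalise before comparing.
    """
    expected = published_hash.strip().lower()
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)


# IMAGE_FILE_MACHINE values from the PE/COFF specification.
PE_MACHINE_I386 = 0x014C   # 32-bit x86: runs on 32- and 64-bit Windows
PE_MACHINE_AMD64 = 0x8664  # x86-64: will not start on 32-bit Windows


def pe_machine(data):
    """Return the Machine field of a PE image, or None if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def needs_64bit_os(data):
    """True if the executable is an x86-64 build (cannot run on 32-bit Windows)."""
    return pe_machine(data) == PE_MACHINE_AMD64


def minimal_pe(machine):
    """Constructed stand-in for an installer: just enough header for pe_machine()."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(header) + b"PE\0\0" + struct.pack("<H", machine)


def write_sample(content):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    good = write_sample(SAMPLE_DOWNLOAD)
    bad = write_sample(CORRUPTED_DOWNLOAD)
    print("intact download matches MD5:   ", verify_download(good, PUBLISHED_MD5))
    print("corrupted download matches MD5:", verify_download(bad, PUBLISHED_MD5))
    print("intact download matches SHA-256:", verify_download(good, PUBLISHED_SHA256, "sha256"))
    print("x64 build needs 64-bit OS:", needs_64bit_os(minimal_pe(PE_MACHINE_AMD64)))
    print("x86 build needs 64-bit OS:", needs_64bit_os(minimal_pe(PE_MACHINE_I386)))
```

On a real system, point `verify_download()` at the installer you fetched and paste the digest from the download page; a mismatch means re-download, a match means the file is intact and the problem lies elsewhere (the scan the answer recommends, or the 32/64-bit mismatch that `needs_64bit_os()` flags).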

What happens from finding a malware sample till publishing a definition against it? How are the samples named and why don't all companies use a standardized naming convention? – Question asked by MM

As soon as a malware sample reaches BitDefender, it is inspected by BitDefender malware researchers both statically (disassembling the sample and following its code instruction by instruction) and dynamically (running it in a virtualized environment and observing what it does). If the file proves to behave maliciously, it is named according to BitDefender's naming structure, a variant of the CARO naming convention. If the malicious file is already known to and detected by other vendors, it receives a similar name for consistency; if not, it is assigned a new name following the CARO convention.

It is true that one piece of malware can be detected under several different names by different vendors; this happens most often when AV vendors issue signatures at roughly the same time. Since no detection name exists yet for the sample, each vendor names it as it sees fit. At other times, vendors classify the same piece of malware into different categories: some label it a Trojan, while others call it a Backdoor or even a Worm. This is because a single piece of malware can combine several components, for instance a worm component alongside a Trojan component that opens a backdoor, and each vendor names it after the component it considers primary.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.