
Malware Trivia: Episode 3

Bogdan BOTEZATU

February 14, 2011


My PC has suddenly (nothing to do with this scan) stopped allowing me to download say, CCleaner etc. – Question asked by Barry Northan

First of all, make sure that the files you are downloading don’t get corrupted while being fetched from their website. Some software producers display the MD5 sum of their kits on the download page. You might want to download a file with a known MD5 sum and then compare that sum to the hash your local copy actually produces. If the hashes differ, the files are most likely being corrupted during download. If the hashes are identical, you should run a system scan to check whether you are infected with a piece of malware that prevents some applications from running in order to avoid detection. Also, please ensure that you are not trying to run an application designed for 64-bit computers on a 32-bit operating system.
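As an added illustration of the check described above (not code from the original post), the following Python compares a downloaded file against a publisher's MD5 checksum line and distinguishes an intact copy from a truncated one; the checksum line, the file name and the payload are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed checksum line in the common "<hex digest>  <filename>" layout;
# it is not taken from any vendor's download page.
PUBLISHED_MD5 = "9e107d9d372bb6826bd81d3542a419d6  ccleaner_setup.exe"
# Constructed payload whose MD5 is the digest above.
SAMPLE_PAYLOAD = b"The quick brown fox jumps over the lazy dog"


def parse_checksum_line(line):
    """Split a 'digest  filename' line into (lowercase digest, filename)."""
    digest, _, name = line.strip().partition(" ")
    # md5sum prefixes the name with '*' when the file was hashed in binary mode.
    return digest.lower(), name.strip().lstrip("*")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so large installers never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_line, algorithm="md5"):
    """Return (ok, expected, actual); ok is True only when the digests match.

    A mismatch points to a corrupted or truncated download. A match shows the
    file is intact; MD5 is not collision resistant, so a match alone does not
    prove the file came from the publisher."""
    expected, _ = parse_checksum_line(checksum_line)
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(expected, actual), expected, actual


def demo():
    """Verify an intact and a truncated copy of the payload; returns (intact_ok, truncated_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        intact = os.path.join(tmp, "ccleaner_setup.exe")
        truncated = os.path.join(tmp, "ccleaner_setup_partial.exe")
        with open(intact, "wb") as fh:
            fh.write(SAMPLE_PAYLOAD)
        with open(truncated, "wb") as fh:
            fh.write(SAMPLE_PAYLOAD[:-5])  # simulate a download cut short
        intact_ok, _, _ = verify_download(intact, PUBLISHED_MD5)
        truncated_ok, _, _ = verify_download(truncated, PUBLISHED_MD5)
        return intact_ok, truncated_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```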

What happens from finding a malware sample till publishing a definition against it? How are the samples named and why don't all companies use a standardized naming convention? – Question asked by MM

As soon as the malware sample reaches BitDefender, it is inspected by BitDefender malware researchers both statically (for example by disassembling the piece of malware and tracing every instruction) and dynamically (i.e. by running it in a virtualized environment). If the file proves to behave maliciously, it is named using BitDefender’s naming structure, a variant of the CARO naming convention. If the malicious file is already known and detected by other vendors, it is named similarly for consistency. If not, it is assigned a name as suggested by the CARO naming convention.

It’s true that a piece of malware can be detected by other vendors under multiple names; this happens especially when AV vendors issue signatures at approximately the same time. Since there is no established detection name for the sample yet, each vendor names it as it sees fit. At other times, vendors treat the same piece of malware as belonging to different categories: while some label it a Trojan, others may call it a Backdoor or even a Worm. This is because some malware has a worm component as well as a Trojan component that can open a backdoor, for instance.

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
