MALWARE HISTORY

Virus Naming. The “Who’s who” Dilemma (1)

Got new malware. What shall we call it?

Anyone who has ever created something new is granted the right to baptize it. However, given that they are born under the sign of destruction and disruption, viruses are an exception to this rule.

Normally, you would not expect anything in the “John jr.” vein: any hint as to the identity of a virus creator would probably get them into trouble. Plus, in order to avoid adding to the glory of malware authors, antimalware producers will usually rename the malware samples they discover. And the naming trouble does not stop here. A scenario in which several antimalware labs simultaneously research the same new malware sample is not that uncommon; in this case, the first to publicly announce the discovery gets to give it a name.

Aside from creativity and authorship, virus naming also raises the issue of utility. Confronted with an overwhelming malware population, researchers and antimalware producers have understood how important it is to approach the naming process systematically. All in all, simple logic calls for malware names that contain information the industry can recognize: the affected platform, the virus family name and its spreading method.

First regulatory attempt: the CARO system.

In a 1991 meeting of the Computer Antivirus Research Organization (CARO), a New Virus Naming Convention was agreed upon; it was supposed to provide a means of avoiding the confusion generated by the lack of uniform rules in the virus naming process. According to this document, a full virus name should have the following format:

Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]

Here is an example of a virus name that complies with this model:

Stoned.Michelangelo.A

Virus Names

Though it appears to provide a clear solution to the naming problem, this format is likely to raise uniformity-related issues as well. A first grey area that the authors of the convention admit to is the “family name” section: “Every attempt is made to group the existing viruses into families, depending on the structural similarities of the viruses, but we understand that a formal definition of a family is impossible.”

Starting from this inherent limitation of the system, the authors provide a few guidelines on how to choose a relevant family name:

– the use of brand, company or individual’s names is forbidden (unless there is proof that the individual actually created the virus);

– existing virus family names should be considered carefully to avoid confusion (does the virus belong to that family? is the sample actually new, or does it belong to an existing family?);

– dates, geographic and numeric names should be avoided because they can be misleading.

The principles of agreed authorship and of utility are clearly stated as a viable solution: “If multiple acceptable names exist, select the original one, the one used by the majority of existing anti-virus programs or the more descriptive one.”
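As an added illustration (not code from the original post, nor from CARO or any antimalware lab), here is a small Python parser for the Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier] format above, together with a checker that applies the family-name guidelines just listed. Two things are assumptions: that components may be omitted from the right (so Stoned.Michelangelo.A has no minor variant and no modifier), and the lists of known families and banned brand names, which are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Added example: parser and name-checker for the 1991 CARO name format
#   Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]
# Assumption: components are dot-separated and may be omitted from the right.
FIELDS = ("family", "group", "major_variant", "minor_variant")


@dataclass
class CaroName:
    family: str
    group: Optional[str] = None
    major_variant: Optional[str] = None
    minor_variant: Optional[str] = None
    modifier: Optional[str] = None

    def __str__(self) -> str:
        parts = [p for p in (self.family, self.group,
                             self.major_variant, self.minor_variant) if p]
        text = ".".join(parts)
        return f"{text}:{self.modifier}" if self.modifier else text


def parse_caro_name(name: str) -> CaroName:
    """Split a CARO-style name into its components.

    Whitespace around components is tolerated (the post prints its example
    as "Stoned. Michelangelo.A"); empty or surplus components are an error.
    """
    body, _, modifier = name.strip().partition(":")
    parts = [p.strip() for p in body.split(".")]
    if not 1 <= len(parts) <= len(FIELDS) or any(p == "" for p in parts):
        raise ValueError(f"malformed CARO name: {name!r}")
    return CaroName(modifier=modifier.strip() or None, **dict(zip(FIELDS, parts)))


# Family names the guidelines say to avoid: pure numbers and date-like strings
# (a four-digit year, or day/month pairs) are misleading.
_NUMERIC_OR_DATE = re.compile(
    r"^\d+$|(?:^|\D)(?:19|20)\d{2}(?:\D|$)|\d{1,2}[-/]\d{1,2}")


def check_family_name(family: str, known_families: Set[str],
                      banned_names: Set[str]) -> List[str]:
    """Return guideline violations for a proposed family name ([] means OK).

    known_families: families already in use (collision check, case-insensitive).
    banned_names:   brand, company or individual names the lab refuses to use.
    Both sets come from the caller; the ones in the demo below are constructed.
    """
    problems = []
    lowered = family.lower()
    if lowered in {n.lower() for n in banned_names}:
        problems.append(f"{family!r} is a brand, company or individual's name")
    if lowered in {n.lower() for n in known_families}:
        problems.append(f"{family!r} already names an existing family; "
                        "classify the sample into it instead of creating a new one")
    if _NUMERIC_OR_DATE.search(family):
        problems.append(f"{family!r} looks numeric or date-like, which is misleading")
    return problems


if __name__ == "__main__":
    # The post's own example, including the stray space it was printed with.
    name = parse_caro_name("Stoned. Michelangelo.A")
    print(name, "->", name)
    # Constructed lists for the demo; a real lab would load its own.
    known = {"Stoned", "Cascade"}
    banned = {"Microsoft"}
    for candidate in ("Stoned", "1991", "Virus2000", "Scribble"):
        print(candidate, check_family_name(candidate, known, banned) or "ok")
```

The checker only mechanises the two guidelines that can be tested from the string itself (collisions with names already in use, and numeric or date-like names); whether a sample is structurally a member of an existing family is still the analyst's judgement, as the convention's authors concede.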
(to be continued)

About the author

Sabina DATCU

Sabina Datcu, PhD, has background training in Applied Informatics and Statistics, Biology, and Foreign Languages and Literatures. In 2003 she obtained a master's degree in Systems Ecology and in 2009 a PhD in Applied Informatics and Statistics.
Since 2001, she has been involved in the University of Bucharest's FP5 and FP6 European projects as a researcher in the Information and Knowledge Management field.

In 2009, she joined the E-Threat Analysis and Communication Team at BitDefender as a technology writer and researcher, and started to write a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases.
