24 Apr: Malware naming - a never-ending story (Roel)
03 Feb: CME - the good and the not-so-good (Aleks)
05 Nov: More on malware classification (Eugene)
04 Nov: New malware classification system (Yury)
Last week there was some coverage about a new P2P worm, which is highly polymorphic and infects other files.
Many antivirus vendors detected this piece of malware as Polipos, and this name has been widely used.
But should the worm really be called this?
The body of the worm contains the following text:
Win32.Polipos v1.2 by Joseph
Calling this piece of malware Polipos, as most antivirus vendors are doing, raises a dilemma.
On the one hand, the industry is already almost uniformly using this name.
Changing the name could lead to a situation similar to that with Nyxem/Blackworm/CME-24; no one wants to see that naming confusion repeated.
On the other hand, there's a serious ethical problem: one of the antivirus industry's unwritten rules is that malware should never be called by the name its author intended.
We've therefore decided to rename this worm from Polipos to Polip, and I hope that other antivirus vendors will follow suit.
CME is a good idea: a common identifier that lets everyone (customers, admins, journalists) understand that, for instance, Bozori and Zotob are the same worm despite their completely different names. Kaspersky Lab is an active participant in this initiative.
So much for the good. As everyone probably knows by now, today is the day Nyxem.e is damaging data on infected machines.
Yesterday, I had a lot of journalists asking a lot of questions about Nyxem.e and what to expect here in Moscow. And among all the info I gave, I made a point of telling everyone the CME number (CME-24) for Nyxem.e and asked everyone to use it.
I got to the office today and started reading the press. Nobody, but nobody, even mentioned the CME number. Instead, I ran into other names for Nyxem: Kama Sutra, for instance. The journalists weren't interested in the CME number; instead they jumped on a dramatic name to replace Nyxem.e. They were obviously most interested in 'screaming' names that will catch readers' eyes.
In short, I think we have a long, long way to go in teaching journalists - let alone anyone else - about CME.
When we get a new virus/worm/trojan sample we need to name it. If we recognize that the new sample is just the next one in a "family", i.e. a modification of a virus we already know, we just add a new letter to the existing name. Thus we have Bagle.a, Bagle.b, etc. When we get to 'z', we start again from the beginning with double letters, "Bagle.aa" for example.
If we don't recognize the malicious program as being from a specific family, we usually just name it in a "generic" way: Backdoor.Win32.Agent, or TrojanDropper.Win32.Small, or Trojan.Win32.Dialer. These generic names can have their own variants: we've already detected TrojanDownloader.Win32.Small.zm, so this "generic" name may soon have an 'aaa' variant.
In most cases (99.9%) new programs aren't a serious threat - for instance, a new program is just a new trojan which is infecting a small number of computers. This means there's no need to introduce a new name - it will fall into a family, or get a generic name.
If we see that the case is important (for instance, a new email worm which looks likely to cause an epidemic), then we need to choose a name for it. Here we have two choices. Firstly, maybe another antivirus company already detects the malicious program, and we just copy the name (if we agree with it). Most antivirus companies do this. If the program is named wrongly (a company or a virus expert can explain why it is wrong), the name is changed by voting in AV experts' email lists.
The second case is when no other antivirus company detects the sample, and we need to introduce a new name. What we usually do is find a text which is specific to the sample. Usually there are text strings inside the malware sample, and the name will follow one of these strings. We don't like to use the exact text from a sample, so we modify it a bit. For example, a recently discovered worm contained the text string "Bucheon", so we named it "Buchon". Another example is the 'Gavir' worm, which contained the text "c:\gamevir.txt".
There are also other reasons why we choose the names we do. For example, "Skybag" has this name because we understood that it's a mix of "NetSky" and "Bagle" worms. This gave us Sky+Bag.
The final note - we don't just open a dictionary at random to choose a name. In every case there is a specific reason for choosing the name for a malicious program.
Kaspersky Lab is currently switching to a new malware classification system.
The new system will make it easier to navigate the virus descriptions.
Naming of malicious programs
Each malicious program is given a name which has several parts.
Any program which is given a name containing the term VirWare, TrojWare, MalWare, RiskWare, AdWare or PornWare will be a malicious program.
The name of each malicious program can be broken down in the following way:
Verdict: verdict clarification
Verdict clarification includes the following categories:
Verdict: this is an umbrella description which covers the main characteristics of a virus sample: VirWare, TrojWare, MalWare, RiskWare, AdWare, PornWare, SPAM, or Attack.
Behaviour: this defines the malicious program's payload. Backdoor, Virus etc. are all examples of Behaviour. A less threatening behaviour will be subsumed by the most threatening behaviour. For example, if a program has a backdoor function, but also infects files, the behaviour will be classified as Virus. If in addition to these behaviours, the malicious program spreads via network connections, the behaviour will be classified as Worm.
Sub-behaviour: this category is only used if the malicious program has a sub-behaviour. It defines the main behaviour further. For instance, a malicious program classified as Trojan-Spy has the sub-behaviour Spy, and so on. The sub-behaviour term is separated from the behaviour term by a dash.
In the case of worms, the sub-behaviour term will be a prefix to the main behaviour term: P2P-Worm, Net-Worm etc.
OS: the operating system in which the malicious program functions, e.g. Win32, BAT, IRC etc.
Name: the name which the Virus Lab has given to the malicious program.
Modification: shows the different versions of a malicious program grouped under one name.
An example of a name under the new classification system would be Trojan-Dropper.Win32.Agent.a: a Trojan which drops another malicious program and operates in Win32. The Virus Lab has named this program Agent, and this particular program is modification a, the first in a series.
Names of malicious programs always include the Behaviour, OS, Name and Modification terms.
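As an added example (not code from the Kaspersky posts above), here is the naming scheme from both classification posts in Python: a parser for the Behaviour[-Sub-behaviour].OS.Name.Modification format described here, plus the letter-sequence rule from the earlier post (a..z, then aa, ab, ...) used to name the next sample in a family. The regex and function names are hypothetical; the sample names are constructed from ones mentioned on this page.

```python
import re

# Name format from the post: Behaviour[-Sub-behaviour].OS.Name.Modification
# (regex written for this example; it is not a Kaspersky tool).
NAME_RE = re.compile(
    r"^(?P<beh>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)?)\.(?P<os>[A-Za-z0-9]+)"
    r"\.(?P<name>[A-Za-z0-9_]+)(?:\.(?P<mod>[a-z]+))?$"
)

def parse_name(full: str) -> dict:
    """Split a detection name into its parts. Worm sub-behaviours are a
    prefix (P2P-Worm, Net-Worm); all others are a suffix (Trojan-Dropper).
    Old-style names such as TrojanDownloader.Win32.Small.zm have no dash."""
    m = NAME_RE.match(full)
    if not m:
        raise ValueError(f"not a classification-style name: {full!r}")
    beh, sub = m.group("beh"), None
    if "-" in beh:
        left, right = beh.split("-", 1)
        beh, sub = (right, left) if right == "Worm" else (left, right)
    return {"behaviour": beh, "sub_behaviour": sub, "os": m.group("os"),
            "name": m.group("name"), "modification": m.group("mod")}

def modification_to_index(mod: str) -> int:
    """'a'..'z' -> 1..26, then 'aa' -> 27 ... (bijective base-26, which is
    what 'start again from the beginning with double letters' means)."""
    n = 0
    for ch in mod:
        if not "a" <= ch <= "z":
            raise ValueError(f"bad modification letter {ch!r} in {mod!r}")
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n

def index_to_modification(n: int) -> str:
    """Inverse of modification_to_index: 26 -> 'z', 27 -> 'aa', 703 -> 'aaa'."""
    out = ""
    while n > 0:
        n, r = divmod(n - 1, 26)
        out = chr(ord("a") + r) + out
    return out

def next_variant(full: str) -> str:
    """Name the next sample in an existing family, e.g. Polip.z -> Polip.aa."""
    parts = parse_name(full)          # validates the name first
    head, mod = full.rsplit(".", 1) if parts["modification"] else (full, "")
    return f"{head}.{index_to_modification(modification_to_index(mod) + 1)}"
```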