Filed Under: MALWARE HISTORY

Virus Naming. The "Who's who?" Dilemma (1)

Date: 02/09/2010
Author: Ioana Jelea, Sabina Datcu

Got new malware. What shall we call it?

Anyone who has ever created something new is granted the right to baptize it. However, given that they are born under the sign of destruction and disruption, viruses are an exception to this rule.

Normally, you would not expect anything in the "John jr." vein. Any hint as to the identity of virus creators would probably get them into trouble. Plus, in order to avoid adding to the glory of malware authors, antimalware producers will probably rename the malware samples they discover. And the naming trouble does not stop here. A scenario where several antimalware labs simultaneously conduct research on the same new malware sample is not that uncommon. In this case, the first to publicly announce the discovery gets to give it a name.

Aside from creativity and authorship, virus naming also raises the issue of utility. Confronted with an overwhelming malware population, researchers and antimalware producers have understood how important it is to approach the naming process systematically. All in all, simple logic calls for malware names that contain information the industry can recognize: the affected platform, the virus family name and its spreading method.

First regulatory attempt: the CARO System

In a 1991 meeting of the Computer AntiVirus Researcher Organization (CARO), a New Virus Naming Convention was agreed upon. It was supposed to provide a means of avoiding the confusion generated by the lack of uniform regulations in the virus naming process. According to this document, a full virus name should have the following format:

Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]

Here is an example of a virus name that complies with this model:

Stoned.Michelangelo.A


Though it appears to provide a clear solution to the naming problem, this format is likely to raise uniformity-related issues as well. A first grey area that the authors of the convention admit to is the "family name" section: "Every attempt is made to group the existing viruses into families, depending on the structural similarities of the viruses, but we understand that a formal definition of a family is impossible."

Starting from this inherent weakness of the system, the authors provide a few guidelines on how to choose a relevant family name:

  - the use of brand, company or individuals' names is forbidden (unless there is proof that the individual actually created the virus),

  - existing virus family names should be considered carefully to avoid confusion (does the virus belong to that family? is the sample actually new or does it belong to an existing family?),

  - dates, geographic and numeric names should be avoided because they can be misleading.
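The name format and the date/numeric guideline above can be checked mechanically. The following is an added example, not part of the original article or of CARO's document: the function names, the permitted character set, the rule that trailing fields may be omitted (as in the three-part Stoned.Michelangelo.A) and the date-word heuristic are all assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumption: a component is letters, digits, '_' or '-'; the page gives no charset.
COMPONENT = re.compile(r"[A-Za-z0-9_-]+")
MAX_DOTTED = 4  # Family_Name, Group_Name, Major_Variant, Minor_Variant
# Constructed heuristic for the "dates ... and numeric names" guideline.
DATE_WORDS = set(
    "january february march april may june july august september october "
    "november december monday tuesday wednesday thursday friday saturday sunday".split()
)

class VirusName(NamedTuple):
    family: str
    group: Optional[str] = None
    major_variant: Optional[str] = None
    minor_variant: Optional[str] = None
    modifier: Optional[str] = None

def parse_name(raw: str) -> VirusName:
    """Split a name into the convention's fields; raise ValueError if malformed."""
    body, sep, modifier = raw.strip().partition(":")
    parts = body.split(".")
    if len(parts) > MAX_DOTTED:
        raise ValueError(f"{len(parts)} dotted components, at most {MAX_DOTTED} allowed")
    for part in parts + ([modifier] if sep else []):
        if not COMPONENT.fullmatch(part):
            raise ValueError(f"bad component {part!r} (empty or stray characters)")
    # Assumption: trailing fields may be omitted, as in the page's three-part example.
    return VirusName(*parts, modifier=modifier or None)

def lint_family(name: VirusName) -> list:
    """Warn about family names the guidelines say to avoid (dates, numbers)."""
    stem = re.sub(r"[\d_-]", "", name.family).lower()
    if not stem:
        return ["numeric family name"]
    if stem in DATE_WORDS:
        return ["date-like family name"]
    return []

if __name__ == "__main__":
    # Constructed sample names, apart from the page's own Stoned.Michelangelo.A.
    for sample in ["Stoned.Michelangelo.A", "Friday13.A", "1701", "Stoned..A"]:
        try:
            parsed = parse_name(sample)
            print(sample, "->", parsed, lint_family(parsed))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

The geographic and brand-name guidelines are not checked here, since they need reference lists the page does not supply.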

The principles of agreed authorship and of utility are clearly stated as a viable solution: "If multiple acceptable names exist, select the original one, the one used by the majority of existing anti-virus programs or the more descriptive one." (to be continued)


user comments
Please help me. My computer has been hit by a Boot.Malmo virus. How can I remove it? It has affected my computer's booting system. Please help.
You should run a quick scan using the online scanner: http://qscan.bitdefender.com. After you have been diagnosed, download a 30-day trial from the BitDefender Downloads page at http://www.bitdefender.com/world/Downloads/. Download, install and let the AV do its job. Also, please consider adopting a permanent antivirus solution. It will save a lot of trouble and money in the long run.