[ISN] Name That Worm - How Computer Viruses Get Their Names

From: InfoSec News (isnat_private)
Date: Wed Jan 09 2002 - 04:15:39 PST

    http://www.newsfactor.com/perl/story/15662.html
    
    By Jay Lyman
    NewsFactor Network 
    January 8, 2002 
    
    What's in a name? Plenty, if you ask a computer virus researcher who
    is responsible for designating the latest malicious code spreading on
    the Internet.
    
    Antivirus experts say there are specific guidelines for naming
    computer worms. Not surprisingly, the first rule dictates that the
    name should be anything other than what the virus writer wants it
    called. Beyond that, researchers look to the code, to its message, or
    the situation to name worms as they find them.
    
    Sometimes the process is more random. Who would have guessed that the
    Code Red virus got its name from an eEye Digital Security researcher's
    beverage of choice -- the cola variety of Mountain Dew soft drink --
    the night they picked through the corruptive code?
    
    No Names Or Dates
    
    Symantec Security Response senior director Vincent Weafer, who
    referred to Code Red's caffeine-based name, told NewsFactor that there
    are some things researchers do not use when naming worms:
    
    "We don't use the name of the virus writer because we don't want to
    give name recognition for something that's done for publicity, and we
    don't use the date because there are so many trigger dates and it's
    such an easy thing to change that it wouldn't make any sense," Weafer
    said.
    
    "After that, it comes down to the researcher and what they find unique
    about a particular virus," Weafer added.
    
    No Recognition
    
    Experts said virus writers almost always name their worms or offer
    clues as to what they want them named, and virus researchers almost
    always choose something else.
    
    "We look to rename it because we don't want to acknowledge them or
    play into what they're trying to accomplish," Network Associates
    director of antivirus research Vincent Gulotto told NewsFactor. "As
    far as what the virus writer wants it to be, I'm not really sure that
    we care."
    
    Symantec Security's Weafer said implications and connotations of virus
    names are also considered, referring to the Goner worm, which might
    have been called Pentagon but was dubbed Goner to eliminate
    association with last year's terrorist attack on the Washington D.C.  
    building.
    
    Weafer said that while researchers often look only at the code of a
    computer worm and not the e-mail message, Goner got its name from its
    references to "leaving" and "I have to go."
    
    Calling By Code
    
    Experts said virus names come from the researcher who first finds and
    announces them.
    
    "The name is typically driven by something they see in the code or
    something the virus does," Network Associates' Gulotto said.
    
    Weafer said most antivirus companies have policies and letter-number
    formulas for virus names, adding that researchers must check a new
    name against a database of existing names.
    
    "There are so many viruses now, trying not to use the same name is
    challenging," Weafer said, referring to some 58,193 viruses detected
    by Symantec's Norton antivirus software.
    
    Common Names
    
    Experts said it is common for worms to exist with more than one
    "alias" for some time before the accepted, common reference emerges.  
    Antivirus companies will then re-name viruses in their own advisories
    and listings to reduce confusion, researchers told NewsFactor.
    
    "Eventually, we'll all get back to the same name," Weafer said. "It's
    trying to balance scientific and education purposes of naming and the
    ability to communicate broadly. If you end up using an obscure name,
    that's a disservice."
    
    Weafer referred to "blended threats" -- viruses that combine worms
    with security exploits -- as another challenge for naming the latest
    threats because of two different naming schemes.
    
    Still, Gulotto said, the antivirus community's naming efforts have
    improved in recent years.
    
    "The process itself has become much better in the last couple of
    years," Gulotto said. "These days, more companies are calling viruses
    by the same name. When you take away the variants and the prefix, the
    virus name is the same."
    
    
    