http://www.newsfactor.com/perl/story/15662.html

By Jay Lyman
NewsFactor Network
January 8, 2002

What's in a name? Plenty, if you ask a computer virus researcher who is responsible for designating the latest malicious code spreading on the Internet.

Antivirus experts say there are specific guidelines for naming computer worms. Not surprisingly, the first rule dictates that the name should be anything other than what the virus writer wants it called.

Beyond that, researchers look to the code, to its message, or the situation to name worms as they find them.

Sometimes the process is more random. Who would have guessed that the Code Red virus got its name from an eEye Digital Security researcher's beverage of choice -- the cola variety of Mountain Dew soft drink -- the night they picked through the corruptive code.

No Names Or Dates

Symantec Security Response senior director Vincent Weafer, who referred to Code Red's caffeine-based name, told NewsFactor that there are some things researchers do not use when naming worms:

"We don't use the name of the virus writer because we don't want to give name recognition for something that's done for publicity, and we don't use the date because there are so many trigger dates and it's such an easy thing to change that it wouldn't make any sense," Weafer said.

"After that, it comes down to the researcher and what they find unique about a particular virus," Weafer added.

No Recognition

Experts said virus writers almost always name their worms or offer clues as to what they want them named, and virus researchers almost always choose something else.

"We look to rename it because we don't want to acknowledge them or play into what they're trying to accomplish," Network Associates director of antivirus research Vincent Gulotto told NewsFactor. "As far as what the virus writer wants it to be, I'm not really sure that we care."

Symantec Security's Weafer said implications and connotations of virus names are also considered, referring to the Goner worm, which might have been called Pentagon but was dubbed Goner to eliminate association with last year's terrorist attack on the Washington D.C. building.

Weafer said that while researchers often look only at the code of a computer worm and not the e-mail message, Goner got its name from its references to "leaving" and "I have to go."

Calling By Code

Experts said virus names come from the researcher who first finds and announces them.

"The name is typically driven by something they see in the code or something the virus does," Network Associates' Gulotto said.

Weafer said most antivirus companies have policies and letter-number formulas for virus names, adding that researchers must check a new name against a database of existing names.

"There are so many viruses now, trying not to use the same name is challenging," Weafer said, referring to some 58,193 viruses detected by Symantec's Norton antivirus software.

Common Names

Experts said it is common for worms to exist with more than one "alias" for some time before the accepted, common reference emerges.

Antivirus companies will then re-name viruses in their own advisories and listings to reduce confusion, researchers told NewsFactor.

"Eventually, we'll all get back to the same name," Weafer said. "It's trying to balance scientific and education purposes of naming and the ability to communicate broadly. If you end up using an obscure name, that's a disservice."

Weafer referred to "blended threats" -- viruses that combine worms with security exploits -- as another challenge for naming the latest threats because of two different naming schemes.

Still, Gulotto said, the antivirus community's naming efforts have improved in recent years.

"The process itself has become much better in the last couple of years," Gulotto said. "These days, more companies are calling viruses by the same name. When you take away the variants and the prefix, the virus name is the same."