Information Security News mailing list archives

Name That Worm - How Computer Viruses Get Their Names


From: InfoSec News <isn () c4i org>
Date: Wed, 9 Jan 2002 06:15:39 -0600 (CST)

http://www.newsfactor.com/perl/story/15662.html

By Jay Lyman
NewsFactor Network 
January 8, 2002 

What's in a name? Plenty, if you ask a computer virus researcher who
is responsible for designating the latest malicious code spreading on
the Internet.

Antivirus experts say there are specific guidelines for naming
computer worms. Not surprisingly, the first rule dictates that the
name should be anything other than what the virus writer wants it
called. Beyond that, researchers look to the code, to its message, or
the situation to name worms as they find them.

Sometimes the process is more random. Who would have guessed that the
Code Red virus got its name from an eEye Digital Security researcher's
beverage of choice -- the cola variety of Mountain Dew soft drink --
the night they picked through the corruptive code?

No Names Or Dates

Symantec Security Response senior director Vincent Weafer, who
referred to Code Red's caffeine-based name, told NewsFactor that there
are some things researchers do not use when naming worms:

"We don't use the name of the virus writer because we don't want to
give name recognition for something that's done for publicity, and we
don't use the date because there are so many trigger dates and it's
such an easy thing to change that it wouldn't make any sense," Weafer
said.

"After that, it comes down to the researcher and what they find unique
about a particular virus," Weafer added.

No Recognition

Experts said virus writers almost always name their worms or offer
clues as to what they want them named, and virus researchers almost
always choose something else.

"We look to rename it because we don't want to acknowledge them or
play into what they're trying to accomplish," Network Associates
director of antivirus research Vincent Gulotto told NewsFactor. "As
far as what the virus writer wants it to be, I'm not really sure that
we care."

Symantec Security's Weafer said implications and connotations of virus
names are also considered, referring to the Goner worm, which might
have been called Pentagon but was dubbed Goner to eliminate
association with last year's terrorist attack on the Washington, D.C.,
building.

Weafer said that while researchers often look only at the code of a
computer worm and not the e-mail message, Goner got its name from its
references to "leaving" and "I have to go."

Calling By Code

Experts said virus names come from the researcher who first finds and
announces them.

"The name is typically driven by something they see in the code or
something the virus does," Network Associates' Gulotto said.

Weafer said most antivirus companies have policies and letter-number
formulas for virus names, adding that researchers must check a new
name against a database of existing names.

"There are so many viruses now, trying not to use the same name is
challenging," Weafer said, referring to some 58,193 viruses detected
by Symantec's Norton antivirus software.

Common Names

Experts said it is common for worms to exist with more than one
"alias" for some time before the accepted, common reference emerges.
Antivirus companies will then rename viruses in their own advisories
and listings to reduce confusion, researchers told NewsFactor.

"Eventually, we'll all get back to the same name," Weafer said. "It's
trying to balance scientific and education purposes of naming and the
ability to communicate broadly. If you end up using an obscure name,
that's a disservice."

Weafer referred to "blended threats" -- viruses that combine worms
with security exploits -- as another challenge for naming the latest
threats because of two different naming schemes.

Still, Gulotto said, the antivirus community's naming efforts have
improved in recent years.

"The process itself has become much better in the last couple of
years," Gulotto said. "These days, more companies are calling viruses
by the same name. When you take away the variants and the prefix, the
virus name is the same."



-
ISN is currently hosted by Attrition.org
