Malware Naming Hell Part 1: Taming the mess of AV detection names
[Image: G_DATA_MalwareNamingHell_Header.jpg]

Everyone who deals with malware will know this: Malware names are a convoluted mess. AV scanners will show different detection names for the same file. This confusion is also reflected in media coverage. Is there a way out of this mess?


Before we start our expedition into this muddled place, let's get the terminology right. "Malware name" might refer to one of the following:

1.- AV detection name
Those are the names an Antivirus product will show in a pop-up or log screen if it found an infection on the system. Those are also the names you see on multi scanning services like Virustotal.com.

2.- Malware family name
A malware family describes all malicious samples whose payloads have the same or similar source code as origin. There is no clear line when a derivation of the malware source code creates a new family or when it is another variant of the same family.
The family name can be, but doesn't have to be, part of the AV detection name.

The first part of our series examines Antivirus detection names. The second part is a dive into malware family names.

1. The past: CARO virus naming conventions (1991)

The first attempt to make malware naming consistent was in 1991, when a committee at CARO created A New Virus Naming Convention. This was a time where all or almost all existing malware was also a virus. The naming scheme has influenced today's detection names. Most AV vendors use the same or similar components that CARO suggested but often with their own terminology and ordering.

Quote: The full name of a virus consists of up to four parts, delimited by points ('.'). Any part may be missing, but at least one must be present. The general format is Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]
(CARO, 1991, A New Virus Naming Convention)

This article will not describe all of these components in detail but highlight some points. The best description is in the conventions themselves on CARO's website.

The Family_Name portion of the detection name doesn't always denote an actual malware family. CARO's conventions provide four umbrella names for insignificant viruses:

  • "Trivial" for viruses smaller than 100 bytes of code. The infective length is appended as a number to the Family_Name.
  • "Silly" for viruses that "do not contain anything particular that can be used to name them". Modifiers are appended to Family_Name to denote boot sector viruses or the types of files infected by Silly, e.g., SillyRC for resident viruses that infect COM files, or SillyB for DOS boot sector infectors.
  • "HLLO" for overwriting viruses written in high-level languages.
  • "HLLC" for companion viruses written in high-level languages.
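The CARO format quoted in the post, as an added example that is not part of the original post, of G DATA's article, or of any CARO tooling: a small Python parser that splits a name into its up to four dot-delimited parts plus the optional modifier and flags the four umbrella family names the post lists. The sample names are constructed, and it is assumed (not stated in the quote) that a missing middle part is written as an empty string between dots and that the modifier trails the whole name.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class CaroName:
    """Components of Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]."""
    family: str
    group: str
    major_variant: str
    minor_variant: str
    modifier: Optional[str]   # text after ':' or None when absent
    umbrella: Optional[str]   # "Trivial", "Silly", "HLLO", "HLLC" or None


def classify_umbrella(family: str) -> Optional[str]:
    """Return the CARO umbrella name when `family` is one of the four
    placeholder families rather than a real malware family."""
    # Trivial carries the infective length as a trailing number, e.g. Trivial30 (constructed)
    if re.fullmatch(r"Trivial\d+", family):
        return "Trivial"
    # Silly carries optional upper-case modifiers, e.g. SillyRC or SillyB
    if re.fullmatch(r"Silly[A-Z]*", family):
        return "Silly"
    if family in ("HLLO", "HLLC"):
        return family
    return None


def parse_caro_name(name: str) -> CaroName:
    """Split a CARO-style name into its parts, enforcing 'up to four parts,
    at least one present'. Parts are read positionally (assumption)."""
    body, sep, modifier = name.partition(":")
    parts = body.split(".") if body else []
    if not parts or len(parts) > 4:
        raise ValueError(f"expected 1 to 4 dot-delimited parts: {name!r}")
    if not any(parts):
        raise ValueError(f"at least one part must be present: {name!r}")
    parts += [""] * (4 - len(parts))          # pad missing trailing parts
    family, group, major, minor = parts
    return CaroName(family, group, major, minor,
                    modifier if sep else None, classify_umbrella(family))


if __name__ == "__main__":
    for sample in ("Trivial30.A", "SillyRC.X.1:Mod", "HLLO", "Foo..B"):
        print(sample, "->", parse_caro_name(sample))
```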