Virus Naming. The "Who's who?" Dilemma (2)

Sabina DATCU

March 29, 2010

First regulatory attempt: the CARO System (continued)

An updated version of the CARO System was created in 1999, as a private initiative, and it was offered as a suggestion to be adopted by the entire antivirus industry. This update was intended to accommodate into the CARO naming system malware types that affected platforms other than MS-DOS. As stated by the author of the document, this change was triggered by the appearance of WM/Concept.A, the first macro virus to spread through Microsoft Word. Therefore, a proposal was made for the adoption of an extended form of the CARO standard: platform.type/caro-name [message]. In an attempt to further reflect the diversity of the malware population, the document also suggested considering the term “virus” as a default type and including other malware denominations in the CARO system: Trojan, dropper, worm, Joke, germ, etc. Other elements intended to make the malware name as clearly descriptive as possible were the language identifiers and the short message that was supposed to clarify to the end user the malicious nature of the program.

Here is an example of a malware name that follows this model: Win32.MSNWorm.Rachel.A

Figure 2: Virus name based on the updated CARO model (1999)

The Wildlist Approach

In his statement on How Scientific Naming Works, Joe Wells, CEO of Wildlist Organization International, approaches the drawbacks of virus naming from a very practical point of view. In the absence of a scientific naming system, such as the one used in biology, and of a unified collection of virus samples that any researcher in this domain can access, a virus name should not be viewed as correct or wrong, and all the existing names of a virus should be considered equally valid.

He points out an extremely important aspect that tends to be disregarded in this debate: the ultimate purpose is to warn the end-users of the threat, no matter what name this threat is presented under. As the accuracy of virus identification (is it new? is it a variant of an existing one? etc.) becomes the main focus, naming remains a secondary issue. To put it simply, any malware sample should be identified by its CARO name; if not, by what the majority calls it; if not, by what the first person to discover it called it.

Towards a Common Malware Denomination

In 2005, during a Virus Bulletin Conference, a new attempt was made to bring order into the malware denomination system. This is when the CME initiative was born, bringing together several major players in the data security industry that aimed “[…] to provide a common name for high profile threats in the hope that customers will be able to protect their computers from malware attacks more effectively.”

The organizations that signed up to the CME agreed on a common malware identifier format, namely: CME-N, where N is an integer between 1 and 999. As illustrated by the CME list, one CME-N identifier corresponds to several aliases of the same malware sample. For instance, CME-416 is the same as:

 Trojan.Downloader.AOW (BitDefender)

 Email-Worm.Win32.Warezov.dc (Kaspersky)

 W32/Stration.dr (McAfee)

 W32/Stratio-AW (Sophos), etc.

In addition to that, in keeping with its encyclopedic aim, the list provides a description of the malware sample and the date of its activation. 

Despite its capacity to bring more clarity into the matter of malware classification, some voices were skeptical about this system’s ability to keep up with the tremendous speed at which the antimalware industry works. The need to deliver a solution to counter each threat as soon as possible will most likely prevail over this new naming requirement, which will probably only be applied post factum. In other words, in the identification stage, there will be just as many malware sample aliases, but in the classification stage, there will be a way for several aliases to be reunited under a distinct CME-N identifier. 
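The alias problem described above is what a defender hits when correlating alerts from different scanners. The following is an added example, not part of the original article: it uses the CME-416 aliases quoted above to group alerts under one identifier and applies Wells's fallback order when no common identifier exists. The function names, the `ExampleAV` vendor, the sample alerts and the reading of "majority" as more than half of the reports are assumptions.

```python
import re
from collections import Counter, defaultdict

# CME-N, where N is an integer between 1 and 999 (format quoted in the article).
CME_ID = re.compile(r"CME-[1-9][0-9]{0,2}")
# Aliases of CME-416 as listed in the article.
CME_ALIASES = {"CME-416": {
    "BitDefender": "Trojan.Downloader.AOW",
    "Kaspersky": "Email-Worm.Win32.Warezov.dc",
    "McAfee": "W32/Stration.dr",
    "Sophos": "W32/Stratio-AW",
}}

def build_index(aliases):
    """Invert {cme_id: {vendor: name}} into {(vendor, name): cme_id}."""
    index = {}
    for cme_id, by_vendor in aliases.items():
        if not CME_ID.fullmatch(cme_id):
            raise ValueError(f"not a CME-N identifier: {cme_id!r}")
        for vendor, name in by_vendor.items():
            index[(vendor.casefold(), name.casefold())] = cme_id
    return index

def correlate(detections, index):
    """Group (host, vendor, name) alerts by CME id; unknown names keep 'vendor:name'."""
    groups = defaultdict(list)
    for host, vendor, name in detections:
        key = index.get((vendor.casefold(), name.casefold()), f"{vendor}:{name}")
        groups[key].append(host)
    return dict(groups)

def preferred_name(caro_name, reports):
    """Wells's order: CARO name, else the majority name, else the first reporter's.
    reports: (iso_date, name) pairs; 'majority' is read here as more than half."""
    if caro_name:
        return caro_name
    if not reports:
        raise ValueError("no CARO name and no reports to choose from")
    name, votes = Counter(n for _, n in reports).most_common(1)[0]
    if votes * 2 > len(reports):
        return name
    return min(reports)[1]  # no majority: the earliest-dated report wins

# Constructed alerts: two scanners report the same CME-416 sample, one name is unknown.
ALERTS = [
    ("host-a", "Kaspersky", "Email-Worm.Win32.Warezov.dc"),
    ("host-b", "sophos", "W32/Stratio-AW"),
    ("host-c", "ExampleAV", "Constructed.Name.A"),
]
```

Matching is case-insensitive on both vendor and detection name, since the same scanner is often spelled differently across log sources.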

Although efforts have been made towards reaching a consensus on virus naming rules, diversity seems to hold the upper hand for the moment. Therefore, when trying to figure out the principles behind virus naming, sheer inspiration appears to be the answer. (to be continued)
