Virus Naming Still a Mess
Each time a new or uniquely dangerous virus or worm surfaces online, the major anti-virus companies trip over themselves to come up with their own pet names for the bugs.
In some ways, this is a quaint holdover from an earlier, more innocent age, when the industry was young and most viruses were little more than harmless computer pranks or overt jabs at a certain dominant software maker in Redmond, Wash. At that time, many upstart anti-virus companies were trying to show off not just how quickly they could protect customers from the latest threats, but also how much better they understood the threat than any of the other vendors.
While the motivations, skills and resources of the online-criminal community have no doubt evolved over the years, certain practices of the anti-virus industry remain rather obviously behind the times. We now live in an era when most anti-virus companies are struggling just to keep pace classifying the dozens of new threats that online criminals unleash onto the Net each day.
Faced with such a Sisyphean chore, one might think that anti-virus vendors would see the value in coming up with common names for the same threats, if only to help their bewildered customers better understand whether they are protected from a particularly worrisome viral threat that appears to have a different name every hour.
Yet, like competing spies from different nations surveilling the same intelligence target in the field, the companies have largely refused to speak a common tongue when reporting home about the same viruses and worms.
This virtual Tower of Babel came crumbling down this past week as consumers and businesses struggled to figure out whether they needed to worry about the encroaching threat from a new worm that I hesitantly call "Blackworm" -- only because it is probably the most recognizable name this thing has garnered over the past few weeks -- even though, incredibly enough, none of the anti-virus companies acknowledge that name in their writeups.
To give you a small taste of how confusing this can be, check out all of the different names the anti-virus vendors assigned to the same worm:
These days, most viruses and worms are created to widen the wallets of online cyber criminals by enlisting infected PCs in myriad online schemes involving everything from spyware to phishing and spamming.
But Blackworm was something of a throwback to earlier, more base and overtly hostile threats. Its main purpose is destructive -- on the third day of each month it will methodically delete certain types of files on the host computer, including Adobe PDF documents, compressed ZIP and RAR file archives, and any documents created in Microsoft Word, Excel or PowerPoint.
Aside from its destructive payload, the only really interesting thing about Blackworm is that it stands as the first major test of a new U.S.-government-funded initiative to introduce some sanity into the virus-naming business. Dubbed the "Common Malware Enumeration" (CME) project, its stated mission was to "reduce public confusion during malware outbreaks."
That goal may have been a tad too lofty. My interviews with security experts dealing with the Blackworm crisis over the past two weeks indicate that virtually none of them expect the anti-virus industry to give up its willful naming practices.
Rather, the short-term goal of the CME, the experts I spoke with said, is to give a variously named nastygram a common name so that different security researchers could understand instantly that they were talking about the same piece of malware, without having to worry whether they were comparing notes on different threats.
This latest variant of "Blackworm" first surfaced around Jan. 17, but it wasn't until Jan. 24 that MITRE, a non-profit research group charged with overseeing the CME project, issued a number for the bug: CME 24.
Now, granted, "CME 24" isn't nearly as memorable as the other names this threat earned, such as "MyWife" or "Kama Sutra," but again we're talking more about ways to help the security community rapidly identify these threats. Most anti-virus customers don't care what a threat is called. They simply expect it to be flagged and summarily executed.
The problem was that the anti-virus companies and independent security researchers wanted to call public attention to this very serious threat, but lacking a common name, each picked the most memorable one they could find.
I've heard people who worked closely with MITRE on this particular effort say they weren't notified quickly enough about the seriousness of the situation, and didn't have malware samples until a day or two after the threat surfaced. I also heard from anti-virus companies who said they couldn't wait forever for MITRE to issue a CME number.
But as near as I can tell, none of that matters -- because most of the anti-virus vendors didn't add the CME reference to their advisories until Jan. 31, nearly a week after it was made available. In fact, at the time of this writing, the name "CME 24" is completely absent from the worm warning issued by Kaspersky Lab, and McAfee only added it to theirs on Thursday. Trend Micro even came up with an entirely new name for the worm, even though it appears to stem from the same family that Trend named "Blueworm" back in September 2004.
Lest dear Security Fix readers think this is a problem only for the techies in the trenches, I want to share an experience that I think shows how much the tech media would benefit from a common naming convention. The Washington Post published a story in the paper on Thursday that I wrote regarding the coming storm threatened by the worm, which we called "Nyxem," mainly because it fit nicely with a bit of historical data we mentioned later on in the story.
A few hours after I filed the piece, an editor from the Business section at the paper called me to ask why we hadn't chosen to call the thing "Blackworm," since that was what he was seeing in news reports in some -- but hardly all -- other news outlets. I told him that at the time, none of the anti-virus companies were calling it Blackworm, and that it was unclear who had actually come up with that name.
We ended up calling the threat "Nyxem.D" in the article because our research showed that the worm first surfaced in March 2004 and attempted to enlist infected computers in an online attack against the New York Mercantile Exchange. As it turns out, Joe Stewart, a security researcher at LURHQ Corp., gave it the name "Blackworm."
Stewart said he chose the name because, a) there was no common name for the threat and b) the viral code he was examining looked virtually identical to the code explained in a Sept. 2004 advisory from F-Secure Corp. That post identified one of the bug's menacing filenames as "Blackworm."
Now, here's the part that really kills me: Stewart's choice runs counter to the naming conventions of the anti-virus community, which generally goes out of its way to bastardize the name it thinks the virus or worm author would like its creation to have. (For example, "Nyxem" was derived by transposing the letters "m" and "x" in "Nymex," which is the common shorthand term for the New York Mercantile Exchange, the worm's original target.)
"These companies say that to name a virus what the author intends it is pandering, but on the other hand, if you're taking the names they intend and twisting them around ... aren't you just antagonizing them?" Stewart said. "Should we call Al Qaeda 'El Daiquiri' because we don't like their ways? Are we pandering to the terrorists by calling them what they want to be called? This is really the only industry where you see this kind of dynamic happening."
Stewart said he's not surprised that the industry hasn't embraced the new virus-naming scheme. After all, he said, it's not really in the best interests of the companies to help it along. For one thing, consistent naming would make it easier for people to compare how quickly the different anti-virus companies roll out updates that allow their products to detect the latest threats.
"For most of [the vendors], this is like Esperanto: You can speak it if you want to, but everyone else is going to carry on babbling in their own native tongue, so it doesn't really matter," Stewart said.
The goal of CME was not to solve the naming problems of the anti-virus industry, said Steve Christey, a senior security engineer at MITRE. Still, Christey said he hopes the CME program can eventually help address that problem.
"This is the first real public event strongly associated with CME, and no doubt we will learn a lot from this and make improvements in the future," Christey said. "It will take some time for everyone to get this right, and we shouldn't expect perfection coming out of the gate."
Update, 1:27 p.m. ET: Someone just pointed me to another interesting discussion about this going on over at the blog run by the ESET anti-virus people (makers of NOD32).