Virus Naming Still a Mess

Each time a new or uniquely dangerous virus or worm surfaces online, the major anti-virus companies trip over themselves to come up with their own pet names for the bugs.

In some ways, this is a quaint holdover from an earlier, more innocent age, when the industry was young and most viruses were little more than harmless computer pranks or overt jabs at a certain dominant software maker in Redmond, Wash. At that time, many upstart anti-virus companies were trying to show off not just how quickly they could protect customers from the latest threats, but also how much better they understood the threat than any of the other vendors.

While the motivations, skills and resources of the online-criminal community have no doubt evolved over the years, certain practices of the anti-virus industry remain rather obviously behind the times. We now live in an era when most anti-virus companies are struggling just to keep pace classifying the dozens of new threats that online criminals unleash onto the Net each day.

Faced with such a Sisyphean chore, one might think that anti-virus vendors would see the value in coming up with common names for the same threats, if only to help their bewildered customers better understand whether they are protected from a particularly worrisome viral threat that appears to have a different name every hour.

Yet, like competing spies from different nations surveilling the same intelligence target in the field, the companies have largely refused to speak a common tongue when reporting home about the same viruses and worms.

This virtual Tower of Babel came crumbling down this past week as consumers and businesses struggled to figure out whether they needed to worry about the encroaching threat from a new worm that I hesitantly call "Blackworm" -- only because it is probably the most recognizable name this thing has garnered over the past few weeks -- even though, incredibly enough, none of the anti-virus companies acknowledge that name in their writeups.

To give you a small taste of how confusing this can be, check out all of the different names the anti-virus vendors assigned to the same worm:

Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

These days, most viruses and worms are created to widen the wallets of online cyber criminals by enlisting infected PCs in myriad online schemes involving everything from spyware to phishing and spamming.

But Blackworm was something of a throwback to earlier, more base and overtly hostile threats. Its main purpose is destructive -- on the third day of each month it will methodically delete certain types of files on the host computer, including Adobe PDF documents, compressed ZIP and RAR file archives, and any documents created in Microsoft Word, Excel or PowerPoint.

Aside from its destructive payload, the only real interesting thing about Blackworm is that it stands as the first major test of a new U.S.-government funded initiative to introduce some sanity into the virus-naming business. Dubbed the "Common Malware Enumeration" (CME) project, its stated mission was to "reduce public confusion during malware outbreaks."

That goal may have been a tad too lofty. My interviews with security experts dealing with the Blackworm crisis over the past two weeks indicate that virtually none of them expect the anti-virus industry to give up its willful naming practices.

Rather, the short-term goal of the CME, the experts I spoke with said, is to give a variously named nastygram a common name so that different security researchers could understand instantly that they were talking about the same piece of malware, without having to worry whether they were comparing notes on different threats.

This latest variant of "Blackworm" first surfaced around Jan. 17, but it wasn't until Jan. 24 that MITRE, a non-profit research group charged with overseeing the CME project, issued a number for the bug: CME 24.
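As an added example (not code from the original post or from MITRE), here is a small alias resolver built from the vendor names listed above and the CME 24 identifier. The decoration-stripping patterns and the rule that skips non-specific names such as "Generic" are assumptions of the example, not a vendor or CME specification; it shows why stripping vendor prefixes and suffixes alone cannot unify the names, and why an assigned common identifier is needed.

```python
"""Vendor-name normalisation and common-identifier lookup for one sample.

Added example, not code from the original post or from MITRE. The alias
table is the vendor list quoted in the post for the worm MITRE numbered
CME 24; the decoration patterns and the "non-specific name" rule are
assumptions of this example, not a vendor or CME specification.
"""
import re

# Per-vendor detection names for the same sample, copied from the post.
ALIASES = {
    "Authentium": "W32/Kapser.A@mm",
    "AVIRA": "Worm/KillAV.GR",
    "CA": "Win32/Blackmal.F",
    "Fortinet": "W32/Grew.A!wm",
    "F-Secure": "Nyxem.E",
    "Grisoft": "Worm/Generic.FX",
    "H+BEDV": "Worm/KillAV.GR",
    "Kaspersky": "Email-Worm.Win32.Nyxem.e",
    "McAfee": "W32/MyWife.d@MM",
    "Microsoft": "Win32/Mywife.E@mm",
    "Norman": "W32/Small.KI",
    "Panda": "W32/Tearec.A.worm",
    "Sophos": "W32/Nyxem-D",
    "Symantec": "W32.Blackmal.E@mm",
    "TrendMicro": "WORM_GREW.A",
}
CME_ID = "CME-24"  # identifier the post says MITRE issued on Jan. 24

# Leading type/platform decoration: "W32/", "Win32/", "WORM_", "Worm/",
# "Email-Worm.Win32." (matched case-insensitively).
_PREFIX = re.compile(
    r"^(?:(?:email-)?worm[/_.]|trojan[/_.])?(?:w32|win32)?[/._]?", re.I)
# Trailing vector tags ("@mm", "!wm") and Panda's ".worm".
_SUFFIX = re.compile(r"([@!][a-z]+|\.worm)$", re.I)
# One- or two-letter variant identifier: ".A", "-D", ".e", ".KI".
_VARIANT = re.compile(r"[.\-_][a-z]{1,2}$", re.I)

# Family tokens that label many unrelated samples; never key an alias
# index on them. (Assumption for this example; "Generic" is the obvious one.)
NON_SPECIFIC = {"generic"}


def family_token(name: str) -> str:
    """Strip vendor decoration and the variant letter, returning the family.

    This recovers "nyxem" from both "Nyxem.E" and "Email-Worm.Win32.Nyxem.e",
    but it cannot know that Kapser, Blackmal, Grew, MyWife and Tearec are the
    same worm: that knowledge comes only from comparing samples, which is
    what an assigned identifier such as CME-24 records.
    """
    n = _PREFIX.sub("", name.strip())
    n = _SUFFIX.sub("", n)
    n = _VARIANT.sub("", n)
    return n.lower()


def families(detections: dict) -> set:
    """Distinct family tokens across a set of per-vendor detection names."""
    return {family_token(n) for n in detections.values()}


# Exact (vendor, name) pairs -> common identifier. Keyed on the exact name
# because variant letters differ per vendor (Sophos "-D" vs F-Secure ".E")
# and must not be collapsed by the family token.
_CME_INDEX = {(v, n.lower()): CME_ID for v, n in ALIASES.items()}


def correlate(detections: dict) -> dict:
    """Map one sample's per-vendor detections to a common identifier.

    Returns {"cme": id or None, "families": sorted tokens, "matched": vendors}.
    Vendors whose name is non-specific are skipped during lookup.
    """
    cme, matched = None, []
    for vendor, name in detections.items():
        if family_token(name) in NON_SPECIFIC:
            continue
        hit = _CME_INDEX.get((vendor, name.strip().lower()))
        if hit:
            cme, matched = hit, matched + [vendor]
    return {"cme": cme, "families": sorted(families(detections)), "matched": matched}


if __name__ == "__main__":
    print(sorted(families(ALIASES)))  # nine different "families" for one worm
    print(correlate({"Sophos": "W32/Nyxem-D", "Grisoft": "Worm/Generic.FX"}))
```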

Now, granted, "CME 24" isn't nearly as memorable as the other names this threat earned, such as "MyWife" or "Kama Sutra," but again we're talking more about ways to help the security community rapidly identify these threats. Most anti-virus customers don't care what a threat is called. They simply expect it to be flagged and summarily executed.

The problem was that the anti-virus companies and independent security researchers wanted to call public attention to this very serious threat, but lacking a common name, each picked the most memorable one they could find.

I've heard people who worked closely with MITRE on this particular effort say they weren't notified quickly enough about the seriousness of the situation, and didn't have malware samples until a day or two after the threat surfaced. I also heard from anti-virus companies who said they couldn't wait forever for MITRE to issue a CME number.

But near as I can tell, none of that matters -- because most of the antivirus vendors didn't add the CME reference to their advisories until Jan. 31, nearly a week after it was made available. In fact, at the time of this writing, the name "CME 24" is completely absent from the worm warning issued by Kaspersky Lab, and McAfee only added it to theirs on Thursday. Trend Micro even came up with an entirely new name for the worm, even though it appears to stem from the same family that Trend named "Blueworm" back in September 2004.

Lest dear Security Fix readers think this is a problem only for the techies in the trenches, I want to share an experience that I think shows how much the tech media would benefit from a common naming convention. The Washington Post published a story in the paper on Thursday that I wrote regarding the coming storm threatened by the worm, which we called "Nyxem," mainly because it fit nicely with a bit of historical data we mentioned later on in the story.

A few hours after I filed the piece, an editor from the Business section at the paper called me to ask why we hadn't chosen to call the thing "Blackworm," since that was what he was seeing in news reports in some -- but hardly all -- other news outlets. I told him that at the time, none of the anti-virus companies were calling it Blackworm, and that it was unclear who had actually come up with that name.

We ended up calling the threat "Nyxem.D" in the article because our research showed that the worm first surfaced in March 2004 and attempted to enlist infected computers in an online attack against the New York Mercantile Exchange. As it turns out, Joe Stewart, a security researcher at LURHQ Corp., gave it the name "Blackworm." 

Stewart said he chose the name because, a) there was no common name for the threat and b) the viral code he was examining looked virtually identical to the code explained in a Sept. 2004 advisory from F-Secure Corp. That post identified one of the bug's menacing filenames as "Blackworm."

Now, here's the part that really kills me: Stewart's choice runs counter to the naming conventions of the anti-virus community, which generally goes out of its way to bastardize the name it thinks the virus or worm author would like its creation to have. (For example, "Nyxem" was derived by transposing the letters "m" and "x" in "Nymex," which is the common shorthand term for the New York Mercantile Exchange, the worm's original target.)

"These companies say that to name a virus what the author intends it is pandering, but on the other hand, if you're taking the names they intend and twisting them around ... aren't you just antagonizing them?" Stewart said. "Should we call Al Qaeda 'El Daiquiri' because we don't like their ways? Are we pandering to the terrorists by calling them what they want to be called? This is really the only industry where you see this kind of dynamic happening."

Stewart said he's not surprised that the industry hasn't embraced the new virus-naming scheme. After all, he said, it's not really in the best interests of the companies to help it along. For one thing, consistent naming would make it easier for people to compare how quickly the different anti-virus companies roll out updates that allow their products to detect the latest threats.

"For most of [the vendors], this is like Esperanto: You can speak it if you want to, but everyone else is going to carry on babbling in their own native tongue, so it doesn't really matter," Stewart said.

The goal of CME was not to solve the naming problems of the anti-virus industry, said Steve Christey, a senior security engineer at MITRE. Still, Christey said he hopes the CME program can eventually help address that problem.

"This is the first real public event strongly associated with CME, and no doubt we will learn a lot from this and make improvements in the future," Christey said. "It will take some time for everyone to get this right, and we shouldn't expect perfection coming out of the gate."

Update, 1:27 p.m. ET: Someone just pointed me to another interesting discussion about this going on over at the blog run by the ESET anti-virus people (makers of NOD32).

By Brian Krebs  |  February 3, 2006; 10:55 AM ET
Categories:  From the Bunker  

Comments

From a user perspective I agree that having multiple names is confusing.

From the anti-virus community point of fact it's almost impossible to have the same name, even given 24hr a day staffing. It's impossible for Symantec in Cupertino, CA to coordinate with F-Secure in Helsinki, and Kaspersky in Russia and have all of them have the same exact malware and same exact analysis and then give it a name. It would take nearly 24 hours to do this, way too late for their customers.

The only sensible thing to do is to choose a name and push out your definitions ASAP.

Now, if someone would just pre-publish a list of virus names for the rest of the year like Hurricane names, that would solve _some_ of this naming problem that you describe. With some of them (how many variants of Bagle are there?) it may be impossible even with this idea for it to work.

Oh, and after you've chosen your name, if you want to follow someone else's name, how do you do this, and ensure that all your customers get the new name?

You seem to be barking up a tree when there's nothing but leaves in the tree.

Posted by: David | February 3, 2006 12:44 PM | Report abuse

the virus naming problem can't be solved - even if you created a central list of names ahead of time the companies would still have to compare their new sample with samples from other companies to determine if the virus has already been given a name...

and if anyone actually cared to read the site (http://cme.mitre.org/about/faqs.html#a1) they'd know that the CME was not intended to solve the naming problem...

the CME is just a well coordinated alias (http://anti-virus-rants.blogspot.com/2005/10/what-common-malware-enumeration-really.html)

Posted by: kurt | February 3, 2006 3:04 PM | Report abuse

Hi,
I appreciate the layman's terms. Names for viruses and scams with some basic order would be excellent. T-KamaSutra.wormything to identify T=Temporary name, to be re-named and appropriately categorized as more information is available.
There is one other thing, for me, as a non-tech, I need direct and simple talk, brief explanations, we casual users are easily overwhelmed with too much information.
I see that you used an awful lot of words to say the same things repeatedly. (this I know. also guilty)
ty for your time :) it's appreciated

Posted by: KnotATech | February 3, 2006 5:29 PM | Report abuse

Did anyone else notice the similarity between CME (Common Malware Enumeration) and CME (The makers of Gator and the GAIN Network)? Does that make anyone else uneasy? I for one have learned to hate seeing "CME" anywhere on my system.

Posted by: ConstableBrew | February 3, 2006 5:32 PM | Report abuse

Al Qaeda is not what that group calls itself. The name stems from a computer file entitled "al qaeda" (literally, "the base") that was found on a confiscated laptop and listed contact information for a large portion of Bin Laden's network.

So by calling that group Al Qaeda I believe we do precisely what the anti-virus crowd aims for, instead of pandering to a group that instead calls itself "International Front for Jihad against the Jews and Crusaders" (http://en.wikipedia.org/wiki/Al_Qaeda)

Posted by: Grant Hutchins | February 3, 2006 6:11 PM | Report abuse

I think the point isn't to have all the companies refer to the virus by the same name as everyone else, but to give a common reference to the viral code when the company completes its tests and determines this is in fact ' CME-XYZ '.
All they'd have to do is append the CME code to their name or at least make reference to it in their documentation. As long as this occurred before the virus's Mal-Code is scheduled to go off it would help consumers find out if they are protected or not.
Personally I'd think they'd welcome this as I commonly see on anti-virus companies' webpages a long list of aliases. Instead of this they would just list the CME code. The media would pick up on this and instead of talking about a virus simply as 'Karma Sutra' they refer to the virus as 'Virus CME - XYZ commonly known as the Karma Sutra virus'

I for one welcome CME and our new Common Malware Enumeration overlords.

Posted by: The point on my head | February 3, 2006 6:23 PM | Report abuse

You wrote:

Stewart said he's not surprised that the industry hasn't _embarced_

Try embraced.

Posted by: Wooden | February 3, 2006 6:55 PM | Report abuse

Actually, I really like the idea of naming organizations that we don't like with silly names. Calling Al Qaeda "El Daiquiri" or "Army of Clowns" or something like that may actually lessen the desire of some people to be talked about as the guy who blew himself up for El Daiquiri. It would require us to be mercilessly consistent with the naming, and never slip, but it would be awesome to see a picture of a guy identified as the #2 Clown of the Clown Army.

Posted by: Patrick Glennon | February 3, 2006 7:03 PM | Report abuse

A few points about MITRE - first, it's MITRE, not Mitre. And it used to have offices in Reston, but it's based in McLean, VA and Bedford, MA.

For folks interested in how CME may (hopefully) look in the future, take a gander at the CVE project at http://cve.mitre.org, started by MITRE a little over five years ago to help with the same issue in vulnerability assessment. With any luck, the CME project will get the same level of commitment from vendors soon that CVE has.

Posted by: Anal retentive fella | February 3, 2006 10:40 PM | Report abuse

As a mathematician and an American, the last thing I want is for malware to be "summarily executed". Way to overload the semantic space, chief!

Posted by: Nick Black | February 3, 2006 11:34 PM | Report abuse

"Blackworm", "Kama Sutra"? Why exactly should they have called it that? Because the muppets in the media thought it was catchy? Did you not notice that NO AV vendor called it by either of those names? The AV companies are the authorities on what these things can do. They analyze the d*&n things, not Tom Brokaw.

Posted by: DM | February 4, 2006 12:10 AM | Report abuse

When mentioning AV suppliers, don't forget ClamAV (http://clamav.net/).

A virus alias database is being operated here:

http://www.rainingfrogs.co.uk/

Posted by: ScratchMonkey | February 4, 2006 3:39 AM | Report abuse

I'm a total layman at this, but one of my Yahoo! Groups, with nearly 2,000 very diverse members scattered all over the world, got hit repeatedly by the Nymex/Blackmal/Grew/MyWife... worm, meaning that everyone who received their messages by e-mail was vulnerable if he or she tried to open the attachment. So I did my best to do some informal research in order to advise and warn my fellow members, and was frustrated not to find explanations initially on some obvious sites like Norton/Symantec and C/Net. But I think I'd just overlooked unfamiliar names like "I-Worm [something]".

The profusion of names caused no direct damage, but it makes it hard to find out what's going on in real time, and it's obviously gotten way, way out of hand. Three or four names one can live with, just as there are a couple of different names for the U.S. (America), Britain (England, G.B., the U.K) and the Netherlands (Holland). But this has gone beyond the point of absurdity or manageability.

The CME codes can help (just as unique, common Latin Linnaean genus/species names help in biology and nature), but eventually people who aren't professionally involved are just going to lose track of the numbers, just as a non-preparer won't know what distinguishes IRS Form 5829 from Form 5332. Far better hurricane (or geographic or historical or mineral or animal) names in some kind of alphabetical or chronological order.

As for reverse psychology and denying satisfaction to the virus creator (calling Skynet Netsky for example), that's a plausible argument that doesn't really hold up. Very often what's intended as a term of abuse or contempt is adopted by the target with ironic pride, as the British Expeditionary Force called themselves "The Old Contemptibles" after the Kaiser dismissed them as "a contemptible little army". Similarly with the Irish anti-English insults "Tories" and "Brits". And police often call themselves by names that were originally insults like "coppers", "Peelers", "the fuzz" or "flatfeet".

The only problem with using the hacker's own name for a bug is that he or she would then start either varying the name (in identical bugs) or repeating it (over different ones) in order to frustrate the anti-virus community.

I've wondered what classic song lyric best applies to this Babel: Ruby Tuesday (who could hang a name on you, when you change with every new day), Sympathy for the Devil (pleased to meet you, hope you guess my name; but what's troubling you is the nature of my game), A Horse with No Name (in the desert you can't remember your name, 'cos there ain't no one for to give you no pain) or Rocky Raccoon (her name was McGill and she called herself Lil, but everyone knew her as Nancy.)

Posted by: Dave 2 | February 4, 2006 7:12 AM | Report abuse

I was trying to avoid commenting on it, but it keeps getting brought up. Presetting "Lists" of names "like we do for hurricanes" is impossible. Let's consider two AV companies, AVX and AVY. Company AVX gets 200 malware samples sent in over the course of a day by various sources (including mostly their customers). Company AVY gets 250 samples sent in over that same period, but also has some net-scouring spiders trolling through known malware stores... adding another 50 to their daily total. The problems with the "list" now become obvious. 1) it's an impossibility that the first 200 samples received by the two companies 1a) arrived in the same order 1b) contain exactly the same set of files. 2) company AVY is surely going to exhaust more names on the list on this given day than company AVX.
I think ones who suggest this 'hurricane list' sort of approach are unaware of the sheer scale of detection signatures produced daily by most AV. Simply because one piece of malware gets media attention every 45 days or so doesn't mean that those are the only threats AV customers are protected from; and most no less buzz-worthy than Nyxem-D. The Zotob-F worm only got media buzz because a few of CNN's servers got infected with it. Riddle me this: why had the computing community not heard media reports of Zotob-A, -B, -C, -D, -E before then?

Posted by: DM | February 4, 2006 8:16 AM | Report abuse

The media is responsible for a large portion of the naming problem this time. After the CME was assigned, professionals started using it. It was the media that persisted in using names they considered more sexy. If we could train the media to throttle-back the hype engines and cure the Henny-Penny syndrome perhaps this non-event could have been accurately reported from the beginning and we wouldn't now be worrying about whether the computing world will ignore us the next time we cry "wolf!" and mean it.

Posted by: Dave | February 4, 2006 3:41 PM | Report abuse

I don't think this was a wolf-crying or Henny Penny/Chicken Little phenomenon.

As Mr Krebs said in another blog here (comparing it to the hype over Y2k), it was probably only because many people from the most expert to the most amateur (e.g. me) took a great deal of effort to warn people about this and to direct them to preventive or curative measures that this attack wasn't much worse.

And it wasn't media hype that got me involved. It was being in a (non-adult) Yahoo! Group which normally exchanges lots of pictures by e-mail anyway, and whose (overwhelmingly non-techie) members are accustomed to opening attachments that seem to come from familiar names, including the moderator's. I didn't even realize this was a worm and might eventually have tried to open the attachment myself if the accompanying text hadn't been so strange for the context. It was only when a more technically-proficient member passed on the warning he'd got from his (relatively up-to-date) anti-virus program that I had a clue about what was happening and what names to search for on Google. (The AV company's warning to my fellow member included a list of names assigned by different companies, and half the lines were empty, including Grisoft/AVG's.)

That's where I ran into this whole nomenclature hassle.

***

As for hurricane names, I understand what you're saying and was using shorthand.

But if eventually all the professionals can be persuaded to use a common name like CME-24, why not devise a system (like hurricane names) which uses names that are easier for the media (and the ordinary folks they serve) to handle and remember?

While we're used to seeing news stories that refer to Form 1040 and W-2's, how many of us would react to a warning about Form 8814, Form 8862 or Form 8863? (...dealing respectively with the Alternative Minimum Tax, reclaiming a disallowed Earned Income Credit and tax credits for education.)

It might be a little difficult at first to persuade the media to switch names (and thereby inevitably confuse their readers and hearers) in mid-course, but eventually I think people might be persuaded to get used to seeing a metamorphosis from "the virus which was tentatively called Nightmare2 and which has now been officially named Quartz", just as [fictional] Tropical Storm 22 becomes Hurricane Xavier.

Going in the opposite direction from memorable name to dull number doesn't seem workable or feasible in the non-technical community which also has to deal with and prevent viruses (not every home user has an IT Dept.)

If an ordinary person has been discussing the dangers of Blackworm with his friends and associates, he's not going to switch over to calling it CME-24, any more than he'd start calling oncoming Hurricane Xavier "Tropical Storm 22" or refer to the Pole Star/North Star by its catalogue number.

And if his friend (using a different AV system or reading different news sources) has been discussing MyWife, he's not going to suddenly say "CME-24? we're talking about the same thing!" He'll say "you must have the wrong number, or maybe I do; I was discussing MyWife."

Posted by: Dave 2 | February 4, 2006 6:32 PM | Report abuse

I think you've identified a real problem -- in the real world, as well as the malware world. How the heck do people communicate when some are native English speakers and have mastered "cut down a tree" vs "cut up a tree", and others have to struggle through spelling like... like "through" (or "threw", but not "though" or "thought")?

More info on Esperanto at http://www.esperanto-usa.org or (in the US) 1-800-ESPERANTO.

Posted by: David Wolff | February 4, 2006 9:21 PM | Report abuse

"I think ones who suggest this 'hurricane list' sort of approach are unaware of the sheer scale of detection signatures produced daily by most AV"

What you are failing to realize is that the hurricane system only assigns names to the largest and most dangerous storms. I think that a hybrid system should be utilized.

The CME system would be used to provide a common name that the AV industry can use for the vast number of signatures they develop each day. This will reduce confusion within the industry as it provides a common index to each AV's own internal naming schema.

Once a severe threat has been identified (high infection rate, dangerous payload) a hurricane like naming system will be used to provide a public-friendly name.

Posted by: ConstableBrew | February 6, 2006 10:59 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company