Inside the malware name game
Every day, security researchers and machines identify myriad new malware strains and name the most dangerous ones. Hummingbad and Heartbleed, Stagefright and Shylock, Dridex and Duqu—the names of these computer viruses and other digital nasties are often as exotic as they are inscrutable.
What’s behind them? From researchers intent on gaining publicity to automated naming tools, here’s a rundown of malware-naming factors.
From the the early days of computer security, naming schemes for viruses and worms have been all over the map, from researchers’ beverage choices to messages contained within the actual code.
The Stoned DOS virus (1987) displayed a message saying, “Your PC is now stoned! LEGALIZE MARIJUANA!” Back Oriface (1998), an exploit that allowed attackers to gain backdoor access to Windows machines, was a play on Microsoft’s Back Office Server. The “I Love You” virus (2000) was named for the subject line of the emails that carried the virus payload. The Code Red worm (2001) was so named because the researchers at eEye Security who found it were hopped up on Mountain Dew Code Red at the time. And the Nimda Worm (2001) was simply “admin” spelled backward.
A common desire among security researchers was to use the name to claim an upper hand over—or just make fun of—the malware authors.
Researchers of a virus created by hacker David L. Smith, for example, discovered that he had embedded in its code the name of his favorite Miami exotic dancer: Melissa. Naturally, they named the virus after this vixen. Melissa caused $80 million of damage in March 1999 and ultimately landed Smith in federal prison for 20 months.
“When the antivirus industry started, there was an unwritten rule you would not call malware or viruses by what the author wanted them known as, because we didn’t want to encourage authors by giving them recognition,” says Seth Hardy, security researcher at Lookout Mobile Security. “So if an author named an exploit ‘Really Awesome SMS Forwarder,” we might call it ‘Really Bad SMS Forwarder,’ just to let them know they’re not actually that cool.”
The media connections
The names of most malware programs today refer to things they do or code they include. And because multiple researchers often separately discover the same threat, they tend to initially have several names.
Take a worm allegedly created by U.S. and Israeli intelligence agencies in the mid-2000s to damage Iran’s uranium centrifuges. When researchers at Belarus antimalware firm VirusBlokAda discovered the worm in June 2010, they named it Rootkit.Tmphider, because it gained root access to the operating system and hid inside temp (tmp) files.
When Symantec researchers encountered the worm, they called it Stuxnet, a mashup of two words found inside the code: “stub” (for the section of code where the worm’s primary payload was stored) and “xnet” (from mrxnet.sys, one of the drivers installed by the malware).
Stuxnet stuck; Tmphider faded into obscurity. Why?
“It usually comes down to the PR departments of the security companies,” says Patrick Hinojosa, former CTO for Panda Security and now a private consultant. “It’s about who knows who in the media and gets the story out first.”
Having a catchy name helps news about the threat spread and promotes the security company that discovered it, says Rahul Kashyap, chief security architect at Bromium.
“Vendors and researchers resort to jazzy names to provoke response from the Internet community,” he says. “Sometimes, naming becomes a pure branding or marketing campaign, which aggravates the security community, as some issues tend to get overhyped in the media cycle.”
But as the volume of malware has increased exponentially—more than 400 million variants were released in 2015, according to Symantec—the vast majority are given prosaic alpha-numeric monikers like MDVSA-2015-062, says Vincent Weafer, vice president of Intel Security’s McAfee Labs.
“Only high-profile threats get memorable names,” Weafer says. “Most are automatically named by machine-learning tools to provide a unique identifier for security solutions.”
And there are competing naming conventions. The Computer Antivirus Research Organization convention is to list malware by type, platform, family, then variant. Worm: Win32/Stuxnet.A, for example.
The Common Malware Enumeration convention, led by Mitre, also includes vulnerabilities open to malware like Heartbleed, which gets its name from an April 2014 exploit that targeted the “heartbeat” function of SSL encryption, causing otherwise encrypted websites to leak (or bleed) data.
Because a name like Heartbleed is more memorable and descriptive than CVE-2014-0160, its official name in the Mitre database, creative and sometimes conflicting names are likely to be with us for many years to come, says Kenneth Geers, senior research scientist at Comodo.
“Forensic naming conventions like those developed by CARO and Mitre are encyclopedic and necessary to categorize the thousands of run-of-the-mill code variants discovered every day,” Geers says. “But really impactful malware—just like a good rock ‘n’ roll band or hacker group—needs a memorable name, like Dire Straits or Lizard Squad. Thus, old hands and new still remember Code Red.”