How malware and vulnerabilities get their names

You may have wondered where Cryptolocker or Heartbleed came from, and why. And does every virus and vulnerability get a name?

Most individual pieces of malware aren’t given special names. In this sense, malware is similar to stars (with the exception that we don’t offer users the option to pay to name malware): there are so many that giving each a unique handle would be nearly impossible. The majority of malware samples are named based on their functionality, such as Banker or Downloader, or they are given a completely generic name, such as Agent or Malware.

Then you have bigger malware families, whose naming makes sense from both a threat intelligence and a public relations perspective. I guess you can think of this as giving malware families last names. Researchers cluster related samples into a family so they can track its activity and investigate new variants as they appear, because malware nowadays evolves rapidly. Family names are usually based on something known about the samples, such as a string taken from a command and control (C&C) domain, the author's handle, or the samples' functionality.

Researchers also use special naming for malware families and vulnerabilities if they believe it will have a large impact on the public and will attract attention from the media.

In some cases, the malware creators name their malware themselves. Petya and Mischa, a pair of ransomware families sold together, are heavily marketed on the darknet by their creators, a group calling itself Janus. Janus has even created logos for Petya and Mischa.

Heartbleed is particularly interesting, as it's a genuinely serious vulnerability (CVE-2014-0160, in OpenSSL's implementation of the TLS heartbeat extension) that allows attackers to read chunks of the server's memory, leaking, for example, the private key behind the server's certificate, session cookies, and whatever else happens to be lying nearby. The attacker sends a crafted heartbeat request. A heartbeat is essentially "Echo the data I'm sending you," and the request carries both the data and a length field saying how much of it there is. The vulnerable server trusted that length field without checking how many bytes had actually arrived, so it copied up to 64 KB of adjacent memory into its reply and bled it to the attacker, one request at a time and without leaving anything in the usual server logs. And voila, you have Heartbleed, which personally I think was a really cool name! The media loved it, because it describes what the vulnerability actually does.
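To make the mechanism concrete, here is an added example of my own; it is not code from the original post and not OpenSSL's code. It models a heartbeat record (type, 2-byte length, payload, padding, as in RFC 6520) sitting at the start of a small simulated memory buffer, with a constructed stand-in for key material placed a few dozen bytes further on. The vulnerable handler copies as many bytes as the attacker's length field claims; the fixed handler refuses when the claimed length does not fit inside the record that actually arrived, which is what the OpenSSL fix did. The buffer layout, the `SECRET` string and the `demo` helper are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    128
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16           /* RFC 6520: at least 16 bytes of padding */
#define SECRET_OFF  48           /* assumed position of "key material" in memory */
static const char SECRET[] = "PRIVATE-KEY-BYTES";   /* constructed stand-in for a private key */

/* Simulated process memory. The received heartbeat record is placed at offset 0;
   the secret happens to live a little further on, as key material might. */
static unsigned char server_mem[MEM_SIZE];

/* Lay out an incoming heartbeat request. payload_len bytes are really sent;
   'claimed' is what the attacker writes into the 2-byte length field.
   Returns the length of the record that actually arrived. */
static size_t receive_heartbeat(const unsigned char *payload, size_t payload_len, uint16_t claimed) {
    memset(server_mem, 0, MEM_SIZE);
    memcpy(server_mem + SECRET_OFF, SECRET, sizeof SECRET - 1);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed >> 8);
    server_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(server_mem + 3, payload, payload_len);
    memset(server_mem + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable handler: echoes 'claimed' bytes without looking at the record size. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    size_t payload_len = ((size_t)server_mem[1] << 8) | server_mem[2];
    (void)record_len;                                 /* never consulted: this is the bug */
    out[0] = HB_RESPONSE; out[1] = server_mem[1]; out[2] = server_mem[2];
    memcpy(out + 3, server_mem + 3, payload_len);     /* over-reads past the record */
    return 3 + payload_len;
}

/* Fixed handler: the length field must fit inside the bytes that actually arrived. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    if (record_len < 3 + HB_PADDING) return 0;        /* too short to be a valid heartbeat */
    size_t payload_len = ((size_t)server_mem[1] << 8) | server_mem[2];
    if (payload_len > record_len - 3 - HB_PADDING) return 0;   /* drop silently, no reply */
    out[0] = HB_RESPONSE; out[1] = server_mem[1]; out[2] = server_mem[2];
    memcpy(out + 3, server_mem + 3, payload_len);
    return 3 + payload_len;
}

/* Does the secret appear anywhere in the response? */
static int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload with the given claimed length to one of the handlers.
   Returns -1 if the secret leaked, otherwise the response length (0 = request dropped).
   'claimed' is clamped so the vulnerable over-read stays inside the simulated memory. */
int demo(int use_fixed, uint16_t claimed) {
    unsigned char out[MEM_SIZE + 3];
    if (claimed > MEM_SIZE - 3) claimed = MEM_SIZE - 3;
    size_t record_len = receive_heartbeat((const unsigned char *)"hi", 2, claimed);
    size_t n = use_fixed ? heartbeat_fixed(record_len, out)
                         : heartbeat_vulnerable(record_len, out);
    return contains_secret(out, n) ? -1 : (int)n;
}

int main(void) {
    printf("vulnerable, claimed 64: %d\n", demo(0, 64));  /* -1: key bytes echoed back */
    printf("fixed,      claimed 64: %d\n", demo(1, 64));  /*  0: request discarded */
    printf("fixed,      claimed  2: %d\n", demo(1, 2));   /*  5: honest heartbeat answered */
    return 0;
}
```

The honest heartbeat (claimed length equal to the bytes sent) is answered by both handlers; only the lying one is dropped by the fixed handler, so a correct fix costs nothing for legitimate peers. Note that the real bug read from a heap buffer, so what leaked depended on what had recently been allocated next to the record, which is why repeated requests turned up different fragments each time.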

Quite often, different antivirus vendors use different names for the same family. For the most part, though, we all try to stick to the same name to avoid confusion. Of course, no one agrees on everything. On this question there are two camps: one wants to give every sample it discovers its own name; the other wants a single detection name that simply says "It's malware!" Right now we are somewhere in the middle, and this will probably never change.

So there you have it, folks! Now you know how malware is named.


Author: Jiří Sejtko, 25 November 2016