Do you ever wonder where malware names come from? What’s in a name, after all? There’s Heartbleed, Melissa, and GooLoad. There’s even ILOVEYOU. All these names appear to have come from nowhere, just like the malware they’re attached to.  

There is no universally adopted standard for naming malware, although you’d think there would be (more on this later). After all, thanks to the World Meteorological Organization, we have official annual lists of names for hurricanes. The International Astronomical Union has formalized the familiar cultural names for hundreds of stars like Betelgeuse and Sirius and defined an alphanumeric nomenclature for the millions of other celestial bodies in the universe. And the World Health Organization names virus variants, like Omicron for Coronaviruses and H1N1 for influenza. 

Is There a Method to the Malware Naming Madness?  

The short answer is: sort of. Usually, malware is named by the threat researcher who discovers it. These analysts work in the computer and network security industry, typically for commercial or government organizations. And there are patterns that these researchers often follow. 

For example, there are names for malware types that are based on functionality, such as banker, downloader, backdoor, dropper, spyware, keylogger, or Trojan. Similarly, a name is sometimes based on the method by which the malware actually operates. Heartbleed, for example, was so named because it bled secret banking information back to the attacker – information considered to be the heart of the victim organization. The media latched onto the name Heartbleed because it is so descriptive and emotional – as well as sufficiently scary – garnering it a lot of attention. 

Names may also designate a malware family. Malware authors continue to innovate, often creating new variants of existing malware to avoid detection or increase their impact. If the researcher can identify commonality in the code signature, malicious commands, and attack style, then it is likely the new threat is based on a known malware family. 

Sometimes threats are named by the malware author, rather than a researcher, and promoted as a kind of branding. For example, the Janus syndicate was especially aggressive in promoting its ransomware modules, Petya and Mischa (or Misha). These were sold as a pair in underground forums, and Janus was anxious to make sure that the names were something that they controlled because they generated billions of dollars in revenue. 

When Patterns Don’t Apply, Malware Names Can Get Interesting

Sometimes the people naming malware just get creative. Many years ago there was ILOVEYOU, named for its email attachment “love-letter-for-you.txt,” a file that carried malicious code. This is back when we were quite naive about these malicious attachments. What made it suspicious was that the attack arrived as an email from a business contact. Typically, you don’t get love letters in this environment. But it was a simple virus for a much simpler time.  

Here are some other interesting names out there in the wild: 

  • The name Koobface is an anagram of Facebook. Koobface is a computer worm that spreads via social media sites.  
  • Melissa is a “macro virus” that targets Microsoft Word and Outlook. The author named the virus for a stripper that he knew in Florida called Melissa. Go figure.  
  • Michelangelo was so named because it was designed to activate only on Michelangelo’s birthday, which happens to be March 6. 
  • CIH was simply named using the initials of its developer, Chen Ing-Hau. Not very exciting, namewise. However, according to The Virus Encyclopedia, its other popular name, Chernobyl, emerged because the payload trigger date, April 26, is the same date as the nuclear disaster. That’s a much more dramatic name, and better for news value, but the association was not intended. 

Attempts To Tame the Mess

While there is no single, global registry of official names for all the malware out there, there have been attempts to establish standards for naming. In 1991 the Computer Antivirus Research Organization (CARO) came up with the first Virus Naming Convention. It looked like this: 

Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]

The malware landscape has changed considerably since then, as have the means of detection, rendering the 1991 convention obsolete. However, CARO meets annually and has continued to update what it today calls the CARO Malware Naming Scheme. Formally adopted by some organizations, including Microsoft, the format of the current scheme is: 

Type:Platform/Family.Variant!Suffixes 

In practice, a name following the scheme looks like this:

Email-Worm:Win32/Bagle.aav!dll 

In reality, however, every anti-virus (AV) vendor uses its own naming convention, although most are a variation of the CARO scheme. The result? Things are still messy. For example, names of the email worm Bagle (and its variants) that turn up in a web search include w32.Beagle.A@mm, I-Worm.Bagle.gen, Email-Worm.Win32.Bagle.ge, and Worm:HTML/Bagle!mail. So much for standardization! 
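To see the mismatch concretely, here is an added example (not part of the original article, and not CARO's or any vendor's code) that parses the Type:Platform/Family.Variant!Suffixes layout and sorts four of the names quoted above into conforming and vendor-specific. The character classes in the regular expression and the helper names `parse_caro` and `triage` are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Type:Platform/Family.Variant!Suffixes, with variant and suffixes optional.
# The allowed characters per field are an assumption, not taken from a spec.
CARO_RE = re.compile(
    r"^(?P<type>[A-Za-z][A-Za-z0-9-]*):"
    r"(?P<platform>[A-Za-z0-9_]+)/"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?P<suffixes>(?:![A-Za-z0-9_]+)*)$"
)

class CaroName(NamedTuple):
    type: str
    platform: str
    family: str
    variant: Optional[str]
    suffixes: tuple

def parse_caro(name: str) -> Optional[CaroName]:
    """Return the parsed fields, or None if the name does not fit the layout."""
    m = CARO_RE.match(name.strip())
    if m is None:
        return None
    suffixes = tuple(s for s in m.group("suffixes").split("!") if s)
    return CaroName(m.group("type"), m.group("platform"),
                    m.group("family"), m.group("variant"), suffixes)

# Detection names quoted in the article.
SAMPLES = [
    "Email-Worm:Win32/Bagle.aav!dll",
    "w32.Beagle.A@mm",
    "I-Worm.Bagle.gen",
    "Worm:HTML/Bagle!mail",
]

def triage(names):
    """Split names into {name: fields} for conforming ones and a reject list."""
    parsed = {n: parse_caro(n) for n in names}
    ok = {n: p for n, p in parsed.items() if p is not None}
    return ok, [n for n, p in parsed.items() if p is None]

if __name__ == "__main__":
    ok, rejected = triage(SAMPLES)
    for name, fields in ok.items():
        print(name, "->", fields)
    print("vendor-specific, needs its own parser:", rejected)
```

Only the two conforming names yield a family field that can be compared directly; the rejected ones need per-vendor handling before detections from different products can be correlated.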

It doesn’t help that antivirus (AV) terminology itself is very quirky and inconsistent. Most AV products defend against malware, and “malware” is much broader than “virus.” But in the mind of the public, the word “virus” has stuck and is often used interchangeably with malware. Similarly, “Trojan” is often used as a synonym for virus. But in fact, it is an attack vector.  

So, if malware names in the news amuse you, or leave you scratching your head, you’re not alone. Don’t be dismayed. The name makes some kind of sense, at least to the person who named it.  

A.N. Ananth

A.N. Ananth is Chief Strategy Officer at Netsurion, co-creator of Netsurion's Open XDR platform, and has an extensive background in product development and cybersecurity operations.