How malware and vulnerabilities get their names

Jiří Sejtko, Nov 30, 2016 2:26:58 PM

Avast explains how malware and vulnerabilities are named.

You may have heard names like Cryptolocker or Heartbleed and wondered: Who comes up with these names? Why? The next question you may have is: Do all viruses and vulnerabilities get named?


Well, for the most part, individual pieces of malware aren't given special names. In this sense, malware is similar to stars (with the exception that we don’t offer users the option to pay to name malware): there are so many stars that giving each one a unique name doesn't always make sense. The majority of malware samples are named based on their functionality, such as Banker or Downloader, or they are given a completely generic name, such as Agent or Malware.

Then you have bigger malware families, where naming makes sense from a threat intelligence point of view, as well as from a PR perspective. I guess you can think of this as giving malware families family names, or last names. Researchers basically cluster samples for future investigation and track their activity, as malware nowadays evolves and morphs rapidly. These names are usually based on the information we know about the sample, such as a slightly modified command and control (C&C) domain, the author's name, or the sample's functionality.

Researchers also use special naming for malware families and vulnerabilities if they believe it will have a large impact on the public and will attract attention from the media.

In some cases, the malware creators name their malware themselves. Petya and Mischa, a double ransomware, is heavily marketed on the darknet by its creators, Janus. Janus has even created logos for Petya and Mischa.

How the Heartbleed vulnerability got its name is very interesting. Heartbleed is a really big security vulnerability that allows attackers to read the server's memory, leaking, for example, certificates. The attackers send a crafted heartbeat signal to the server; this signal is something like "Echo the data I'm sending you". The heartbeat signal, in this case, caused the exploitation of this vulnerability. The server sent back secret information, bleeding it to the attacker. And voila, you have Heartbleed, which personally I think was a really cool name! The media loved it, because it describes what the vulnerability actually does.
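To make the "heartbeat" and the "bleed" concrete, here is an added example (not from the original article and not OpenSSL's code) that models a heartbeat echo handler in two forms: one that trusts the length the message claims, and one that applies the bounds rule from RFC 6520 and discards messages whose claimed length does not fit. The function names, the single-array memory model and the secret string are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16                 /* minimum padding required by RFC 6520 */
#define SECRET "constructed-secret"   /* constructed stand-in for adjacent server memory */

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *out);

/* Vulnerable shape: echoes as many bytes as the message itself claims to carry. */
size_t echo_trusting(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                    /* the real record size is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Hardened shape: discard (return 0) unless type + length + payload + padding fit. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* One array models server memory: a 23-byte record, then SECRET right behind it.
 * The record carries 4 payload bytes but claims 40. Returns 1 if SECRET is echoed. */
int reply_contains_secret(hb_handler handler) {
    uint8_t mem[128] = {0}, out[128] = {0};
    size_t rec_len = 1 + 2 + 4 + HB_PADDING, slen = strlen(SECRET);
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = 40;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + rec_len, SECRET, slen);
    size_t n = handler(mem, rec_len, out);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("trusting handler leaks: %d\n", reply_contains_secret(echo_trusting));
    printf("checked handler leaks:  %d\n", reply_contains_secret(echo_checked));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against the size of the record that actually arrived.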

Quite often, different antivirus entities use different names for the same families. For the most part, though, we all try to stick to the same name to avoid confusion.

Speaking about the industry or even about my colleagues here at Avast, there are always two sides/groups. One side wants to name every sample they discover, giving each sample a special name, while the other group wants to have just one detection name, claiming “it’s malware!”. Now, we are somewhere in the middle and this probably will never change.

So there you have it, folks! Now you know how malware is named.

