Recently – perhaps for the last two to three years – there has been a significant level of publicly voiced dissatisfaction with the confusion that exists around the naming of malicious software (malware). This problem has always existed within the antivirus (AV) industry (and elsewhere), but has become especially salient in the last few years with the 1999 appearance of the first ‘successful’ self-distributing viruses (Ska, Melissa) and the ensuing rapid growth in viruses that deliberately distributed themselves, and particularly the growth of the mass (or ‘fast’) mailers.
This is not the long-awaited update to the Computer Antivirus Research Organization (CARO) naming convention document, but rather a discussion document elaborating most of the updated naming convention that has so far been agreed. This discussion paper should be sufficiently complete to provide good guidance on naming most malware of concern to contemporary antivirus and related security researchers, although a couple of real problem areas, such as how to deal with multi-component malware dependent on multiple platforms and/or carrying along ‘innocent’ utilities, are still to be finally resolved by the CARO naming group. It is hoped the scheme extensions and usage advice still under discussion will be resolved within the next month or so. Thus, although the advice in this paper does not address the final updated standard, following this advice should result in the creation of virus names that conform to the finally settled version of this naming convention. If the guidance on malware naming in this paper is followed, future virus naming confusion can be reduced.
However, our collective success in achieving such a reduction depends largely on two forms of cooperation between AV researchers and others who name malware. First, a general commitment to follow this (or some) set of guidelines is needed, and second, an agreement to work toward standardizing the actual family names used for each malware family is imperative. This latter objective is the larger (and harder to reach) requirement of standardizing names across the industry, but it is entirely unlikely to be met until some agreement on naming form is achieved. At best, all this guide can do is describe the ‘rules’ for forming acceptable names. When it comes to actually choosing a name in the first place, all this guide can do is offer some fairly general dos and don’ts for choosing ‘suitable’ family names. The work of co-ordinating family names across products is a rather more complex task than the current author intends to address in this guide, but it is an ideal he encourages his fellow AV researchers to actively strive toward.