Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Welcome Guest!

Join us now to get access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, and so, so much more. It's also quick and totally free, so what are you waiting for?


Who names computer viruses? Everybody


Recommended Posts

Who names computer viruses? Everybody

Speed and confusion rule on the antivirus front

By Mike Musgrove

Updated: 12:08 a.m. ET Feb. 26, 2004

Early one Monday afternoon, Craig Schmugar, virus research manager at computer security firm Network Associates Inc., was at his desk taking a quick look at the programming inside a new computer worm that his team had just discovered, still in the early stages of circulating the Web.

As Schmugar scanned through the worm's deciphered code, his adrenaline started pumping. This one had ambitions.

The worm disguised itself as a bounced piece of e-mail and had an innovative way of collecting addresses, looking for more potential victims. Schmugar had a feeling this one was going to create a lot of trouble; it was time to sound the alarms -- but first he needed to attach a name. What to call it?

Antivirus companies compete with each other fervently in the hopes that their customers will hear about the latest computer-based threat from them first. The result is that when there's an outbreak of a new virus or worm, companies often race to offer competing names for the same bug.

'Nobody is in charge'

For some, this regularly occurring confusion is starting to grate. A recent report submitted to the White House, "The National Strategy to Secure Cyberspace," called for more standardized methods of sharing information about security threats and criticized the confusion caused by conflicting names.

Industry officials have announced they are forming an alliance to resolve such problems, but many security experts said a solution will be difficult given the competitive nature of the antivirus business.

"Nobody is in charge and nobody is going to be willing to put anybody in charge who is not from their company," said David Perry, global education director at Trend Micro Inc. "And nobody -- nobody -- wants to add any level of anything" that will slow down the process of getting a fix to customers, he said.

In the early, pre-Internet days of the computer industry, new viruses were so rare and spread so slowly that a central organization of antivirus researchers signed off on the accepted name of each new virus that was discovered.

Today, viruses can spread worldwide in a couple of hours. And they are appearing at an increasingly rapid rate; by one estimate, 77,000 pieces of malicious code have been documented, though that number includes worms roaming the Web as well as code written but never released on the public.

Though the industry has settled on some general rules guiding virus nomenclature, the process can be remarkably haphazard. Recent viruses have gotten their names from soda drinks ("Code Red") and mythical beasts ("Bugbear"); some early antivirus researchers identified programs by working through a list of tree names.

There are as many rules about what not to name a virus as there are about what to call one. It is frowned on, for example, to name a virus after a person or a company. Antivirus researchers also avoid giving a virus the name its creator may have intended, as indicated in its code.

Same worm, different names

Confusion can occur when several companies give the same worm a different name. Many versions of a virus that came to be known as "klez" were considered relatively harmless, until a highly destructive sequel came out. Different antivirus firms had numbered the klez virus sequels differently, and corporate security teams were left scrambling as they had to figure out which version to be wary of.

"It can be bad news for the customers," said Alex Shipp, a senior antivirus researcher at e-mail security firm MessageLabs Inc. "They have no hope of sorting out that mess."

Schmugar at Network Associates said he has named about 200 viruses and worms, though not all have stuck. He tries to pick a name that refers to something unique or memorable about a virus's coding or behavior. In the recent case, he noticed the words "my domain" in the computer worm's programming. The words stuck in his mind, probably because they were related to the worm's advanced address-building capability. He shortened the reference to "mydom." Then he stuck in an extra "o," making "doom" part of the name.

"I steered away from the non-catchy names, because I knew it was going to be big," Schmugar said in a recent phone interview. "When I saw the word 'doom' as part of it . . . I thought that might be appropriate."

Schmugar estimates the decision-making process took less than three minutes.

That afternoon, Network Associates started warning its corporate customers about the "MyDoom" computer worm. (Its full name, "W32/[email protected]" also contains information recognized by computer security workers about what operating systems the worm hits and how it replicates itself.) Customers of Symantec Corp., meanwhile, got warnings about a worm called "Novarg." Trend Micro warned customers about a worm it called "Mimail.r."

Symantec derived its name from another, encrypted line of coding in the same worm; Trend Micro first thought the worm was a variant of a bug called "Mimail" because the two had some traits in common, and identified it as a sequel of that worm.

'MyDoom' catches on

There is a simple rule for which company gets naming rights: The person or company that finds and posts information about a virus first gets to name it. But that's a rule that is often dropped in the heat of the moment. It's not clear whether Network Associates actually named the worm first or not -- but "MyDoom" is the name that caught on.

MyDoom was eventually credited as being the fastest computer worm ever to hit the Web, with millions of infected e-mails clogging servers around the world. At its peak, one of Network Associates' major corporate clients was blocking infected e-mails at a rate of 160,000 an hour.

"By the time we realized what was happening," said Shipp at MessageLabs, "Network Associates had already attached the name 'MyDoom' and we thought that was pretty good. . . . 'Novarg' didn't really trip off the tongue, but 'MyDoom' just seemed to be the name that everyone was going to go for."

While MessageLabs guessed correctly that MyDoom would win the popularity contest, others backed what turned out to be the losing name. Among those was the U.S. Computer Emergency Readiness Team.

The organization, a partnership between the Department of Homeland Security and private industry, originally issued a bulletin warning the public against "Novarg." In subsequent bulletins, the organization shifted gears and used the "MyDoom" moniker, as have Symantec and Trend Micro. The fifth, and possibly most destructive, version of MyDoom was first spotted circulating the Web late last week.

Though the Computer Emergency Readiness Team applies the "who speaks first" naming rule whenever it can, "one of our main goals is to clearly communicate," said Shawn Hernan, a senior member of the organization's technical staff. "It wouldn't do us any good to try to insist on a name that people don't recognize."


Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Our picks

    • Wait, Burning Man is going online-only? What does that even look like?
      You could have been forgiven for missing the announcement that actual physical Burning Man has been canceled for this year, if not next. Firstly, the nonprofit Burning Man organization, known affectionately to insiders as the Borg, posted it after 5 p.m. PT Friday. That, even in the COVID-19 era, is the traditional time to push out news when you don't want much media attention. 
      But secondly, you may have missed its cancellation because the Borg is being careful not to use the C-word. The announcement was neutrally titled "The Burning Man Multiverse in 2020." Even as it offers refunds to early ticket buyers, considers layoffs and other belt-tightening measures, and can't even commit to a physical event in 2021, the Borg is making lemonade by focusing on an online-only version of Black Rock City this coming August.    Read more...
      More about Burning Man, Tech, Web Culture, and Live EventsView the full article
      • 0 replies
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
  • Create New...