Assigning Descriptive Names to Malware – Why and How?

In addition to naming malware according to predictable formats, as I described earlier, security firms often assign descriptive names to high-profile malicious programs. The researcher who coins the name that sticks, should the specimen gain notoriety, gets bragging rights. The person’s employer might also benefit from a slight marketing boost.

It’s natural for a researcher analyzing a malicious program to want to refer to the specimen by a memorable name. Such descriptive names are often based on an artifact of the sample itself: a file name the program used, a registry key it created, or a distinctive string embedded in the executable.

For instance, the name of the recently discovered “Duqu” malware is, according to Symantec, based on the prefix “~DQ” that the malicious program uses when naming some of its files. The name was assigned to the specimen by the Laboratory of Cryptography and System Security (CrySyS). According to CrySyS, they

“Participated in the discovery of Duqu malware within an international collaboration. While gathering deeper knowledge about its functionality, we have confirmed Duqu is a threat nearly identical to Stuxnet. After the thorough analysis of samples we prepared a detailed report about Duqu, named by us.”

Because the origins of the Duqu discovery trace back to CrySyS, rather than stemming from independent discoveries made by antivirus companies, the security community didn’t have the opportunity to develop alternative names for this malware. As a result, Duqu is the name that stuck.

As another example, consider how Conficker got its name. Variants of this malicious program were initially known as Downadup and Kido. At the end of November 2008, the program was observed to have direct associations with the domain trafficconverter.biz. One theory suggests that the name “Con-Fic-K-Er” was derived from rearranging the letters of “trafficconverter” (the domain name contains no letter k, so the rearrangement is not exact). The use of “ficker” in the name is attributed to “a vulgar nominalized form of the German transitive verb ficken, which is common German for the English ‘f**k’.”
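Both naming sources mentioned above, artifacts pulled out of the sample (a file-name prefix such as ~DQ, a registry path, a contacted domain) and a name assembled from the letters of a domain, can be checked mechanically. The Python below is an added example, not code from the original post or from any of the vendors named here. The byte blob standing in for a section of an executable and the noise list of boilerplate strings are constructed for illustration, and the classification regexes are rough heuristics chosen for this example, not a standard.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed stand-in for a chunk of an unpacked executable; not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    b"\x01\x02~DQ1.tmp\x00~DQ2.sys\x00~DQ7.tmp\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"HKLM\\SOFTWARE\\Example\\Updater\x00"
    b"trafficconverter.biz\x00"
    b"This program cannot be run in DOS mode\x00"
)

# Strings present in almost every Windows binary say nothing about this one.
NOISE = {
    "KERNEL32.dll", "GetProcAddress", "LoadLibraryA",
    "This program cannot be run in DOS mode",
}

# Small TLD set used to tell a domain apart from a file name (assumption for the example).
TLDS = {"biz", "com", "net", "org", "info", "ru"}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(s: str) -> str:
    """Bucket a string into the artifact types researchers tend to name malware after."""
    if re.match(r"(HK(LM|CU|CR|U)\\|SOFTWARE\\)", s):
        return "registry"
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", s) and s.rsplit(".", 1)[-1] in TLDS:
        return "domains"
    if re.fullmatch(r"[~\w-]+\.[A-Za-z0-9]{1,4}", s):
        return "files"
    return "other"


def naming_artifacts(data: bytes) -> dict[str, list[str]]:
    """Group the distinctive strings of a sample; file prefixes such as '~DQ' are reported too."""
    out: dict[str, list[str]] = {"files": [], "registry": [], "domains": [], "other": []}
    for s in extract_strings(data):
        if s not in NOISE:
            out[classify(s)].append(s)
    # Temp-file style names (~XXn.ext) often share a short prefix worth noting.
    out["file_prefixes"] = sorted({f[:3] for f in out["files"] if f.startswith("~")})
    return out


def letters_not_in_source(name: str, source: str) -> dict[str, int]:
    """Letters of `name` (with multiplicity) that `source` cannot supply.

    An empty result means `name` can be spelled by rearranging a subset of
    `source`'s letters; anything left over is what the rearrangement theory
    has to explain."""
    return dict(Counter(name.lower()) - Counter(source.lower()))


if __name__ == "__main__":
    for category, items in naming_artifacts(SAMPLE).items():
        print(f"{category}: {items}")
    print("conficker vs trafficconverter:", letters_not_in_source("conficker", "trafficconverter"))
```

Run against the constructed blob, the file bucket comes back as the three ~DQ names with a single shared prefix, the registry and domain buckets hold one path each plus the domain, and the letter check reports that only a k cannot be taken from “trafficconverter”, which is exactly the letter the anagram theory has to account for.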

The name Conficker stuck, perhaps because it was more memorable than the alternatives. Sean Sullivan from F-Secure pointed out that the company initially “used Downadup (Kaspersky based name), but kept getting asked about Conficker.” So they switched.

The marketing advantage in the case of Conficker belonged to whichever company began using the name that stuck first, because the public may have perceived that firm as the first to research this specimen, and because web searches for “Conficker” may have led more visitors to that company’s website. (Despite this, I still don’t know which firm or individual actually coined the name. Do you?)

I’m fascinated by onomastics, and wish I had the time to perform a more comprehensive study of the descriptive names that have been assigned to popular malware samples in the short history of the antivirus industry. Digging into the details, including interviews with the people who examined the specimens and picked the names could provide an interesting context to such stories. Perhaps someone else can take on that quest.

— Lenny

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.