The Anti-virus Times

Monday, August 15, 2016

People name their children, pets, steamships, and cities, and the naming does not stop there. Malicious programs have names, too, so that it’s possible to tell them apart.

Each anti-virus developer has its own method for naming viruses and Trojans. For example, to assigns names to malware, Doctor Web uses the following pattern:

[malware class].[malware name].[version]

So, in the case of Trojan.Bolik.1, the word "Trojan" denotes the malware class; "Bolik"is its name; and "1" is the Trojan's version.

How can one determine a malware class?

Malicious programs can be distinguished by the type of platform they target. Most programs target Windows. Android ranks second in terms of the number of threats that exist for it. However, this doesn't mean that Trojans don’t exist for other platforms: there are malicious programs for Linux, Mac OS X, and various mobile platforms including Blackberry, but they are far fewer in number. That's why names for Android Trojans in the Doctor Web nomenclature start with the class name Android, e.g., Android.BankBot.20, while the names of malicious programs for Linux start with Linux, e.g., Linux.Ellipsis.1 . Sometimes the marker 'origin' is appended to Android Trojan names. It means that programs of this kind are detected using the technology Origins Tracing.

As far as Trojan names for Android and Linux are concerned, things appear to be quite simple. However, when it comes to Windows, there exist a far greater number of malicious programs which can be distinguished by their features. For example, common file infectors can replicate themselves and infect other files. At Doctor Web, this category of program is denoted as Win32 or Win64—depending on the platform for which they are intended. Accordingly, the malware Win32.Rmnet.16 is a file infector.

Unlike viruses, worms don't infect executable files but can spread over a network and use email as a transport—worms can send themselves as email attachments or create copies of themselves in shared folders. Doctor Web experts include them in the category HLLW—High-Level Language Worm—or HLLM (High Level Language MassMailing Worm).

The most common malicious applications fit into the Trojan category. The name comes from the famous ancient myth about the wooden horse presented as a gift to the citizens of the besieged city of Troy by the Achaeans. When night fell, Achaean warriors emerged from the giant wooden structure and opened the gate to let their army into the sleeping city. Trojan programs act in a very similar way: they get into a system in the guise of a harmless application such as a video player or a game and, when launched, commence their malicious activities. Catching a culprit of this kind can be difficult—many Trojan horses can hide in a system and bypass some types of anti-virus protection.

BackDoor is yet another malware category. As the name suggests, these programs grant attackers unauthorised access to a system without user consent. Intruders can use backdoors not only to view and copy files but also to control the infected machine, launch various programs, delete all the information stored on the hard drive, render the system non-operational, steal money from a bank account or plant incriminating evidence.

Other less common classes also exist. Adware encompasses applications that display annoying ads and JS is used for malicious JavaScript code.

Modern malicious programs are usually equipped with a wide array of features and often combine the properties of several classes. For example, a malicious species can facilitate remote control over an infected machine (act as a backdoor), but can replicate itself in system folders (as a worm) and, under certain circumstances, can infect an executable (like a virus). What category does such a program fit into? In such cases, the class hierarchy is taken into account, e.g., File infector → Worm → Backdoor → Trojan. The arrangement of the classes reflects the severity of the threat they pose. Here the ability to facilitate unauthorised access (backdoor) is less dangerous than the feature that enables programs to spread over networks (worm), which in turn is less dangerous than the ability to infect executable files (virus). Therefore, the sample described above is likely to be named Win32.name.version or Win32.HLLW.name.version, that is to say that it will be classified as a file infector that incorporates some worm-like features.

Virus analysts select a specific name for each malicious program; to generate a name, they usually use a certain feature in the program's code or some other properties of the species. So, for example, the file infector Win32. HLLP.Karud is named after a certain string in its code. Other Trojans exhibit such “elegance” in their inner organisation and perform their malicious tasks in a system in such a “delicate” and “sophisticated” way that their names inevitably reflect that. These include programs of the family Win32.Silly. Some properties of certain threats can also become part of their names. In particular, one of the fallen in virlab backdoors experts puzzled by the presence of a block of encrypted data, the purpose of which seemed ambiguous analysts.

Определенные свойства некоторых угроз также могут наложить отпечаток на их обозначение. В частности, один из попавших в вирлаб бэкдоров озадачил специалистов наличием блока зашифрованных данных, назначение которого показалось аналитикам неоднозначным. Троянца тщательно изучили, после чего ему было торжественно присвоено вполне заслуженное имя BackDoor.Mutny.

However, one of the most popular and widespread names in the Dr.Web virus databases is assigned to malicious applications by the special program Signature Generator (abbreviated as “Siggen”). You can easily guess what types of names the robot assigns to these Trojans.