The Name Game – Duh…

[Update: well, Sophos have, it seems, gone official on the name iPh/Duh, which I find quite unreasonably irritating. However, Paul’s latest blog (link below) includes some very useful info.]

http://www.sophos.com/blogs/duck/g/2009/11/24/clean-up-iphone-worm/

Paul Ducklin, what have you done?

Well, it’s not exactly Paul’s fault, as much as the industry’s: he referred at http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/ to the iBot thingie (yes, that again…) as Duh, since there’s no standardized name for it, and “because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm”.

And so, already we have various media sources referring to the Duh worm or Ikee.B. Well, if naming really mattered, I suppose we’d have all the various iPhone malware bits and pieces properly categorized and named by now. Historically, every vendor would have used a different name, of course, but there would have been some minimal cross-referencing and a semi-standard CARO-ish alternative. And probably the latest example (I really don’t like to describe it as a variant) would not have been called Duh because we tend to avoid using the form of name the malware author might have wanted.

Well, I haven’t changed my mind about naming, in general. In most cases, it’s largely irrelevant and often misleading, certainly in the Windows context. When you have many tens of thousands of unique binary samples coming in on a daily basis, accurately cross-referencing and naming them doesn’t seem much of a priority. (See one of these papers for a more complete picture of why I say that.)

http://www.eset.com/download/whitepapers/cfet2009naming.pdf
http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf

So most companies don’t seem to have bothered to name these at all, even though iPhone malware was obviously going to excite some media interest. Well, exact naming for fairly low-impact threats wasn’t an issue I could raise much interest in either. But the fact is that journalists and their audiences need a name to hang a malware story on, and they don’t care about the complexities of CARO-like naming (why should they?). So Duh will do, I suppose, especially since Paul as good as endorsed it. (“Perhaps, in fact, Duh is a good name for this virus.”)

What worries me is that at some point, someone is going to point to this as another example of how the AV industry can’t get its act together on naming, even on a platform with few enough threats to count on one hand. Well, we could have sorted this one out easily enough (and still could, in principle), but it will always be Duh now, so we probably won’t bother.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Definitely not speaking for the AV industry…

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/