
Exploring Nicknames: Unraveling the Origins of Cyber Assailants and Their Aliases (Initial Installment of a Two-Part Series)

Struggles to name cyber threats and attacks consistently have persisted since the early days of hackers and malware, though never severely enough to trigger a significant crisis in threat analysis and response. The inconsistency does, however, cause real inconvenience.

Issues surrounding the nomenclature of threats and attacks have persisted since the inception of hackers and malware. While not severe enough to trigger major crises in threat analysis and response, these naming difficulties have at times impeded progress.


The Trouble with Malware Names

Accurate identification of malware has been a persistent challenge in the cybersecurity landscape, with names often serving as a stumbling block for researchers and responders. Although inconsistent names have never directly triggered a major crisis, they have on occasion given cybercriminals an edge, strengthening their attacks or buying them more time.

In the early days of malware, new variants were relatively scarce, and the names chosen for them tended to be colorful. For example, the first mass-mailing virus, a precursor to later viruses such as LoveBug and Anna Kournikova, disguised itself as a Christmas tree image with an accompanying greeting; the deception fooled users while the malware generated excessive network traffic and caused several network outages. The media-friendly name, Christmas Tree worm, may have been catchy, but it focused on the harmless holiday symbol the malware displayed rather than on the danger lurking beneath.

The Jerusalem virus, which targeted MS-DOS computers, highlights another problem with malware names. It was first identified at the Hebrew University of Jerusalem and dubbed 1813 by antivirus researchers after the number of bytes by which it enlarged infected files. However, the virus infected both COM and EXE files and used a different technique for each, so the size increase was not always the same, and the number-based name did not fit every infection. The confusion extended to the media, which also knew the virus as Friday the Thirteenth. Its notoriety was compounded by a tendency to mutate, and some variants capitalized on the naming confusion, further hampering response efforts.

Inconsistent threat reports arising from naming differences can result in confusion, even when multiple products from the same vendor are involved. A hypothetical example demonstrates this confusion. Suppose:

  1. Incoming email attachments are being quarantined or deleted.
  2. Some laptops are flagged as actively infected.
  3. Network firewalls report malicious connections to known cybercrime sites.

Reports from these three incidents could easily mislead: they might conflate separate attacks, or label the same malware three different ways, and either mistake complicates the response.

Over the years, various attempts have been made to implement official taxonomies or naming schemes in the hope of producing consistent and compatible results. A common suggestion has been to adopt a storm-style, alphabetically ordered list of names, as meteorologists do for hurricanes, to ensure compatibility. This approach faces significant challenges. The high volume of new malware samples makes it hard even to agree on how many distinct threats there are, let alone to maintain the list consistently. Furthermore, a bare list of names gives researchers no information about a threat's potential side-effects or about associated malware that may be lurking in their networks.

Online services like Google's VirusTotal help address this issue by allowing cross-referencing between different threat detection tools, offering insights into the malware names used by different products and assisting in disambiguation.
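The two problems described above, alerts from several products that may or may not describe the same threat, and vendor labels that name the same family differently, have one practical mitigation: correlate on a shared indicator (such as a file hash) rather than on the detection name, and then derive a consensus family name from the labels. The following is an added example, not code from the original article or from VirusTotal; every alert, hash and family name in it is constructed, and the list of "noise" tokens is an assumed heuristic rather than any vendor's official scheme.

```python
"""Correlate multi-product alerts by indicator, then derive a consensus family name.

Added illustrative example. All alert records below are constructed; the
family "Zorbax" and the hash values are invented for the demonstration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Tokens that describe a threat's type, platform or detection method rather
# than its family. This set is an assumed heuristic, not a vendor standard.
NOISE = {
    "trojan", "downloader", "dropper", "worm", "virus", "backdoor", "malware",
    "mal", "gen", "generic", "variant", "heur", "heuristic", "suspicious",
    "win32", "win64", "w32", "w64", "pua", "pup", "agent",
}

# Constructed alerts from three hypothetical products in one environment.
# The email gateway and endpoint agent both key on a file hash; the firewall
# only sees a destination, so it cannot be tied to the file by indicator.
ALERTS = [
    {"source": "email-gateway", "indicator": "sha256:CONSTRUCTED-HASH-1",
     "label": "Trojan.Downloader.Zorbax-Gen"},
    {"source": "endpoint-laptop-07", "indicator": "sha256:CONSTRUCTED-HASH-1",
     "label": "W32/Zorbax.B"},
    {"source": "endpoint-laptop-12", "indicator": "sha256:CONSTRUCTED-HASH-1",
     "label": "Zorbax!rfn"},
    {"source": "endpoint-laptop-12", "indicator": "sha256:CONSTRUCTED-HASH-1",
     "label": "Mal/Generic-S"},
    {"source": "firewall", "indicator": "domain:c2.invalid",
     "label": "Mal/Generic-S"},
]


def normalize_label(label: str) -> List[str]:
    """Split a vendor detection string into lower-case tokens, dropping noise.

    Single-character tokens (variant suffixes such as ".B" or "-S") are dropped
    because they carry no family information on their own.
    """
    tokens = re.split(r"[^A-Za-z0-9]+", label.lower())
    return [t for t in tokens if len(t) > 1 and t not in NOISE]


def consensus_family(labels: List[str]) -> Optional[str]:
    """Return the family token most labels agree on, or None if every label is generic.

    Each token is counted at most once per label, so one verbose name cannot
    outvote the others. Ties are broken alphabetically for determinism.
    """
    votes: Counter = Counter()
    for label in labels:
        for token in set(normalize_label(label)):
            votes[token] += 1
    if not votes:
        return None
    return min(votes.items(), key=lambda kv: (-kv[1], kv[0]))[0]


def correlate(alerts: List[dict]) -> Dict[str, dict]:
    """Group alerts by the indicator they share, ignoring what each product called
    the threat, and attach a consensus family name to each group."""
    grouped: Dict[str, dict] = defaultdict(lambda: {"sources": [], "labels": []})
    for alert in alerts:
        group = grouped[alert["indicator"]]
        group["sources"].append(alert["source"])
        group["labels"].append(alert["label"])
    for group in grouped.values():
        group["family"] = consensus_family(group["labels"])
    return dict(grouped)


def summarize(groups: Dict[str, dict]) -> List[str]:
    """Render one line per indicator for an analyst, flagging generic-only groups."""
    lines = []
    for indicator, group in sorted(groups.items()):
        family = group["family"] or "UNRESOLVED (generic detections only)"
        lines.append(
            f"{indicator}: {len(group['sources'])} alert(s) from "
            f"{', '.join(sorted(set(group['sources'])))}; family = {family}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(correlate(ALERTS)):
        print(line)
```

The firewall alert stays in its own group because it shares no indicator with the file-based alerts, and its purely generic label yields no family at all; that is the honest answer, and a correlator should report it as unresolved rather than guess. Grouping on the hash first means the three different endpoint and gateway names collapse into one incident before anyone argues about what to call it.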

Despite efforts to standardize malware names, it remains challenging to ensure that names adequately convey the threat they represent. Many modern malware samples perform dynamic functions, such as downloading new malware samples or connecting to rogue servers, making it difficult to predetermine their behavior even with advanced research. Inconsistencies in naming conventions continue to challenge threat detection and response efforts, underscoring the need for ongoing collaboration and intelligence sharing within the cybersecurity community.


  1. Threat detection systems in a security operations center need to accommodate the dynamic behaviors of modern malware, as inconsistent naming conventions can hinder accurate identification and response.
  2. While efforts to standardize malware names have been made, the cybersecurity community should continue to collaborate and share intelligence to improve threat detection and response, given the ongoing difficulty of giving malware names that adequately convey the risk it poses.
