Blackworm Dud Highlights Virus Naming Mess

An anonymous reader writes "Washingtonpost.com is running a story that looks at the total mess that the anti-virus companies made in naming the latest overhyped virus threat. According to the article, 'Blackworm' or the 'Kama Sutra worm' was the first major test of a new U.S.-government funded initiative to introduce some sanity into the virus-naming business. From the article: 'For most of [the antivirus vendors], this is like Esperanto: You can speak it if you want to, but everyone else is going to carry on babbling in their own native tongue, so it doesn't really matter.'"

The problem with variants: cladisitics

[G4from128k]

The problem is all the variants of a given malware. For most users, the signature of the payload is less meaningful than the subject line of the e-mail. A virus email that promises Kama Sutra pictures is "different" from one promising Miss Lebanon even if the underlying payload and behavior is identical.

Perhaps AV experts need to use cladistics with a standardized set of feature dimensions. A cladogram of the virus varients and some threshold distance in feature-space would help segment similar and dissimilar malware.

I actually don't hold out much hope for this because malware is an adaptive threat. Malware creators might (and do) easily take steps to obfuscate their warez -- creating spurious variants for the express purpose of confusing AV software, news reporting, and users. The more variants that appear, the harder it is to counter the threat.