A reader recently sent in a batch of questions that I thought might be of general interest. I also invited other members of the Research team to chime in with their thoughts.
Question 1- When it is critical to give a malware specific name?
[David Harley answers…]
For detection/remediation purposes, it isn't really necessary for anti-malware vendors: while classification is important, exact naming for hundreds of thousands of unique samples a day or week is not only unnecessary, it's unfeasible. In fact, in most cases harmonization between vendor detection names is only possible on a sample-by-sample basis: otherwise, it tends to mislead more than it helps, because two vendors can legitimately claim to detect a given malicious program yet may or may not detect a specific sample (for instance, where a malicious site keeps serving repacked or re-obfuscated versions of the same base code). ESET has made available a couple of papers on the subject that you might find interesting and/or useful (we hope): http://www.eset.com/download/whitepapers/cfet2009naming.pdf, http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf.
[Randy Abrams answers]
It generally is most critical that people are using a specific name if they are discussing a specific sample and attributes of it. In most cases a specific name is not required if the threat is blocked to begin with.
Question 2- Is it necessary to unify the "malware names" between all vendors?
[David Harley answers]
It's generally unnecessary and mostly impossible. There is an argument for limited harmonization on names in specific cases of high-profile malware, and I have some ideas on how that might be implemented better than it was by CME, for example, but the feasibility would still require significant cooperation and commitment across the security community.
[Randy Abrams answers]
As desirable as it would be for some people, it really is not necessary, and as David pointed out, it is virtually impossible. Different researchers may obtain samples independently at about the same time. Once they name it there is a cost associated with renaming the threat in the signatures and though it may seem trivial, if you multiply the time required by 200 samples per day, which is an extremely small fraction of what AV companies are seeing, it becomes a full time job at each AV company just to synch up sample names. It isn’t worth the expense. The name does not affect detection, prevention, or removal so it is one of the least important attributes of malware.
Question 3- Sometimes I see vendor names a malware as a trojan, at the same time the other vendor names it as a worm! So, can the two vendors be right in identification that malware? And if yes, how that malware is a trojan and a worm simultaneously?
[David Harley answers]
The defining characteristic of a worm is replication. But it can still have Trojan characteristics (i.e. it pretends to be something it's not, put simply).
[Randy Abrams answers]
Sometimes vendors get it wrong. As David pointed out, a worm can have trojan characteristics, but not all worms are trojans, and most Trojans are not worms. There is an AV company that named a JavaScript worm a VBS worm.
Question 4- Is the equation (More identified malwares names = More cleaning capability of the AV scanner) is accurate?
[David Harley answers]
Absolutely not. Generic disinfection is actually more feasible in the present era of malware glut than specific disinfection for every sub-variant or unique sample. However, pre-execution identification and blocking is still better than post-execution cleaning.
[Randy Abrams answers]
More identified malware names does not mean more identified malware. Simply identifying malware does not mean successful cleaning either. More importantly, cleaning means that one accepts a lower level of security. If security is important, then in most cases the infected machine will be rebuilt from scratch. Detection of a threat does not mean that all threats were detected. When I worked at Microsoft, this fundamental truth was well understood. If an employee’s PC got infected it was completely rebuilt.
Question 4 continued... Are the AV scanners that rely heavily on heuristics 'like ESET' less capable of 'successful cleaning' than those ones rely heavily on signatures detections?
[David Harley answers]
That depends on your definition of "successful cleaning". I've seen some tests where scanners have been marked down on disinfection for leaving traces that couldn't actually result in any malicious effect. A meaningful definition really requires no post-disinfection problems. There might be instances where a generic disinfection might not be as successful in that sense as a malware/sub-variant-specific disinfection, but by the same token, a very specific disinfection might cause problems with a different sub-variant or sample where a signature scanner doesn't "notice" the difference. The question kind of misses the point, though. The main point of advanced heuristics and other forms of behaviour analysis is to identify malware that doesn't have a "signature" yet before it can infect. As we get more information on a specific threat, our detection/disinfection may evolve into something more specific to match. Heuristics isn't a technique we use to _replace_ signature detection: it's something we do that lessens our _reliance_ on signatures.
[Randy Abrams answers]
As David pointed out, there are different definitions of “cleaning”. I am not aware of any cleaning tests that have been performed with very large and diverse sets of malware. I don’t think there is any scientific data to prove or disprove a theory that scanners that are more signature reliant clean more effectively. Remember, detection capability, be it signature or heuristic is not the same thing as cleaning capability.
Question 5- What is the different between 'Trojan dropper' and 'Trojan downloader'?
[David Harley answers]
Put simply, a dropper generally installs and launches another program (not necessarily malicious, but yes, often a Trojan). A Trojan downloader, by definition, downloads something for malicious purposes, but doesn't necessarily install and/or launch it. So there's some overlap, and the same program might be described either way. In fact, there aren't many absolute definitions in anti-malware circles that are accepted by _all_ researchers, and marketing departments sometimes use such terms differently to the ways in which researchers in the same company use them. Security research is a difficult, complex field, and it's inevitable that there are disagreements over classification and definitions.
[Randy Abrams answers]
A dropper will contain another program inside of it. The word “Trojan” refers to the nature of the dropper, and generally to the nature of the program that is dropped. The very first known Access macro virus was a dysfunctional dropper. It tried to create an executable file as well, but due to a stupid syntax error it failed! Downloaders, rather than containing other programs, pull them down from the internet or a network location.
Randy Abrams and David Harley