Petya, Misha, WannaCry, Friday the 13th, Anna Kournikova... The names of the computer viruses that caused real epidemics on the network stay on everyone's lips for a long time. The media repeat them constantly, as a rule without going into technical details and confusing one modification with another.
Have you ever wondered how viruses get their names, and who gives them? After all, there is a huge amount of computer malware, millions of samples, and every one of them has to be called something. Below is a brief look at how viruses, Trojans and other computer evil get their names.
So, what do people go by when naming detected malware?
Classifier Names
When yet another virus is detected in an antivirus laboratory, analysts "disassemble" it into parts, study its functionality, and then assign it an identifier.
Names are unified and depend directly on the capabilities of the virus and its predecessor. For example, Backdoor.Win32.Odinaff.A is a backdoor, that is, its main task is to provide remote access to the infected machine. It was written for the Windows platform; the analyst in the laboratory gave it the family name Odinaff. And this is modification A; a rewritten modification will get the code B, and so on.
Classifier names may differ from lab to lab. Here, for example, is a screenshot from the VirusTotal multi-scanner database showing the scan results for one malware sample and the names it received from various antivirus vendors.
Obviously, when searching for information about a virus by name, it is also worth specifying the vendor whose product detected it.
But who is interested in sorting through names like that? Let's pick the more interesting malware samples instead, sort them by how they got their names, and... here are their "lab cards"!
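The naming scheme described above (behaviour.platform.family.variant) and the vendor-by-vendor differences seen on VirusTotal can be handled with a small normaliser. The following is an added example, not code from the article or from any antivirus vendor: it splits a detection name into its parts and then counts which family the vendors agree on. The behaviour and platform vocabularies are heuristic assumptions for this example (there is no single official list), and the vendor names and detection strings in SAMPLE_SCAN are constructed, not a real scan result.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Heuristic vocabularies (assumptions for this example, not an official standard):
# behaviour prefixes and platform tokens commonly seen in vendor detection names.
BEHAVIOURS = {
    "backdoor", "trojan", "worm", "virus", "ransom", "trojan-ransom",
    "email-worm", "net-worm", "trojan-spy", "spyware", "adware",
    "rootkit", "exploit", "hacktool", "macro",
}
PLATFORMS = {
    "win32", "win64", "w32", "w97m", "msil", "vbs", "js", "script",
    "android", "linux", "osx", "multi",
}
# A variant suffix: a short letter code ("A", "gen") or something ending in digits ("1234", "gen1").
_VARIANT = re.compile(r"^(?:[A-Za-z]{1,3}|[A-Za-z]*\d+)$")


class MalwareName(NamedTuple):
    behaviour: Optional[str]   # e.g. "Backdoor"
    platform: Optional[str]    # e.g. "Win32"
    family: Optional[str]      # e.g. "Odinaff"
    variant: Optional[str]     # e.g. "A"


def parse_name(raw: str) -> MalwareName:
    """Split a vendor detection name into behaviour / platform / family / variant.

    Handles the dotted form used in the article ("Backdoor.Win32.Odinaff.A")
    as well as other common vendor separators (":", "/", "!"),
    e.g. "Trojan:Win32/Odinaff.B".
    """
    tokens = [t for t in re.split(r"[.:/!@]", raw.strip()) if t]
    if not tokens:
        raise ValueError("empty detection name")
    behaviour, platform, rest = [], None, []
    for tok in tokens:
        low = tok.lower()
        if low in BEHAVIOURS:
            behaviour.append(tok)
        elif low in PLATFORMS and platform is None:
            platform = tok
        else:
            rest.append(tok)
    variant = None
    # Only treat the last token as a variant if a family token remains before it.
    if len(rest) >= 2 and _VARIANT.match(rest[-1]):
        variant = rest.pop()
    family = rest[0] if rest else None
    return MalwareName("-".join(behaviour) or None, platform, family, variant)


def family_consensus(scan_results: dict) -> list:
    """Group per-vendor names by normalised (lower-cased) family and count votes.

    Returns (family, vendor_count) pairs, most common first, so that a scan where
    every vendor uses a different naming scheme still yields one dominant family.
    """
    votes = Counter()
    for _vendor, name in scan_results.items():
        fam = parse_name(name).family
        if fam:
            votes[fam.lower()] += 1
    return votes.most_common()


# Constructed sample: made-up vendor names and detection strings for one file,
# not a real VirusTotal report.
SAMPLE_SCAN = {
    "VendorA": "Backdoor.Win32.Odinaff.A",
    "VendorB": "Trojan:Win32/Odinaff.B",
    "VendorC": "W32/Odinaff.gen",
    "VendorD": "Trojan.Generic.12345",   # a heuristic, non-family-specific name
    "VendorE": "Backdoor.Odinaff",
}

if __name__ == "__main__":
    for vendor, name in SAMPLE_SCAN.items():
        print(f"{vendor:8s} {name:28s} -> {parse_name(name)}")
    print("family votes:", family_consensus(SAMPLE_SCAN))
```

The family vote is the useful part for a defender: when searching for write-ups or indicators, the normalised family name ("odinaff") is what to look for, together with the vendor whose exact string you have, since one vendor's "Generic" name carries no family information at all.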
By file extensions
Sample name: WannaCry.
Purpose: ransomware.
Type: encrypting worm.
Epidemic start date: May 12, 2017.
Damage: infected more than 500 thousand computers in more than 150 countries around the world.
Description: one of the most famous viruses of recent times. It got its big name WannaCry from the extension ".wncry" with which it marked the files it encrypted. Although, apparently, "WN-cryptor" was the intended meaning.
Sample name: Duqu.
Purpose: ransomware.
Type: spy worm.
Epidemic start date: September 1, 2011.
Damage: unknown.
Description: a military-grade virus that marked the files it created with the prefix "~DQ", and so was named Duqu, after Count Dooku from Star Wars. Its method of infection was similar to that of the Stuxnet cyberweapon. It used the zero-day vulnerability MS11-087 in the Windows kernel and, having gained access to the system, collected data that could be used to access the process control system (passwords, screenshots) and sent it to command servers. It self-destructed 36 days later.
Geographically
Sample name: Jerusalem.
Purpose: uncontrolled self-replication.
Type: classic virus.
Epidemic start date: October 1987.
Damage: unknown.
Description: the first virus named after the place where it was first detected. Its main "merit" is that, besides uncontrolled reproduction, it also spawned dozens of its own modifications.
By activation features
Very often virus developers leave hidden extras ("Easter eggs"), and the contents of the virus give it its name. As a rule these are jokes, references to board or computer games, books and hacker subculture.
Sample name: Friday 13th.
Purpose: wiper.
Type: classic virus.
Epidemic start date: 1987.
Damage: unknown.
Description: a modification of the Jerusalem virus. It got the name Friday 13th from its activation method: the virus activated only on Friday the 13th and destroyed all the files on the computer. Apparently the authors wanted to keep superstition alive in the technological era!
By the developers' Easter eggs
Sample name: Cookie Monster.
Purpose: joke virus.
Type: locker.
Epidemic start date: 1970.
Damage: billions of nerve cells of the IT workers of the time.
Description: a frankly joking virus. Cookie Monster demanded to be given a cookie by typing the word "cookie" in the window it displayed.
(Note: the picture is from hackers; an original screenshot of the virus has not been preserved.)
Sample name: Melissa.
Purpose: wiper.
Type: macro virus.
Epidemic start date: March 26, 1999.
Damage: US $80 million, as estimated by the US government.
Description: the virus spread via email in a malicious attachment, namely a Microsoft Word file with embedded macros. Its main task was to modify or delete OS-critical files. After infecting a machine, the virus sent itself to the first 50 recipients in the address book. It is considered the progenitor of all rapidly spreading viruses. The name comes from an Easter egg in the form of a registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "...by Kwyjibo"
By method of distribution
There are plenty of ways to spread viruses. And sometimes a particular implementation becomes a source of inspiration for analysts when they name a virus.
Sample name: ILOVEYOU (LoveLetter).
Purpose: uncontrolled self-replication.
Type: mail worm.
Epidemic start date: May 4, 2000.
Damage: 3 million computers infected worldwide, 10-15 billion dollars in damage. Listed in the Guinness Book of Records as the most destructive computer virus in the world.
Description: the famous ILOVEYOU virus was distributed as an email attachment named "LOVE-LETTER-FOR-YOU.txt.vbs".
It sent itself to all of the victim's contacts and even used IRC channels, creating the file LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. It was the first virus to use social engineering as the basis of its distribution. It also took advantage of the fact that at the time script processing was enabled by default in Windows and the file extension was hidden by default.
Sample name: Anna Kournikova.
Purpose: uncontrolled self-replication.
Type: mail worm.
Epidemic start date: February 11, 2011.
Damage: about 200,000 dollars.
Description: named after the famous Russian tennis player and model, the virus spread in an email that supposedly contained a photo of Anna. In reality the attachment was just malware. Like its predecessor ILOVEYOU, the worm sent itself to email contacts and relied on social engineering.
By coincidence
Sample name: CIH ("Chernobyl").
Purpose: wiper.
Type: resident virus.
Epidemic start date: June 1998.
Damage: 1 billion dollars.
Description: the creator of the Chernobyl virus most likely did not know that April 26, the date on which he planned to trigger his virus, is the anniversary of the accident at the Chernobyl nuclear power plant. On top of that, the author's initials (Chen Ing-hau) led to the virus being called CIH, or "Chernobyl". But the virus is remembered for something else entirely. After infecting a system it lay dormant, waiting for the key date, and when that date came it overwrote the first 1024 KB of the hard disk with zeros, wiping out the entire partition table. But that's not all. The second part of the virus's payload tried to overwrite the flash BIOS. Hence the devastating consequences. The virus spread by infecting exe files on servers that distributed software.
Here is an example of a message about its detection:
Thanks to the developers' marketing campaign
Sample name: Petya and Misha (brothers, apparently).
Purpose: ransomware.
Type: encrypting Trojans.
Epidemic start date: May 2016.
Damage: unknown.
Description: the Petya and Misha encryption viruses had very diligent developers. On the darknet they ran a real PR campaign for their products!
Initially a logo was created, red by default, which then blinked, changing color every second from red to green and back.
Then a rebranding was carried out: the skull became green only, and mini-logos of the viruses were added to it.
Why did the hackers do all this?
Obviously, they chose the names to play on the "Russian hackers" meme that had become popular. But it didn't come off too well. Janus looked really wild: the guys didn't know that here the proper form would be Ivan.
But what was the whole PR campaign for? Besides all this, it was proposed that the viruses be bought and distributed for a percentage of the ransom received! In effect, the developers offered everyone a job as a malware dealer. Straight out of "earn money online". True, with a schedule of "a year on, three inside": you work for a year, you sit for three.
Summary
About half a million new virus modifications appear in the world every day. Most of them receive classifier names and remain only in the memory of antivirus software. Only a handful get unique names. An almost hundred percent reliable way to leave your mark in the history of information security, right? True, before you get to enjoy the fame, you'll have to serve your time =)
Write in the comments which viruses you remember, and what you remember them for.
Anton Bochkarev, information security consultant for Jet Infosystems