Shostack + Friends Blog Archive

 

Kaspersky Labs switches to a new naming scheme

Kaspersky Labs makes some of the best anti-virus software out there, as analyzed by the Virus Test Center at the University of Hamburg.

They recently announced a new naming scheme. I’ve been thinking a lot about naming schemes recently, and I think this one could be better. Let me take it apart, and explain why. The scheme breaks down into:

Verdict: verdict clarification.
Verdict clarification includes the following categories:
Behaviour[-Sub-behaviour].OS.Name[-Modification:]

An example name is thus: “Trojan-Dropper.Win32.Agent.a”

My first problem is that the name is long: 29 characters, or 9 syllables. That makes it harder to work with than a shorter name. (This is probably more of a problem for those who spend their days working with them. For example, with CVEs, the 8-character length is longer than I can typically handle as one “chunk”, and I need to look several times to ensure it’s right. If CVEs were 5-7 characters, they’d fit better in typical short-term memory. This could be accomplished, for example, by using letters in place of numbers, getting a higher data density per character.)

My second issue is that much of the information is not needed. Today, 99+% of malware infects Windows. By actual infection, non-Windows malware is a rounding error. So why not leave off those 5 characters, except when they’re needed: “rootkit.macosx.opener”?

I think the ordering in use could be better. The name should be an index into a name list, and sometimes, human beings use visual scanning in place of search functions. In those cases, naming this “Agent.a-trojan-dropper” makes scanning much easier, without changing the information content.
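To make the three points above concrete, here is an added Python example (not Kaspersky’s code, and not code from this post) that parses a name in the Behaviour[-Sub-behaviour].OS.Name[.Variant] form, rebuilds the canonical string, drops the OS field when it is the Win32 default, and emits the Name-first order proposed above. Two assumptions: the variant letter is treated as an optional fourth dotted field (as in “Trojan-Dropper.Win32.Agent.a”), and the reordered form keeps a lowercase `.<os>` suffix for non-Windows names, which the post does not specify.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MalwareName:
    """One name in the Behaviour[-Sub-behaviour].OS.Name[.Variant] scheme."""
    behaviour: str
    sub_behaviour: Optional[str]
    os: str
    name: str
    variant: Optional[str]


def parse_name(full: str) -> MalwareName:
    """Split a dotted name into its fields; raise ValueError on malformed input.

    Assumption: the variant letter is an optional fourth dotted field, so
    "Trojan-Dropper.Win32.Agent.a" has variant "a" and "rootkit.macosx.opener" has none.
    """
    parts = full.strip().split(".")
    if len(parts) not in (3, 4):
        raise ValueError(f"expected Behaviour.OS.Name[.Variant], got {full!r}")
    behaviour_field, os_field, name_field = parts[:3]
    variant = parts[3] if len(parts) == 4 else None
    # Only the first hyphen separates behaviour from sub-behaviour.
    behaviour, _, sub_behaviour = behaviour_field.partition("-")
    for label, value in (("behaviour", behaviour), ("OS", os_field), ("name", name_field)):
        if not value:
            raise ValueError(f"empty {label} field in {full!r}")
    if variant is not None and not variant:
        raise ValueError(f"trailing dot with no variant in {full!r}")
    return MalwareName(behaviour, sub_behaviour or None, os_field, name_field, variant)


def is_valid_name(full: str) -> bool:
    """True when the string parses under the scheme, False otherwise."""
    try:
        parse_name(full)
        return True
    except ValueError:
        return False


def canonical(n: MalwareName) -> str:
    """Rebuild the vendor-style string, so canonical(parse_name(s)) == s."""
    behaviour = n.behaviour + (f"-{n.sub_behaviour}" if n.sub_behaviour else "")
    variant = f".{n.variant}" if n.variant else ""
    return f"{behaviour}.{n.os}.{n.name}{variant}"


def without_default_os(n: MalwareName, default_os: str = "Win32") -> str:
    """The post's second suggestion: drop the OS field when it is the Windows default."""
    behaviour = n.behaviour + (f"-{n.sub_behaviour}" if n.sub_behaviour else "")
    variant = f".{n.variant}" if n.variant else ""
    if n.os.lower() == default_os.lower():
        return f"{behaviour}.{n.name}{variant}"
    return f"{behaviour}.{n.os}.{n.name}{variant}"


def scan_friendly(n: MalwareName, default_os: str = "Win32") -> str:
    """The post's third suggestion: family name first, behaviour after a hyphen.

    Gives "Agent.a-trojan-dropper" for the page's example. Keeping a lowercase
    ".<os>" suffix for non-default platforms is an assumption of this example.
    """
    head = n.name + (f".{n.variant}" if n.variant else "")
    behaviour = n.behaviour.lower() + (f"-{n.sub_behaviour.lower()}" if n.sub_behaviour else "")
    os_suffix = "" if n.os.lower() == default_os.lower() else f".{n.os.lower()}"
    return f"{head}-{behaviour}{os_suffix}"


if __name__ == "__main__":
    # Sample names taken from the post above.
    for s in ("Trojan-Dropper.Win32.Agent.a", "rootkit.macosx.opener"):
        n = parse_name(s)
        print(f"{s:32} -> {without_default_os(n):28} -> {scan_friendly(n)}")
```

Because the parsed record can be rendered back to the canonical string, the shortened and reordered forms carry the same information as the original; only the order and the default-OS elision change, which is the point the post makes.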

Part of me wants to say that they should have used abbreviations in the name: “Agent.a.TD,” to make it harder to typo. But that runs into trouble with handling errors. If you do make a mistake, did you mean it’s a T(rojan) and added an extra character?

Generating good names that will satisfy all your different user types is very hard. It’s also very important.

(From Nudecybot via email.) [Update: The cybot pointed me at the Kaspersky Labs article, he didn’t write the above.]

One comment on "Kaspersky Labs switches to a new naming scheme"

  • Pete Lindstrom says:

    We must be the laughing stock of the professional world, what with each virus having multiple ridiculous names. Heck, we have porn queens, soda pop, dogs (or is it bread), and a hodgepodge of everything else.
    Why can’t we develop a system like any other group that deals with recurring phenomena? The scientific community already has its Kingdom, Phylum, Class, Order, whatever system. Meteorologists use predetermined people’s names for hurricanes. Chemists have naming systems. Everyone has a naming system except security folks. And everyone abides by them.
    So here is my top ten list of systems to use in order to name these viruses:
    1. Reading primer three-letter words. Nobody would write viruses any more if they knew theirs was going to be called ‘cat.’
    2. The discoverer’s middle name plus the street name where he or she grew up. For those folks that thought ‘Melissa’ was pretty cool.
    3. Real viruses. Duh.
    4. The date of discovery in hexadecimal form. For the geek in you.
    5. The same system most people use for their passwords. At least they would be easy to remember (or guess).
    6. The source IP for the first known instance. Hey, even if it is spoofed, it would be interesting.
    7. Ben & Jerry’s flavor names.
    8. Street names in Seattle. All roads lead to… oh, forget it.
    9. The Fortune 500. Maybe a lawsuit or two would shake things up for real.
    10. Give me one of yours…
    At the very least, we should have limits, like they have to be palindromes, or they have to write a sentence that has the name as a mnemonic. Maybe we should have charity auctions where people can pay to name the virus. Money opportunity: we could sell viruses the way they sell stars.
    Well, all I know is that this current free-for-all is pretty ridiculous.
