How a Botnet Gets Its Name

There is a new kid in town in the world of botnets - isn't there always? A heavyweight spamming botnet known as Festi has only been tracked by researchers with Message Labs Intelligence since August, but is already responsible for approximately 5 percent of all global spam (around 2.5 billion spam emails per day), according to Paul Wood, senior analyst with Messagelabs, which keeps tabs on spam and botnet activity.

When a botnet like Festi pops onto the radar screen of security researchers, it not only poses the question of what is it doing and how much damage it can cause; there is also the issue of what to call it. For all of their prevalence and power online, when it comes to naming botnets, there is no real system in place.

A common practice so far has been to name it after the malware associated with it; this is a practice that has some drawbacks.

Wood explained Festi's history.

"The name came from Microsoft; they identified the malware behind it and gave it the catchiest name," said Wood. "Usually, a number of companies will identify the botnet at the same time and give it a name based on the botnet's characteristics. Its original name was backdoor.winnt/festi.a or backdoor.trojan. Backdoor droppers are common and that wouldn't stick, it would be too generic. Usually the name and convention comes from wording found within the actual software itself and that is used in some way. This one may have been related to a word like festival."

Because the security industry lacks a uniform way to title botnets, the result is sometimes a long list of names for the same botnet that are used by different antivirus vendors and that can be confusing to customers. As it stands now, the infamous Conficker is also known as Downup, Downadup and Kido. The Srizbi botnet is also called Cbeplay and Exchanger. Kracken is also the botnet Bobax. Why they are called what they are called is up to the individual researchers who first identified them.

"A lot of time it depends on the first time we see bot in action and what it does," according to Andre DiMino, director of Shadowserver Foundation, a volunteer group of cybercrime busters who, in their free time, are dedicated to finding and stopping malicious activity such as botnets.

For instance Gumblar, a large botnet that made news earlier this year (and is possibly perking up again), first hit the gumblar.cn domain, said DiMino. Another known as Avalanche was deemed so because of what DiMino described as a preponderance of domain names being used by the botnet.

The naming dilemma can be a difficult one to tackle according to Vincent Weafer, vice president of Symantec's security response division. Over the years naming for malware has had a few ground rules.

"Don't name anything after the author," he said. "That was most important back when viruses were written for fame."

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine