November 10, 2009, 9:40 PM — There is a new kid in town in the world of botnets - isn't there always? A heavyweight spamming botnet known as Festi has only been tracked by researchers with Message Labs Intelligence since August, but is already responsible for approximately 5 percent of all global spam (around 2.5 billion spam emails per day), according to Paul Wood, senior analyst with Messagelabs, which keeps tabs on spam and botnet activity.
When a botnet like Festi pops onto the radar screen of security researchers, it not only poses the question of what is it doing and how much damage it can cause; there is also the issue of what to call it. For all of their prevalence and power online, when it comes to naming botnets, there is no real system in place.
A common practice so far has been to name it after the malware associated with it; this is a practice that has some drawbacks.
Wood explained Festi's history.
"The name came from Microsoft; they identified the malware behind it and gave it the catchiest name," said Wood. "Usually, a number of companies will identify the botnet at the same time and give it a name based on the botnet's characteristics. Its original name was backdoor.winnt/festi.a or backdoor.trojan. Backdoor droppers are common and that wouldn't stick, it would be too generic. Usually the name and convention comes from wording found within the actual software itself and that is used in some way. This one may have been related to a word like festival."
Because the security industry lacks a uniform way to title botnets, the result is sometimes a long list of names for the same botnet that are used by different antivirus vendors and that can be confusing to customers. As it stands now, the infamous Conficker is also known as Downup, Downadup and Kido. The Srizbi botnet is also called Cbeplay and Exchanger. Kracken is also the botnet Bobax. Why they are called what they are called is up to the individual researchers who first identified them.
"A lot of time it depends on the first time we see bot in action and what it does," according to Andre DiMino, director of Shadowserver Foundation, a volunteer group of cybercrime busters who, in their free time, are dedicated to finding and stopping malicious activity such as botnets.
For instance Gumblar, a large botnet that made news earlier this year (and is possibly perking up again), first hit the gumblar.cn domain, said DiMino. Another known as Avalanche was deemed so because of what DiMino described as a preponderance of domain names being used by the botnet.
The naming dilemma can be a difficult one to tackle according to Vincent Weafer, vice president of Symantec's security response division. Over the years naming for malware has had a few ground rules.
"Don't name anything after the author," he said. "That was most important back when viruses were written for fame."
Weafer whipped off a few botnet names that have made headlines in recent years and did his best to recall how they got their titles. Among the more notable, he said, is Conficker, which is thought to be a combination of the English word configure and the German word ficker, which is obscene. The Storm botnet was named after a famous European storm and the associated spam that was going around related to it. Kracken is named after a legendary sea monster. And MegaD, a large spambot, got its name because it is known for spam that pushes Viagra and various male enhancement herbal remedies.
"You can guess what the D stands for after Mega," he said.
Gunter Ollmann, VP of research with security firm Damballa, believes it is time for a systematic approach to naming botnets that vendors can agree upon. Because botnets morph and change so frequently, he said, they rarely continue to have a meaningful association with the original malware sample that prompted researchers to name it in the first place.
"Botmasters don't restrict themselves to a single piece of malware," said Ollmann "They use multiple tools to generate multiple families of malware. To call a particular a botnet after one piece of malware is naïve and doesn't really encompass what the actual threat is."
Also see Botnets: 4 Reasons It's Getting Harder to Find Them and Fight Them
Ollmann also adds that the vast majority of malware has no real humanized name, and is seen simply as digits, which makes naming impossible. The result is a confusing landscape for enterprise customers who may be trying to clean up a mess made by a virulent worm, only to find various vendors using different names for the same problem.
