Saturday, June 4, 2011

The CARO Malware Naming Scheme


In 2009, amidst my trying to sort out why malware naming is chaotic within the anti-malware community, I came across an elegant malware naming system from CARO (The Computer AntiVirus Researcher's Organization) that is considered the standard. It has no competing proposed system apart from the 'whatever' mess practiced by the various anti-malware researchers/companies.

Recently I have been volunteering time with a group of other Mac security geeks as we try to keep track of what is going on with the Trojan.OSX.MAC Defender scamware series and provide malware signatures to the ClamAV Open Source project. One of our members was musing about applying the biological taxonomy system to malware naming. I wrote back that malware naming doesn't successfully fit within that system. Instead I described the CARO Scheme while tossing in a few of my usual rants about chaos in the anti-malware community. For those interested, here is my description of the CARO Scheme:


There is an standard malware naming system called the 'CARO Malware Naming Scheme'. Despite its existence and age, it is generally ignored in favor of chaos. As the description article itself states:
No matter how good a naming standard, it is mostly worthless if nobody is using it. And, as experience has demonstrated, some anti–virus producers would fol- low their own malware naming scheme in royal disregard of any proposed standards.
You can read about the CAROS scheme here:

To quote:
The general format of a Full CARO Malware Name is
where the items in square brackets are optional. According to this format, only the family name and the variant name of a piece of malware are mandatory and, as we shall see later, even the variant name can be omitted when reporting it. The Full Name is white space–delimited. That is, it cannot contain white space (i.e., space, tab, car- riage return, line feed), and there is a white space before and after it.

Here is the general CARO approach:

1) The name starts with the type of malware. For Macs, all the malware are Trojan horses. Therefore, they all begin with 'Trojan' followed by a period. 

Due to the mixed types of malware being created these days, this can get messy. Some malware these days are Trojans that infect the target with a bot, which itself is a worm by way of spewing SPAM or DDOS attackes. This is the case with the iServices Trojan. But I believe the best approach here is to name the malware type as that which is initially presented to the target computer. Therefore, Trojan works in all the current Mac cases.

However, I still argue that hacker tools are NOT Trojans. They're just hacker tools. They are only infected onto computers by way of 'LUSER' behavior whereby a hacker inadvertently has physical access to the target computer.

2) The malware type is followed by the target OS name. In our case it is 'OSX'. Previous to Mac OS X, the term 'MacOS' was used. But since Mac OS X is certified UNIX, the term 'Mac' is being dropped and only 'OSX remains. The OS name is followed by another period.

3) The third part of the name is supposed to be left to whomever first discovers the malware in the wild and chooses a name for it

For example, Andrew Welch (of Ambrosia Software) was the first person to fully describe and name the proof-of-concept Trojan which he named "Oompa-Loompa" or simply "Oomp". Using his variation on the Caro scheme, the resulting name was:


But Symantec has more clout than Andrew and after his work pushed out the name 'leap' instead, resulting in their name of it:


4) The fourth part of the name specifies the variant, starting with A through Z, proceeding to AA through ZZ, etc. Therefore, at this point we have (I think):

Trojan.OSX.MAC Defender.A
Trojan.OSX.MAC Defender.B
Trojan.OSX.MAC Defender.C
Trojan.OSX.MAC Defender.D

Unfortunately, it is left up to interpretation as to what constitutes a new variant. As I noted over the weekend, I've seen MAC Defender.E listed, for reasons I cannot explain. With the two new proven varients, apparently that naming source would be up to MAC Defender.G at least, at this point.

I like Shawn's idea about digging into the actual Trojan app's Contents directory to check out the guts of each potentially new 'variant'. The web page GUI variations are clearly of little importance compared to the actual Trojan app variations.

5) If there are further details about a specific malware, they are typically put in parentheses after the variant identifying letter. For the MAC Defender variants this would include all the names for the installer files and the various names the Trojan application gives itself. Therefore, we could have:

Trojan.OSX.MAC Defender.B (aka Apple Security Center, aka Apple Web Security...)


I have never seen the Caro scheme used exactly in the original proposed format. But the general approach of focusing from abstract to specific has remained in most of the offshoots of the scheme. Typically, the separators between the naming items are simply periods, as in: 

Trojan.OSX.MAC Defender.A

Intego stick to this specific pattern.

Microsoft use a colon instead of the first period, resulting in:

Trojan:OSX.MAC Defender.A


Some companies choose to use forward slashes and dashes in their malware naming, resulting for example in:

Trojan/OSX/MAC Defender-A

Overall, because this is what I call 'The Wild West Era' of the anti-malware community, malware naming chaos reigns. There are commonly three publicly published names from various anti-malware researchers/companies for exactly the same malware. In the case of MAC Defender I've counted over 15 names at VirusTotal for what may only be MAC Defender.A.

I hope my lecture was helpful. ;-)


No comments:

Post a Comment