There is a new kid in town in the world of botnets – isn't there always? A heavyweight spamming botnet known as Festi has only been tracked by researchers with Message Labs Intelligence since August, but is already responsible for approximately 5 percent of all global spam (around 2.5 billion spam emails per day) according to Paul Wood, senior analyst with Messagelabs, which keeps tabs on spam and botnet activity.
When a botnet like Festi pops onto the radar screen of security researchers, it not only poses the question of what is it doing and how much damage it can cause; there is also the issue of what to call it. For all of their prevalence and power online, when it comes to naming botnets, there is no real system in place.
A common practice so far has been to name it after the malware associated with it; this is a practice that has some drawbacks.
Wood explained Festi's history.
"The name came from Microsoft; they identified the malware behind it and gave it the catchiest name," Wood says. "Usually, a number of companies will identify the botnet at the same time and give it a name based on the botnet's characteristics. Its original name was backdoor.winnt/festi.a or backdoor.trojan. Backdoor droppers are common and that wouldn't stick, it would be too generic. Usually the name and convention comes from wording found within the actual software itself and that is used in some way. This one may have been related to a word like festival."
Because the security industry lacks a uniform way to title botnets, the result is sometimes a long list of names for the same botnet that are used by different antivirus vendors and that can be confusing to customers. As it stands now, the infamous Conficker is also known as Downup, Downadup and Kido. The Srizbi botnet is also called Cbeplay and Exchanger. Kracken is also the botnet Bobax. Why they are called what they are called is up to the individual researchers who first identify them.
"A lot of time it depends on the first time we see bot in action and what it does," according to Andre DiMino, director of Shadowserver Foundation. This is a volunteer group of cybercrime busters who, in their free time, are dedicated to finding and stopping malicious activity such as botnets.
For instance Gumblar, a large botnet that made news earlier this year (and is possibly perking up again), first hit the gumblar.cn domain, says DiMino. Another, known as Avalanche, was deemed so because of what DiMino described as a preponderance of domain names being used by the botnet.
The naming dilemma can be a difficult one to tackle according to Vincent Weafer, vice president of Symantec's security response division. Over the years naming for malware has had a few ground rules.
"Don't name anything after the author," he says. "That was most important back when viruses were written for fame."
Weafer whipped off a few botnet names that have made headlines in recent years and did his best to recall how they got their titles. Among the more notable, he says, is Conficker, which is thought to be a combination of the English word configure and the German word ficker, which is obscene. The Storm botnet was named after a famous European storm and the associated spam that was going around related to it. Kracken is named after a legendary sea monster. And MegaD, a large spambot, got its name because it is known for spam that pushes Viagra and various male enhancement herbal remedies.
"You can guess what the D stands for after Mega," he says.
Gunter Ollmann, VP of research with security firm Damballa, believes it is time for a systematic approach to naming botnets that vendors can agree upon. Because botnets morph and change so frequently, he says, they rarely continue to have a meaningful association with the original malware sample that prompted researchers to name it in the first place.
"Botmasters don't restrict themselves to a single piece of malware," says Ollmann "They use multiple tools to generate multiple families of malware. To call a particular botnet after one piece of malware is naïve and doesn't really encompass what the actual threat is."
Ollmann also adds that the vast majority of malware has no real humanised name, and is seen simply as digits, which makes naming impossible. The result is a confusing landscape for enterprise customers who may be trying to clean up a mess made by a virulent worm, only to find various vendors using different names for the same problem.
"There is some work going on among AV vendors to come up with naming convention for the malware sites, but this is independent of the botnets," says Ollmann. "This has been going on for several years now. The most recent iteration of the discussion focused on how to transport the meta-data that describes the particular name threat of the malware. But there has been no visible progress the end user can make use of."
Ollmann says Damballa is now using a botnet naming system, with the agreement of customers, which favours a two-part name and works much like the hurricane naming system used by the National Weather Service. The first part of the name comes from a list of pre-agreed upon names. Once a botnet is identified, the name is used and it is crossed off the list. It becomes the name forever associated with that botnet. The second part of the name tracks the most common piece of malware that is currently associated with the botnet. While the botnet master changes their malware on a daily basis, they usually only change their malware family balance on a two-or-three day basis, says Ollmann. The second part of the name then changes to in order to reflect that fluctuation.
"So many of these are appearing it just becomes a case of assigning a human readable name and no other name associated with it," says Ollmann. "It is perhaps ungracious to name them with a hurricane naming system, but it speaks perhaps to the nature of this threat."