Some arbitrary facts about malware detection names and detection rates on VT.
(thread)
(thread)
(1) Detection names usually include information about platform, malware type, family and variant, sometimes also hints about the technology that was used to detect the malware.
(2) The malware type and family in a detection name are NOT reliable.
(3) But ESET-NOD32 has the most reliable detection names in my experience.
(4) The variant portion of the name is mostly useless for you unless you work for the company that creates the respective scanner engine.
(5) The term "Trojan" in a detection name is mostly used interchangeably with "Malware" instead of its real meaning.
(6) Umbrella terms are often used instead of a malware family name with "Agent" being the most common default name.
This is because a lot of signatures are created automatically, often without knowing the malware family.
This is because a lot of signatures are created automatically, often without knowing the malware family.
(7) Sometimes malware is too insignificant to give it a proper name.
(8) The umbrella term may also describe behavioural characteristics, e.g. "Runner", "Filecoder". These are no family names.
(9) "Kryptik", "Injector", "Crypted", "Obfus" means the malware is packed or otherwise obfuscated. These are also no family names.
(10) Malware families in detection names are more reliable if you unpack the malware before uploading to VT.
(11) Different vendors have different family names for the same malware family. Yes, it is all a mess.
(12) Security products are not tested for accuracy in malware identification, only whether they detect a file as PUP, malware or clean.
(13) It is common practice NOT to name a malware family by the name the malware author intended it to have.
The big exception is ransomware because it shows its name to the victim and they shall to be able to find information about the malware (decryption tools etc).
The big exception is ransomware because it shows its name to the victim and they shall to be able to find information about the malware (decryption tools etc).
(14) Likewise detection names shouldn't provoke the malware author.
(15) A high detection rate on a file will cause even more vendors to detect it. In some cases this is how clean files can spiral into high false positive rates.
(16) Bitdefender's engine is used by other vendors as well (at least 6 I believe). That means one Bitdefender detection results in several vendors detecting a file which increases the VT detection rate significantly.
(17) These are also no malware family names: Zusy, Razy (unless it is paired with the malware type ransomware in which case it may be Razy ransomware), Artemis if it is McAfee (otherwise it may be Artemis backdoor), Graftor, WisdomEyes, ...
There are probably more 🤔
There are probably more 🤔
