

Using Machine Learning to Name Malware - lqdc13
http://lqdc.github.io/using-machine-learning-to-name-malware.html

======
AlyssaRowan
Really, is this just consensus? I'd be more interested if it were analysing
the malware to name it, not what the various labs are calling it.

This malware definitely _isn't_ called kkrunchy. kkrunchy is farbrausch's
perfectly good executable packer for their 64k/etc demos. It is not malware,
and it doesn't obfuscate (that wastes bytes!). ryg would probably be
disappointed people are using it to wrap crappy hosts-file malware, and every
AV should have a library of depackers handy anyway - the AVs detecting it as a
generic are being disappointingly 1990s-era dumb.

People did the same with fsg and even UPX, of course, as well as various
commercial packers/obfuscators. I think the relinker generation of crunchers
(crinkler, MEW, etc) tends to even have "please do not pack malware with this"
licences as a result.

~~~
lqdc13
It's consensus but it takes into account how popular the name is elsewhere and
tries to pick a more hipster name. If 5 AVs say this is the family for this
malware and you don't see that family much elsewhere, then that would be
picked as a family. That way you get rid of all the "Agent" type families etc
unless there is nothing better.

Would have been cooler if the content was also taken into account.

Regarding packers I agree, but it is kind of the same situation with every
other packer, including Themida and VMProtect. So some AVs decided to call it
by the name of the packer since they probably see a lot of malware packed with
that packer and not much else.
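The weighted-consensus naming lqdc13 describes above, as an added example (not the linked blog post's or the author's code): each engine casts one vote per family token, votes are weighted by how rare the name is across an assumed corpus-wide count, and Agent-style catch-all names are used only when nothing more specific is available. The label format, stop lists and corpus numbers are constructed.

```python
import math
import re
from collections import Counter

# Platform / type / variant tokens that are never a family name (assumed list).
STOP_TOKENS = {"trojan", "win32", "w32", "gen", "generic", "variant", "a", "b", "c"}
# Catch-all names engines fall back on when they have nothing better (assumed list).
GENERIC_FAMILIES = {"agent", "malware", "heuristic"}

# Constructed sample input: labels five engines gave one file, and a constructed
# corpus-wide count of how many samples each family name was applied to.
SAMPLE_LABELS = {
    "EngineA": "Trojan.Agent.Gen",
    "EngineB": "Agent.Win32.Generic",
    "EngineC": "Trojan.Win32.Kkrunchy",
    "EngineD": "Win32.Kkrunchy.B",
    "EngineE": "Trojan.Win32.HostsChanger",
}
CORPUS_SIZE = 1_000_000
CORPUS_COUNTS = {"agent": 400_000, "kkrunchy": 120, "hostschanger": 900}


def family_tokens(label):
    """Lower-case tokens of one AV label with platform/type noise removed."""
    tokens = re.split(r"[^A-Za-z0-9]+", label.lower())
    return [t for t in tokens if t and t not in STOP_TOKENS and not t.isdigit()]


def name_sample(av_labels, corpus_counts, corpus_size):
    """Pick a family for one sample: engine votes weighted by corpus rarity."""
    votes = Counter()
    for label in av_labels.values():
        for tok in set(family_tokens(label)):  # one vote per engine per family
            votes[tok] += 1
    if not votes:
        return None

    def score(family):
        # Inverse-frequency weight: a name seen on few other samples scores high,
        # a name slapped on hundreds of thousands of samples scores near zero.
        rarity = math.log(corpus_size / (1 + corpus_counts.get(family, 0)))
        return votes[family] * rarity

    specific = [f for f in votes if f not in GENERIC_FAMILIES]
    pool = specific or list(votes)  # Agent-style names only when nothing else
    return max(pool, key=score)


if __name__ == "__main__":
    print(name_sample(SAMPLE_LABELS, CORPUS_COUNTS, CORPUS_SIZE))
```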

