Signature names

Phishing (Signature based)

| Signature name | Sig Type | Description |
| Email.Phishing.Bank | Mail (type 4) | Banks (Halifax, Fifth Third, CitiBank etc.) |
| Email.Phishing.RB | Mail (type 4) | Rapid Block (URL based matches) |
| Email.Phishing.Auction | Mail (type 4) | Ebay |
| Email.Phishing.Azon | Mail (type 4) | Amazon |
| Email.Phishing.Pay | Mail (type 4) | PayPal |
| Email.Phishing.Card | Mail (type 4) | Credit Cards (Access/Visa etc.) |
| HTML.Phishing.Bank | HTML (type 3) | Banks (Halifax, Fifth Third, CitiBank etc.) |
| HTML.Phishing.Pay | HTML (type 3) | PayPal |
| HTML.Phishing.Auction | HTML (type 3) | Ebay |
| HTML.Phishing.Azon | HTML (type 3) | Amazon |
| HTML.Phishing.Postcard | HTML (type 3) | |
| HTML.Phishing.Card | HTML (type 3) | Credit Cards (Access/Visa etc.) |
| HTML.Trojan.Pcard | HTML (type 3) | |

Phishing (Heuristic based)

| Heuristic name | Description |
| Phishing.Heuristics.Email.SpoofedDomain | URL domain mismatch |
| Phishing.Heuristics.Email.HexURL | suspicious hexadecimal URL notation |
| Phishing.Heuristics.Email.Cloaked.Null | suspicious %00 in URL |
| Phishing.Heuristics.Email.Cloaked.NumericIP | suspicious numeric IP/domain mismatch |
| Phishing.Heuristics.Email.Cloaked.Username | suspicious username in http URL |
| Phishing.Heuristics.Email.SSL-Spoof | link claims https:// but it's really an http:// |
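As an added illustration (not ClamAV's own implementation), the checks below apply the six heuristics listed above to (visible link text, actual href) pairs as a mail gateway would extract them from the anchors of an HTML message; the sample links and the example-bank.test / evil.test names are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not real mail): pairs of (visible link text, actual href)
# as they would be pulled from the <a> tags of an incoming HTML message.
SAMPLE_LINKS = [
    ("https://www.example-bank.test/login", "http://www.example-bank.test/login"),
    ("http://www.example-bank.test", "http://203.0.113.5/secure"),
    ("http://www.example-bank.test", "http://www.example-bank.test@evil.test/"),
    ("http://www.example-bank.test", "http://www.example-bank.test/%00@evil.test"),
    ("http://www.example-bank.test", "http://0xCB007105/"),
    ("Log in", "http://www.example-bank.test/account"),
]

# Hostnames that are a raw address rather than a name: dotted quad, a single
# decimal integer, or 0x-prefixed hex (all accepted by common URL parsers).
NUMERIC_HOST = re.compile(r"(\d{1,3}(\.\d{1,3}){3}|\d+|0x[0-9a-f]+)", re.I)

def check_link(text, href):
    """Return the heuristic names from the table that fire for one text/href pair."""
    hits = []
    shown = urlsplit(text.strip()) if "://" in text else None  # text may not be a URL
    real = urlsplit(href.strip())
    host = real.hostname or ""
    if "%00" in href:
        hits.append("Phishing.Heuristics.Email.Cloaked.Null")
    if real.username is not None:  # http://trusted-name@other-host/ cloaking
        hits.append("Phishing.Heuristics.Email.Cloaked.Username")
    if host.startswith("0x") or "%" in real.netloc:
        hits.append("Phishing.Heuristics.Email.HexURL")
    if shown is not None and shown.hostname:
        if NUMERIC_HOST.fullmatch(host):
            hits.append("Phishing.Heuristics.Email.Cloaked.NumericIP")
        elif shown.hostname != host:
            hits.append("Phishing.Heuristics.Email.SpoofedDomain")
        if shown.scheme == "https" and real.scheme == "http":
            hits.append("Phishing.Heuristics.Email.SSL-Spoof")
    return hits

def scan_links(links):
    """Map each href to the list of heuristics it triggers (empty list = clean)."""
    return {href: check_link(text, href) for text, href in links}

if __name__ == "__main__":
    for href, hits in scan_links(SAMPLE_LINKS).items():
        print(href, "->", ", ".join(hits) or "clean")
```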

-- SteveBasford - 17 Feb 2007

I'm trying to put together a small set of very simple rules to help you... however in no time you'll be able to feel any target by yourself.

SCRIPTS

Coded in Javascript:

You can have one of:
  • Trojan.Dropper.JS.NAME (if it drops a file)
  • Trojan.Downloader.JS.NAME (if it downloads a file)
  • But in most cases it will be:
  • Worm.Feebs.X (where X is a letter, you've seen enough feebs to recognize them now)

Coded in VBS:

One of:
  • Trojan.VBS.NAME (a malicious script)
  • Worm.VBS.NAME (a mass mailing worm)
  • Trojan.Downloader.VBS.NAME
  • Trojan.Dropper.VBS.NAME

For MS Office macro malware:

For Word, Excel and PowerPoint respectively you have:
  • W97M.NAME
  • X97M.NAME
  • P97M.NAME
Or if they're generic:
  • O97M.NAME

WINDOWS EXECUTABLES

Coded in Delphi:

  • Trojan.Dropper.Delf-XXX
  • Trojan.Downloader.Delf-XXX
  • (less often) Trojan.Clicker.Delf-XXX
  • (for spyware) Trojan.Spy.Delf-XXX
  • (or ...) Trojan.Delf-XXX

Bancos are bank spying trojans popular in Brazil.

  • Trojan.Bancos-XXX

Coded in Visual Basic (not scripts or macro):

  • Trojan.Clicker.VB-XXX
  • Trojan.Downloader.VB-XXX
  • Trojan.Dropper.VB-XXX
  • Trojan.VB-XXX
(Well, quite similar to the Delphi names)

Other info:

  • Worm for Internet worms
  • Trojan for backdoor programs
  • JS for JavaScript malware
  • VBS for VBS malware
  • W97M , W2000M for Word macro viruses
  • X97M , X2000M for Excel macro viruses
  • O97M , O2000M for general Office macro viruses
  • DoS for Denial of Service attack software
  • Exploit for popular exploits
  • VirTool for virus construction kits
  • Dialer for dialers
  • Joke for hoaxes
Topic revision: r4 - 2007-06-28 - 11:47:34 - TorokEdwin