Posted on Monday, February 4th, 2008 | Bookmark on del.icio.us

Ahhh.. Mega-D == Cutwail et al.

by Danny McPherson

So, no word back from the TRACE folks, however, a couple of sources suggested that what they’re calling Mega-D is actually a downloader Trojan, akin to Cutwail, and is also affiliated with Prg, NTOS, Wsnpoem and Pandex. As the SecureWorks folks stated in their advisory for Prg, “What makes the Prg Trojan especially lethal is its techniques for hiding itself from anti-virus software and the hackers behind it, who have the ability to launch new variants at a drop of a hat.” Perhaps that’s what’s further complicated a consistent nomenclature for this Trojan family, and why the name “Mega-D” came to be. Many of the Prg and related variants have been around since 2006, and according to the SecureWorks folks were originally founds by Michael Ligh, who called it “wnspoem” (I think should have been “wsnpoem”) .

I guess this leads me back to a blog post from June of last year, providing a pointer to a paper on Automated Classification and Analysis of Internet Malware (pdf), and discussing in one of the three key findings, the malware classification consistency problem. Specifically, when labels are provided, malware is inconsistently classified across families and variants within a single naming convention, as well as across multiple vendors and conventions.

This entry was posted on Monday, February 4th, 2008 at 6:08 pm and is filed under Arbor Networks. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response | Add your own



Comment Post by: Chris — February 5th, 2008 @ 2:00 am EST  Reply

As to the malware classification/naming conundrum… there are several reasons (I can come up with) that malware gets misnamed/misclassified/poorly-dealt-with, not the least of which is it’s not in the AV vendor’s best interest to cooperate in the naming/classification game. The researchers and operators get left trying to run multiple engines against single samples with the vain hope that some may agree on a name or partial name. Then arranging a story around why vendorX and vendorY say this is FOO but vendorA and vendorB can’t agree if it’s BAR or BAZ :(

The best setup for this classification I’ve seen so far is the Family/Genus/Species model dragged back to the source-code of the malware in question, done by a neutral third party (is that possible in this game?) and used across the board. One would hope that the AV folks would rid themselves of their current ostrich-syndrome and make this problem better, but…

Leave a Comment