2 comments

[ 3.4 ms ] story [ 12.6 ms ] thread
Really, is this just consensus? I'd be more interested if it were analysing the malware to name it, not what the various labs are calling it.

This malware definitely isn't called kkrunchy. .kkrunchy is farbrausch's perfectly good executable packer for their 64k/etc demos. It is not malware, and it doesn't obfuscate (that wastes bytes!). ryg would probably be disappointed people are using it to wrap crappy hosts-file malware, and every AV should have a library of depackers handy anyway - the AVs detecting it as a generic are being disappointingly 1990s-era dumb.

People did the same with fsg and even UPX, of course, as well as a various commercial packers/obfuscators. I think the relinker generation of crunchers (crinkler, MEW, etc) tend to even have "please do not pack malware with this" licences as a result.

It's consensus but it takes account how popular the name is elsewhere and tries to pick a more hipster name. If 5 AVs say this is the family for this malware and you don't see that family much elsewhere, then that would be picked as a family. That way you get rid of all the "Agent" type families etc unless there is nothing better.

Would have been cooler if the content was also taken into account.

Regarding packers I agree, but it is kind of the same situation with every other packer, including Themida and VMProtect. So some AVs decided to call it by the name of the packer since they probably see a lot of malware packed with that packer and not much else.