The need to define malware

It is a problem of legend within the computing industry that, surprisingly, there is no universally accepted definition of the term 'computer virus'.

To some it means a self-replicating program, to others a program that attaches parasitically to some other program. Still others maintain that it has to have interaction with the user in order to operate.

In 1981, in his study 'A Short Course on Computer Viruses' Professor Fred Cohen described a virus 'a program that can 'infect' other programs by modifying them to include a possibly evolved version of itself' – in essence a parasite.

However, Professor Cohen himself now wishes he had not defined such programs as 'viruses' but as 'self replicating cellular automata', and went on record in 2003 to say just that. Professor Cohen, like myself, believes that a program does not have to attach itself into another program, or indeed interact with a user at any time, in order to be a 'virus'. It simply needs to replicate. Therefore, to me 'worms' are a captive sub-set of viruses, but to others this is not the case.

Add in terms such as 'trojan' or 'adware' or 'bot' and the confusion mounts. The world of computer viruses is constantly evolving, and even the most experienced of experts can change their minds about what constitutes a threat.

But why does this matter? Why is there a need to define what a virus actually is? Or to drill down to come up with meanings for a variety of subsets of viruses? Why not just refer to all incarnations of malicious code simply as 'viruses'?

Well let me ask you, would you want to go to a doctor that called everything a broken arm? I want a doctor that knows the difference between ebola and the common cold. There is a need in computing terms, as well as within the medical world, to speak with precision and authority. If this can be achieved then it is easier to identify specific threats and find ways to counter them. There are around 122,000 known viruses in the computing world, and by knowing the differences between them, we may come close to eliminating 100% of the threats to our digital security.

The problems caused by this lack of clarification are immense. With no common definition, it is impossible to be sure that you are talking to fellow IT experts about the same type of threat. With staff working the world over, all with their own perceived knowledge of what defines a virus, short circuits are inevitable in the industry.

Alarmingly, many researchers may never know they are using a different definition to their counterpart on a different continent, or even in the building next door. This means that whilst the industry is attempting to try eradicating 100% of threats to security, it's going about it at cross-purposes. The disadvantages in terms of efficiency and expense are obviously huge.

This has been bothering me for years and is always a topic of conversation when I meet fellow computer virus experts. Therefore, a coalition of industry experts has decided to tackle this as a one-year project - the antivirus nomenclature project (AVNP). The project kicked off with a panel discussion at the 2004 Virus Bulletin conference in Chicago, where over 600 delegates came to listen to ideas being discussed. The panel was made up of a number of experts, antivirus vendors, customers, academics and the US Department of Homeland Security. This last group may be a surprise addition but the Department is conducting a Common Malware Enumeration project (CME). When asked how they would count what nobody can even define, they agreed to join the deliberation.

The project has taken a list of 16 commonly used terms, which it will aim to define over the next 12 months. Discussions will take place on a moderated newsgroup, and will be open to anyone with an interest in the field. Decisions will be made using a series of surveys to act as a de facto balloting process. The goal will be to define, once and for all, the basic terms and units of our field of study.

Again we find a parallel with the worlds of medicine and science, which regularly convene to define concepts and ideas, reaching their goals through consensus. Though I would hesitate to refer to myself as a 'scientist', the computing industry needs to move towards adopting similar professional practices in order to root out the inconsistencies that threaten its development.

I acknowledge that the antivirus nomenclature project may result in some dissent. Not everyone will agree. I will happily abandon my preconceived definition of a virus – simply a self-replicating program – if the quorum vote in 12 months finds otherwise.

But it must be argued that it is necessary, whatever the outcome. 20-years since the birth of the computer virus, we cannot mess about anymore, we are no longer a bunch of geeky techies but a multi-billion dollar industry, and we need a universally accepted definition of the threat that enables our industry to exist. I see this project as a milestone in the development of the Antivirus industry from the wildcat of the past, to an elder statesman of the computing world.

David Perry is Global Director of Education at Trend Micro (

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.