The news has been awash the last few weeks with fears over globe-spanning botnets and their criminal intent: Conficker managed to hog the limelight for well over a month, and then came Finjan's disclosure of a previously unknown and currently unnamed botnet consisting of some 1.9 million malicious agents.
All this attention underscores an increasingly significant problem for botnet researchers: how precisely should botnets be usefully named?
It's not an easy problem to solve. The antivirus industry has had decades to reach a consensus on naming new malware, yet it has failed to do so. Such a track record does not build confidence for botnet naming. Although botnets are not the same as viruses, the historical practice has been to name a botnet after the primary malware discovery, and this approach is already proving to be an increasingly redundant convention.
Current botnets are best thought of as delivery platforms for centralized malware distribution. That's a much more sophisticated entity than a named malware sample that just happens to have a recognizable command-and-control channel. Both Conficker and Finjan's "Big Bot" botnets ended up deploying a multitude of spammer tools, spyware, fake security software, and keyloggers to their infected hosts. The specific malware used to establish command-and-control over the compromised host was just a means to an end, and did negligible direct damage by itself.
Bots do enable the criminal entities behind them to focus upon their global infection vectors and tactics, and to defer the deployment of insidious money-making malware suites to a more convenient time, or to delegate it to others.
One of the consequences of these botnets is that the malware footprint on the infected host is in a constant state of flux, making it difficult if not impossible for the botnet to retain a meaningful association with the original malware sample that fathered its name.
To make matters worse, multiple malware agents may be deployed via the original botnet agent, and both the original botnet agent and its command-and-control channel can be changed at any time by their human controller. Any botnet can morph and become unrecognizable after a surprisingly short period of time.
Maybe the existing botnet naming conventions would have been sufficient, especially for historical tracking purposes, if the above was all that researchers had to worry about. The problem, however, now lies with the fact that botnet building is a profitable business model. The criminals orchestrating the building of a botnet can choose to bundle disparate botnets together or carve up a bigger one, and sell or lease access to other third-party criminal syndicates. Once a sizable botnet has been created, its criminal controllers generate even more income by dividing it into optimized sub-botnets and selling or leasing parts of it to other criminal teams that specialize in, for example, identity-fraud operations. And amateur botnet builders can make money selling the smaller botnets they've created to larger botnet consolidators.
The upshot for security researchers is that the "owners" of a botnet change constantly too, along with the individual malware components on each compromised host. Yet, there remains a pressing need for the security community to speak a common tongue in order to combat botnet threats more successfully than in the past.
Joe Stewart of SecureWorks recently proposed that country-level government agencies need to focus upon the cyber criminals behind the botnets, and be empowered to shut down criminal networks in globe-spanning, coordinated efforts. Whether or not you believe that law enforcement departments operating in multiple countries, under different legal systems and with differing views on how to prosecute cyber criminals, can collaborate in a manner that has eluded them for all other international crime to date, he is correct on one point: the focus for combating the botnet threat has to be the criminals that operate them.
To that end, the industry needs to adopt a better way of associating botnets with their criminal operators if it's ever to track the threat across international borders or through transitions between multiple criminal entities. The original malware sample's name can no longer be reasonably associated with a solitary botnet, and the malware components can change or multiply upon the compromised host at a moment's notice. Therefore, a different method of christening a botnet is required.
How should the industry make this happen? The key lies in a mix of cyber-crime tactics and observed control patterns, such as command-and-control techniques or geography, that can then be associated with a unique entity as a kind of electronic fingerprint. These correlating factors all point back to the needs, goals and actions of specific criminal operators, and so create a more logical framework for naming the botnet. Ideally, they also provide a tracking mechanism flexible enough to account for what amounts to a tree of inheritance, as botnets are divided amongst multiple criminal operators or coalesced into larger botnet entities.
In the end, labeling a botnet may be just a name, but a suitable nomenclature for botnet identification is critical if the security industry is to coordinate defenses efficiently and work together with law enforcement to target the source of the threat: the professional consortia of cyber-criminals. This naming system must be able to take any two independently observed collections of compromised hosts, operating within different environments, and positively associate them with the same criminal entity.
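To make the fingerprint-and-lineage idea above concrete, here is an added toy model (example code, not part of the original column): two independently reported collections of hosts are matched to one operator label by their control patterns rather than their malware names, and a carved-off sub-botnet is recorded as a child in an inheritance tree. The field weights, the 0.7 threshold and the three sightings are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fingerprint:
    """Observed control patterns of one collection of compromised hosts."""
    c2_protocol: str     # e.g. "http-poll", "irc", "p2p"
    c2_pattern: str      # e.g. URL path template or domain-generation style
    payloads: frozenset  # malware families pushed after infection (in constant flux)
    geo: frozenset       # countries where infections concentrate
    tactic: str          # monetisation observed, e.g. "fake-av", "spam"

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def similarity(a, b):
    # Weights are an assumption of this example: the control channel counts most, because payloads and geography drift.
    return (0.35 * (a.c2_protocol == b.c2_protocol) + 0.35 * (a.c2_pattern == b.c2_pattern)
            + 0.15 * jaccard(a.payloads, b.payloads) + 0.10 * jaccard(a.geo, b.geo)
            + 0.05 * (a.tactic == b.tactic))

class OperatorRegistry:
    """Maps sightings to operator labels; a parent tree records carved-off sub-botnets."""
    def __init__(self, threshold=0.7):
        self.threshold, self.seen, self.parent = threshold, {}, {}
    def _new_label(self, fp):
        label = f"OP-{len(self.seen) + 1:03d}"
        self.seen[label] = [fp]
        return label
    def attribute(self, fp):
        """Label of the closest known operator, or a fresh label if none scores >= threshold."""
        best = max(((similarity(fp, k), lab) for lab, fps in self.seen.items() for k in fps),
                   default=(0.0, None))
        if best[0] >= self.threshold:
            self.seen[best[1]].append(fp)
            return best[1]
        return self._new_label(fp)
    def split(self, parent, fp):  # a sub-botnet sold or leased out of `parent` becomes its own entity
        child = self._new_label(fp)
        self.parent[child] = parent
        return child
    def lineage(self, label):  # labels from this entity back to the root botnet it was carved from
        chain = [label]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain

# Constructed sightings: A and B are independent reports of one operator (payload mix and geography drifted); C is an unrelated IRC botnet.
SIGHTING_A = Fingerprint("http-poll", "/cgi/get.php?id=", frozenset({"spam-proxy", "fake-av"}), frozenset({"US", "BR", "DE"}), "fake-av")
SIGHTING_B = Fingerprint("http-poll", "/cgi/get.php?id=", frozenset({"fake-av", "keylogger"}), frozenset({"BR", "DE", "RU"}), "fake-av")
SIGHTING_C = Fingerprint("irc", "#priv-chan", frozenset({"spam-proxy"}), frozenset({"US"}), "spam")
```

Feeding A then B into `OperatorRegistry().attribute` yields the same label despite the differing payload sets, while C gets a new one; `split` then records a leased-out sub-botnet whose `lineage` walks back to the parent.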
Collaboration between security researchers will be the key to a successful pan-vendor naming framework and a consistent, accurate enumeration of botnets for the purpose of targeting cybercriminals. But will this collaboration be tempered by commercial realities as security vendors strive to differentiate their technologies and compete for business? Or will the biggest and most influential customers for their technology force them to play together nicely? Time will tell, and probably very soon.