Thursday, May 4th 2006
Malware Genetics
And so it was that Gobot5 begat GhostbotA, who was a nasty blighter and begat Downloader Delf and IRCBot-16, who was a very bad boy and begat Partie-B and Funlove, which were in fact no fun at all. And so it goes according to Halvar Flake, the founder of Sabre Security, who has been reverse engineering malware in an effort to develop a more rational and less confusing naming system for the little nasties. It turns out that of the initial few hundred samples of malware bots, most broke out into two families of very similar code, with a few distant relatives. That is a far closer relationship than the current naming system would imply.
So what can we read from this graph? First of all, it is quite obvious that although we have ~200 samples, we only have two large families, three small families, two pairs of siblings and a few isolated samples. Secondly, even the most "distant relatives" in the cyan-colored cluster are 75% similar, the most "distant relatives" in the green cluster on the right are still 58% similar. If we cut the green cluster on the right into two subclusters, the most distant relatives are 90% similar.
Source: SecurityFocus & embedded links
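The kind of reading Halvar describes, families, sibling pairs, isolated samples and the similarity of the "most distant relatives" inside each cluster, can be reproduced on a small scale. The following is an added example, not code from the post or from Sabre Security: each sample is modelled as a set of function fingerprints (constructed labels standing in for the structural signatures a real disassembly-based comparison would produce), pairwise similarity is Jaccard overlap, and families are formed by single-linkage clustering at a chosen similarity threshold. The sample names are taken from the post; the fingerprints and the "Sample-X" stray are invented.

```python
from itertools import combinations

# Constructed toy corpus (not real malware data): each sample is modelled as
# the set of function fingerprints it contains. In a real pipeline these
# would come from structural comparison of the disassembled functions.
SAMPLES = {
    "Gobot5":          {"f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8"},
    "GhostbotA":       {"f1", "f2", "f3", "f4", "f5", "f6", "f7", "f9"},
    "Downloader Delf": {"f1", "f2", "f3", "f4", "f5", "f6", "f10", "f11"},
    "IRCBot-16":       {"f20", "f21", "f22", "f23", "f24", "f25"},
    "Partie-B":        {"f20", "f21", "f22", "f23", "f24", "f26"},
    "Funlove":         {"f20", "f21", "f22", "f23", "f27", "f28"},
    "Sample-X":        {"f40", "f41", "f42"},   # hypothetical isolated sample
}


def jaccard(a, b):
    """Jaccard similarity |a & b| / |a | b|, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def pairwise_similarities(samples):
    """Return {frozenset({x, y}): similarity} for every unordered pair."""
    return {frozenset((x, y)): jaccard(samples[x], samples[y])
            for x, y in combinations(sorted(samples), 2)}


def cluster_samples(samples, threshold):
    """Single-linkage clustering with union-find: two samples share a family
    when a chain of pairs, each at least `threshold` similar, connects them.
    Returns a list of sets, largest first."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for pair, sim in pairwise_similarities(samples).items():
        if sim >= threshold:
            x, y = pair
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def most_distant_similarity(cluster, sims):
    """Similarity of the least similar pair inside a cluster (its 'most
    distant relatives'); 1.0 for a singleton."""
    pairs = [sims[frozenset((x, y))]
             for x, y in combinations(sorted(cluster), 2)]
    return min(pairs) if pairs else 1.0


def describe(samples, threshold):
    """Label each cluster (family / sibling pair / isolated sample) together
    with the similarity of its most distant relatives."""
    sims = pairwise_similarities(samples)
    report = []
    for group in cluster_samples(samples, threshold):
        kind = ("isolated sample" if len(group) == 1
                else "sibling pair" if len(group) == 2
                else "family")
        report.append((kind, sorted(group), most_distant_similarity(group, sims)))
    return report


if __name__ == "__main__":
    # Raising the threshold splits the looser family into a sibling pair
    # plus an isolated sample, the "cut into two subclusters" step above.
    for threshold in (0.5, 0.55):
        print(f"threshold {threshold:.2f}")
        for kind, members, worst in describe(SAMPLES, threshold):
            print(f"  {kind:16} {worst:5.0%}  {', '.join(members)}")
```

The threshold is the analyst's choice: at 50% the corpus falls into two families and one stray, at 55% the looser family breaks into a sibling pair and an isolated sample, which is exactly why a similarity figure for the most distant relatives is reported alongside every cluster.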