[ISN] Virus names could be standardized

InfoSec News isn at c4i.org
Fri Nov 26 01:15:14 EST 2004 

http://www.cbronline.com/article_news.asp?guid=11D11704-DE5B-45BD-AF4B-45D8F44E055C

November 25, 2004

US-CERT, the Computer Emergency Readiness Team within the US
Department of Homeland Security, is coordinating a Common Malware
Enumeration initiative among vendors, according to a letter sent to
The SANS Institute.

The letter, signed by representatives of the DHS, Symantec, Microsoft,
McAfee, and Trend Micro, said the industry hopes to address "the
challenges surrounding the 'Virus Name Game'," with a pilot program
coming as early as January.

US-CERT will act as a "neutral third party" that coordinates a
database of malware identifiers. It will look quite a lot like the
Common Vulnerabilities and Exposures list, currently managed by The
Mitre Corp and sponsored by US-CERT.

"By building upon the success of CVE and applying the lessons learned,
US-CERT, along with industry participants... hopes to address many of
the challenges that the anti-malware community currently faces," they
wrote.

The identifiers will look something like "CME-1234567", the letter
says. Headline writers need not be too dismayed, however, as it
appears there could be room to apply media-friendly names like
"Blaster" and "Slammer" to new threats.

At first, CME will be confined to "major" threats. The project leaders
wrote: "There are significant obstacles to effective malware
enumeration, including the large volume of malware and the fact that
deconfliction can be difficult and time-consuming". Deconfliction,
while not a word, is used in military circles to mean the removal of
conflict.

This was evident recently when some vendors named the first mobile
exploit for the Internet Explorer 6 Iframe bug Bofra, while others
said it was a variant of MyDoom. F-Secure Corp said Bofra and MyDoom
had less than half their code in common.

This kind of conflict could presumably still arise under a CME
numbering system, but at least security administrators would be able
to tell they were the same threat and only one signature or definition
is needed for protection.

Generally, assigning names to viruses is currently the job of the
companies that find them. In fast outbreaks, companies will often
assign different names, and the media does the job of deciding which
one will stick in the public consciousness.

Names are often derived from the filenames, the content of the email
the worm attaches itself to, or plaintext found inside the code.  
Blaster, one of the most serious threats ever, was MSBlast.exe, but
somebody at Symantec decided Blaster sounded better.

McAfee called the same worm Lovsan after finding plaintext reading "I
just want to say LOVE YOU SAN!!". Plaintext ridiculing Bill Gates also
led to the suggestion "billy". Neither name is widely used today.

Sometimes naming can be even more arbitrary. The Melissa worm was
named by its own author after a stripper known to him, it later
emerged in court. Code Red is a high-caffeine soft drink the geeks at
eEye Security Inc were drinking when they spotted it.

More information about the ISN mailing list