[ISN] US-CERT Malware Naming Plan Faces Obstacles

InfoSec News isn at c4i.org
Fri Sep 23 01:42:09 EDT 2005


By Paul F. Roberts 
September 22, 2005 

US-CERT, the U.S. Computer Emergency Readiness Team, will begin
issuing uniform names for computer viruses, worms and other malicious
code next month, as part of a program called the Common Malware
Enumeration initiative.

The program is intended to clear up confusion that results from the
current decentralized system for naming Internet threats, which often
results in the same virus or worm receiving different names from
different anti-virus vendors.

However, anti-virus experts say the voluntary CME (Common Malware
Enumeration) program will face a number of challenges, including that
of responding quickly to virulent virus and worm outbreaks.

CME is being run by the Mitre Corp., based in Bedford, Mass. and
McLean, Va., for the U.S. DHS (Department of Homeland Security)  
National Cyber Security Division.

Work was begun on the program about one year ago. So far, CME numbers
have been assigned to a handful of critical worms and viruses, said
Julie Connolly, principal information security engineer at Mitre.

New malicious code samples are held for 2 hours and, if no other
example of the new code is submitted, assigned a CME number.

When multiple examples of new malicious code are submitted within the
2-hour window, Mitre will ask anti-virus company researchers to work
out conflicts in definitions and submit one or more samples for
numbering, Connolly said.

US-CERT warns of attacks on systems running Veritas backup software.  
Read more here.

Contrast that with the present system for naming malicious code, in
which each company that discovers a threat assigns it a name based on
that company's database of threats.

Most companies make cursory attempts to synchronize their virus and
worm names with those of other vendors, but there are frequent
divergences and differences.

For example, on Sunday, Symantec Corp. issued an alert for a Category
2 mass-mailing worm it named "W32.Lanieca.H at mm."

However, Kaspersky Lab, another anti-virus company, named the same
worm "Email-Worm.Win32.Tanatos.p," McAfee Inc. called the threat
"W32.Eyeveg.worm" and Trend Micro Inc. called it "WORM-WURMARK.P,"  
according to Symantec's Web site.

"Naming is a problem for everybody," said Bruce Hughes, senior
anti-virus researcher at Trend Micro.

The CME program will help security administrators and end users of
anti-virus software, as well as anti-virus companies, Hughes said.

The new system could make it easier for operations staff at large
companies to coordinate response to virus outbreaks, said Erik
Johnson, vice president and program manager at Bank of America Corp.  
in Boston.

Bank of America has different teams that handle viruses both at the
network perimeter and on the company's internal network. In addition,
the company uses a number of different anti-virus products
simultaneously, he said.

"For operations folks, it might make a difference," Johnson said.

"I don't care what they name them as long as they kill those suckers,"  
said Hap Cluff, director of IT for the City of Norfolk, Va.

Cluff said the new naming system will make it easier to respond to
questions from users about new viruses and worms.

Currently, Mitre is working with major anti-virus vendors including
McAfee, Symantec, Trend Micro, Sophos Plc, F-Secure Corp., Computer
Associates International Inc. and Microsoft Corp. to launch the
program, but the program is open to smaller anti-virus and security
software vendors as well, Connolly said.

Mitre has created a secure server to which participating anti-virus
companies pass their discoveries, and will launch a CME Web site on
Oct. 3 that will list about 21 viruses with CME numbers.

Initially, only high-impact viruses and worms will receive CME
numbers, though Mitre may extend CME numbers to lower-level threats
once the program is up and running, she said.

The CME number and links to a description of the threat will appear on
a Mitre Web site akin to the CVE (Common Vulnerabilities and
Exposures) Web site.

Anti-virus companies will link to that definition from their own
advisories, Trend Micro's Hughes said.

Vincent Weafer, senior director of security response at Symantec, said
the CME number may not be available in the first hours or even days
after a big outbreak, but will provide a reference point for a
malicious code threat in the weeks, months and years that follow.

Even more importantly, the common ID number will make it easier to
program tools to automatically respond to threats, he said.

Still, anti-virus experts said they doubted that the new system would
eliminate conflicts between vendors, or replace the habit of assigning
catchy names like "Code Red" and "Slammer" to viruses.

"Think about Code Red, AV," Hughes said. "Anti-virus companies had a
different name for that virus, but had to eventually refer to it as
Code Red because the name took off—there was a sexiness to it."

More information about the ISN mailing list