US-CERT Malware Naming Plan Faces Obstacles

By Paul F. Roberts

US-CERT Malware Naming Plan Faces Obstacles

US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.

The program is intended to clear up confusion that results from the current decentralized system for naming Internet threats, which often results in the same virus or worm receiving different names from different anti-virus vendors.

However, anti-virus experts say the voluntary CME (Common Malware Enumeration) program will face a number of challenges, including that of responding quickly to virulent virus and worm outbreaks.

CME is being run by the Mitre Corp., based in Bedford, Mass. and McLean, Va., for the U.S. DHS (Department of Homeland Security) National Cyber Security Division.

Work was begun on the program about one year ago. So far, CME numbers have been assigned to a handful of critical worms and viruses, said Julie Connolly, principal information security engineer at Mitre.

New malicious code samples are held for 2 hours and, if no other example of the new code is submitted, assigned a CME number.

When multiple examples of new malicious code are submitted within the 2-hour window, Mitre will ask anti-virus company researchers to work out conflicts in definitions and submit one or more samples for numbering, Connolly said.

US-CERT warns of attacks on systems running Veritas backup software. Read more here.

Contrast that with the present system for naming malicious code, in which each company that discovers a threat assigns it a name based on that company's database of threats.

Most companies make cursory attempts to synchronize their virus and worm names with those of other vendors, but there are frequent divergences and differences.

For example, on Sunday, Symantec Corp. issued an alert for a Category 2 mass-mailing worm it named "W32.Lanieca.H@mm."

However, Kaspersky Lab, another anti-virus company, named the same worm "Email-Worm.Win32.Tanatos.p," McAfee Inc. called the threat "W32.Eyeveg.worm" and Trend Micro Inc. called it "WORM-WURMARK.P," according to Symantec's Web site.

"Naming is a problem for everybody," said Bruce Hughes, senior anti-virus researcher at Trend Micro.

The CME program will help security administrators and end users of anti-virus software, as well as anti-virus companies, Hughes said.

Click here to read about how long registry names can hide malware.

The new system could make it easier for operations staff at large companies to coordinate response to virus outbreaks, said Erik Johnson, vice president and program manager at Bank of America Corp. in Boston.

Bank of America has different teams that handle viruses both at the network perimeter and on the company's internal network. In addition, the company uses a number of different anti-virus products simultaneously, he said.

"For operations folks, it might make a difference," Johnson said.

"I don't care what they name them as long as they kill those suckers," said Hap Cluff, director of IT for the City of Norfolk, Va.

Cluff said the new naming system will make it easier to respond to questions from users about new viruses and worms.

Next Page: How the system will play out.

How the System Will

Play Out">

Currently, Mitre is working with major anti-virus vendors including McAfee, Symantec, Trend Micro, Sophos Plc, F-Secure Corp., Computer Associates International Inc. and Microsoft Corp. to launch the program, but the program is open to smaller anti-virus and security software vendors as well, Connolly said.

Mitre has created a secure server to which participating anti-virus companies pass their discoveries, and will launch a CME Web site on Oct. 3 that will list about 21 viruses with CME numbers.

Initially, only high-impact viruses and worms will receive CME numbers, though Mitre may extend CME numbers to lower-level threats once the program is up and running, she said.

The CME number and links to a description of the threat will appear on a Mitre Web site akin to the CVE (Common Vulnerabilities and Exposures) Web site.

Anti-virus companies will link to that definition from their own advisories, Trend Micro's Hughes said.

Vincent Weafer, senior director of security response at Symantec, said the CME number may not be available in the first hours or even days after a big outbreak, but will provide a reference point for a malicious code threat in the weeks, months and years that follow.

Even more importantly, the common ID number will make it easier to program tools to automatically respond to threats, he said.

Still, anti-virus experts said they doubted that the new system would eliminate conflicts between vendors, or replace the habit of assigning catchy names like "Code Red" and "Slammer" to viruses.

"Think about Code Red, AV," Hughes said. "Anti-virus companies had a different name for that virus, but had to eventually refer to it as Code Red because the name took off—there was a sexiness to it."

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

This article was originally published on 09-22-2005