Sunday, September 25, 2005

Common Malware Enumeration

This article describes the Common Malware Enumeration project. CME is a sister project to Mitre's Common Vulnerabilities and Exposures (CVE) initiative. CME will "assign unique identifiers to high priority malware events." This is a great idea, because anti-virus vendors, security researchers, and OS/application vendors will be able to refer to a common name rather than their internal representations for malware. DHS is funding the CME project.

4 comments:

Anonymous said...

I am fairly skeptical on how successful this approach will be.

- This takes away the media blitz when something like Bagle or Slammer can be announced in the media. Saying CME-635 wreaked havoc really steals away from the news drama. News media will still use the naming scheme from researchers and vendors.

- This takes away marketing from security and AV companies for much the same reason. Maybe we can identify common threats, but researchers and vendors will not change their naming conventions.

- Making this automated is a terrible idea. How do you draw relationships between variants released weeks apart? The numbers will tell you nothing. What if three real viruses are released in an hour? Vendors will be frustrated by the 2 hour "no submission" period...and so will researchers. How does one company know that CME-234 is also the virus they have? Will code be released? Will someone be looking at the code submissions behind the scenes to determine duplicate entries? What if one company participates, but just resubmits everything they find, duplicated or not? "We have submitted 4,564 CME viruses..."

- After having read the most excellent virus book, The Art of Computer Virus Research and Defense by Peter Szor (http://www.bookpool.com/ss?qs=virus+research&x=0&y=0), I have come to understand the issues of naming worms, and the naming conventions themselves. I doubt I will ever use CME-234, but rather use the much more immediately informative W32@MMBagle.G (I might have that wrong, but it immediately tells me a memorable name, the platform, mass-mailing, and it is a variant).

Bottom-line, even if this takes off, I think item #3 in my list will be the one that kills this project in its current form.

-LonerVamp

Anonymous said...

Strike that about the automated part. I was confused. It appears there will be a research team behind submissions. At any rate, I hope this will not slow down response times with this added layer of work. Also, I hope they stick strictly to assigning a CME to particular code and match a description of what that code does, thus eliminating all the subjective threat ratings and other stuff. Everything else should be done by the vendors. This is like the Dewey Decimal System in libraries, where the system doesn't care how good or important or small a book is; it just assigns it a number and a category and away she goes.

-LonerVamp

Richard Bejtlich said...

Hi LonerVamp,

I think the media will continue to use whatever catchy name a vendor applies to malware. I think the CME will appear more "behind the scenes" to ensure researchers and analysts are all referring to the same piece of code.

Anonymous said...
This comment has been removed by a blog administrator.