By Larry Seltzer  |  Posted 2008-05-14

The problem of malware-naming inconsistency is a real one, but the Common Malware Enumeration initiative could never be useful.

I've thought for a while now that the anti-malware business is a boring one with little news worth writing about. This impression was validated when I noticed the decrepit state of Mitre's CME (Common Malware Enumeration) project.

Mitre is the group that administers CVE (Common Vulnerabilities and Exposures), an undoubtedly useful project: CVE is a public database and vocabulary for referring to vulnerabilities in computing products. It is universally respected; almost any disclosure you'll see of a vulnerability will be accompanied by a CVE number, and Mitre certifies security products to work with these numbers properly (although changes in this certification seem to have some vendors unhappy).

Then about four years ago Mitre got the idea to make a second database for malware. Anyone who works with anti-virus software quickly notices, and is bothered by, the inconsistencies in the naming of malware. A simple example: Panda's Bagle.BE is W32/Bagle-AU to Sophos. But it gets worse: Win32.DlWreck to CA is W32/Vidlo.P to Norman, and Symantec just calls it a generic Download.Trojan. How does one keep these things straight, especially in an environment with multiple anti-malware products installed?

Mitre's idea was to assign the specific program a CME number and use their site to point you to the specific descriptions on the various vendors' sites, as happens now with CVE. Potentially lucrative work beckoned in making all that anti-malware software CME-compliant. The number of malware programs out there was always too large to contemplate, so the idea was to focus only on large outbreaks.

Kaspersky's senior anti-virus researcher, Roel Schouwenberg, agrees that the CME database is populated largely by large epidemics. "Personally, when I think of CME I recall two instances of malware. Firstly a variant of Sober, CME-981, of which the CME number actually got quite some attention. I guess, in retrospect, it was the CME initiative at its peak." It's true, Sober was big news.

Schouwenberg continues: "Secondly I think of Nyxem.e, CME-24. The media conveniently called it the KamaSutra worm, referring to one of the possible messages that this Email-Worm could send. I can't think of a better example to illustrate that CME wouldn't really work from a media perspective." Ouch, but he's right. I might have mentioned "CME-24" if I wrote a story about it, but "KamaSutra" would have been in the headline.
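To make the cross-referencing problem concrete, here is an added example (written for this page; it is not Mitre's CME data or tooling) that parses the vendor naming conventions quoted above into a family and variant and then looks each name up in a constructed cross-reference table. The table uses the column's own vendor names: CME-24 is the number Schouwenberg cites for Nyxem.e, while the Bagle and DlWreck/Vidlo rows carry obviously placeholder keys because the column assigns them no CME number. The prefix and generic-token lists are assumptions for illustration, not any vendor's published scheme.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ParsedName(NamedTuple):
    family: str    # lower-cased family token, e.g. "bagle"
    variant: str   # lower-cased variant suffix ("be", "au", "p", "e"); "" if absent
    generic: bool  # True for category names such as Symantec's "Download.Trojan"


# Assumed lists (not any vendor's standard): platform/type prefixes that carry no
# family information, and tokens that name a category rather than a family.
PREFIXES = {"w32", "win32", "worm", "email-worm", "net-worm", "trojan", "troj", "virus"}
GENERIC_TOKENS = {"download", "downloader", "generic", "trojan", "agent", "malware"}

# Constructed cross-reference table. CME-24 is the number the column cites for
# Nyxem.e; the other two keys are placeholders because the column gives none.
CROSS_REFERENCE: Dict[str, List[str]] = {
    "CME-24": ["Nyxem.e"],
    "CME-PLACEHOLDER-A": ["Bagle.BE", "W32/Bagle-AU"],
    "CME-PLACEHOLDER-B": ["Win32.DlWreck", "W32/Vidlo.P"],
}


def _tokenize(name: str) -> List[str]:
    """Split on '.', '/' and ':'; 'Bagle-AU' becomes ['Bagle', 'AU'] while a
    hyphenated type prefix such as 'Email-Worm' is kept as one token."""
    tokens: List[str] = []
    for piece in re.split(r"[./:]", name):
        if not piece:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+)-([A-Za-z]{1,3})", piece)
        tokens.extend(m.groups() if m else [piece])
    return tokens


def parse_name(name: str) -> ParsedName:
    """Reduce a vendor detection name to (family, variant, generic)."""
    tokens = [t.lower() for t in _tokenize(name)]
    while tokens and tokens[0] in PREFIXES:      # drop "W32/", "Win32.", "Worm." ...
        tokens.pop(0)
    if not tokens:
        return ParsedName("", "", True)
    family, rest = tokens[0], tokens[1:]
    variant = rest[0] if rest and re.fullmatch(r"[a-z]{1,3}", rest[0]) else ""
    generic = family in GENERIC_TOKENS or any(t in GENERIC_TOKENS for t in rest)
    return ParsedName(family, variant, generic)


Index = Tuple[Dict[str, str], Dict[Tuple[str, str], str]]


def build_index(table: Dict[str, List[str]]) -> Index:
    """Map exact vendor names and (family, variant) pairs to a CME key."""
    by_name: Dict[str, str] = {}
    by_family: Dict[Tuple[str, str], str] = {}
    for cme, names in table.items():
        for n in names:
            by_name[n.lower()] = cme
            parsed = parse_name(n)
            if not parsed.generic:
                by_family[(parsed.family, parsed.variant)] = cme
    return by_name, by_family


def resolve(name: str, index: Index) -> Optional[str]:
    """Return the CME key for a vendor name, or None when it cannot be
    cross-referenced. Generic category names never resolve: the point of the
    column's Symantec example is that 'Download.Trojan' identifies nothing."""
    by_name, by_family = index
    parsed = parse_name(name)
    if parsed.generic:
        return None
    exact = by_name.get(name.lower())
    return exact if exact else by_family.get((parsed.family, parsed.variant))


def reconcile(detections: Dict[str, str], index: Index) -> Dict[str, Optional[str]]:
    """Resolve one name per vendor; None marks a name an analyst must map by hand."""
    return {vendor: resolve(name, index) for vendor, name in detections.items()}


INDEX = build_index(CROSS_REFERENCE)

if __name__ == "__main__":
    # Constructed multi-vendor alert set built from the names quoted in the column.
    sample = {"Panda": "Bagle.BE", "Sophos": "W32/Bagle-AU", "CA": "Win32.DlWreck",
              "Norman": "W32/Vidlo.P", "Symantec": "Download.Trojan"}
    for vendor, cme in reconcile(sample, INDEX).items():
        print(f"{vendor:9s} {sample[vendor]:16s} -> {cme or 'unresolved (generic)'}")
```

The family/variant fallback lets a name the table has never seen (say, one vendor's "Worm.Win32.Bagle.BE") still land on the right key, but nothing links Win32.DlWreck to W32/Vidlo.P except the table row itself; that row is exactly the human-curated work CME was meant to do, and the lag in producing it is the column's complaint.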

Confusion Reigns

I didn't give CME much of a chance back when I first wrote about it, whether or not they were fighting the good fight. Unlike vulnerabilities, which are disclosed to the world with descriptions and, often, remediations and patches, malware is released to the world unannounced. It's in those first few hours, perhaps a day or two, that the confusion reigns, and it's at that time that a unifying CME number would be useful.

But that's not going to happen. Mitre can't decide that a CME number is worth doing until the scale of the outbreak is clear, and even then it's often unclear which names from one vendor correspond to the others. By the time the CME entry is useful, the crisis is likely to be over.

The end result is that the CME database has a total of 39 entries in it with the last one coming in January 2007. That entry, one of the early Storm Worm variants, says a lot about CME and the state of the malware market.

One could reasonably argue that since Storm there haven't been any large-scale outbreaks, but hundreds, maybe thousands, of small-scale ones. Schouwenberg says that Kaspersky sees "an incoming malware flow of tens of thousands of unique samples per day...How can CME keep up with that? I can't see it being done in a way that's useful for the (somewhat) general public."

But any way you look at it, CME is a failure: either there has been a need for it since January 2007 and they have failed to fill that need, or there hasn't been a need and CME was misplaced to begin with. The latter is my take on the matter.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
