Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Malware Naming Plan Gets Chilly Reception



 By: Paul F. Roberts
2005-10-06
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Some industry analysts question the Common Malware Enumeration program's value and its dependence on software vendors.

A discussion of a new system for tracking malicious code introduced by the U.S. Department of Homeland Security turned into a contentious argument Wednesday, with some anti-virus and enterprise IT analysts questioning the programs value and its dependence on major anti-virus software vendors.

Attendees at a presentation on the CME (Common Malware Enumeration) program at the Virus Bulletin Conference, a gathering of computer virus analysts in Dublin, Ireland, peppered CME board members Desiree Beck, of MITRE Corporation, and McAfee Inc. Fellow Jimmy Quo with questions about how the new program will be implemented, what purpose CME numbers will serve, and whether the program will admit representatives from more anti-virus companies.

While some saw the uproar as predictable resistance from entrenched interests in the balkanized anti-virus software industry, others said that changes to CME may be necessary to make the program work.

The spat came on the same day that the US-CERT (U.S. Computer Emergency Readiness Team) officially launched CME, which is intended to clear up confusion that results from the current decentralized system for naming Internet threats.

CME has been in development for over a year and is being run by the MITRE Corp. for DHS National Cyber Security Division.

So far, the program has assigned CME numbers to 23 critical worms and viruses, a tiny fraction of all the malicious code samples that have been discovered during that time.

Unlike previous virus-naming systems, CME will be based on samples of malicious code, not specific files that contain malicious code.

Resource Library:
The code samples will be submitted to MITRE, reviewed by experts at anti-virus companies that participate in the program, and then tagged with CME numbers, said Beck.

But audience members noted, and Quo acknowledged, that different anti-virus engines identify threats differently, meaning that a new Internet attack might carry more than one CME number, or that the same CME number might apply to more than one attack.

Audience members, many of them representatives of anti-virus companies that would use the new system, also expressed doubts about whether MITRE would be able to cope with the flood of threat data they would get from member companies.

"[CME] is impossible to achieve," said Vesselin Bontchev, an anti-virus researcher at FRISK Software International. "[CME] is based on CVE [MITREs Common Vulnerability Enumeration list], but the last time I looked, 73 percent of the vulnerabilities did not have a CVE number. Can you imagine coping with the number of viruses?"

Click here to read more about obstacles to the US-CERT naming plan.

CME member Nick Fitzgerald, an independent anti-virus analyst, said that member organizations will keep from being overwhelmed by "self limiting."

"We cant submit 20 or 30 [malicious code samples] a month. Were not so stupid that were going to DOS ourselves," he said.

MITRE and CME members will only work with the most critical threats, such as the recent Zotob worm, which are generating large numbers of infections and media attention, said Beck.

"We want to help consumers and not have anything that theyre confused about," said Quo.

"If we determine that a threat is…something for them to be concerned about, well step in and assign it a CME number."

Not everybody was skeptical of the new system.

"I want information on new malicious code that I havent seen…CME will provide a level of trust between our internal tests and in-house research," said John Alexander of Wells Fargo.

Many of the objections to the program were similar to those raised at the same conference last year, when the idea for CME was first introduced, and typical in a divided and deeply competitive anti-virus industry, which has tried for years and failed to come up with a uniform virus-naming standard, said Ken Dunham, director of malicious code research at iDefense Inc.

"Everybody does whats right in their own mind, and its chaos," he said.

Read more here from columnist Larry Seltzer about the "naming mess."

Changes are likely as CME members begin to implement the program.

While CME membership is invitation-only, the group may need to extend membership to more security companies to ensure its success, said Quo.

"Im going to suggest that," he said.

But forces outside the industry have made accurate tracking more important, including new regulations that emphasize network auditing and compliance.

Over time, those changes will force companies to come up with ways to accurately identify and correlate threats, Dunham said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Malware Naming Plan Gets Chilly Reception
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x{s68w\(gC)%XZNV(S$Q8_~ /=(ɏLb["h4$KW7-gL\sfS?uA@ >X1'>׏NUQR C7((bP<HwO7n[cQ0Ra᳙zY| NRY ZSˆ辥$)5< \g4QL1H6}~8IZ QC%$7 .mqSk0~b[4I܃N8CEnOU[۾twgyDfnrt9am  үdRr-2QɲnMw3a[}ѡlǚZ.׵rX?v~Ucm9NeW4F}˯Kjԯzם ? n0uh;\Cry]JZszu}yA6x%vtx/ȯYJMDU%`ZJ4_::fN{\!x'nKk%٥vlY̞ofV҈ gUU,'IL~6ۛNMӋNOfٚY jid vb!?>X VkYGλs!+|qg>!5M0\̱¬:cU?Z\vO]_6y~b M u ôWuI-YM&!Ժtr9%IJ|?#_]Cj ݖuB_*X_G)L,Y`MIpL2T~`]NjNXѬZykQ\[PĿ"G/cq4Y`A-. Ĺ:.oo:jJ=1ß7V)C!TTr[TQnʼnl :2X jXR7HaQ? tSOc|>56㤞F!|Бdmxq#Z. +ԍEXn`Nth Q٭lEo!pIxZSxV=H:6(Z\?`c VC@B끂9G׿ޚB"Qފѡ4aqj 8=*~3=g @lWk 6G\[-[Z6x O͙A QP sZ( ޟ g dSJJds 4.gH)AH =[h ]99 łݑvZ>L[2'9\v{B#\Z>D;7 ˇ{TKh!+K@fsfd(7i2khƪńx򍜘=b`&Qea*0pLKak`F^JI+'M#AE=4!ޅ BӽB11 }wʠ:'E_ ۝-ý'˗ݏ.DSQzfכ d507nrgNH/x|WY 3EDVhdFCC1{ޡPXY22;= MO%YXX`qRd0q6i SXh8G/C4j];?~uVkCF^u 9r@_օVP˥ K r%W 0pŗZZG"b Ej7{\Z1,c l,h 20@=ȢfmDjrI )KJ7q~5EkZR;<<{6`aPeQ@7MVRQy3:Awm0HGMg!\|S]Wѹq='QK!ɕB@:*[CçV "IJkiPzP( `k_ϳ1 ܉ ܕVR53]֩;lRzz|tݱM% WlKRI1c)Xk±&,<"+ځiȈ0A  ~HLb 4> \Rbr>+j*e$T)5*iMym"P8+%t갢zԘ}Qː 0gted->흧 IZ+jՄfrhU-WjsUWYP2:Ś&H_ଯ8]85hο(~o?{]wks~g^Ol^Ncv"O`V$Op2HU>Z}`/&ϰMqѡ,`k ?+{+]>F]h!.~ X@P A6+8SӞ-uvXZrO-x[zGkg4G X{M-~ʮôE ML`(Dka43~Sb_@7TZTƞu 덿8KAG^320"C;wF\!vƬYq q?yo|렄6RiMxތ9"yea@WIlJhLVhޜ.qix,2ϼ"ymU ֕o&2)wY|ӏVRLKRͳikhx9C;B,$Ur3z!܏r<7L M}YD TQW5BdLfaNg10ck&&w 30UfSfyr;knzOt~g@d+_?L= [LFzɖ0g`{' Yn:ajAy̧bJf3V|6Si4DZ6ȈDzz{zJ*~1'l\SO7[JYTJ`uրDZ9c]f.g|]٘z֩4> ʀ>jG2c)Ь6V#iA/]fRvULlvLTSdTR6Z|aZ/\f8C+`WRjjjv L*'o&ŏh(5rvOC~=բ,.>H#UZe%^ݳYIKɂ]AӀM\r8khs-p}/O&ZOT%Rq4i#⩬yF(.&!skgO̦2zfҮ&t]1Tmfa2N4D*knIG:aޯT)OLIZVڳ$|p`Eb{IT2N=yj-/$x4Hđ;wkʁn*i7JCM;VJ=ȕe#gD!9ԾbEO%~W9@` |RQz{F2(2@ \؈'߾b[D m0wLaV&.n߂B'cI`G 3|'1+*ڼ 2Z cSwW7_85@sE16k$ ?/Ѝ ?FPkE2}{?RT_{uGmu_:o]u. ~?Н :uo&cr|Z%< 8Ws})XL\>hCltj2}e'[x!K1rcE1>dt+]8޴:[^a=lF;!tsպع_>^vo!crٹnK^'Q\Mc{RG!hUHv6:f3hmǛ&%cW5!g42lzE5 qޞo9`B5c-ͅHg"S&aEu4aU[QyG_aY,d"0K7$T0r,`$X)XAU:ӻl}sgun/rm D78C*QW"2Eh%iA&O-xz|-r'E_ѫſE}:}m#?]/8ʚ=?EUN:|&Br^&18/;=h)ޏI"C/p]Rim} zwD&iR'D[3pu*hKhwl)~ڲO'c1! sS {:`AO[up߁؁H*Er [GVɝeiX2멛 h 5fX%KoCӝꖃ(.I߾%/ P +=Ƃ=>#>n2}2JO$h~QϜƭtGzfCY F=n/ ׾~/ۻ}Zؖ[q*ApG<L?Ffc: M"IQU֭EdU)I=Y)ŇƓ?8LboW`@L6#GfKm3F=߹3{K#wKx?"AOgLwUv@z@pSx~=m쳷ez%nQZhr;T%o*ɛO&j OKt1ڮ/=اHkYXxlS;O O O=qԶفǓy|Wyg,d_aз0[+-)$Ι2HC%F[euw+[S'gSc;/HF#`ϖ(6-lG@|P;a6 *|b1 \<e&[qVL=9bxQ0e\ڊ}aK~~ 'V~/N-Vio.GgnSקJ]-+uy_[NhI-ƏW!GEz31n e%t;o>9}US20IPQ҆J[?-+NO/#]; $/#gser#yb}2ZW+?p:7ȁ, }#ׄAi;ZMNrGǟdN(ְ$m˧O?*q10KYRKϣf{RީO?uedԝz*48eO\ЉɮIqh|)HH^_T\ -hk}6L{)+a7)# ^2΁,gV-PLGv(}l'5[c; F1p$lcؐ`AæzDXY=‚\†%@l2;L -\? Om?$0p@PǾ"-vx\GPXz"" a-*\qOSVԈ  /g_Ƿ|)JYR꒦OixJ{:O%^Y-vn%X?+ nl-zvn; WajJ\覤KLa8! 0D' mRz'HJIRm'910%>l0nDxr UߝRP3_괥jV)97@H "E6ͲuEQi>NZTUҶf˳k&n i @Vt5BNEG~.={$p$K}c'%f§ѠzG^m *f3jR.,=)*.KjY7U!^$ b'""Î7w+S۲U*&gvL 3^lJ@ݨR0@Q#I" aJyS"x7wBߖj/R2 X+ˉ[j&Y%i(}[`ܡʨsaq8OmcIGQUq%]Mف"i Mtǔzsuҩ#=gopws鄎| 2JwwD/`kwp$ǼZQ!zHzwGc1l:Jj>*ߞC?&%-FP8:h1Ez3+\tR̆ى%`aj+y|8N366,堿+UO@4(;>3R3H={$j5 *B&/Sq),L擫n`/C ]ԝAFDI 'BG Di+t [$O% 13ogz!u3|^-=YG~3h@u X$Nxu PoD)=Qmn]tayү`lݟJosc@} Ok?C8$8[ < vǽs-=C-ua OܐĂZDT!Xvk㞏_Z>J[{`zޜ㠂3kHgax@HDE VdXE(njی]ssun~ # Z=<) BKiVp)JuIz6c Č $1g[/[-mKb }X\5 lB }v тUSXfd#<7#Xv@$hJY-KW0 Om醺M1 sֻx}!D8$ܾO LvŽkw ,p2v5!Lug#B 7'b]Qsݛo(d z }qgh`Qk힧Osf;xm~-'߭oOz95qlnSysYcPݦlsejx@1]\qm"j GFD۔f N?~:PMO놓sK8!RCjgN?i:^a` I%poO PjXL7Ϲ` zmoKxP_>\'N3e`RqխMo%P Ndyf57X{xi&Zxm+h P|F-c G8A#ȊhkkO]J">-˨JhN n<6_{=W/%_Yf-2ĚQ+i錃ql ޳S&!Xx3WљTK5{*N&rpD^&=_}ǃ|Myp-<$3V -K{~i[ '>W-IS&C "`l{hOwle>#nbd@/_j}:0KފS3ofCɸltq"o(6ʁV;P, Y+ Z^vF0[q{V ƷTg)e`Dvʹ&F6#Zikxw4 4J| E+)<İ>d &[)<6$A .kx>aOR|jVd@2<nWW|ScZ6cZ u't Mt" I.JAzjKc4|܌ Pm̼DGRSi}o<5cb2zXt׀g֐Ub"a=X *>nde2WGP46# p7w/%n.~V };C}m!̈m]T7^a8 Iv 3g<9ד'vqY 2+=14\"aK9.!y8q0ra)?Ĉo9fkHjIC917_n{J])a9$u:C:΀ ZhRiED#RhbGBcM /෽nrn[ք aNJ!wkRRiFcc3_gN[H0 8v|vn[/ T6CĊ1gOiX$c;A+D:@JЗ9vqY+PV: O j1n Q&@Ԕu7SI8l/ۧ}ҽnIkꋲK`˜_r y o׿?mrw}7=rz3Y;)?]sC9 ZSh^tֿпNN?ӹy^K/xeK y+*+{C+U}zxH{ϫO?9/E弿W9a|s:G~asƯ _9&?nMN[{/>_?Xק ?>9~w.=]Aw9_zy޷ru S>8'9˅I+/WA<}賊sVnV`{CJ{_/G+@/I>ss=K+ťfW*7yKxM}%+zᘴ[ͺrn@Kȣ_ ^敽 YDBeD˺U暼B` j?9{n%c$QUeHr+9<;$`B3s{Ċݯh((8[]jz>r*ŃI`a\m8ugK0>AZ2^~nҸxZ 31601gx>}r)1-ͽZzhLR֚lCÂvsFF(FČCܝ0@PJ]Xvg*Yȅ=y n AnӕcX00wUWw -=IAK5 D =bH[׌#3+00ƚ H:D 3`/&o.;4m?,ʌ9 41nK˙}e'w= p7칸9L$g%^#%OEN$~ 3ܳHk`c?94Ǟ"(ـħ%IAf:2Ş_ m>Ro/TùLHd v"щ:4W.mW"&SVT"cEœ;MA c>7q>so2w 6LG4 (TǨz)>IϐQ_Ds;A}F垓gg_5b Gy&3@p+^[zQڗGkХvS$\wTr%sDJrE)ߠ(b/<% *`>#.X&">m<'.}Au;Hx |j7;1Te]YQYɶy SO~nO(#oݒ\k<>ciЄ.^p穎TU|JA1Y":xqeQW T,z/V? <^U$o~V;~v?;Nj:ˌR/'y}|x}ڽ&`֍{u3)*h,)ZL Rr7tAg0]\}!l4¯M#01B4էrer,~XXqg;f†[hx.b&;f1Բ|#