CME RIP

The problem of malware-naming inconsistency is a real one, but the Common Malware Enumeration initiative could never be useful.

I've thought for a while now that the anti-malware business is a boring one with little news worth writing about. This impression was validated when I noticed the decrepit state of Mitre's CME (Common Malware Enumeration) project.

Mitre is the group that administers CVE (Common Vulnerabilities and Exposures), an undoubtedly useful project, CVE is a public database and vocabulary for referring to vulnerabilities in computing products. It is universally respected; almost any disclosure you'll see of a vulnerability will be accompanied by a CVE number, and Mitre certifies security products to work with these numbers properly (although changes in this certification seem to have some vendors unhappy).

Then about four years ago Mitre got the idea to make a second database for malware. Anyone who works with anti-virus software quickly notices and is bothered by the inconsistencies in the naming of malware; for instance, a simple example: Panda's Bagle.BE is W32/Bagle-AU to Sophos; but it gets worse. Win32.DlWreck to CA is W32/Vidlo.P to Norman, and Symantec just calls it a generic Download.Trojan. How to keep these things straight, especially in an environment with multiple anti-malware products installed?

Mitre's idea was to assign the specific program a CME number and use their site to point you to specific descriptions on various sites, as happens now with CVE. Potentially lucrative work beckoned making all that anti-malware software CME-compliant. The number of malware programs out there was always too large to contemplate, so the idea was just to focus on large outbreaks.

Kaspersky's senior anti-virus researcher, Roel Schouwenberg, agrees that the CME database is populated largely by large epidemics. "Personally, when I think of CME I recall two instances of malware. Firstly a variant of Sober, CME-981, of which the CME number actually got quite some attention. I guess, in retrospect, it was the CME initiative at its peak." It's true, Sober was big news.

Schouwenberg continues: "Secondly I think of Nyxem.e, CME-24. The media conveniently called it the KamaSutra worm, referring to one of the possible messages that this Email-Worm could send. I can't think of a better example to illustrate that CME wouldn't really work from a media perspective." Ouch, but he's right. I might have mentioned "CME-24" if I wrote a story about it, but "KamaSutra" would have been in the headline.

Confusion Reigns

I didn't give CME much of a chance back when I first wrote about it, whether or not they were fighting the good fight. Unlike vulnerabilities, which disclosed to the world with descriptions and, often, remediations and patches, malware is released to the world unannounced. It's in those first few hours, perhaps a day or two, that the confusion reigns, and it's at that time that a unifying CME would be useful.

But that's not going to happen. Mitre can't decide that a CME number is worth doing until the scale of the outbreak is clear, and even then it's often unclear which names from one vendor correspond to the others. By the time the CME entry is useful, the crisis is likely to be over.

The end result is that the CME database has a total of 39 entries in it with the last one coming in January 2007. That entry, one of the early Storm Worm variants, says a lot about CME and the state of the malware market.

One could reasonably argue that since Storm there haven't been any large-scale outbreaks, but hundreds, maybe thousands, of small-scale ones. Schouwenberg says that Kaspersky sees "an incoming malware flow of tens of thousands of unique samples per day...How can CME keep up with that? I can't see it being done in a way that's useful for the (somewhat) general public."

But any way you look at it, CME is a failure: either there has been a need for it since January 2007 and they have failed to fill that need, or there hasn't been a need and CME was misplaced to begin with. The latter is my take on the matter.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.