Malware Naming Plan Gets Chilly Reception

Some industry analysts question the Common Malware Enumeration program's value and its dependence on software vendors.

A discussion of a new system for tracking malicious code introduced by the U.S. Department of Homeland Security turned into a contentious argument Wednesday, with some anti-virus and enterprise IT analysts questioning the program's value and its dependence on major anti-virus software vendors.

Attendees at a presentation on the CME (Common Malware Enumeration) program at the Virus Bulletin Conference, a gathering of computer virus analysts in Dublin, Ireland, peppered CME board members Desiree Beck, of MITRE Corporation, and McAfee Inc. Fellow Jimmy Quo with questions about how the new program will be implemented, what purpose CME numbers will serve, and whether the program will admit representatives from more anti-virus companies.

While some saw the uproar as predictable resistance from entrenched interests in the balkanized anti-virus software industry, others said that changes to CME may be necessary to make the program work.

The spat came on the same day that the US-CERT (U.S. Computer Emergency Readiness Team) officially launched CME, which is intended to clear up confusion that results from the current decentralized system for naming Internet threats.

CME has been in development for over a year and is being run by the MITRE Corp. for DHS's National Cyber Security Division.

So far, the program has assigned CME numbers to 23 critical worms and viruses, a tiny fraction of all the malicious code samples that have been discovered during that time.

Unlike previous virus-naming systems, CME will be based on samples of malicious code, not specific files that contain malicious code.

The code samples will be submitted to MITRE, reviewed by experts at anti-virus companies that participate in the program, and then tagged with CME numbers, said Beck.

But audience members noted, and Quo acknowledged, that different anti-virus engines identify threats differently, meaning that a new Internet attack might carry more than one CME number, or that the same CME number might apply to more than one attack.

Audience members, many of them representatives of anti-virus companies that would use the new system, also expressed doubts about whether MITRE would be able to cope with the flood of threat data they would get from member companies.

"[CME] is impossible to achieve," said Vesselin Bontchev, an anti-virus researcher at FRISK Software International. "[CME] is based on CVE [MITRE's Common Vulnerability Enumeration list], but the last time I looked, 73 percent of the vulnerabilities did not have a CVE number. Can you imagine coping with the number of viruses?"


CME member Nick Fitzgerald, an independent anti-virus analyst, said that member organizations will keep from being overwhelmed by "self limiting."

"We can't submit 20 or 30 [malicious code samples] a month. We're not so stupid that we're going to DOS ourselves," he said.

MITRE and CME members will only work with the most critical threats, such as the recent Zotob worm, which are generating large numbers of infections and media attention, said Beck.

"We want to help consumers and not have anything that they're confused about," said Quo.

"If we determine that a threat is…something for them to be concerned about, we'll step in and assign it a CME number."

Not everybody was skeptical of the new system.

"I want information on new malicious code that I haven't seen…CME will provide a level of trust between our internal tests and in-house research," said John Alexander of Wells Fargo.

Many of the objections to the program were similar to those raised at the same conference last year, when the idea for CME was first introduced, and typical in a divided and deeply competitive anti-virus industry, which has tried for years and failed to come up with a uniform virus-naming standard, said Ken Dunham, director of malicious code research at iDefense Inc.

"Everybody does what's right in their own mind, and it's chaos," he said.


Changes are likely as CME members begin to implement the program.

While CME membership is invitation-only, the group may need to extend membership to more security companies to ensure its success, said Quo.

"I'm going to suggest that," he said.

But forces outside the industry have made accurate tracking more important, including new regulations that emphasize network auditing and compliance.

Over time, those changes will force companies to come up with ways to accurately identify and correlate threats, Dunham said.
