US-CERT Malware Naming Plan Faces Obstacles

US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.

The program is intended to clear up confusion that results from the current decentralized system for naming Internet threats, which often results in the same virus or worm receiving different names from different anti-virus vendors.

However, anti-virus experts say the voluntary CME (Common Malware Enumeration) program will face a number of challenges, including that of responding quickly to virulent virus and worm outbreaks.

CME is being run by the Mitre Corp., based in Bedford, Mass. and McLean, Va., for the U.S. DHS (Department of Homeland Security) National Cyber Security Division.

Work was begun on the program about one year ago. So far, CME numbers have been assigned to a handful of critical worms and viruses, said Julie Connolly, principal information security engineer at Mitre.

New malicious code samples are held for 2 hours and, if no other example of the new code is submitted, assigned a CME number.

When multiple examples of new malicious code are submitted within the 2-hour window, Mitre will ask anti-virus company researchers to work out conflicts in definitions and submit one or more samples for numbering, Connolly said.

US-CERT warns of attacks on systems running Veritas backup software. Read more here.

Contrast that with the present system for naming malicious code, in which each company that discovers a threat assigns it a name based on that company’s database of threats.

Most companies make cursory attempts to synchronize their virus and worm names with those of other vendors, but there are frequent divergences and differences.

For example, on Sunday, Symantec Corp. issued an alert for a Category 2 mass-mailing worm it named “W32.Lanieca.H@mm.”

However, Kaspersky Lab, another anti-virus company, named the same worm “Email-Worm.Win32.Tanatos.p,” McAfee Inc. called the threat “W32.Eyeveg.worm” and Trend Micro Inc. called it “WORM-WURMARK.P,” according to Symantec’s Web site.

“Naming is a problem for everybody,” said Bruce Hughes, senior anti-virus researcher at Trend Micro.

The CME program will help security administrators and end users of anti-virus software, as well as anti-virus companies, Hughes said.

Click here to read about how long registry names can hide malware.

The new system could make it easier for operations staff at large companies to coordinate response to virus outbreaks, said Erik Johnson, vice president and program manager at Bank of America Corp. in Boston.

Bank of America has different teams that handle viruses both at the network perimeter and on the company’s internal network. In addition, the company uses a number of different anti-virus products simultaneously, he said.

“For operations folks, it might make a difference,” Johnson said.

“I don’t care what they name them as long as they kill those suckers,” said Hap Cluff, director of IT for the City of Norfolk, Va.

Cluff said the new naming system will make it easier to respond to questions from users about new viruses and worms.

Next Page: How the system will play out.