By Joris Evers, 23 September 2005 08:50
The US Computer Emergency Readiness Team is preparing to take the wraps off the Common Malware Enumeration (CME) initiative - a project meant to reduce the confusion caused by the different names security companies give worms, viruses and other pests.
CME, which is just emerging from its test phase, assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected, the initiative's backers said.
Desiree Beck, the technical lead for the CME initiative, said in an interview: "There is a lot of confusion over the way that malware is referred to. We're trying to alleviate that by giving malware a common identifier, so everybody is talking about the same thing when some malware event happens."
The antivirus industry has tried, and failed, previously to agree on common naming for worms and viruses. This time, US-CERT, the part of the US Department of Homeland Security that co-ordinates response to cyber attacks, is running the show. With that in mind, and because the plan allows companies to keep their own naming by assigning an ID rather than a common name, security software makers are hopeful that the effort will be a success, and they're eager to participate.
Vincent Weafer, the senior director of security response at Symantec, said: "Everybody recognises it as a pain point, and the industry has tried multiple times to come together. CME is a step in the right direction."
Jimmy Kuo, a senior fellow at software maker McAfee, agreed. However, he noted the success of CME depends on industry participation, which is voluntary. "We have this problem because there is no authority that can force any type of co-ordination," he said. Kuo hopes people will push antivirus vendors to adopt the ID convention.
Symantec and McAfee both plan to support CME in their products and in their online reference libraries of threats, Weafer and Kuo said. Kaspersky Labs and Trend Micro will do the same, company representatives said. Other major antivirus providers - Computer Associates, F-Secure, MessageLabs, Microsoft and Sophos - are also involved in the effort. ICSA Labs, a research and testing outfit, also participates.
Because of the lack of co-ordination in naming threats, an outbreak can be tagged with a variety of names or variant designations, depending on the security company that's referring to it. This can result in confusion, with people wondering if there are multiple virus or worm attacks, or just one, and whether the product they own offers protection.
Victor Go, vice president of technology at PureBeauty, a medium-sized California-based retailer, sees value in the initiative. "It might help us speed up looking for virus information," he said.
The confusion could be even greater in larger organisations that use multiple security products from different vendors. Symantec's Weafer said: "This is a real problem." A desktop antivirus product may display a different name for a fast-spreading worm than the scanner at the email gateway or the intrusion detection system, he said. This can send people scrambling to find out if each product has a defence against a particular pest.
CME identifiers should relieve some of the stress, according to Beck, an employee of Mitre, which runs the initiative on behalf of US-CERT. Initially, only major threats will be given an ID number, but the ultimate goal is to cover all attacks affecting users, she said.
Referring to the pests currently chosen to receive a CME ID tag, she said: "It is a little bit subjective right now. We'd like to expand to anything that is out there that we could lend some clarity to."
The goal of CME is to offer a neutral, shared identification method that cuts through the naming clutter. It will assign one randomly chosen number to a worm or virus, regardless of what names it is known by at antivirus companies. Even if those companies disagree about the risk assessment or the background of the malicious software, CME will ignore this and focus on the characteristics of the attack to tag it.
A CME identifier should get assigned within hours of a new worm or virus starting to spread, Beck said. Security vendors should then include the number in their products and link from their advisories to the information on the CME website, which is set to debut in early October. The proposal is for security companies to add the CME tag to the threat names, Beck said. An alert popping up on a user's screen could look like this: "Zotob.E!CME-540 detected."
The effort is completely reliant on industry participation. A number is assigned only after an industry researcher submits a sample of a threat with a write-up to CME. A group associated with the CME initiative then further researches the threat, collates information from antivirus companies, allocates an ID and publishes a threat profile.
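As an added illustration of the tagging scheme and the multi-product confusion described above (example code, not part of the original article or the CME project), the following parses alerts in the proposed "Name!CME-540" form and groups them by CME identifier so an operator can tell whether alerts from a desktop scanner, a mail gateway and an IDS refer to one outbreak or several. All vendor names other than Zotob.E and all product labels are constructed for the example; only CME-540 comes from the article.

```python
import re
from collections import defaultdict

# Alert form proposed in the article: "<vendor threat name>!CME-<number>".
# Matches the article's example "Zotob.E!CME-540"; an alert without a tag
# yields a CME id of None so untagged products can still be reported on.
CME_TAG = re.compile(r"^(?P<name>[^!\s]+)!CME-(?P<cme>\d+)$")

# Constructed sample alerts from three hypothetical products. CME-540 is
# from the article; CME-123 and every vendor name except Zotob.E are made up.
SAMPLE_ALERTS = [
    ("desktop-av", "Zotob.E!CME-540 detected"),
    ("mail-gateway", "W32/Zotob.worm.gen!CME-540 detected"),
    ("ids", "Worm.Zotob-Variant!CME-540 detected"),
    ("desktop-av", "Sample.A!CME-123 detected"),
    ("ids", "Untagged.Thing detected"),
]

def parse_alert(text):
    """Return (vendor_name, cme_id or None) for one alert string."""
    token = text.split()[0]  # the threat name is the first token
    m = CME_TAG.match(token)
    if not m:
        return token, None
    return m.group("name"), int(m.group("cme"))

def correlate(alerts):
    """Group alerts by CME id: {cme_id: {product: vendor_name}}.
    Alerts without a CME tag are collected under the key None."""
    by_cme = defaultdict(dict)
    for product, text in alerts:
        name, cme = parse_alert(text)
        by_cme[cme][product] = name
    return dict(by_cme)

def summarize(alerts):
    """Count distinct tagged outbreaks and list the names each one goes by."""
    groups = correlate(alerts)
    tagged = {k: v for k, v in groups.items() if k is not None}
    return {
        "distinct_outbreaks": len(tagged),
        "untagged_alerts": len(groups.get(None, {})),
        "names_per_cme": {k: sorted(set(v.values())) for k, v in tagged.items()},
    }

if __name__ == "__main__":
    for cme, products in correlate(SAMPLE_ALERTS).items():
        print(cme, products)
```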
Industry participation has been good, according to Beck. "They have been really responsive, and I think they have confidence that it is something good for the long run," she said.
The first version of the CME website will have descriptions of a couple dozen threats, Beck said. By the end of the year, a more comprehensive website should be available, she said.
Joris Evers writes for CNET News.com
