Common Malware Enumeration Initiative
LogError writes "The Common Malware Enumeration Initiative was just announced. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations it should provide a neutral, shared identification method for malware outbreaks."
Seems like kind of a simple concept. "Let's make sure we're all using the same name." But I guess being able to identify a virus by name is a kind of important step in finding a fix for it.
Bradley Holt
This is just another example of getting entrenched in a default permit world which has proven itself time and again not to work. We need to be enumerating the good programs and not the other way around.
From TFA: "During a virus outbreak, participants on the CME board request an identifier from an automated system by providing a sample of the virus and as much additional information as possible. An identifier in the format 'CME-N' where N is an integer between 1 and 999 is generated and distributed to the other participants. The participants then disseminate the CME identifier to their contacts in the industry and reference the CME identifier on their web pages, in their product, or when speaking to the press."
It's much easier when there's an actual name to refer to like Blaster or Sasser than referring to the distinctions between CME-46 and CME-50. While the automated system seems to make sense to prevent slowdowns by having people discuss naming, this doesn't seem like a great solution. Many people may even think: I've heard of that CME thing before, I'm already protected.
Like most outlets, I will bet that this site will focus mainly on Windows. It's just that this time, the attention is deserved.
Am I open minded towards open source, or closed minded towards closed source?
Firstly let me just say I thought this was going to be an initiative to create a working group to assist in identifying threats quicker, but as I RTFA I find out all this is really is just a control gate for naming malcode.
Now that being said I 100% agree that we need a methodology in place to ensure that malcode names follow a fixed format. There have been too many times that we have had to research viruses and it is annoying as all hell to see a worm as Variant B on one site and Variant C on another. It adds to the confusion during an outbreak, which in turn usually costs more research and fix time... But saying that I do not like the naming format because it doesn't clearly identify similar variants... On the site it shows an example of two variants of Zotob. One is CME-164 and one is CME-243. For tracking purposes I would much rather see something along the lines of Zotob-A being named CME-164A and Zotob-B being CME-164B. Or better yet as numbers don't stick in your head as well as words IMO stick to names like Zotob but ensure the major AV vendors follow the CMEI variant guidance...
News Reporters Make Tasty Polar Bear Treats!
Let's say we don't implement a common naming scheme. Let's say McAfee comes out and identifies a new piece of malware called malware192 and releases a patch for it. OK, you go ahead and patch your system. Later on, you read that Symantec has issued an alert for malware195. Are they referring to the same one you just patched? Should you hurry up and try to get your system up to date? Clearly, having a common name is a step in the right direction.
End transmission.
Is this going to be Windows-centric, or are they reporting on ALL malware, regardless of platform?
From the article it sounds like it's an issue of malware outbreaks in general without regard to platform. Since it's simply about having a common name for malware, there's no reason why it should be platform specific.
Bradley Holt
``Default Deny is good. Centralized lists of "good" software is bad. Think about it for a second and you'll realize why.''
He never said "centralized". Default deny is secure, but cumbersome to work with. People find ways around things that are cumbersome (like taping passwords on monitors when they are too strong to be remembered). Outsourcing the decision of what software to trust to a third party is a good compromise, as long as you can freely choose the parties you trust.
What I'm imagining is something like APT repositories. You trust the maintainers to put up good software, and you verify it was really put there by the maintainers by checking the signatures. If, one day, you decide you don't trust some server anymore, you just remove it from your sources.list.
Please correct me if I got my facts wrong.
Congratulations, you've reinvented Palladium.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
Most identifiers are just for reference, but may not be intended for the type of indexing that you're expecting.
Consider the following situation:
We now have two options -- change the identifier from 'x' to 'p.1' or leave some sort of note attached to 'x' that it's derived from 'p'. (Well, there are two other options -- don't try to identify them, or don't assign identifiers until all research is done, which defeats the whole purpose of building the system in the first place.)
The list they're making is more like a glossary -- a flat list of items, as opposed to something which might have a concept of hierarchy. (But that's not to say that some other values in the descriptions can't be used to generate a hierarchy.)
If you'd like an even worse example of selecting identifiers -- imagine if you found a worm 'y' that used the same code for vulnerability exploits as 'c', but carried the same payload as 'g' ... is it 'c.1' or 'g.1' or 'c.g.1'?
Sequential identifiers may seem like a bad choice, but they're so much easier to maintain in the long run, and handle the hierarchy through some other field.
Build it, and they will come^Hplain.
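The design argued for in that post (opaque sequential CME-N identifiers, with variant and shared-code relationships kept in separate fields rather than encoded in the id) and the vendor-alias point made elsewhere in the thread, as an added example that is not from the thread or from the CME project itself. The registry class, its method names and every entry in `build_example` are assumed or constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Entry:
    cme_id: str
    vendor_names: Set[str] = field(default_factory=set)
    derived_from: Optional[str] = None         # variant of an earlier entry
    shares_exploit_with: Optional[str] = None  # same exploit code as another entry
    shares_payload_with: Optional[str] = None  # same payload as another entry

class CmeRegistry:
    # flat glossary of opaque sequential CME-N ids; relations live in fields
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def register(self, *vendor_names: str, **relations: str) -> str:
        # one id per sample; every vendor name submitted for it becomes an alias
        n = len(self.entries) + 1
        if n > 999:  # the quoted format allows N between 1 and 999
            raise OverflowError("CME-N identifier space exhausted")
        cme_id = f"CME-{n}"
        self.entries[cme_id] = Entry(cme_id, set(vendor_names), **relations)
        return cme_id

    def resolve(self, vendor_name: str) -> Optional[str]:
        # map any vendor's name back to the shared identifier
        return next((e.cme_id for e in self.entries.values()
                     if vendor_name in e.vendor_names), None)

    def family(self, root: str) -> List[str]:
        # entries whose derived_from chain leads to root (root included)
        out = []
        for e in self.entries.values():
            cur: Optional[str] = e.cme_id
            while cur is not None and cur != root:
                cur = self.entries[cur].derived_from
            if cur == root:
                out.append(e.cme_id)
        return out

def build_example() -> CmeRegistry:
    # constructed sample: the thread's 'x from p', 'y from c and g' and alias cases
    r = CmeRegistry()
    p = r.register("p")
    r.register("x", derived_from=p)
    c, g = r.register("c"), r.register("g")
    r.register("y", shares_exploit_with=c, shares_payload_with=g)
    r.register("Sasser-435", "Blogkiller", "SlamDunk")
    return r
```

The 'y' case that has no clean place in a dotted scheme ('c.1', 'g.1' or 'c.g.1') simply gets the next number and two relation fields; the 999 cap quoted from the announcement is enforced rather than silently overflowed.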
In the first hours of an outbreak, different vendors will call the same malware by different names. Some may identify it as a variant of previous malware, others may give it a new name based on an attribute, and yet others may give it a name based on a different attribute. Having a common format will let you know that Sasser-435 (CME-42), Blogkiller (CME-42) and SlamDunk (CME-42) are all the same thing named by different vendors, fairly important when trying to solve a problem.
Communication between anti-virus companies is great, BUT I hope this doesn't turn into a type of "registry" that can be hacked or spoofed and allow networks to be compromised wholesale.
"He's a real midnight golfer"
The first computer virus I encountered was back in the glory days of the Amiga 500. I forget the name of it, but the virus re-wrote your video driver so the screen displayed everything upside down and backwards.
The second virus I encountered (same machine) was just as interesting: a tiny helicopter flew onto your screen, dropped a grappling hook to grab your pointer, and flew off with it, never to be seen again.
I tell ya, those were the days, when men were men, gurus meditated, and virus writers were... but I digress.
Today, those guys probably are making a fortune somewhere writing video DRM for Vista.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
It's very simple. Centralization takes power from most and gives it to a few.
If you trust the few, it has the benefit of being more efficient. (Instead of everyone needing to put the effort into making correct decisions, only a small group needs to do so.)
Unfortunately, people have demonstrated throughout history that small, powerful groups are almost always untrustworthy. They end up using the power for their own benefit.