Slashdot Mirror


Common Malware Enumeration Initiative

LogError writes "The Common Malware Enumeration Initiative was just announced. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations it should provide a neutral, shared identification method for malware outbreaks."

12 of 112 comments

  1. Default Permit by lapagecp · · Score: 5, Insightful

    This is just another example of getting entrenched in a default permit world which has proven itself time and again not to work. We need to be enumerating the good programs and not the other way around.

    1. Re:Default Permit by GigsVT · · Score: 5, Insightful

      You've taken a good concept and turned it on its ear.

      Default Deny is good. Centralized lists of "good" software is bad. Think about it for a second and you'll realize why.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  2. Required reading by ReformedExCon · · Score: 5, Informative

    This is the first time I've been to the US-CERT website, so please forgive my enthusiasm.

    This document on viruses should be required reading for anyone who uses a computer.

    http://www.us-cert.gov/reading_room/virus.html

    Most common malware can be stopped with the same virus-avoidance techniques listed in this brief document.

    As for this initiative, it's not explained very well, that's for sure. It seems like a simple naming convention for viruses as well as a central location for all virus information. I'm not big on the government taking away such a role from private industry, but with the threat of viruses affecting everyone, it makes sense that the government provide a baseline starting point for all antivirus companies to start from. It is not in the best interest of the public to have a single private company hoard virus information.

    --
    Jesus saved me from my past. He can save you as well.
  3. Problems? by op12 · · Score: 4, Insightful

    From TFA: "During a virus outbreak, participants on the CME board request an identifier from an automated system by providing a sample of the virus and as much additional information as possible. An identifier in the format 'CME-N' where N is an integer between 1 and 999 is generated and distributed to the other participants. The participants then disseminate the CME identifier to their contacts in the industry and reference the CME identifier on their web pages, in their product, or when speaking to the press. "

    It's much easier when there's an actual name to refer to like Blaster or Sasser than referring to the distinctions between CME-46 and CME-50. While the automated system seems to make sense to prevent slowdowns by having people discuss naming, this doesn't seem like a great solution. Many people may even think: I've heard of that CME thing before, I'm already protected.

  4. Wrong approach to the problem by BierGuzzl · · Score: 4, Interesting

    It would be WAY easier to keep a list of names and heuristics for all of the legitimate code out there and have a default deny policy with a whitelist. The only condition that would need to be met is that no legitimate application is denied entry or the concept could become worse than DRM.

  5. Really Don't Like the Format by Evil+W1zard · · Score: 4, Insightful

    Firstly let me just say I thought this was going to be an initiative to create a working group to assist in identifying threats quicker, but as I RTFA I find out all this really is is just a control gate for naming malcode.

    Now that being said I 100% agree that we need a methodology in place to ensure that malcode names follow a fixed format. There have been too many times that we have had to research viruses and it is annoying as all hell to see a worm as Variant B on one site and Variant C on another. It adds to the confusion during an outbreak, which in turn usually costs more research and fix time... But saying that I do not like the naming format because it doesn't clearly identify similar variants... On the site it shows an example of two variants of Zotob. One is CME-164 and one is CME-243. For tracking purposes I would much rather see something along the lines of Zotob-A being named CME-164A and Zotob-B being CME-164B. Or better yet as numbers don't stick in your head as well as words IMO stick to names like Zotob but ensure the major AV vendors follow the CMEI variant guidance...

    --
    News Reporters Make Tasty Polar Bear Treats!
  6. Re:I have to say... by evil+agent · · Score: 4, Insightful

    Let's say we don't implement a common naming scheme. Let's say McAfee comes out and identifies a new piece of malware called malware192 and releases a patch for it. Ok, you go ahead and patch your system. Later on, you read that Symantec has issued an alert for malware195. Are they referring to the same one you just patched? Should you hurry up and try to get your system up to date? Clearly, having a common name is a step in the right direction.

    --
    End transmission.
  7. Multiple Sources by RAMMS+EIN · · Score: 4, Insightful

    ``Default Deny is good. Centralized lists of "good" software is bad. Think about it for a second and you'll realize why.''

    He never said "centralized". Default deny is secure, but cumbersome to work with. People find ways around things that are cumbersome (like taping passwords on monitors when they are too strong to be remembered). Outsourcing the decision of what software to trust to a third party is a good compromise, as long as you can freely choose the parties you trust.

    What I'm imagining is something like APT repositories. You trust the maintainers to put up good software, and you verify it was really put there by the maintainers by checking the signatures. If, one day, you decide you don't trust some server anymore, you just remove it from your sources.list.

    --
    Please correct me if I got my facts wrong.
  8. Re:Simple by mr.+mulder · · Score: 4, Insightful

    The sad part is that several well-paid government employees spent 6 months developing this "solution".

  9. Understanding Identifiers. by oneiros27 · · Score: 4, Insightful

    Most identifiers are just for reference, but may not be intended for the type of indexing that you're expecting.

    Consider the following situation:

    1. A new worm is sighted
    2. CERT's members agree it's a new worm, and assign it an identifier 'x'
    3. Researchers deconstruct the worm, and determine that 'x' is actually derived from 'p'.

    We now have two options -- change the identifier from 'x' to 'p.1' or leave some sort of note attached to 'x' that it's a derived from 'p'. (well, there's two other options -- don't try to identify them, or don't assign identifiers until all research is done, which defeats the whole purpose of building the system in the first place)

    The list they're making is more like a glossary -- a flat list of items, as opposed to something which might have a concept of hierarchy. (but that's not to say that some other values in the descriptions can't be used to generate a hierarchy).

    If you'd like an even worse example of selecting identifiers -- imagine if you found a worm 'y' that used the same code for vulnerability exploits as 'c', but carried the same payload as 'g' ... is it 'c.1' or 'g.1' or 'c.g.1'?

    Sequential identifiers may seem like a bad choice, but they're so much easier to maintain in the long run, and handle the hierarchy through some other field.

    --
    Build it, and they will come^Hplain.
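A small model of what this comment and comment 6 describe, added here as an example that is not code from the thread or from the CME project itself: a flat registry of sequential 'CME-N' identifiers (1 to 999, as quoted from the announcement above), vendor-specific names mapped onto them so two vendors' alerts can be checked for referring to the same sample, and lineage carried in a separate derived_from field rather than in the identifier. The vendor labels, the product names other than Zotob, and the derived_from field are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 'CME-N', N an integer from 1 to 999 with no leading zeros (format quoted in the thread).
CME_ID = re.compile(r"^CME-([1-9]\d{0,2})$")

def is_cme(identifier: str) -> bool:
    return CME_ID.match(identifier) is not None

def parse_cme(identifier: str) -> int:
    """Return N for a well-formed CME identifier; raise ValueError otherwise."""
    m = CME_ID.match(identifier)
    if m is None:
        raise ValueError(f"not a CME identifier: {identifier!r}")
    return int(m.group(1))

@dataclass
class CmeEntry:
    cme: str
    vendor_names: Dict[str, str] = field(default_factory=dict)  # vendor -> its own name
    derived_from: Optional[str] = None  # lineage lives here, not in the flat identifier

class CmeRegistry:
    """Flat list keyed by sequential identifier; hierarchy comes from derived_from."""
    def __init__(self) -> None:
        self._by_cme: Dict[str, CmeEntry] = {}
        self._by_vendor_name: Dict[Tuple[str, str], str] = {}

    def add(self, entry: CmeEntry) -> None:
        parse_cme(entry.cme)  # reject malformed identifiers before they enter the list
        if entry.derived_from is not None and entry.derived_from not in self._by_cme:
            raise KeyError(f"unknown parent {entry.derived_from}")
        self._by_cme[entry.cme] = entry
        for vendor, name in entry.vendor_names.items():
            self._by_vendor_name[(vendor, name)] = entry.cme

    def resolve(self, vendor: str, name: str) -> Optional[str]:
        return self._by_vendor_name.get((vendor, name))

    def same_sample(self, a: Tuple[str, str], b: Tuple[str, str]) -> bool:
        """True when two vendors' names resolve to the same CME entry."""
        ca, cb = self.resolve(*a), self.resolve(*b)
        return ca is not None and ca == cb

    def lineage(self, cme: str) -> List[str]:
        """Walk derived_from back to the root; the seen-check guards against cycles."""
        chain: List[str] = []
        while cme is not None and cme not in chain:
            chain.append(cme)
            cme = self._by_cme[cme].derived_from
        return chain

def build_sample_registry() -> CmeRegistry:
    # Constructed sample: the two Zotob identifiers mentioned in the thread, made-up vendor names.
    reg = CmeRegistry()
    reg.add(CmeEntry("CME-164", {"VendorA": "Zotob.A", "VendorB": "W32/Zotob-A"}))
    reg.add(CmeEntry("CME-243", {"VendorA": "Zotob.B", "VendorB": "W32/Zotob-C"}, "CME-164"))
    return reg
```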
  10. Re:The first virus I encountered... by Prototerm · · Score: 4, Insightful

    The first computer virus I encountered was back in the glory days of the Amiga 500. I forget the name of it, but the virus re-wrote your video driver so the screen displayed everything upside down and backwards.

    The second virus I encountered (same machine) was just as interesting: a tiny helicopter flew onto your screen, dropped a grappling hook to grab your pointer, and fly off with it, never to be seen again.

    I tell ya, those were the days, when men were men, gurus meditated, and virus writers were... but I digress.

    Today, those guys probably are making a fortune somewhere writing video DRM for Vista.

    --
    "My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
  11. why isn't this tied into nvd instead? by pointbeing · · Score: 4, Informative

    I'm a federal employee and information assurance is a huge part of my job. I don't understand why CERT needed another resource rather than tying things into NIST's shiny new National Vulnerability Database. Seems to me that one-stop shopping for both software vulnerabilities and malware alerts would be the thing to do.

    --
    we see things not as they are, but as we are.
    -- anais nin