Computer Malware to Have Uniform Names

Starting next month, US-CERT will begin issuing uniform names for worms, viruses, and other malware. This is part of a program called the Common Malware Enumeration Initiative, and is great news.

Posted on September 27, 2005 at 3:59 PM • 16 Comments

Comments

Steve • September 27, 2005 5:28 PM

Now if they start naming them something like "author_is_a_useless_little_twirp_1", "author_is_a_useless_little_twirp_2", etc., instead of giving them sexy names like "mydoom", that'll be real progress.

Davi Ottenheimer • September 27, 2005 8:08 PM

Good news! I thought the example in the article is worth noting:

"on Sunday, Symantec Corp. issued an alert for a Category 2 mass-mailing worm it named "W32.Lanieca.H@mm."
However, Kaspersky Lab, another anti-virus company, named the same worm "Email-Worm.Win32.Tanatos.p," McAfee Inc. called the threat "W32.Eyeveg.worm" and Trend Micro Inc. called it "WORM-WURMARK.P"

Hey, at least they all agreed that it should be called a worm.

@ Filias

Don't know if you've tried this, but you might find it a more user-friendly way to avoid being (over)flashed:

http://flashblock.mozdev.org/

Lindalee Stuckey • September 27, 2005 9:09 PM

Does this mean that viruses will get names like hurricanes? One for each letter of the alphabet?

mark • September 28, 2005 1:32 AM

This is great news but will only be of value if the AV vendors commit to it and also use the naming standard.

David • September 28, 2005 8:03 AM

@ Filias

Click on the link in the top right that says "go directly to eweek".

It's a stupid flash intro "screen".

[I love adblock, flashblock and firefox so I don't have to see something I'll *never ever* click on].

David • September 28, 2005 8:18 AM

Questions:

Who submits the malware to MITRE?

How is the malware disseminated to every _other_ AV company on a timely basis (they need to respond within two hours, right?)?

How do they resolve the 24 hr time differences around the world?

How do they resolve when two or more competing companies are working on the analysis and definitions [before it's submitted to or during the two hour window]?

How do they deal with flash worms (the last one only took 4 hours to fully propagate)?

Sounds simple on paper, but it is quite complicated in real life. There really is no _simple_ answer to this issue, and it probably will require re-releases by AV companies of virus/malware/worm names (something that's not so easy).

David • September 28, 2005 8:23 AM

Oh, I forgot my favorite question:

What happens when _one_ of the AV companies decides it's in their best interest to release new definitions before waiting for the two hour window to expire (they can claim to be first to have a fix for _any_ given exploit and everyone else has to wait, and possibly use their competitor's de facto name)?

Matthew X. Economou • September 28, 2005 8:33 AM

Re: Flash adverts

Internet Explorer configured with non-stupid security zone settings also neatly sidesteps the adverts. I recommend setting the Internet zone to "High" (or nearly high, by customizing the High setting to allow normal things like downloads, META REFRESH, and cut-and-paste/drag-and-drop), the Local Intranet zone to "Medium Low", the Trusted Sites zone to "Medium", and the Restricted zone to "Medium" but customized to only allow signed ActiveX controls and to prompt before running a control or applet. These security settings combined with the pop-up blocker set to "High" or "Medium" and with the cookie handler set to block all cookies except session cookies makes for a tightly-controlled web browsing experience. Security Zones are probably *the* IE feature that's kept me using it all these years. In Mozilla, it's just too cumbersome to keep enabling/disabling Java and JavaScript every time I browse to a different trusted/untrusted web site.

The described IE configuration has the added advantage of counteracting most redirection exploits (such as those listed at http://www.safecenter.net/UMBRELLAWEBV4/...), which usually depend on getting bootstrap code of some kind (e.g. JavaScript) to execute in the Internet zone prior to fooling the browser into executing their payload in the Local Intranet zone.

jammit • September 28, 2005 10:52 AM

I have nothing to add except I'm happy for the unified naming system. Off topic: I use the Mozilla flashblock plugin. It simply replaces the flash with an icon, and when you click on it, it then loads in and runs the flash. You don't have to wait for it to load in before you can click through.

No Nym • September 28, 2005 11:41 AM

Uh, I thought making a list of bad things was one of the top 6 bad security ideas. Doesn't this just reinforce that?

Bryan • October 3, 2005 1:04 AM

I like this a lot. I hope it catches on.

@No Nym -

Well, yes and no. Yes, AV software is about making lists of bad things to keep out rather than good things to permit.

But this is a good thing because it eliminates the confusion of one malware episode having 5 or more names. At least this way when we're talking about a malware virus/worm/trojan/whatever, we can all know we are talking about the same one!
