Schneier on Security
A blog covering security and security technology.
September 27, 2005
Computer Malware to Have Uniform Names
Starting next month, US-CERT will start issuing uniform names for worms, viruses, and other malware. This is part of a program called the Common Malware Enumeration Initiative, and is great news.
Posted on September 27, 2005 at 3:59 PM
Finally! This has been overdue for quite some time...
Now if they start naming them something like "author_is_a_useless_little_twirp_1", "author_is_a_useless_little_twirp_2", etc., instead of giving them sexy names like "mydoom", that'll be real progress.
Good news! I thought the example in the article is worth noting:
"on Sunday, Symantec Corp. issued an alert for a Category 2 mass-mailing worm it named 'W32.Lanieca.H@mm.'
However, Kaspersky Lab, another anti-virus company, named the same worm 'Email-Worm.Win32.Tanatos.p,' McAfee Inc. called the threat 'W32.Eyeveg.worm' and Trend Micro Inc. called it 'WORM-WURMARK.P'"
Hey, at least they all agreed that it should be called a worm.
Don't know if you've tried this, but you might find it a more user-friendly way to avoid being (over)flashed:
Does this mean that viruses will get names like hurricanes? One for each letter of the alphabet?
I look forward to seeing virus names such as C-000, C-3PN, C-3PO, etc....
This is great news but will only be of value if the AV vendors commit to it and also use the naming standard.
Click on the link in the top right that says "go directly to eweek".
It's a stupid flash intro "screen".
[I love adblock, flashblock and firefox so I don't have to see something I'll *never ever* click on].
Who submits the malware to MITRE?
How is the malware disseminated to every _other_ AV company on a timely basis (they need to respond within two hours, right?)?
How do they resolve the 24 hr time differences around the world?
How do they resolve when two or more competing companies are working on the analysis and definitions [before it's submitted to or during the two hour window]?
How do they deal with flash worms (the last one only took 4 hours to fully propagate)?
Sounds simple on paper, but it is quite complicated in real life. There really is no _simple_ answer to this issue, and it probably will require re-releases by AV companies of virus/malware/worm names (something that's not so easy).
Oh, I forgot my favorite question:
What happens when _one_ of the AV companies decides it's in their best interest to release new definitions before waiting for the two hour window to expire (they can claim to be first to have a fix for _any_ given exploit and everyone else has to wait, and possibly use their competitor's de facto name)?
Re: Flash adverts
I have nothing to add except I'm happy for the unified naming system. Off topic: I use the Mozilla flashblock plugin. It simply replaces the flash with an icon, and when you click on it, it then loads in and runs the flash. You don't have to wait for it to load in before you can click through.
Uh, I thought making a list of bad things was one of the top 6 bad security ideas. Doesn't this just reinforce that?
The list was already there, now it's just a bit more boring to read.
I like this a lot. I hope it catches on.
@No Nym -
Well, yes and no. Yes AV software is about making lists of bad things to keep out rather than good things to permit.
But this is a good thing because it eliminates the confusion of one malware episode having 5 or more names. At least this way when we're talking about a malware virus/worm/trojan/whatever, we can all know we are talking about the same one!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.