Name that worm--plan looks to cut through chaos

Plethora of different handles for the same threat can confuse security efforts. Common-identifier scheme looks to fix that.

Zotob.E, Tpbot-A, Rbot.CBQ and IRCbot.worm: all names given to a single worm that wreaked havoc in Windows 2000 systems last month. Among the plethora of identifiers, perhaps the most useful--CME-540--didn't make an impact.

But that's about to change. CME-540 was the tag attached to the worm by the Common Malware Enumeration initiative, which is just emerging from its test phase. Next month, the U.S. Computer Emergency Readiness Team plans to officially take the wraps off the effort, meant to reduce the confusion caused by the different names security companies give worms, viruses and other pests.

How numbers are assigned

CME is supported by researchers who work for US-CERT, but relies on participation by security vendors. Several major vendors, including the top three antivirus vendors, Symantec, McAfee and Trend Micro, currently participate in a preliminary editorial board.

•  The project initially will focus on worm or virus outbreaks, when it is most likely for confusion to occur because security vendors will rush to name the new threat.

•  When there is an outbreak, a CME participant will request an identifier by submitting a sample of the new malicious code to an automated system.

•  The system issues a CME identifier, but won't issue any new IDs for two hours because subsequent submissions likely will be of the same new threat.

•  The CME identifier and the submitted information are sent to all participants.

•  Each participant is then expected to use that identifier in all their communications, including products, alerts and when talking to news media.
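
The assignment steps above can be modeled in a few lines. This sketch is an added example, not code from US-CERT or the CME project. The class and function names, the timestamps and the name "Example.Worm-B" are constructed, and filing a submission made inside the two-hour hold under the identifier already issued is an assumption, since the article says only that no new ID is issued during that window.

```python
from datetime import datetime, timedelta

HOLD = timedelta(hours=2)  # from the article: no new IDs for two hours after issuing one


class CmeAllocator:
    """Toy model of the automated ID system described in the list above."""

    def __init__(self, first_number):
        self.next_number = first_number
        self.current_id = None      # most recently issued identifier
        self.issued_at = None       # when current_id was issued
        self.aliases = {}           # vendor name -> CME identifier

    def submit(self, vendor_name, when):
        """Return (cme_id, newly_issued) for a sample submitted at `when`."""
        held = self.issued_at is not None and when - self.issued_at < HOLD
        if held:
            # Assumption: a submission inside the hold window is filed under
            # the identifier already issued rather than rejected.
            cme_id = self.current_id
        else:
            cme_id = f"CME-{self.next_number}"
            self.next_number += 1
            self.current_id, self.issued_at = cme_id, when
        self.aliases[vendor_name.lower()] = cme_id
        return cme_id, not held

    def resolve(self, vendor_name):
        """Map a vendor's detection name back to the shared identifier."""
        return self.aliases.get(vendor_name.lower())


def demo():
    # Constructed timeline; the counter starts at 540 only to match the article.
    system = CmeAllocator(first_number=540)
    t0 = datetime(2005, 8, 1, 9, 0)
    log = [
        system.submit("Zotob.E", t0),
        system.submit("Tpbot-A", t0 + timedelta(minutes=20)),
        system.submit("Rbot.CBQ", t0 + timedelta(minutes=95)),
        system.submit("Example.Worm-B", t0 + timedelta(hours=2)),  # hypothetical name
    ]
    return system, log


if __name__ == "__main__":
    system, log = demo()
    for cme_id, new in log:
        print(cme_id, "issued" if new else "held: attached to existing ID")
    print(system.resolve("tpbot-a"))
```

The resolve step is what a responder gains: alerts that carry different vendor names collapse to one identifier when correlating detections across products.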

The project assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected, the initiative's backers said.

"There is a lot of confusion over the way that malware is referred to," Desiree Beck, the technical lead for the CME initiative, said in an interview. "We're trying to alleviate that by giving malware a common identifier, so everybody is talking about the same thing when some malware event happens."

The antivirus industry has tried, and failed, before to agree on common naming for worms and viruses. This time, US-CERT, the part of the U.S. Department of Homeland Security that coordinates response to cyberattacks, is running the show. With that in mind, and because the plan allows companies to keep their own naming by assigning an ID rather than a common name, security software makers are hopeful that the effort will be a success, and they're eager to participate.

"Everybody recognizes it as a pain point, and the industry has tried multiple times to come together," said Vincent Weafer, the senior director of security response at Symantec. "CME is a step in the right direction."

Jimmy Kuo, a senior fellow at software maker McAfee, agreed. However, he noted that the success of CME depends on industry participation, which is voluntary. "We have this problem because there
