Want CNET to notify you of price drops and the latest stories?

Name that worm--plan looks to cut through chaos

Plethora of different handles for the same threat can confuse security efforts. Common-identifier scheme looks to fix that.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
7 min read
Zotob.E, Tpbot-A, Rbot.CBQ and IRCbot.worm: all names given to a single worm that wreaked havoc in Windows 2000 systems last month. Among the plethora of identifiers, perhaps the most useful--CME-540--didn't make an impact.

But that's about to change. CME-540 was the tag attached to the worm by the Common Malware Enumeration initiative, which is just emerging from its test phase. Next month, the U.S. Computer Emergency Readiness Team plans to officially take the wraps off the effort, meant to reduce the confusion caused by the different names security companies give worms, viruses and other pests.

How numbers are assigned

CME is supported by researchers who work for US-CERT, but relies on participation by security vendors. Several major vendors, including the top three antivirus vendors, Symantec, McAfee and Trend Micro, currently participate in a preliminary editorial board.

•  The project initially will focus on worm or virus outbreaks, when it is most likely for confusion to occur because security vendors will rush to name the new threat.

•  When there is an outbreak, a CME participant will request an identifier by submitting a sample of the new malicious code to an automated system.

•  The system issues a CME identifier, but won't issue any new IDs for two hours because subsequent submissions likely will be of the same new threat.

•  The CME identifier and the submitted information is sent to all participants.

•  Each participant is then expected to use that identifier in all their communications, including products, alerts and when talking to news media.

The project assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected, the initiative's backers said.

"There is a lot of confusion over the way that malware is referred to," Desiree Beck, the technical lead for the CME initiative, said in an interview. "We're trying to alleviate that by giving malware a common identifier, so everybody is talking about the same thing when some malware event happens."

The antivirus industry has tried, and failed, before to agree on common naming for worms and viruses. This time, US-CERT, the part of the U.S. Department of Homeland Security that coordinates response to cyberattacks, is running the show. With that in mind, and because the plan allows companies to keep their own naming by assigning an ID rather than a common name, security software makers are hopeful that the effort will be a success, and they're eager to participate.

"Everybody recognizes it as a pain point, and the industry has tried multiple times to come together," said Vincent Weafer, the senior director of security response at Symantec. "CME is a step in the right direction."

Jimmy Kuo, a senior fellow at software maker McAfee, agreed. However, he noted that the success of CME depends on industry participation, which is voluntary. "We have this problem because there

is no authority that can force any type of coordination," he said. Kuo hopes people will push antivirus vendors to adopt the ID convention.

Symantec and McAfee both plan to support CME in their products and in their online reference libraries of threats, Weafer and Kuo said. Trend Micro and Kaspersky Lab will do the same, company representatives said. Other major antivirus providers--F-Secure, Sophos, Computer Associates, Microsoft and MessageLabs--are also involved in the effort. ICSA Labs, a research and testing outfit, also participates.

Recognizing the threat
Because of the lack of coordination in naming threats, an outbreak can be tagged with a variety of names or variant designations, depending on the security company that's referring to it. This can result in confusion, with people wondering if there are multiple virus or worm attacks, or just one, and whether the product they own offers protection.

Victor Go, vice president of technology at retailer PureBeauty, sees value in the initiative. "It might help us speed up looking for virus information," he said. Still, there has not been a lot of confusion around viruses or worms at his midsize, Encino, Calif.-based business, he said. "Every once in a while (there is), but eventually we come around in figuring it out."

The confusion could be even greater in larger organizations that use multiple security products from different vendors. "This is a real problem," Symantec's Weafer said. A desktop antivirus product may display a different name for a fast-spreading worm than the scanner at the e-mail gateway or the intrusion detection system, he said. This can send people scrambling to find out if each product has a defense against a particular pest.

CME identifiers should relieve some of the stress, said Beck, an employee of Mitre, which runs the initiative on behalf of US-CERT. Initially, only major threats will be given an ID number, but the ultimate goal is to cover all attacks affecting users, she said.

"It is a little bit subjective right now," Beck said, referring to the pests currently chosen to receive a CME ID tag. "We'd like to expand to anything that is out there that we could lend some clarity to."

The goal of CME is to offer a neutral, shared identification method that cuts through the naming clutter. It will assign one randomly chosen number to a worm or virus, regardless of what names it is known by at antivirus companies. Even if those companies disagree about the risk assessment or the background of the malicious software, CME will ignore this and focus on the characteristics of the attack to tag it. The worm assigned CME-540, for example, was seen differently by several software makers: McAfee identified it as a new worm (IRCbot.worm), Symantec labeled it an offshoot of Zotob (Zotob.E) and Trend Micro

saw it as another threat (Rbot.CBQ). Some times antivirus companies will rename a worm for the sake of conformity, but that typically doesn't happen quickly.

A CME identifier should get assigned within hours of a new worm or virus starting to spread, Beck said. Security vendors then should include the number in their products and link from their advisories to the information on the CME Web site, which is set to debut in early October. The proposal is for security companies to add the CME tag to the threat names, Beck said. An alert popping up on a user's screen could look like this: "Zotob.E!CME-540 detected."

The effort is completely reliant on industry participation. A number is assigned only after an industry researcher submits a sample of a threat with a write-up to CME. A group associated with the CME initiative then further researches the threat, collates information from antivirus companies, allocates an ID and publishes a threat profile.

Industry participation has been good, Beck said. "They have been really responsive, and I think they have confidence that it is something good for the long run," she said.

Participation on the organization's editorial board, which includes Microsoft, Symantec, McAfee and the other industry majors previously mentioned, is by invitation-only, and companies have been lining up to get in, Beck said. The editorial board guides the process by which industry and researchers submit information on threats and by which the common IDs are assigned.

The first version of the CME Web site will have descriptions of a couple dozen threats, Beck said. Some have been written up in the months since the CME initiative started its trial run in the first quarter of this year. To begin with, the site will provide characteristics of threats and all the aliases used by different security companies, Beck said. By the end of the year, a more comprehensive Web site should be available, she said.

A worm or a virus is typically tagged by the first security company to discover it. Aside from some ground rules--for example, the name can't be that of a real person or be offensive--antivirus providers are essentially free to call the new pest whatever they like. "There are no grown-ups; there is nobody there to dictate standards to anyone, so you name the virus whatever you want to," said David Perry, director of global education at security provider Trend Micro.

In the case of a fast-spreading worm, a lot of security companies typically see it at the same time and all give it a moniker, Symantec's Weafer said. "Speed and response time are so critical--that overwhelms any ability to get together with others and agree on a name for it," he said.

A convention that comes up with names ahead of time, like that used for hurricanes, doesn't work with worms or viruses, Weafer said. One reason is that there are many variants of worms and viruses, and antivirus companies don't always agree on whether a newly spotted threat is an offshoot or a brand new pest.

A few antivirus companies, including McAfee and Symantec, have already included CME identifiers in some of their advisories. As more threats get assigned an ID number, more companies will probably support the effort in their products, Beck expects.

"It is a chicken-and-egg problem. If there was stuff that they could point to, I think they would be very quick to link to it," she said.

While Go at PureBeauty does see some value in the naming initiative, he'd rather have his security software made more effective. "We get hit before virus definitions are out--that has happened several times. I doubt this initiative will help against that," he said.