The Common Malware Enumeration (CME) initiative makes no pretense that it's a cure for the multitude of virus- naming conventions. CME officially kicked off in October, but it's been more than a year in the making, primarily under the sponsorship of US-CERT, the technical guidance of the Mitre Corp, and the participation of most of the leading antivirus software vendors. Desiree Beck, technical lead for the project, hopes CME becomes...
the common talking point when it comes to malicious code, and that CME alleviates some of the confusion.
Why is CME necessary? Different entities refer to threats differently; this leads to a lot of confusion. We're hoping a common ID for threats puts everyone on the same page.
What's the process for assigning an identifier? The CME Sample Redistribution Group [the group authorized to use the CME Submission Server] evaluates top threats and submits a sample. If no other samples are submitted within two hours, it's automatically issued an identifier. If something else is submitted, it goes to resolution status where it's determined if the samples are different and if each needs its own identifier. Once it's reached accepted status, it's issued an identifier.
As far as our criteria for what gets identifier, it's primarily about what's prevalent and discussed in media, has the most potential for damage and whether people are talking about it.
Does CME have any intention of serving as a naming convention for malware threats? This is not a naming convention. This is not meant to solve the naming problem. It's more of an effort to coordinate things. People are going to continue to name threats, but if we provide an identifier, it's the glue to make things come together and serve as a talking point when referencing malware. I guess we figure it's indirectly going to help.
What challenges do you anticipate? We have to make sure we're assigning an ID to things that are distinct and that there are not two IDs assigned to equivalent samples.
The other challenge is that, when we've assigned an ID, now we need people to reference them, embed them in alerts and use them in product encyclopedias.
What lessons can the CME initiative learn from CVE? Before something was assigned a CVE identifier, it had a candidate CVE number--a CAN number-- while the vulnerability was still in discussion. This turned out to be a bad thing because the candidate numbers stuck, and were then populated and embedded in text and content out there. One thing we're doing: It either has a CME number or it doesn't.
CVE numbers also used to have dates embedded in the numbers, but there was confusion over whether this was the date the number was assigned or the date the vulnerability was found. We found, anything that has meaning embedded in ID is a bad thing. CME is a number, nothing more.
To read the full text of this interview, visit www.searchsecurity.com/ismag.