When a worm outbreak hits, Donald Hauser says it's much tougher to respond when different antivirus firms are giving it different names. If the attack comes from multiple variants of the same worm, things get really hairy.
Symantec is the antivirus provider of choice throughout his organization. But Hauser, information security engineer for The National Academy of Sciences (NAS) in Washington, D.C., said newly hired support technicians often come to the job having used other companies like Trend Micro for their intelligence. They may adapt to Symantec, but they continue to monitor other labs for new outbreaks. They also get their information from a variety of news services and other sources. It's a good example of an alert, diligent security team. But here's where it can get painful during an outbreak:
It can take an hour or two to track down the new virus because it can be in your system under a completely different file name, he said. Life during an outbreak would be much more orderly if all the AV vendors adopted some common naming element, even if it's just a common code before whatever name they decide to give a new worm, he said. "It would be nice to see viruses being given a uniform number or convention similar to what [The United States Computer Emergency Readiness Team (US-CERT)] uses for vulnerabilities -- the CVE [Common Vulnerabilities and Exposures] designation. That would be very helpful. Then the major players could give it any name they want but there would still be a common code."
US-CERT is expected to grant Hauser and other IT professionals that wish next month, when it moves the Common Malware Enumeration (CME) initiative out of the testing phase. According to its Web site, the CME initiative has been working with private industry and government to:
- Assign unique identifiers to high-priority malware events;
- Facilitate the coordination of malware information; and
- Improve the current state of public information needed to respond to malware events.
"CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware," according to the initiative's Web site. "Instead, CME is working with the security community to facilitate the adoption of a shared, neutral indexing capability for malware. An example of a CME identifier would be: CME-123."
Past efforts to develop a common naming system have failed. In earlier interviews, antivirus vendors said that during an outbreak, their first priority is to ensure they're offering the right protection. "It's more important to get the protection out there than have a conference call with everyone to agree on what to call it," Graham Cluley, senior technology consultant for UK-based Sophos, said in a November interview. "In the heat of battle, there's no time for that."
Vincent Gullotto, vice president of Santa Clara, Calif.-based McAfee's Anti-Virus Emergency Response Team, agreed in another interview at the time. "For the most part, [virus] family names are consistent across vendors. Multiple variants is where it can get tricky," he said. "Sometimes one company may discover two variants during an outbreak while another discovers four. That also leads to different names." Gullotto said vendors try to maintain consistency through distribution lists. "When something new is found a researcher will give the worm a name and report it to different companies," he said. "But some companies on the distribution list still call it something else and that can be frustrating."
The name game caused more grief during the August attacks on Microsoft Windows' Plug and Play flaw. Among the names that circulated during the outbreak were Zotob-A through Zotob-F, Zytob, IRCbot.worm, Tpbot-A, Dogbot-A, Esbot-A, SDbot-ACG, Rbot-AKM and Rbot-AKN; and Drugtob-B.
With US-CERT leading the charge this time, security experts are more hopeful the name game will finally be tamed.
"If CME lives up to its potential, security practitioners will save valuable time by relying on a single CME tag to identify a particular malicious program across multiple antivirus databases," Lenny Zeltser, practice leader at New York-based Gemini Systems LLC and a volunteer handler for the Bethesda, Md.-based SANS Internet Storm Center, said in an e-mail exchange.
He said another challenge for the initiative will be the timeliness with which malware identifiers can be produced. "I would derive the most value from the CME identifier in the initial phases of infection, when each vendor would normally assign its own name to the malicious program and I need to quickly correlate information from many sources," he said. "I suspect this challenge of the CME initiative will be very difficult to tackle."
Hauser agrees timeliness could be an issue. But having that common code would still make his department's job more manageable during an outbreak.
"There's always the time-frame challenge," he said. "We're always trying to protect ourselves from the zero-day worm. But I think there's still enough of a delay where there's time for the uniform designation."
The Zotob experience shows how everything could work out, Hauser said. "With Zotob there was still a three- to four-day delay," he said. "It appeared on a Sunday and took two or three days to turn into a big outbreak. We still had time to get everything fully patched."
His concern is that some in the information security community are too eager to publish exploit code showing how a flaw could be attacked before a patch or virus definition is available. "But in most cases, there's still time to take action," he said.