News Stay informed about the latest enterprise technology news and product updates.

Will US-CERT bring sanity to virus naming?

IT professionals hope US-CERT's soon-to-be-unveiled malcode ID plan will end confusion that often arises during outbreaks.

When a worm outbreak hits, Donald Hauser says it's much tougher to respond when different antivirus firms are giving it different names. If the attack comes from multiple variants of the same worm, things get really hairy.

Symantec is the antivirus provider of choice throughout his organization. But Hauser, information security engineer for The National Academy of Sciences (NAS) in Washington, D.C., said newly hired support technicians often come to the job having used other companies like Trend Micro for their intelligence. They may adapt to Symantec, but they continue to monitor other labs for new outbreaks. They also get their information from a variety of news services and other sources. It's a good example of an alert, diligent security team. But here's where it can get painful during an outbreak:

"Our level two support technicians [14-20 in all] will sometimes see a virus first, and from another source," Hauser said. "They'll warn me of a virus, then I go to Symantec to see what they're calling it. Sometimes it's a totally different name. So, you're searching attachment names and taking creative steps to find out which is which. There was one worm -- I can't remember which one -- but it was given three different names by three different AV companies."

It can take an hour or two to track down the new virus because it can be in your system under a completely different file name, he said. Life during an outbreak would be much more orderly if all the AV vendors adopted some common naming element, even if it's just a common code before whatever name they decide to give a new worm, he said. "It would be nice to see viruses being given a uniform number or convention similar to what [The United States Computer Emergency Readiness Team (US-CERT)] uses for vulnerabilities -- the CVE [Common Vulnerabilities and Exposures] designation. That would be very helpful. Then the major players could give it any name they want but there would still be a common code."

US-CERT is expected to grant Hauser and other IT professionals that wish next month, when it moves the Common Malware Enumeration (CME) initiative out of the testing phase. According to its Web site, the CME initiative has been working with private industry and government to:

  • Assign unique identifiers to high-priority malware events;
  • Facilitate the coordination of malware information; and
  • Improve the current state of public information needed to respond to malware events.

"CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware," according to the initiative's Web site. "Instead, CME is working with the security community to facilitate the adoption of a shared, neutral indexing capability for malware. An example of a CME identifier would be: CME-123."

Past efforts to develop a common naming system have failed. In earlier interviews, antivirus vendors said that during an outbreak, their first priority is to ensure they're offering the right protection. "It's more important to get the protection out there than have a conference call with everyone to agree on what to call it," Graham Cluley, senior technology consultant for UK-based Sophos, said in a November interview. "In the heat of battle, there's no time for that."

Vincent Gullotto, vice president of Santa Clara, Calif.-based McAfee's Anti-Virus Emergency Response Team, agreed in another interview at the time. "For the most part, [virus] family names are consistent across vendors. Multiple variants is where it can get tricky," he said. "Sometimes one company may discover two variants during an outbreak while another discovers four. That also leads to different names." Gullotto said vendors try to maintain consistency through distribution lists. "When something new is found a researcher will give the worm a name and report it to different companies," he said. "But some companies on the distribution list still call it something else and that can be frustrating."

The name game caused more grief during the August attacks on Microsoft Windows' Plug and Play flaw. Among the names that circulated during the outbreak were Zotob-A through Zotob-F, Zytob, IRCbot.worm, Tpbot-A, Dogbot-A, Esbot-A, SDbot-ACG, Rbot-AKM and Rbot-AKN; and Drugtob-B.

With US-CERT leading the charge this time, security experts are more hopeful the name game will finally be tamed.

"If CME lives up to its potential, security practitioners will save valuable time by relying on a single CME tag to identify a particular malicious program across multiple antivirus databases," Lenny Zeltser, practice leader at New York-based Gemini Systems LLC and a volunteer handler for the Bethesda, Md.-based SANS Internet Storm Center, said in an e-mail exchange.

Related content
Caught in the virus name game
Zeltser said there will be challenges to getting the initiative off the ground. "First, its usefulness will be proportional to the number of security vendors that support it," he said. But he is encouraged because "the project seems to have gained support from industry heavyweights such as Symantec, Microsoft, and McAfee, so I think it has a good chance of succeeding in this respect."

He said another challenge for the initiative will be the timeliness with which malware identifiers can be produced. "I would derive the most value from the CME identifier in the initial phases of infection, when each vendor would normally assign its own name to the malicious program and I need to quickly correlate information from many sources," he said. "I suspect this challenge of the CME initiative will be very difficult to tackle."

Hauser agrees timeliness could be an issue. But having that common code would still make his department's job more manageable during an outbreak.

"There's always the time-frame challenge," he said. "We're always trying to protect ourselves from the zero-day worm. But I think there's still enough of a delay where there's time for the uniform designation."

The Zotob experience shows how everything could work out, Hauser said. "With Zotob there was still a three- to four-day delay," he said. "It appeared on a Sunday and took two or three days to turn into a big outbreak. We still had time to get everything fully patched."

His concern is that some in the information security community are too eager to publish exploit code showing how a flaw could be attacked before a patch or virus definition is available. "But in most cases, there's still time to take action," he said.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.