Virus names could be standardized

US-CERT, the Computer Emergency Readiness Team within the US Department of Homeland Security, is coordinating a Common Malware Enumeration initiative among vendors, according to a letter sent to The SANS Institute.

The letter, signed by representatives of the DHS, Symantec, Microsoft, McAfee, and Trend Micro, said the industry hopes to address the challenges surrounding the ‘Virus Name Game’, with a pilot program coming as early as January.

US-CERT will act as a neutral third party that coordinates a database of malware identifiers. It will look quite a lot like the Common Vulnerabilities and Exposures list, currently managed by The Mitre Corp and sponsored by US-CERT.

By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants… hopes to address many of the challenges that the anti-malware community currently faces, they wrote.

The identifiers will look something like CME-1234567, the letter says. Headline writers need not be too dismayed, however, as it appears there could be room to apply media-friendly names like Blaster and Slammer to new threats.

At first, CME will be confined to major threats. The project leaders wrote: There are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. Deconfliction, while not a word, is used in military circles to mean the removal of conflict.

This was evident recently when some vendors named the first mobile exploit for the Internet Explorer 6 Iframe bug Bofra, while others said it was a variant of MyDoom. F-Secure Corp said Bofra and MyDoom had less than half their code in common.

This kind of conflict could presumably still arise under a CME numbering system, but at least security administrators would be able to tell they were the same threat and only one signature or definition is needed for protection.

Generally, assigning names to viruses is currently the job of the companies that find them. In fast outbreaks, companies will often assign different names, and the media does the job of deciding which one will stick in the public consciousness.

Names are often derived from the filenames, the content of the email the worm attaches itself to, or plaintext found inside the code. Blaster, one of the most serious threats ever, was MSBlast.exe, but somebody at Symantec decided Blaster sounded better.

McAfee called the same worm Lovsan after finding plaintext reading I just want to say LOVE YOU SAN!!. Plaintext ridiculing Bill Gates also led to the suggestion billy. Neither name is widely used today.

Sometimes naming can be even more arbitrary. The Melissa worm was named by its own author after a stripper known to him, it later emerged in court. Code Red is a high-caffeine soft drink the geeks at eEye Security Inc were drinking when they spotted it.

Sign up for our regular news round-up!

Give your business an edge with our leading Tech Monitor

Sign up