[ISN] Security experts criticize malware list

From: InfoSec News (isn@private)
Date: Mon Dec 12 2005 - 23:22:36 PST


Forwarded from: Marjorie Simmons <lawyer@private>

http://www.csoonline.com.au/index.php/id;551430318;fp;8;fpid;2

Matthew Broersma
Techworld.com
08/12/2005 

Just how useful is the Common Malware Enumeration (CME) initiative
debuted by U.S.-CERT this autumn?

The system was created to sort out some of the confusion created by
the different naming systems used by different security vendors, and
to help system administrators deal with outbreaks more effectively.
Some security experts have, however, voiced doubts as to how well CME
is working in practice.

One complaint is that the system isn't providing much information on
malware aside from listing the reference codes used by different
security vendors. Such information was promised more than a year ago
by the organizers of the CME plan -- U.S.-CERT, the U.S. Department of
Homeland Security, and antivirus vendors such as Microsoft, Trend
Micro, McAfee and Symantec.

The plan was outlined in an open letter, published by the SANS
Institute, in which the organizations said U.S.-CERT would "assign a
CME identifier... to each new, unique threat and to include additional
incident response information when available".

The goal was "improving the malware information resources available to
(antivirus) software users, first responders, and malware analysts --
anyone who depends on accurate, concise information about malware,"
the letter said.

The letter was in response to criticism voiced in an earlier open
letter to the security industry by Chris Mosby, a system
administrator, in which he strongly criticized antivirus vendors for
adopting "an isolationist attitude" that made it difficult for
administrators to deal with complex virus outbreaks. "As the customers
that spend money for your products, we should not have to work so hard
to figure out if your products are keeping us protected," Mosby wrote.

A year later, the most difficult part of the CME project -
distinguishing similar pieces of malicious code from one another -
appears to be working. But CME still only provides a basic list of
names used by different vendors, without listing details or even
including links.

This makes the project of limited use, even compared with similar,
independent projects such as Secunia's virus information database,
according to SANS Internet Storm Center handler Patrick Nolan.

"Links to technical analysis was a hoped-for outcome for the CME
project, since vendors' technical analysis is the critical 'additional
incident response information' needed by the people responding to
malware outbreaks," Nolan wrote in a recent entry in the ISC diary. "A
name by any other name is just a name."

Thomas Kristensen said the lack of links or additional information
means CME is of limited use to the general public. "It can only be
used by the vendors and others with a specific interest in viruses to
more easily identify viruses in other vendors' databases," he said.
"It probably does what it was intended to do, and more information
would probably exceed the intended purpose."

Such criticisms are beside the point, according to Graham Cluley,
senior technology consultant with Sophos Antivirus. "We mustn't
criticize it for not being a 100 percent solution, it's a definite
step in the right direction," he said. "The most important thing is
that its making correlations between the different names."

He said the system would be sure to improve over time. "Linking to
more information seems to be an obvious thing they could do," he said.



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Mon Dec 12 2005 - 23:55:37 PST