is no authority that can force any type of coordination," he said. Kuo hopes people will push antivirus vendors to adopt the ID convention.
Symantec and McAfee both plan to support CME in their products and in their online reference libraries of threats, Weafer and Kuo said. Trend Micro and Kaspersky Lab will do the same, company representatives said. Other major antivirus providers--F-Secure, Sophos, Computer Associates, Microsoft and MessageLabs--are also involved in the effort. ICSA Labs, a research and testing outfit, also participates.
Recognizing the threat
Because of the lack of coordination in naming threats, an outbreak can be tagged with a variety of names or variant designations, depending on the security company that's referring to it. This can result in confusion, with people wondering if there are multiple virus or worm attacks, or just one, and whether the product they own offers protection.
Victor Go, vice president of technology at retailer PureBeauty, sees value in the initiative. "It might help us speed up looking for virus information," he said. Still, there has not been a lot of confusion around viruses or worms at his midsize, Encino, Calif.-based business, he said. "Every once in a while (there is), but eventually we come around in figuring it out."
The confusion could be even greater in larger organizations that use multiple security products from different vendors. "This is a real problem," Symantec's Weafer said. A desktop antivirus product may display a different name for a fast-spreading worm than the scanner at the e-mail gateway or the intrusion detection system, he said. This can send people scrambling to find out if each product has a defense against a particular pest.
CME identifiers should relieve some of the stress, said Beck, an employee of Mitre, which runs the initiative on behalf of US-CERT. Initially, only major threats will be given an ID number, but the ultimate goal is to cover all attacks affecting users, she said.
"It is a little bit subjective right now," Beck said, referring to the pests currently chosen to receive a CME ID tag. "We'd like to expand to anything that is out there that we could lend some clarity to."
The goal of CME is to offer a neutral, shared identification method that cuts through the naming clutter. It will assign one randomly chosen number to a worm or virus, regardless of what names it is known by at antivirus companies. Even if those companies disagree about the risk assessment or the background of the malicious software, CME will ignore this and focus on the characteristics of the attack to tag it. The worm assigned CME-540, for example, was seen differently by several software makers: McAfee identified it as a new worm (IRCbot.worm), Symantec labeled it an offshoot of Zotob (Zotob.E) and Trend Micro