(continued from previous page)
saw it as another threat (Rbot.CBQ). Sometimes antivirus companies will rename a worm for the sake of conformity, but that typically doesn't happen quickly.
A CME identifier should get assigned within hours of a new worm or virus starting to spread, Beck said. Security vendors then should include the number in their products and link from their advisories to the information on the CME Web site, which is set to debut in early October. The proposal is for security companies to add the CME tag to the threat names, Beck said. An alert popping up on a user's screen could look like this: "Zotob.E!CME-540 detected."
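As an added illustration (not part of the original article and not CME or vendor code), the sketch below shows how a shared identifier lets alerts from different products be matched on the number rather than on the vendor's name. It assumes the tag format follows the sample alert above; the product names, every threat name other than "Zotob.E!CME-540", and the number 999 are constructed.

```python
import re
from collections import defaultdict

# Tag format assumed from the article's sample alert "Zotob.E!CME-540":
# vendor-specific name, then "!CME-", then the numeric identifier.
CME_TAG = re.compile(r"^(?P<name>[^!\s]+)!CME-(?P<cme>\d+)$")

def parse_threat_name(raw):
    """Split a threat name into (vendor_name, cme_id), cme_id None if untagged."""
    m = CME_TAG.match(raw.strip())
    if m:
        return m.group("name"), int(m.group("cme"))
    return raw.strip(), None

def correlate(alerts):
    """Group (product, threat_name) alerts by CME id.

    Returns (by_cme, untagged): by_cme maps id -> {product: vendor_name};
    untagged lists alerts with no CME tag, which cannot be matched by id.
    """
    by_cme = defaultdict(dict)
    untagged = []
    for product, raw in alerts:
        name, cme = parse_threat_name(raw)
        if cme is None:
            untagged.append((product, name))
        else:
            by_cme[cme][product] = name
    return dict(by_cme), untagged

# Constructed sample alerts (hypothetical products and names, see lead-in).
SAMPLE_ALERTS = [
    ("product-a", "Zotob.E!CME-540"),
    ("product-b", "ExampleBot.X!CME-540"),
    ("product-c", "ExampleWorm.B"),
    ("product-a", "OtherWorm.A!CME-999"),
]

if __name__ == "__main__":
    grouped, untagged = correlate(SAMPLE_ALERTS)
    for cme, names in sorted(grouped.items()):
        print(f"CME-{cme}: {names}")
    print("untagged:", untagged)
```

Alerts that land in the untagged list still have to be reconciled by alias, which is the confusion the identifier is meant to remove.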
The effort is completely reliant on industry participation. A number is assigned only after an industry researcher submits a sample of a threat with a write-up to CME. A group associated with the CME initiative then further researches the threat, collates information from antivirus companies, allocates an ID and publishes a threat profile.
Industry participation has been good, Beck said. "They have been really responsive, and I think they have confidence that it is something good for the long run," she said.
Participation on the organization's editorial board, which includes Microsoft, Symantec, McAfee and the other industry majors previously mentioned, is by invitation only, and companies have been lining up to get in, Beck said. The editorial board guides the process by which industry and researchers submit information on threats and by which the common IDs are assigned.
The first version of the CME Web site will have descriptions of a couple dozen threats, Beck said. Some have been written up in the months since the CME initiative started its trial run in the first quarter of this year. To begin with, the site will provide characteristics of threats and all the aliases used by different security companies, Beck said. By the end of the year, a more comprehensive Web site should be available, she said.
A worm or a virus is typically tagged by the first security company to discover it. Aside from some ground rules--for example, the name can't be that of a real person or be offensive--antivirus providers are essentially free to call the new pest whatever they like. "There are no grown-ups; there is nobody there to dictate standards to anyone, so you name the virus whatever you want to," said David Perry, director of global education at security provider Trend Micro.
In the case of a fast-spreading worm, a lot of security companies typically see it at the same time and all give it a moniker, Symantec's Weafer said. "Speed and response time are so critical--that overwhelms any ability to get together with others and agree on a name for it," he said.
A convention that comes up with names ahead of time, like that used for hurricanes, doesn't work with worms or viruses, Weafer said. One reason is that there are many variants of worms and viruses, and antivirus companies don't always agree on whether a newly spotted threat is an offshoot or a brand new pest.
A few antivirus companies, including McAfee and Symantec, have already included CME identifiers in some of their advisories. As more threats get assigned an ID number, more companies will probably support the effort in their products, Beck expects.
"It is a chicken-and-egg problem. If there was stuff that they could point to, I think they would be very quick to link to it," she said.
While Go at PureBeauty does see some value in the naming initiative, he'd rather have his security software made more effective. "We get hit before virus definitions are out--that has happened several times. I doubt this initiative will help against that," he said.





