Common Malware Enumeration Initiative Now Available

 
 
David H. Lipman
      10-05-2005
http://www.mitre.org/news/releases/0...0_05_2005.html

"During a virus outbreak, participants on the CME board request an identifier from an
automated system by providing a sample of the virus and as much additional information as
possible. An identifier in the format 'CME-N' where N is an integer between 1 and 999 is
generated and distributed to the other participants. The participants then disseminate the
CME identifier to their contacts in the industry and reference the CME identifier on their
web pages, in their product, or when speaking to the press.

In addition to MITRE, participants on the CME editorial board include McAfee, Symantec,
Trend Micro, Microsoft, Sophos, ICSA Labs, Norman, Kaspersky Lab, MessageLabs, F-Secure, and
Computer Associates. "


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
Bigbruva
      10-05-2005
At LAST!

Thanks for the link David.


BB


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:kAV0f.3289$Ll2.1075@trnddc04...
> http://www.mitre.org/news/releases/0...0_05_2005.html
>
> "During a virus outbreak, participants on the CME board request an
> identifier from an
> automated system by providing a sample of the virus and as much additional
> information as
> possible. An identifier in the format 'CME-N' where N is an integer
> between 1 and 999 is
> generated and distributed to the other participants. The participants then
> disseminate the
> CME identifier to their contacts in the industry and reference the CME
> identifier on their
> web pages, in their product, or when speaking to the press.
>
> In addition to MITRE, participants on the CME editorial board include
> McAfee, Symantec,
> Trend Micro, Microsoft, Sophos, ICSA Labs, Norman, Kaspersky Lab,
> MessageLabs, F-Secure, and
> Computer Associates. "
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>



 
Galen
      10-05-2005
In news:kAV0f.3289$Ll2.1075@trnddc04,
David H. Lipman <DLipman~nospam~@Verizon.Net> had this to say:

My reply is at the bottom of your sent message:

> http://www.mitre.org/news/releases/0...0_05_2005.html
>
> "During a virus outbreak, participants on the CME board request an
> identifier from an automated system by providing a sample of the
> virus and as much additional information as possible. An identifier
> in the format 'CME-N' where N is an integer between 1 and 999 is
> generated and distributed to the other participants. The participants
> then disseminate the CME identifier to their contacts in the industry
> and reference the CME identifier on their web pages, in their
> product, or when speaking to the press.
>
> In addition to MITRE, participants on the CME editorial board include
> McAfee, Symantec, Trend Micro, Microsoft, Sophos, ICSA Labs, Norman,
> Kaspersky Lab, MessageLabs, F-Secure, and Computer Associates. "


It's about time... The question begs what will they do when the numbers run
out? Perhaps something that also includes date of discovery or of numeration
and would be acceptable? As it is, if you look on their site, you'll see
that there's already a number of them taken up and, according to them, it's
only numbers 1-999 which is pretty limited. Finally, one more question, what
about older versions of malware? Will those be assigned numbers?

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes


 
David H. Lipman
      10-05-2005
From: "Galen" <(E-Mail Removed)>


|
| It's about time... The question begs what will they do when the numbers run
| out? Perhaps something that also includes date of discovery or of numeration
| and would be acceptable? As it is, if you look on their site, you'll see
| that there's already a number of them taken up and, according to them, it's
| only numbers 1-999 which is pretty limited. Finally, one more question, what
| about older versions of malware? Will those be assigned numbers?
|
| Galen


I doubt the database will be retroactive. The '04 dated designations will most likely be
the earliest versions. As for the number 1~999 that's a good point.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
Phil Weldon
      10-05-2005
Let's hope the response will be better organized than other recent emergency
responses.

Phil Weldon


 
kurt wismer
      10-05-2005
Galen wrote:
[snip]
> It's about time... The question begs what will they do when the numbers run
> out?


they increase the number of digits used...

> Perhaps something that also includes date of discovery or of numeration
> and would be acceptable?


wouldn't necessarily help... it's entirely possible to have more than
1000 significant malware threats in a single year...

> As it is, if you look on their site, you'll see
> that there's already a number of them taken up


are you sure? they're assigned a random number from within the range...

> and, according to them, it's
> only numbers 1-999 which is pretty limited. Finally, one more question, what
> about older versions of malware? Will those be assigned numbers?


they aren't going to be enumerating all malware, only ones that are a
real threat (ones that are already being seen in the wild or will
probably be seen in the wild)... to that end, old malware *usually*
doesn't pose as much of a threat as new malware...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
 
Galen
      10-06-2005
In news:LyZ0f.7606$(E-Mail Removed),
kurt wismer <(E-Mail Removed)> had this to say:

My reply is at the bottom of your sent message:

> Galen wrote:
> [snip]
>> It's about time... The question begs what will they do when the
>> numbers run out?

>
> they increase the number of digits used...
>
>> Perhaps something that also includes date of discovery or of
>> numeration and would be acceptable?

>
> wouldn't necessarily help... it's entirely possible to have more than
> 1000 significant malware threats in a single year...
>
>> As it is, if you look on their site, you'll see
>> that there's already a number of them taken up

>
> are you sure? they're assigned a random number from within the
> range...
>> and, according to them, it's
>> only numbers 1-999 which is pretty limited. Finally, one more
>> question, what about older versions of malware? Will those be
>> assigned numbers?

>
> they aren't going to be enumerating all malware, only ones that are a
> real threat (ones that are already being seen in the wild or will
> probably be seen in the wild)... to that end, old malware *usually*
> doesn't pose as much of a threat as new malware...


I'm not sure if I posed all of my concerns (keep in mind I'm only active in
the msnews.microsoft.com groups at the moment) with any greater clarity but
I think I addressed them and (perhaps) a potential solution. I note that you
mention that only significant threats would be included. By whose
definition? (And this borders on soapbox so please bear with me.) By my
definition - anything that potentially puts my system's data at risk or my
system's stability at risk is serious enough for me to be concerned about it
and more so when there's people who won't patch their systems and keep
sending me year old worm variants... </climbs off soapbox but it's been an
afternoon of deleting emails> When I am obligated to support end-users, both
online and in the real world, with malware issues I don't want there to be
exclusions, I want all the information and I want a resolution as quickly as
possible because, to be frank, I don't have that much time and nor do they.

I think one of the greatest values in this proposal is trend monitoring. By
date I don't mean the specific year only, I mean a format such as defined in
the prior response such as CME-10052005-*** which, along with a description
field and a few others added for flavor would make this not only a valuable
standardization but also a repository for a wealth of information such as
trends, targeted systems, method of attack, and security flaws exploited for
instance... A standard, such as a stud being 16" on center to enable ease of
use with a 4x8 piece of sheet material sheathing, must stand the test of
time. While the number of digits is infinite if they just keep adding on to
them they also become meaningless after a while. Those who would be "in the
know" would be able to look at CME-10052005-123 and say "ha, that's
doomandgloom, a trojan, and this is how you remove it from your system." And
while that would only stay in memory for the tech for a short while, it's
easier (and at least has more information for reference even without the
database ideas) and it contains more information than a simple number. It's
also very simple to implement and this is truly something that's infinite.
The malware threats aren't going to go away and while you'll never run out
of numbers the idea for a standard is to have it last and in ten or fifteen
years I don't want to be reading CME-*********************************** and
be expected to know what that is.

Anyhow, that's about all I really have to say on the subject I think. I
might think of more.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes



 
kurt wismer
      10-06-2005
Galen wrote:
[snip]
> I'm not sure if I posed all of my concerns (keep in mind I'm only active in
> the msnews.microsoft.com groups at the moment) with any greater clarity but
> I think I addressed them and (perhaps) a potential solution. I note that you
> mention that only significant threats would be included. By whose
> definition?


i don't believe it's by any 'definition'... to quote their process
document (http://cme.mitre.org/cme/process.html)

"The terms 'potentially', 'considerable', and 'significant' are
intentionally vague because generally the initiative will rely on the
collective experience of CME participants to determine when a malware
threat requires CME identification."

> (And this borders on soapbox so please bear with me.) By my
> definition - anything that potentially puts my system's data at risk or my
> system's stability at risk is serious enough for me to be concerned about it
> and more so when there's people who won't patch their systems and keep
> sending me year old worm variants... </climbs off soapbox but it's been an
> afternoon of deleting emails>


your soapbox is irrelevant... the common malware enumeration has
absolutely nothing to do with protecting you from malware... in no way
does it affect the risks that you face, at all... it's just a means of
coming up with another alias for the malware... at best it may help to
clear up some naming confusion...

> When I am obligated to support end-users, both
> online and in the real world, with malware issues I don't want there to be
> exclusions, I want all the information and I want a resolution as quickly as
> possible because, to be frank, I don't have that much time and nor do they.


and nor do the people behind the common malware enumeration
initiative... you appear to be unaware of the sheer volume of malware
created each day (most of which goes basically nowhere) - the cme would
be completely unworkable on that scale...

> I think one of the greatest values in this proposal is trend monitoring. By
> date I don't mean the specific year only, I mean a format such as defined in
> the prior response such as CME-10052005-*** which, along with a description


it would be better as CME-20051005, i think... at least if you have any
intention of sorting them...

> field and a few others added for flavor would make this not only a valuable
> standardization but also a repository for a wealth of information such as
> trends, targeted systems, method of attack, and security flaws exploited for
> instance...


from the faq (http://cme.mitre.org/about/faqs.html#a1)

"CME is not an attempt to solve the challenges involved with naming
schemes for viruses and other forms of malware"

and a good thing too, because the naming problem is basically unsolvable
under the current environment... too many independent organizations
working in parallel...

> A standard, such as a stud being 16" on center to enable ease of
> use with a 4x8 piece of sheet material sheathing, must stand the test of
> time. While the number of digits is infinite if they just keep adding on to
> them they also become meaningless after a while. Those who would be "in the
> know" would be able to look at CME-10052005-123 and say "ha, that's
> doomandgloom, a trojan, and this is how you remove it from your system." And
> while that would only stay in memory for the tech for a short while, it's
> easier (and at least has more information for reference even without the
> database ideas) and it contains more information than a simple number.


what's even simpler is to use a *name* instead of a number... it doesn't
matter whether you use 10052005-123 or just 123, it's still just a
number and as such is not human-friendly... it's meant to be looked up,
not memorized...

> It's
> also very simple to implement and this is truly something that's infinite.


actually it's no more infinite than the current system...

> The malware threats aren't going to go away and while you'll never run out
> of numbers the idea for a standard is to have it last and in ten or fifteen
> years I don't want to be reading CME-*********************************** and
> be expected to know what that is.


i can look at virus *names* and not know what they are... the days where
it was reasonable to be expected to know what something was and how best
to deal with it just by its identifier (without looking it up) are long
gone... get over it... the cme is providing a reference number for you
to look up, not a way for you to pretend you can cram more information
into your brain...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
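
The sortability point raised in the reply above (CME-20051005 versus CME-10052005), together with the earlier remark about increasing the number of digits, shown as an added Python example that is not part of the thread or of MITRE's CME tooling. The date-bearing layouts are the posters' proposals, and the function names and every identifier below are constructed for illustration.

```python
import re
from datetime import date

PLAIN = re.compile(r"^CME-(\d+)$")          # the 'CME-N' format quoted in the thread
DATED = re.compile(r"^CME-(\d{8})-(\d+)$")  # posters' proposal: CME-<date>-<serial>

def parse_dated(ident, layout):
    """Return (date, serial) for a dated id; layout is 'MMDDYYYY' or 'YYYYMMDD'."""
    m = DATED.match(ident)
    if m is None:
        raise ValueError(f"not a dated CME-style id: {ident!r}")
    d, serial = m.group(1), int(m.group(2))
    if layout == "MMDDYYYY":
        when = date(int(d[4:]), int(d[:2]), int(d[2:4]))
    elif layout == "YYYYMMDD":
        when = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    else:
        raise ValueError(f"unknown layout: {layout!r}")
    return when, serial  # date() itself rejects impossible dates such as month 13

def text_sort_is_chronological(idents, layout):
    """True if plain string sorting already yields (date, serial) order."""
    return sorted(idents) == sorted(idents, key=lambda i: parse_dated(i, layout))

def numeric_sort(idents):
    """Order bare CME-N ids by integer value, which survives a wider N."""
    def key(ident):
        m = PLAIN.match(ident)
        if m is None:
            raise ValueError(f"not a CME-N id: {ident!r}")
        return int(m.group(1))
    return sorted(idents, key=key)

# Constructed sample ids (not real CME assignments), same three dates in both layouts.
US_STYLE = ["CME-12312004-001", "CME-10052005-123", "CME-01152006-007"]
ISO_STYLE = ["CME-20041231-001", "CME-20051005-123", "CME-20060115-007"]
# CME-1000 is hypothetical: it assumes the 1-999 range has been widened.
BARE = ["CME-999", "CME-1000", "CME-24"]

if __name__ == "__main__":
    print("MMDDYYYY sorts chronologically:", text_sort_is_chronological(US_STYLE, "MMDDYYYY"))
    print("YYYYMMDD sorts chronologically:", text_sort_is_chronological(ISO_STYLE, "YYYYMMDD"))
    print("string sort of bare ids:", sorted(BARE))
    print("numeric sort of bare ids:", numeric_sort(BARE))
```

Any index or report that lists such identifiers needs either a year-first date field or an explicit numeric sort key; zero-padding the serial is what keeps same-day entries in order under a plain string sort.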
 