Common Malware Enumeration Initiative Now Available

Discussion in 'Computer Security' started by David H. Lipman, Oct 5, 2005.

  1. David H. Lipman

    http://www.mitre.org/news/releases/05/cme_10_05_2005.html

    "During a virus outbreak, participants on the CME board request an identifier from an
    automated system by providing a sample of the virus and as much additional information as
    possible. An identifier in the format 'CME-N' where N is an integer between 1 and 999 is
    generated and distributed to the other participants. The participants then disseminate the
    CME identifier to their contacts in the industry and reference the CME identifier on their
    web pages, in their product, or when speaking to the press.

    In addition to MITRE, participants on the CME editorial board include McAfee, Symantec,
    Trend Micro, Microsoft, Sophos, ICSA Labs, Norman, Kaspersky Lab, MessageLabs, F-Secure, and
    Computer Associates. "


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Oct 5, 2005
    #1

  2. Bigbruva Guest

    At LAST!

    Thanks for the link David.


    BB


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:kAV0f.3289$Ll2.1075@trnddc04...
    > http://www.mitre.org/news/releases/05/cme_10_05_2005.html
    >
    > "During a virus outbreak, participants on the CME board request an
    > identifier from an
    > automated system by providing a sample of the virus and as much additional
    > information as
    > possible. An identifier in the format 'CME-N' where N is an integer
    > between 1 and 999 is
    > generated and distributed to the other participants. The participants then
    > disseminate the
    > CME identifier to their contacts in the industry and reference the CME
    > identifier on their
    > web pages, in their product, or when speaking to the press.
    >
    > In addition to MITRE, participants on the CME editorial board include
    > McAfee, Symantec,
    > Trend Micro, Microsoft, Sophos, ICSA Labs, Norman, Kaspersky Lab,
    > MessageLabs, F-Secure, and
    > Computer Associates. "
    >
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >
     
    Bigbruva, Oct 5, 2005
    #2

  3. Galen Guest

    In news:kAV0f.3289$Ll2.1075@trnddc04,
    David H. Lipman <DLipman~nospam~@Verizon.Net> had this to say:

    My reply is at the bottom of your sent message:

    > http://www.mitre.org/news/releases/05/cme_10_05_2005.html
    >
    > "During a virus outbreak, participants on the CME board request an
    > identifier from an automated system by providing a sample of the
    > virus and as much additional information as possible. An identifier
    > in the format 'CME-N' where N is an integer between 1 and 999 is
    > generated and distributed to the other participants. The participants
    > then disseminate the CME identifier to their contacts in the industry
    > and reference the CME identifier on their web pages, in their
    > product, or when speaking to the press.
    >
    > In addition to MITRE, participants on the CME editorial board include
    > McAfee, Symantec, Trend Micro, Microsoft, Sophos, ICSA Labs, Norman,
    > Kaspersky Lab, MessageLabs, F-Secure, and Computer Associates. "


    It's about time... The question begs what will they do when the numbers run
    out? Perhaps something that also includes date of discovery or of numeration
    and would be acceptable? As it is, if you look on their site, you'll see
    that there's already a number of them taken up and, according to them, it's
    only numbers 1-999 which is pretty limited. Finally, one more question, what
    about older versions of malware? Will those be assigned numbers?

    Galen
    --

    "You know that a conjurer gets no credit when once he has explained his
    trick; and if I show you too much of my method of working, you will
    come to the conclusion that I am a very ordinary individual after all."

    Sherlock Holmes
     
    Galen, Oct 5, 2005
    #3
  4. David H. Lipman

    From: "Galen" <>


    |
    | It's about time... The question begs what will they do when the numbers run
    | out? Perhaps something that also includes date of discovery or of numeration
    | and would be acceptable? As it is, if you look on their site, you'll see
    | that there's already a number of them taken up and, according to them, it's
    | only numbers 1-999 which is pretty limited. Finally, one more question, what
    | about older versions of malware? Will those be assigned numbers?
    |
    | Galen


    I doubt the database will be retroactive. The '04 dated designations will most likely be
    the earliest versions. As for the number 1~999 that's a good point.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Oct 5, 2005
    #4
  5. Phil Weldon Guest

    Let's hope the response will be better organized than other recent emergency
    responses.

    Phil Weldon
     
    Phil Weldon, Oct 5, 2005
    #5
  6. kurt wismer Guest

    Galen wrote:
    [snip]
    > It's about time... The question begs what will they do when the numbers run
    > out?


    they increase the number of digits used...

    > Perhaps something that also includes date of discovery or of numeration
    > and would be acceptable?


    wouldn't necessarily help... it's entirely possible to have more than
    1000 significant malware threats in a single year...

    > As it is, if you look on their site, you'll see
    > that there's already a number of them taken up


    are you sure? they're assigned a random number from within the range...

    > and, according to them, it's
    > only numbers 1-999 which is pretty limited. Finally, one more question, what
    > about older versions of malware? Will those be assigned numbers?


    they aren't going to be enumerating all malware, only ones that are a
    real threat (ones that are already being seen in the wild or will
    probably be seen in the wild)... to that end, old malware *usually*
    doesn't pose as much of a threat as new malware...

    --
    "they threw a rope around yer neck to watch you dance the jig of death
    then left ya for the starvin' crows, hoverin' like hungry whores
    one flew down plucked out yer eye, the other he had in his sights
    ya snarled at him, said leave me be - i need the bugger so i can see"
     
    kurt wismer, Oct 6, 2005
    #6
  7. Galen Guest

    In news:LyZ0f.7606$,
    kurt wismer <> had this to say:

    My reply is at the bottom of your sent message:

    > Galen wrote:
    > [snip]
    >> It's about time... The question begs what will they do when the
    >> numbers run out?

    >
    > they increase the number of digits used...
    >
    >> Perhaps something that also includes date of discovery or of
    >> numeration and would be acceptable?

    >
    > wouldn't necessarily help... it's entirely possible to have more than
    > 1000 significant malware threats in a single year...
    >
    >> As it is, if you look on their site, you'll see
    >> that there's already a number of them taken up

    >
    > are you sure? they're assigned a random number from within the
    > range...
    >> and, according to them, it's
    >> only numbers 1-999 which is pretty limited. Finally, one more
    >> question, what about older versions of malware? Will those be
    >> assigned numbers?

    >
    > they aren't going to be enumerating all malware, only ones that are a
    > real threat (ones that are already being seen in the wild or will
    > probably be seen in the wild)... to that end, old malware *usually*
    > doesn't pose as much of a threat as new malware...


    I'm not sure if I posed all of my concerns (keep in mind I'm only active in
    the msnews.microsoft.com groups at the moment) with any greater clarity but
    I think I addressed them and (perhaps) a potential solution. I note that you
    mention that only significant threats would be included. By whose
    definition? (And this borders on soapbox so please bear with me.) By my
    definition - anything that potentially puts my system's data at risk or my
    system's stability at risk is serious enough for me to be concerned about it
    and more so when there's people who won't patch their systems and keep
    sending me year old worm variants... </climbs off soapbox but it's been an
    afternoon of deleting emails> When I am obligated to support end-users, both
    online and in the real world, with malware issues I don't want there to be
    exclusions, I want all the information and I want a resolution as quickly as
    possible because, to be frank, I don't have that much time and nor do they.

    I think one of the greatest values in this proposal is trend monitoring. By
    date I don't mean the specific year only, I mean a format such as defined in
    the prior response such as CME-10052005-*** which, along with a description
    field and a few others added for flavor would make this not only a valuable
    standardization but also a repository for a wealth of information such as
    trends, targeted systems, method of attack, and security flaws exploited for
    instance... A standard, such as a stud being 16" on center to enable ease of
    use with a 4x8 piece of sheet material sheathing, must stand the test of
    time. While the number of digits is infinite if they just keep adding on to
    them they also become meaningless after a while. Those who would be "in the
    know" would be able to look at CME-10052005-123 and say "ha, that's
    doomandgloom, a trojan, and this is how you remove it from your system." And
    while that would only stay in memory for the tech for a short while, it's
    easier (and at least has more information for reference even without the
    database ideas) and it contains more information than a simple number. It's
    also very simple to implement and this is truly something that's infinite.
    The malware threats aren't going to go away and while you'll never run out
    of numbers the idea for a standard is to have it last and in ten or fifteen
    years I don't want to be reading CME-*********************************** and
    be expected to know what that is.

    Anyhow, that's about all I really have to say on the subject I think. I
    might think of more.

    Galen
    --

    "You know that a conjurer gets no credit when once he has explained his
    trick; and if I show you too much of my method of working, you will
    come to the conclusion that I am a very ordinary individual after all."

    Sherlock Holmes
     
    Galen, Oct 6, 2005
    #7
  8. kurt wismer Guest

    Galen wrote:
    [snip]
    > I'm not sure if I posed all of my concerns (keep in mind I'm only active in
    > the msnews.microsoft.com groups at the moment) with any greater clarity but
    > I think I addressed them and (perhaps) a potential solution. I note that you
    > mention that only significant threats would be included. By whose
    > definition?


    i don't believe it's by any 'definition'... to quote their process
    document (http://cme.mitre.org/cme/process.html)

    "The terms 'potentially', 'considerable', and 'significant' are
    intentionally vague because generally the initiative will rely on the
    collective experience of CME participants to determine when a malware
    threat requires CME identification."

    > (And this borders on soapbox so please bear with me.) By my
    > definition - anything that potentially puts my system's data at risk or my
    > system's stability at risk is serious enough for me to be concerned about it
    > and more so when there's people who won't patch their systems and keep
    > sending me year old worm variants... </climbs off soapbox but it's been an
    > afternoon of deleting emails>


    your soapbox is irrelevant... the common malware enumeration has
    absolutely nothing to do with protecting you from malware... in no way
    does it affect the risks that you face, at all... it's just a means of
    coming up with another alias for the malware... at best it may help to
    clear up some naming confusion...

    > When I am obligated to support end-users, both
    > online and in the real world, with malware issues I don't want there to be
    > exclusions, I want all the information and I want a resolution as quickly as
    > possible because, to be frank, I don't have that much time and nor do they.


    and nor do the people behind the common malware enumeration
    initiative... you appear to be unaware of the sheer volume of malware
    created each day (most of which goes basically nowhere) - the cme would
    be completely unworkable on that scale...

    > I think one of the greatest values in this proposal is trend monitoring. By
    > date I don't mean the specific year only, I mean a format such as defined in
    > the prior response such as CME-10052005-*** which, along with a description


    it would be better as CME-20051005, i think... at least if you have any
    intention of sorting them...

    > field and a few others added for flavor would make this not only a valuable
    > standardization but also a repository for a wealth of information such as
    > trends, targeted systems, method of attack, and security flaws exploited for
    > instance...


    from the faq (http://cme.mitre.org/about/faqs.html#a1)

    "CME is not an attempt to solve the challenges involved with naming
    schemes for viruses and other forms of malware"

    and a good thing too, because the naming problem is basically unsolvable
    under the current environment... too many independent organizations
    working in parallel...

    > A standard, such as a stud being 16" on center to enable ease of
    > use with a 4x8 piece of sheet material sheathing, must stand the test of
    > time. While the number of digits is infinite if they just keep adding on to
    > them they also become meaningless after a while. Those who would be "in the
    > know" would be able to look at CME-10052005-123 and say "ha, that's
    > doomandgloom, a trojan, and this is how you remove it from your system." And
    > while that would only stay in memory for the tech for a short while, it's
    > easier (and at least has more information for reference even without the
    > database ideas) and it contains more information than a simple number.


    what's even simpler is to use a *name* instead of a number... it doesn't
    matter whether you use 10052005-123 or just 123, it's still just a
    number and as such is not human-friendly... it's meant to be looked up,
    not memorized...

    > It's
    > also very simple to implement and this is truly something that's infinite.


    actually it's no more infinite than the current system...

    > The malware threats aren't going to go away and while you'll never run out
    > of numbers the idea for a standard is to have it last and in ten or fifteen
    > years I don't want to be reading CME-*********************************** and
    > be expected to know what that is.


    i can look at virus *names* and not know what they are... the days where
    it was reasonable to be expected to know what something was and how best
    to deal with it just by its identifier (without looking it up) are long
    gone... get over it... the cme is providing a reference number for you
    to look up, not a way for you to pretend you can cram more information
    into your brain...

    --
    "they threw a rope around yer neck to watch you dance the jig of death
    then left ya for the starvin' crows, hoverin' like hungry whores
    one flew down plucked out yer eye, the other he had in his sights
    ya snarled at him, said leave me be - i need the bugger so i can see"
     
    kurt wismer, Oct 6, 2005
    #8
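The thread argues about three mechanical properties of the scheme: the 'CME-N' format with N in 1..999 (from the MITRE announcement), random assignment within that range and what happens when it is exhausted (Galen's question and kurt's answer), and whether a date prefix written MMDDYYYY (Galen's CME-10052005-123) or YYYYMMDD (kurt's CME-20051005) sorts in issue order. The following Python model is an added example written for this page; it is not MITRE's code and not anything the posters published. The function names, the random-draw allocator and the four issue dates are constructed for illustration, and the only facts it relies on are the ones quoted in the thread.

```python
"""Toy model of the CME identifier scheme as described in this thread.

Added example, not MITRE code. Assumptions: identifiers look like 'CME-N'
with N in 1..999 (MITRE announcement), N is drawn at random from the unused
part of that range (kurt's description), and the two date-prefixed layouts
are the ones Galen and kurt proposed. Everything else here is constructed.
"""
import random
import re
from datetime import date

CME_RE = re.compile(r"^CME-(\d{1,3})$")
CME_MIN, CME_MAX = 1, 999  # range quoted from the MITRE press release


def parse_cme(identifier: str) -> int:
    """Return N for a well-formed 'CME-N' identifier, else raise ValueError."""
    m = CME_RE.match(identifier)
    if not m:
        raise ValueError(f"not a CME identifier: {identifier!r}")
    n = int(m.group(1))
    if not CME_MIN <= n <= CME_MAX:
        raise ValueError(f"CME number {n} outside {CME_MIN}..{CME_MAX}")
    return n


def is_valid_cme(identifier: str) -> bool:
    """Convenience wrapper: True if parse_cme() accepts the identifier."""
    try:
        parse_cme(identifier)
    except ValueError:
        return False
    return True


def allocate_cme(used: set, rng=None) -> str:
    """Draw an unused number at random from the range (the allocation
    behaviour kurt describes) and record it in `used`. Raises RuntimeError
    once all 999 numbers are taken, which is the case Galen asks about."""
    if rng is None:
        rng = random.Random()
    free = sorted(set(range(CME_MIN, CME_MAX + 1)) - used)
    if not free:
        raise RuntimeError(f"CME range {CME_MIN}..{CME_MAX} exhausted")
    n = rng.choice(free)
    used.add(n)
    return f"CME-{n}"


def date_prefixed_id(d: date, n: int, layout: str) -> str:
    """Hypothetical date-prefixed identifier in one of the two layouts from
    the thread: 'mdy' -> CME-MMDDYYYY-NNN (Galen), 'ymd' -> CME-YYYYMMDD-NNN
    (kurt). Neither layout is part of the real CME scheme."""
    fmt = {"mdy": "%m%d%Y", "ymd": "%Y%m%d"}[layout]
    return f"CME-{d.strftime(fmt)}-{n:03d}"


def sorts_chronologically(layout: str) -> bool:
    """Issue identifiers for four constructed dates in chronological order and
    report whether a plain string sort reproduces that order."""
    issued = [date(2004, 12, 31), date(2005, 1, 15),
              date(2005, 10, 5), date(2006, 3, 1)]
    ids = [date_prefixed_id(d, i + 1, layout) for i, d in enumerate(issued)]
    return sorted(ids) == ids


if __name__ == "__main__":
    print("parsed:", parse_cme("CME-24"))
    used = set()
    rng = random.Random(2005)  # seeded so the demo is repeatable
    print("allocated:", allocate_cme(used, rng))
    print("MMDDYYYY sorts chronologically:", sorts_chronologically("mdy"))
    print("YYYYMMDD sorts chronologically:", sorts_chronologically("ymd"))
```

The sort check is the concrete version of kurt's remark: with a year-first prefix the string order and the issue order coincide, with a month-first prefix they do not, so any tooling that sorts identifiers as text would misorder Galen's layout. The allocator makes the exhaustion case explicit rather than silently wrapping or reusing a number, which is the failure mode a consumer of such identifiers would want to detect.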
