Security experts criticise malware list

Just how useful is the Common Malware Enumeration (CME) initiative debuted by US-CERT this autumn?

The system was created to sort out some of the confusion created by the different naming systems used by different security vendors, and to help system administrators deal with outbreaks more effectively. Some security experts have, however, voiced doubts as to how well CME is working in practice.

One complaint is that the system isn't providing much information on malware aside from listing the reference codes used by different security vendors. Such information was promised more than a year ago by the organisers of the CME plan - US-CERT, the US Department of Homeland Security, and anti-virus vendors such as Microsoft, Trend Micro, McAfee and Symantec.

The plan was outlined in an open letter, published by the SANS Institute, in which the organisations said US-CERT would "assign a CME identifier... to each new, unique threat and to include additional incident response information when available".

The goal was "improving the malware information resources available to (antivirus) software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware," the letter said.

The letter was in response to criticism voiced in an earlier open letter to the security industry by Chris Mosby, a system administrator, in which he strongly criticised antivirus vendors for adopting "an isolationist attitude" that made it difficult for administrators to deal with complex virus outbreaks. "As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected," Mosby wrote.

A year later, the most difficult part of the CME project - distinguishing similar pieces of malicious code from one another - appears to be working. But CME still only provides a basic list of names used by different vendors, without listing details or even including links.

This makes the project of limited use, even compared with similar, independent projects such as Secunia's virus information database, according to SANS Internet Storm Center handler Patrick Nolan.

"Links to technical analysis was a hoped-for outcome for the CME project, since vendors' technical analysis is the critical 'additional incident response information' needed by the people responding to malware outbreaks," Nolan wrote in a recent entry in the ISC diary. "A name by any other name is just a name."

Thomas Kristensen said the lack of links or additional information means CME is of limited use to the general public. "It can only be used by the vendors and others with a specific interest in viruses to more easily identify viruses in other vendors' databases," he said. "It probably does what it was intended to do, and more information would probably exceed the intended purpose."

Such criticisms are beside the point, according to Graham Cluley, senior technology consultant with Sophos Antivirus. "We mustn't criticise it for not being a 100 percent solution, it's a definite step in the right direction," he said. "The most important thint is that its making correlations between the different names."

He said the system would be sure to improve over time. "Linking to more information seems to be an obvious thing they could do," he said.