New Worm-Naming Scheme Aims To Cut Confusion

US-CERT

Dubbed CME (Common Malware Enumeration), the scheme assigns unique identifiers to threats so that end-users -- both consumers and IT security managers -- have a single point of reference for a worm or virus. Although there is some cooperation between security companies and agencies in naming threats, in many cases, vendors end up assigning different labels for the same piece of malicious code.

During a worm or virus outbreak, CME participants request an identifier from an automated system by providing a sample of the virus. An identifier is generated and then distributed to the other participants.

"Historically, regulating virus naming has proven difficult for security vendors, because of the need to issue threat protection as quickly as possible," said Mark Harris, the director of Sophos' research centers, in a statement.

Wednesday was a perfect example; the newest Sober variant was tagged as Sober.q (Symantec), Sober.r (McAfee), Sober.s (F-Secure), and Sober.o (Sophos). The CME identifier for all, however, is simply "CME-151."

id
unit-1659132512259
type
Sponsored post

The naming plan, which has been in the works for more than a year, is completely voluntary on the part of security firms, but most of the major anti-virus vendors -- including Symantec, McAfee, Kaspersky, Trend Micro, Sophos, Computer Associates, and F-Secure -- are on the CME editorial board and are either already listing the identifier in their descriptions or will in the future.

Symantec, for instance, put CME-151 as the first item under the "Also Known As" section of its Sober.q description.

The scheme may not put an end to name confusion -- anti-virus vendors are still allowed to slap on their own name -- and it will require global cooperation, but CME's time has come.

"[This] will benefit customers in securing their computers from malware attack," said Sophos' Harris, "without disrupting rapid virus analysis."

The CME list can be found on the initiative's Web site.