Security threats Toolkit

Virus naming scheme divides experts

Tags:
Viruses

Tom Espiner ZDNet.co.uk

Published: 06 Oct 2005 13:25 BST

The announcement that several major anti-malware players have joined forces to agree on a common malware taxonomy has divided the anti-malware community, who question how effective such a system will be.

The common malware enumeration system (CME) was launched on Wednesday at the Virus Bulletin event in Dublin by Mitre, a not-for-profit research organisation.

CME is a classification system for viruses and other forms of malware that gives them a common code (e.g. CME-154) as well as their name. Its supporters claim that a common naming schema will help to clear up confusion about what malware should be called.

But some experts claimed on Wednesday that CME will make much of a difference, at least initially.

"Now every piece of malware will just have 18 names and a number," said David Perry, global director of education Trend Micro, arguing that antivirus customers won't stop giving newly discovered malware different names.

Martin Overton, independent researcher for IBM, also doubts that CME will bring order to the security space.

"It's going to make it worse," said Overton. He was backed up by Jeanette Jarvis, security systems product manager, Boeing, who agreed that the new situation is no better than the old one.

However, other experts reject the claim that CME will add to the confusion.

"Malware will now be able to be tied together with a common thread," argued Graham Cluley of Sophos.

The enumeration will only initially apply to the "big hitters" — the most common forms of malware — rather than all new viruses that are detected. This led Perry to criticise CME for not going far enough.

Other experts believe this is a step in the right direction. "We have to crawl before we can walk, before we can run," said Larry Bridwell, content security programs manager, ICSA. "CME was never designed to solve the naming problem, it was designed as an index," Bridwell added.

Currently, when a new viruses appear on the Internet they are generally given different names by different companies who discover it independently. This can cause confusion for users, who need to know if they should be patching against one worm or several, and if their security product offers protection.

Only later do the antivirus firms agree on a single name, once they've ascertained that they are talking about the same piece of code.

CME does have the support of several large vendors, including Symantec, McAfee, Microsoft, Computer Associates, Kaspersky Labs, Sophos, Trend Micro, F-Secure and Message Labs. It will be moderated by Mitre.