New Worm Naming Scheme Aims To Cut Confusion

The US Computer Emergency Response Team and major security vendors are looking to simplify a system which now has infections going by multiple names, each given by a different vendor.

Gregg Keizer, Contributor

October 6, 2005

2 Min Read

A standardized naming process for worms and viruses sponsored by the US-CERT (Computer Emergency Readiness Team) and backed by the biggest names in security debuted Wednesday in the hope that it will lend some sense to the malware naming mess.

Dubbed CME (Common Malware Enumeration), the scheme assigns unique identifiers to threats so that end-users -- both consumers and IT security managers -- have a single point of reference for a worm or virus. Although there is some cooperation between security companies and agencies in naming threats, in many cases, vendors end up assigning different labels for the same piece of malicious code.

During a worm or virus outbreak, CME participants request an identifier from an automated system by providing a sample of the virus. An identifier is generated and then distributed to the other participants.

"Historically, regulating virus naming has proven difficult for security vendors, because of the need to issue threat protection as quickly as possible," said Mark Harris, the director of Sophos' research centers, in a statement.

Wednesday was a perfect example; the newest Sober variant was tagged as Sober.q (Symantec), Sober.r (McAfee), Sober.s (F-Secure), and Sober.o (Sophos). The CME identifier for all, however, is simply "CME-151."

The naming plan, which has been in the works for more than a year, is completely voluntary on the part of security firms, but most of the major anti-virus vendors -- including Symantec, McAfee, Kaspersky, Trend Micro, Sophos, Computer Associates, and F-Secure -- are on the CME editorial board and are either already listing the identifier in their descriptions or will in the future.

Symantec, for instance, put CME-151 as the first item under the "Also Known As" section of its Sober.q description.

The scheme may not put an end to name confusion -- anti-virus vendors are still allowed to slap on their own name -- and it will require global cooperation, but CME's time has come.

"[This] will benefit customers in securing their computers from malware attack," said Sophos' Harris, "without disrupting rapid virus analysis."

The CME list can be found on the initiative's Web site.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights