EUIST


Common Malware Enumeration – CME – where is it going?

July 10th, 2007

Earlier we discussed the Common Malware Enumeration initiative here:

Blended threats – are they computer security’s new nemesis?

Trend – Rootkits coming to the PC near you

Trend – malware – data loss prevention is getting tougher

Today we dig a bit deeper and, in particular, look at how successful it has been so far.

What the Common Malware Enumeration is NOT

Naming – CME has not changed, and will not change, the naming schemes used by vendors: each vendor will continue to assign its own name to each new piece of malware.

Users – because CME assigns a number to each piece of malware, the scheme is next to unusable for the average user, except as an index when looking something up.

Protection – the identifier scheme will not improve protection.

What is CME good for? – it helps researchers who use the database instead of being confused by, and having to work through, ten or more different labels for each piece of malware found in the wild. Whether this will ultimately help improve products remains to be seen.

When the Common Malware Enumeration (CME) list was launched on 2005-10-05, it came with great fanfare, and everybody felt it would be a great service.

The above table summarises what the Common Malware Enumeration wants to accomplish and what it will not do for us when it comes to fighting the latest malware attacks.

Its focus is narrow but, most importantly, what it sets out to accomplish is needed and will benefit many, including researchers who want to use the database for their analyses. It will not eliminate the naming chaos that breaks out whenever a new malware strain is discovered in the wild; but then the CME initiative was never intended to do that, nor will it in the future.
In the meantime, some time has passed since the list was launched and the two-year mark is coming up. So what has happened with this great initiative in terms of its performance, activity, trends, etc.?

1- IS IT UP TO DATE?

Common Malware Enumeration – CME-711 – 2007-01-20 last entry on the list

CME-711 was assigned on January 20, 2007 – since then no new numbers have been published.

This is a bit surprising, since a lot of new malware has been released since then, and even if much of it consists only of variants of earlier families, malicious it still is.

2 – HAS the Common Malware Enumeration initiative changed its FOCUS?

While the list does not appear to be very up to date, this could be partly due to a change in focus. We found the following information:

    ‘The changing nature of the malware threat—away from pandemic, widespread threats to more localized, targeted threats—is impacting public perceptions about which malware are high profile. CME recognizes the importance of this issue and is working to adapt to this new threat environment. As of November 2006, CME is also assigning identifiers to the most prevalent virus threats in the wild in order to further mitigate user confusion. ‘

Scope of the Common Malware Enumeration initiative

So if the spread has become more localized and targeted, as pointed out above, has there been little if any activity in CME's primary market, North America, the home base of MITRE?

Any search on the Internet will clarify this quickly and indicate that many new viruses have appeared in North America as well as in other corners of the globe.

3 – Has the CME initiative ADDRESSED CHANGES IN MALWARE?

So while the list is very much inactive and has not addressed localized, targeted threats, what about changes in the type of malware we must deal with?

Again, looking at the CME website gives no such indication. It has neither followed up on localized threats, as was its stated objective (see point 2 above), nor focused on changes in the malware threat we see (for one simple example, see the TREND section below).

4 – WHERE IS THE COMMON MALWARE ENUMERATION INITIATIVE GOING?

As you can see, we are not sure how to answer this question, but if you know anything, why not share it with us?

We sincerely hope that this laudable effort, which got a lot of positive press and created some media hype during and shortly after its launch, will once again rise from the ashes.

At the moment it seems to be hibernating.

5 – WHAT DOES THIS MEAN FOR THE European Information Sharing and Alerting System – EISAS FOR SHORT?

For ENISA (the European Network and Information Security Agency), tasked with exploring how an Early Warning System (EWS) as envisioned with EISAS can best work, the hibernating status of the Common Malware Enumeration is unfortunate. In fact, CME's inactivity suggests that one cannot expect it to provide the structure it could and should provide when exchanging information in the malware domain.

As it stands, it fails to provide a label as quickly as CVE does for vulnerabilities. In turn, its usefulness for research is hampered for two reasons:

A) a substantial time delay, which one might be able to live with, but much worse,

B) no apparent systematic approach for including malware in its database.

Hence, CME in its current form is unlikely to fulfill its objectives as stated above and in the Table we provided at the top of this story.

Nor will NOAH, the European Network of Affined Honeypots research effort, be able to use CME numbers. This would have been helpful for the attack signatures that are created when running a network of honeypots using Argos, the secure system emulator.

TREND – interesting

Malware with a modular design (also called modularly designed malware) is becoming ever more popular. Here, spam may be used to mail the recipient an infected attachment. Once the attachment has been opened and activated, the Trojan tries to download a further piece of malware from a web site; that is, the infected PC uses its internet connection to fetch more malware. The subsequently downloaded malware may steal personal data, resulting in identity theft, or cause other mishaps, such as:

– installing a rootkit on the user’s machine or

– making the PC a zombie of a large botnet that mails out spam.

With the increasing localization of malware, a modular design gives the attacker the opportunity to create slightly varied versions (e.g., for different languages or countries) and then test whether these get past the anti-virus scanners on mail servers and on PC workstations to reach the user's e-mail inbox. Modular malware can also make it ever harder for AV software to catch the new culprit, unless either:

1) the scanner's heuristics are able to identify the sample as a generic piece of malicious code, or else

2) we have to wait and hope that users do not activate the malware and, most importantly, that the vendors release updated signatures fast.
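To make point 1) concrete, here is an added example; it is not code from the original post, from CME or from any AV vendor. It contrasts an exact-match signature (whole-file SHA-256) with a simple byte n-gram similarity score of the kind that generic detection builds on: a localized variant that changes only the lure text and the download URL defeats the hash but scores high on similarity, while an unrelated file scores near zero. The three byte strings are constructed stand-ins for a downloader stub, its German-localized variant and an unrelated file; the URL and lure strings in them are hypothetical and none of it is real malware.

```python
"""Exact-match signatures vs. similarity matching on a localized variant.

Added example (not from the original post, CME or any AV vendor).  The
"samples" are constructed byte strings standing in for a modular downloader
stub, a language-localized variant and an unrelated file; every URL and
lure string below is hypothetical, none of this is real malware.
"""
import hashlib

# Constructed sample: a downloader-like blob (hypothetical content).
BASE = (
    b"\x4d\x5a\x90\x00" * 8                              # filler standing in for a header
    + b"URLDownloadToFileA\x00WinExec\x00"               # import-like strings typical of a downloader
    + b"http://update.example.invalid/stage2.bin\x00"   # hypothetical second-stage URL
    + b"Your invoice is attached\x00"                    # English lure text
    + bytes(range(256))                                  # stand-in for the code section
)

# Localized variant: only the lure text and the stage URL were changed.
VARIANT = (
    BASE.replace(b"Your invoice is attached\x00", b"Ihre Rechnung im Anhang\x00")
        .replace(b"stage2.bin", b"stage2_de.bin")
)

# Unrelated file of the same length (a simple arithmetic byte sequence).
UNRELATED = bytes((i * 37 + 11) & 0xFF for i in range(len(BASE)))


def sha256_hex(data: bytes) -> str:
    """Exact-match signature: the whole-file SHA-256."""
    return hashlib.sha256(data).hexdigest()


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """All length-n byte substrings of data; an order-insensitive fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Similarity in [0, 1]: Jaccard index of the two byte n-gram sets."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def classify(sample: bytes, known: list, threshold: float = 0.6) -> str:
    """Return 'exact' on a hash hit, 'variant' on a high similarity score
    against any known sample, otherwise 'unknown'."""
    digest = sha256_hex(sample)
    if any(sha256_hex(k) == digest for k in known):
        return "exact"
    best = max((jaccard(sample, k) for k in known), default=0.0)
    return "variant" if best >= threshold else "unknown"


if __name__ == "__main__":
    known = [BASE]
    for label, blob in (("base", BASE), ("variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{label:9s} sha256={sha256_hex(blob)[:16]}... "
              f"jaccard={jaccard(blob, BASE):.2f} -> {classify(blob, known)}")
```

The threshold of 0.6 is an assumption for this toy; in practice a scanner tunes it against a corpus of clean files, because n-gram similarity also rises between unrelated files that share large library code. The point the example makes is the one the section makes: a hash-based signature needs a new update for every localized build, whereas a structural or behavioural heuristic catches the family once.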

PS. WHAT DO YOU GET?

Placing two or more honeypots into a network ==>  the result is a honeynet

