http://isc.sans.org/diary.php?date=2004-11-23
Open Letter To Anti-Virus Software Companies - A Response
On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an "Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:
http://isc.sans.org/diary.php?date=2004-11-05
Our favorite CTO, Johannes Ullrich, stepped into the fray in the November 8th diary:
http://isc.sans.org/diary.php?date=2004-11-08
Yesterday, we received the following response from members of the USCERT's CME (Common Malware Enumeration) initiative. While we don't have any policy about providing "equal time", we thought that their response was also interesting enough to publish:
------------------begin letter------------------
As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.
As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space (http://www.us-cert.gov/cve/). By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.
As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.
As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.
We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”
Desiree Beck, CME Technical Leader
US-CERT
Andy Purdy, Acting Director NCSD
Department of Homeland Security
Larry Hale, Deputy Director NCSD
Department of Homeland Security
Jimmy Kuo
McAfee Fellow - McAfee, Inc.
Matthew Braverman, Program Manager
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team
Mady Marinescu, Development Lead
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team
Randy Treit, Program Manager
Microsoft Corporation
Security Business and Technology Unit - Antivirus Team
Vincent Weafer, Senior Director, Symantec Security Response
Symantec Corporation
Oscar Chang, Executive Vice President
Trend Micro, Incorporated
Joe Hartmann, Director North American
Anti-virus Research Group
Trend Micro, Incorporated
-------------------end letter-------------------
All I can say is….WOW!!