Common Malware Enumeration (CME)
News > Common Malware Enumeration Initiative Press Q&A  

Common Malware Enumeration Initiative
Press Q&A

What is CME?

The Common Malware Enumeration (CME) initiative aims to provide unique, common identifiers to new malware threats for the benefit of the public. Common identifiers help the security community share information faster and with more accuracy. CME is similar to the Common Vulnerabilities and Exposures (CVE) initiative.

Who is responsible for the CME effort? How is MITRE involved?

The United States Computer Emergency Readiness Team (US-CERT) is the sponsor of this effort. MITRE is providing technical expertise and program oversight as part of its work with the National Cyber Security Division (NCSD) within the U.S. Department of Homeland Security (DHS).

How is CME different from CVE?

CVE is also operated by MITRE and provides common identifiers to vulnerabilities. CME is the counterpart to CVE in the malware world and provides unique identifiers to malware threats.

Why is CME needed? What problem do you hope to solve?

There is a lot of confusion when malware threats are discussed because the same threat can be referred to differently by different entities. This is particularly evident for malware threats that receive media attention. By providing malware threats with unique identifiers, this confusion can be mitigated.

What is meant by the term "malware threat"?

Typically, anti-virus procedures detect and name singular virus-related files, but CME focuses on malware threats. A "malware threat" is a single entity encompassing any number of files that may be involved in a single outbreak. For example, all the components of Nimda – the IIS buffer overflow byte stream, the file that is passed through TFTP, the mass-mailed email it creates that attacks via the audio/x-wav vulnerability, the appended html pages or any of its other forms – will be referenced by one CME identifier.

When did this effort start? Who is involved?

This effort started in mid-2004. In early 2005, the CME Editorial Board and sample redistribution group were established. Both are currently comprised of organizations actively involved in the mitigation of malware threats, including representatives from Computer Associates, F-Secure, ICSA Labs, Kaspersky Lab, McAfee, MessageLabs, Microsoft, Norman , Sophos, Symantec, and Trend Micro.

What is the status of CME?

We are currently assigning identifiers to high-profile malware threats, and some anti-virus vendors are referencing those in their descriptions of malware threats. We hope that others will do so in the future. We also will have a Web site with profile information about the malware threats for which identifiers have already been assigned.

What content will be provided on the CME Web site?

Initially, the CME Web site will provide the list of identifiers, brief profiles, and alias information. As the website matures, it will include full profile information such as file modifications, networking information, etc.

Who will this information help?

It will help the computer incident responders and the general public.

Who will provide the analysis information?

Analysis information will be provided by the CME participants and will be supplemented and compiled as necessary by MITRE and US-CERT.

Are CME participants expected to put extra resources toward the CME effort?

As much as possible, we are trying to integrate the assignment of CME identifiers into the existing workflow of participating organizations.

Will anti-virus companies continue to provide their own names for malware threats?

Yes, anti-virus companies may continue to apply their own naming schemes, but we hope that they will reference CME identifiers in their encyclopedias and products.

What do CME identifiers look like?

Initially, CME identifiers will be in the format CME-N where N is a seven digit integer—initially restricted to 3 digits until more digits are needed—between 1 and 9999999 . In Web pages, encyclopedias, alerts, media releases, etc., CME identifiers should appear in the official format (e.g., CME-123), but in vendor products, identifiers can appear in either full or abbreviated formats (e.g., VirusName.Variant!CME-123 or VirusName.Variant!M123).

Why don't CME identifiers follow the format of CVE numbers?

CVE identifiers include date information. For example, the number CVE-2000-1234 indicates that the vulnerability was assigned in the year 2000. However, experience with CVE has shown that users rely on the date information incorrectly and that it is preferable for identifiers to be devoid of meaningful information. For this reason, date information is not embedded in CME identifiers. CVE identifiers will be migrating towards a dateless numeric format in the future.

What is the scope of CME? Are you planning to identify every threat?

For the time being, we are focusing on the top threats, particularly those discussed in the media that could lead to public confusion. We are relying on CME participants to identify and submit those threats.

Will the scope be expanded in the future?

Depending on the response to CME identifiers for high-level threats, we will consider expanding the scope in the future.

Will spyware and adware be assigned CME identifiers?

In the short term, spyware and adware will not be assigned CME identifiers. The CME scope may be expanded in the future, however, to include assigning identifiers to a variety of security threats.

How does the process work? How are identifiers assigned?

Each of the CME Sample Redistribution Group (SRG) members has access to the CME submission server. When there is a virus outbreak, an SRG member will log onto the server, fill out a Web submission form, and upload a sample of the virus. An identifier is then automatically issued and information about the virus is immediately distributed to SRG members. There is a 2-hour deconfliction window, so once a sample has been submitted and an identifier assigned, any other samples that are submitted in the next two hours will not automatically be issued an identifier. The SRG members will discuss whether the new submission is the same as the one previously submitted, a variant, or a completely new threat. If it is not equivalent to any sample previously identified, the SRG members can override the CME system and assign a new identifier to the new sample.

How quickly after an outbreak will an identifier be assigned? When will profile information be available on the web site?

The identifier is assigned immediately. It can take up to a couple of days for the SRG to discuss the virus before profile information is posted on the CME Web site. As the process improves, we hope to be able to post within a 12-hour timeframe.

Is identification sample based?

Yes, a sample must be submitted before a CME identifier can be assigned.

To date, how many identifiers have been assigned?

As of late September 2005, approximately twenty-three (23) CME identifiers were assigned.

Is there a call to action for anti-virus companies?

The effort is voluntary, but we are requesting that anti-virus companies reference CME identifiers in the information they provide to their customers. We hope that the public and the security community will find the CME identifiers useful and will encourage anti-virus companies to adopt CME identifiers.

Are anti-virus companies voluntarily participating?

Several anti-virus companies are participating in CME. Their participation has been very positive.

Is this a U.S. effort or a worldwide effort?

The charter of CME's sponsor, US-CERT, is to protect the United States ' Internet infrastructure. Just as with CVE, however, and due to the nature of malware threats, the CME effort relies upon international cooperation, and we anticipate it will benefit the worldwide community.

How can I participate?

We encourage members of the security community to reference CME identifiers in their products, advisories, etc. Those organizations interested in taking a more active role in the initiative should send email to .

Back to top