Common Malware Enumeration Initiative Press Q&A
What is CME?
The Common Malware Enumeration (CME) initiative aims to provide unique, common
identifiers to new malware threats for the benefit of the public. Common identifiers
help the security community share information faster and with more accuracy.
CME is similar to the Common Vulnerabilities and Exposures (CVE) initiative.
Who is responsible for the CME effort? How is MITRE involved?
The United States Computer Emergency Readiness Team (US-CERT) is the sponsor
of this effort. MITRE is providing technical expertise and program oversight
as part of its work with the National Cyber Security Division (NCSD) within
the U.S. Department of Homeland Security (DHS).
How is CME different from CVE?
CVE is also operated by MITRE and provides common identifiers to vulnerabilities.
CME is the counterpart to CVE in the malware world and provides unique identifiers
to malware threats.
Why is CME needed? What problem do you hope to solve?
There is a lot of confusion when malware threats are discussed because the
same threat is often referred to by different names by different entities. This is
particularly evident for malware threats that receive media attention. Assigning
each malware threat a unique identifier mitigates that confusion.
What is meant by the term "malware threat"?
Typically, anti-virus products detect and name individual virus-related files,
but CME focuses on malware threats. A "malware threat" is a single entity
encompassing any number of files that may be involved in a single outbreak.
For example, all the components of Nimda (the IIS buffer overflow byte stream,
the file that is passed through TFTP, the mass-mailed email it creates that
attacks via the audio/x-wav vulnerability, the appended HTML pages, and any
of its other forms) are referenced by one CME identifier.
When did this effort start? Who is involved?
This effort started in mid-2004. In early 2005, the CME Editorial Board and
sample redistribution group were established. Both currently consist of
organizations actively involved in mitigating malware threats, including
representatives from Computer Associates, F-Secure, ICSA Labs, Kaspersky Lab,
McAfee, MessageLabs, Microsoft, Norman, Sophos, Symantec, and Trend Micro.
What is the status of CME?
We are currently assigning identifiers to high-profile malware threats, and
some anti-virus vendors are already referencing those identifiers in their
descriptions of malware threats. We hope that others will do so in the future.
We will also have a Web site with profile information about the malware threats
for which identifiers have already been assigned.
What content will be provided on the CME Web site?
Initially, the CME Web site will provide the list of identifiers, brief profiles,
and alias information. As the Web site matures, it will include full profile
information such as file modifications, networking information, etc.
Who will this information help?
It will help computer incident responders and the general public.
Who will provide the analysis information?
Analysis information will be provided by the CME participants and will be
supplemented and compiled as necessary by MITRE and US-CERT.
Are CME participants expected to put extra resources toward the CME effort?
As much as possible, we are trying to integrate the assignment of CME identifiers
into the existing workflow of participating organizations.
Will anti-virus companies continue to provide their own names for malware
threats?
Yes, anti-virus companies may continue to apply their own naming schemes,
but we hope that they will reference CME identifiers in their encyclopedias
and products.
What do CME identifiers look like?
Initially, CME identifiers will be in the format CME-N, where N is an integer
between 1 and 9999999 (up to seven digits; in practice restricted to three
digits until more are needed). In Web pages, encyclopedias, alerts, media
releases, etc., CME identifiers should appear in the official format (e.g.,
CME-123), but in vendor products, identifiers may appear in either the full or
an abbreviated format (e.g., VirusName.Variant!CME-123 or VirusName.Variant!M123).
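As an added illustration (not code from MITRE or the CME initiative), the following Python recognizes the identifier forms just described and normalizes them to the official CME-N form, so that detection names from different vendors can be lined up under one identifier. It relies only on what the Q&A states: N is an integer from 1 to 9999999, and a vendor detection name may carry either CME-N or the short MN after a "!" separator. One assumption is added: the bare "M" abbreviation is recognized only after that "!" separator, since "M123" in free text could mean anything. The detection names in SAMPLE_DETECTION_NAMES are constructed for the demo, not real vendor output.

```python
"""Recognise CME identifiers in the forms described in the Q&A and normalise
them to the official CME-N form.

Added example, not MITRE/CME code.  Facts used: official form CME-N with N in
1..9999999; vendor products may append CME-N or the abbreviated MN to a
detection name after '!' (VirusName.Variant!CME-123, VirusName.Variant!M123).
Assumption: the bare 'M' abbreviation is only recognised after that '!'
separator.  SAMPLE_DETECTION_NAMES below are constructed, not real.
"""
from __future__ import annotations

import re
from collections import defaultdict

CME_MIN, CME_MAX = 1, 9_999_999

# Suffix on a vendor detection name: "!CME-123" or the short "!M123".
_SUFFIX = re.compile(r"!(?:CME-|M)(\d{1,7})\b", re.IGNORECASE)
# Any reference in free text: the official form (word-bounded, so "ACME-5"
# is not a hit) or the suffixed short form.  \d{1,7}\b rejects 8+ digit runs.
_ANY = re.compile(r"(?:\bCME-|!M)(\d{1,7})\b", re.IGNORECASE)


def official_form(n: int) -> str:
    """Render identifier number n as CME-N; reject numbers outside the range."""
    if not CME_MIN <= n <= CME_MAX:
        raise ValueError(f"CME number {n} is outside {CME_MIN}..{CME_MAX}")
    return f"CME-{n}"


def _number(match: re.Match) -> int | None:
    """Identifier number from a regex match, or None for CME-0 (out of range)."""
    n = int(match.group(1))
    return n if CME_MIN <= n <= CME_MAX else None


def from_detection_name(name: str) -> str | None:
    """CME identifier carried by a vendor detection name, in official form,
    or None if the name carries none: 'VirusName.Variant!M123' -> 'CME-123'."""
    m = _SUFFIX.search(name)
    n = _number(m) if m else None
    return official_form(n) if n is not None else None


def extract_identifiers(text: str) -> list[str]:
    """Every CME identifier referenced in a block of text (advisory, encyclopedia
    entry, scanner log), normalised and de-duplicated in order of first appearance."""
    found: list[str] = []
    for m in _ANY.finditer(text):
        n = _number(m)
        if n is not None and official_form(n) not in found:
            found.append(official_form(n))
    return found


def alias_table(detection_names) -> dict:
    """Group vendor detection names by the CME identifier they reference, so
    different vendors' names for one threat line up; names carrying no
    identifier are collected under None so the gaps stay visible."""
    table: dict = defaultdict(list)
    for name in detection_names:
        table[from_detection_name(name)].append(name)
    return dict(table)


# Constructed detection names (not real vendor output) for the demo below.
SAMPLE_DETECTION_NAMES = [
    "W32/Example.A!CME-123",
    "Win32.Example.a!M123",
    "Example.Worm!M456",
    "Example.Worm.B",
]

if __name__ == "__main__":
    for ident, names in alias_table(SAMPLE_DETECTION_NAMES).items():
        print(ident or "(no CME identifier)", "<-", ", ".join(names))
```

The word boundary in the official-form pattern matters in practice: product names such as "ACME-5" would otherwise be mistaken for identifiers, and the seven-digit cap keeps arbitrary longer digit runs from being normalized into something that looks official.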
Why don't CME identifiers follow the format of CVE numbers?
CVE identifiers include date information. For example, the number CVE-2000-1234
indicates that the vulnerability was assigned its identifier in the year 2000.
However, experience with CVE has shown that users draw incorrect conclusions
from the date information and that it is preferable for identifiers to carry
no embedded meaning. For this reason, date information is not embedded in CME
identifiers. CVE identifiers will migrate toward a dateless numeric format in
the future.
What is the scope of CME? Are you planning to identify every threat?
For the time being, we are focusing on the top threats, particularly those
discussed in the media that could lead to public confusion. We are relying
on CME participants to identify and submit those threats.
Will the scope be expanded in the future?
Depending on the response to CME identifiers for high-profile threats, we will
consider expanding the scope in the future.
Will spyware and adware be assigned CME identifiers?
In the short term, spyware and adware will not be assigned CME identifiers.
The CME scope may be expanded in the future, however, to include assigning
identifiers to a variety of security threats.
How does the process work? How are identifiers assigned?
Each of the CME Sample Redistribution Group (SRG) members has access to the
CME submission server. When there is a virus outbreak, an SRG member will
log on to the server, fill out a Web submission form, and upload a sample of
the virus. An identifier is then automatically issued and information about
the virus is immediately distributed to SRG members. There is a two-hour
deconfliction window: once a sample has been submitted and an identifier
assigned, any other samples submitted in the next two hours will not
automatically be issued an identifier. Instead, the SRG members discuss whether
the new submission is the same as the one previously submitted, a variant, or
a completely new threat. If it is not equivalent to any sample previously
identified, the SRG members can override the CME system and assign a new
identifier to the new sample.
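A small model of the assignment flow above, added here as an illustration; it is not the CME submission server's code, and the names CmeRegistry, submit and resolve are invented for it. The Q&A leaves several details open, so the model fixes them as labelled assumptions: samples are keyed by SHA-256, so an identical file uploaded again returns the identifier it already has rather than being held; the two-hour window is measured from the most recent automatic issuance and is not restarted by an SRG override; and an SRG decision of "variant" is treated like "same" (aliased to the existing identifier), since the Q&A only says that non-equivalent samples receive a new one. All sample bytes are constructed strings, not malware.

```python
"""Model of the CME assignment process: an SRG member uploads a sample, an
identifier is issued automatically, and a two-hour deconfliction window holds
later submissions for SRG review, which can alias them to the existing
identifier or override and issue a new one.

Added example, not the CME submission server's code.  Assumptions beyond the
Q&A: samples keyed by SHA-256 (identical file -> same identifier, never held);
window measured from the last automatic issuance and not reset by an override;
'variant' aliased like 'same'.  Sample bytes below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DECONFLICTION_WINDOW = timedelta(hours=2)


@dataclass
class Submission:
    sample_sha256: str
    submitter: str
    submitted_at: datetime
    identifier: str | None = None   # set when issued or aliased
    held: bool = False              # True while awaiting an SRG decision


@dataclass
class CmeRegistry:
    next_number: int = 1
    last_auto_issue: datetime | None = None
    by_hash: dict = field(default_factory=dict)   # sha256 -> identifier
    submissions: list = field(default_factory=list)

    def _issue(self) -> str:
        ident = f"CME-{self.next_number}"
        self.next_number += 1
        return ident

    def submit(self, sample: bytes, submitter: str, when: datetime) -> Submission:
        """Record a sample upload.  The returned Submission has .identifier set
        when one was issued (or already existed for that exact file) and
        .held set when it fell inside the deconfliction window."""
        digest = hashlib.sha256(sample).hexdigest()
        sub = Submission(digest, submitter, when)
        self.submissions.append(sub)
        if digest in self.by_hash:                    # identical file already known
            sub.identifier = self.by_hash[digest]
            return sub
        in_window = (self.last_auto_issue is not None
                     and when - self.last_auto_issue < DECONFLICTION_WINDOW)
        if in_window:
            sub.held = True                           # SRG must discuss it first
            return sub
        sub.identifier = self._issue()                # automatic issuance
        self.by_hash[digest] = sub.identifier
        self.last_auto_issue = when
        return sub

    def resolve(self, sub: Submission, decision: str,
                existing: str | None = None) -> str:
        """SRG decision on a held submission: 'same' or 'variant' aliases it to
        `existing`; 'new' overrides the hold and issues a fresh identifier
        (assumption: the override does not restart the window)."""
        if not sub.held:
            raise ValueError("submission is not awaiting deconfliction")
        if decision in ("same", "variant"):
            if existing not in self.by_hash.values():
                raise ValueError("aliasing requires an already-issued identifier")
            sub.identifier = existing
        elif decision == "new":
            sub.identifier = self._issue()
        else:
            raise ValueError(f"unknown decision {decision!r}")
        self.by_hash[sub.sample_sha256] = sub.identifier
        sub.held = False
        return sub.identifier


if __name__ == "__main__":
    reg = CmeRegistry()
    t0 = datetime(2005, 9, 1, 12, 0)
    first = reg.submit(b"constructed sample A", "vendor-1", t0)
    print("first upload ->", first.identifier)
    second = reg.submit(b"constructed sample B", "vendor-2", t0 + timedelta(minutes=30))
    print("second upload held for SRG review:", second.held)
    print("SRG decides it is a new threat ->", reg.resolve(second, "new"))
```

The point of the hold is visible in the model: without it, every vendor uploading its own capture of the same outbreak in the first hours would mint a separate identifier, recreating the naming confusion CME exists to remove.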
How quickly after an outbreak will an identifier be assigned? When will
profile information be available on the web site?
The identifier is assigned immediately. It can take up to a couple of days
for the SRG to discuss the virus before profile information is posted on the
CME Web site. As the process improves, we hope to be able to post within a
12-hour timeframe.
Is identification sample based?
Yes, a sample must be submitted before a CME identifier can be assigned.
To date, how many identifiers have been assigned?
As of late September 2005, approximately 23 CME identifiers had been assigned.
Is there a call to action for anti-virus companies?
The effort is voluntary, but we are requesting that anti-virus companies
reference CME identifiers in the information they provide to their customers.
We hope that the public and the security community will find the CME identifiers
useful and will encourage anti-virus companies to adopt CME identifiers.
Are anti-virus companies voluntarily participating?
Several anti-virus companies are participating in CME. Their participation
has been very positive.
Is this a U.S. effort or a worldwide effort?
The charter of CME's sponsor, US-CERT, is to protect the United States'
Internet infrastructure. Just as with CVE, however, and due to the nature
of malware threats, the CME effort relies upon international cooperation,
and we anticipate it will benefit the worldwide community.
How can I participate?
We encourage members of the security community to reference CME identifiers
in their products, advisories, etc. Those organizations interested in taking
a more active role in the initiative should send email to cme@mitre.org.