Name That Worm

Ant wrote to mention a C|NET article reporting on the Common Malware Enumeration (CME) initiative, now emerging from its test phase. From the article: "Next month, the U.S. Computer Emergency Readiness Team (CERT) plans to officially take the wraps off the effort, meant to reduce the confusion caused by the different names security companies give worms, viruses and other pests. The project assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected ..."

Re:In Soviet Russia..

[eklitzke]

Can people NOT moderate these as funny? Because really, they're not.

Re:In Soviet Russia..

[Anonymous Coward]

maybe they are funny and you just don't have a sense of humor.

Re:In Soviet Russia..

[Anonymous Coward]

ha ha ha ha ha.
Come on somebody. Genuinely funny doesn't happen on slashdot that often...

Proposal

[b100dian]

Run all antiviruses on a machine.
Exec the worm.
Blitblt the screenshot into an OCR buffer.
Compute the name of the worm

extra step: see if all AVs fired: if not so, the naming can become "AV killer"

did...

[dosle]

Did you get my joke email? just save the billgatespie.exe and run it for a fun game

Re:did...

[KillShill]

did you know that if you rename billgatespie.exe to .scr you can install it as a screensaver?

then install a password on it and no one can stop it short of a reboot... or 30 mins, give or take.

It's obvious

[Anonymous Coward]

All worms should be named "Bill"... after the man that made them all possible!

Compliance will be an issue...

[Anonymous Coward]

I think the most difficult part of this proposal will be getting the virus writers to include the unique identifier in their code. Besides, isn't the evil bit already supposed to take care of this issue?

Re:Compliance will be an issue...

[TheGazelle7]

hmm... let's see... oh yeah... is written into the virus.... MD5.... SHA1? These ring a bell? It's called cross correlation. CMEID=~MD5=~SHA1

just a though...

I'd like to nominate

[Anonymous Coward]

The use of the name "FruitFucker 2000".

Thank you and good nite

Re:I'd like to nominate

[Tackhead]

> I'd like to nominate
> The use of the name "FruitFucker 2000".

Sure thing, but we'll have to wait until my OS X box gets hit.

Re:I'd like to nominate

[Incadenza]

I think you have been listening to Nurse With Wound [www.last.fm] a wee bit too long.

Re:I'd like to nominate

[WillerZ]

More likely a penny-arcade reference. http://www.penny-arcade.com/view.php?date=2005-09- 21&res=l [penny-arcade.com] is the latest in the FF2000 series.

Re:I'd like to nominate

[Incadenza]

Ignorant me. Makes note: Must read more comic strips.

Welcome, if not overdue

[Sv-Manowar]

If this step does anything to simplify the myriad of naming schemes provided by security & antivirus companies, then its more than welcome. Working out exactly what worms have which effects is hard enough without the confusion of complex names and differing schemes. However, the voluntary nature of this new naming scheme may mean it sits alongside the current identifiers and names, which would significantly lessen its effect. I guess only time will tell which way the companies decide to go..

What?

[Overly Critical Guy]

What's an "internet worm?"

Signed,
Every OS X user

Re:What?

[Mancat]

What is "Mac OS X?"

Signed,
Ninety Percent of the Personal Computing Consumer Market

Re:What?

[Have Blue]

Something really awesome.

Signed,
The Top Ten Percent of the Personal Computing Consumer Market

Re:What?

[Kent Recal]

Internet bites worm.

Signed,
In Soviet Russia

Re:What?

[drsquare]

Something very expensive and lacking in functionality.

Signed,
Sandal-wearing, turtle-neck jumpered, left-wing, limp-wristed graphic designers who pay half a day's wages for a cup of sugary coffee from a trendy cafe.

Re:What?

[Rosco P. Coltrane]

What's OS X?

Signed,
97% of all computer users.

Mac fanboi mods on crack yet again.

[titzandkunt]

Mac fanboi mods on crack yet again.

Re:What?

[R3d M3rcury]

Something that doesn't affect you, as long as you've applied this patch. [apple.com]

Politics?

[gmuslera]

Why the article is in that section?

Naming Worms - Virii's pride

[Fox_1]

To be honest I imagine it's pretty kewl to have created a nasty piece of software that takes down millions of computers and costs billions in damages. At least in a perfect world where everybody is happy, corners are round and nobody ever gets hurt. It's even cooler if the virus you create gets a name like 'code red' or 'blaster' or 'buddy the smackhappy clown' and gets all sort of media coverage and everybody recognizes the name. I maen that's pretty awesome. So I hope that this naming system the 'Common Malware Enumeration' , makes names that are as exciting as it's own. In other words, boring. Take away some of the fun that the virus writers have been enjoying from their nasty little creations.

Re:Naming Worms - Virii's pride

[Locke2005]

You mean, you're not likely to brag about being the creator of the "Sociopath trying to compensate for tiny penis" worm?

Please mod parent up.

[msauve]

For the sake of language.

http://linuxmafia.com/~rick/faq/plural-of-virus.ht ml [linuxmafia.com]

Re:Naming Worms - Virii's pride

[Vellmont]

So I hope that this naming system the 'Common Malware Enumeration' , makes names that are as exciting as it's own.

It's not a naming scheme, it's an enumeration scheme. The "names" will be CME-123 for instance. There's still need for a common name for a virus to be referred to as.

Re:Naming Worms - Virii's pride

[NickBilo]

Actually names will be like W32/Bagle.A!CME-123 or WORM_BAGLE.B!M123 etc... either that or name will continue to be W32/Bagle.A but it will have an ALIAS of CME-123 on the antivirus vendor website.

Re:Naming Worms - Virii's pride

[jayloden]

I have to agree with you whole-heartedly here. I make a virus removal tool in my spare time that deals with IM-specific viruses. There was one virus that I was able to track back to the author (which is a whole nother story), and he got a little upset when I pointed out his name and contact info on my website for infected users to contact him. Shortly thereafter, "someone" attempted to access both my gmail account and free DNS accounts and reset the passwords, among other threats and such that I received.

T

Re:Naming Worms - Virii's pride

[arbitraryaardvark]

So, from that angle, is my idea about naming them after congresscritters a good or bad idea?

Re:Naming Worms - Virii's pride

[ozbird]

YAWN - Yet Another Worm Name.

Re:Naming Worms - Virii's pride

[GrumpySimon]

It's not going to work - sure the official name will be CME-1234etc but it will still have some k3wl script kiddy name. This means the media will use THAT term instead of the boring CME name. Face it - the next worm to break into the 15 seconds of media attention won't be CME-xyz but CME-xyz AKA "secret elite name that sounds scary and weird to average people".

Not hard to do

[Red Flayer]

Why don't we just use the Linnean system?

I'm all about latin names for malware -- for one thing, malware creators won't feel so cool when their piece of code gets designated "Caenorhabditis Crapiticus" of the phylum Nematoda.

Ya know...

[Shadow Wrought]

It's not a like a hurricane in which everyone can agree on which worm is which. How do you know that Worm Bob really is an unique new worm, and not just a variant of Worm Jimbo? And what happens when the 21 names run out?

Re:Ya know...

[rodoke3]

Plus if they had a finite namespace, it would probably be a PR nightmare when virus writers exhausted it.

I imagine there would be some kind of honor in writing the "omega-omega-omega-omega-shit"* worm.

* "&-o-m-e-g-a;" kept getting eaten.

[rodoke3]

nt

Re:Ya know...

[drsquare]

Well, how do you know that Rita isn't just the follow-through of Katrina?

And more importantly: do you recycle lists?

[ArsenneLupin]

Hurricane name lists are recycled every 6 years (except for names that stood for particularly well devastating hurricanes; these are replaced by new ones).

For Hurricanes, this makes sense, because hurricanes only exist for a couple of weeks each. Viruses on the other hand may well still be active 6 years after...

Good first step, common name still needed though.

[Vellmont]

It's great that there will be at least one recognized identifier for worms, but when people talk about the worm are they really going to refer to it as CME-123 (for example)? There still needs to be a common name that's accepted. We don't for instance have 15 different names for chicken pox. The virus is called varicella-zoster, or human herpes virus 3. Everyone knows what chicken pox is though.

Re:Good first step, common name still needed thoug

[Anonymous Coward]

hmm... all they really need is ONE common base name.

windows _________

windows killer
windows stopper
windows blaster
windows wiper
windows zapper
windows destroyer
windows billyboygonemad
windows replacer (aka linux)

Re:Good first step, common name still needed thoug

[Mathness]

Everyone knows what chicken pox is though.

Unless you are not from an English speaking nation, in which case varicella-zoster makes more sense.

Let's use AOL disk passwords

[G4from128k]

Instead of hard-to-remember ID numbers for malware, why not use those funky passwords that AOL puts on their CDs for creating new accounts. I'd like to here about viruses names such as WONTON-FLOES or GRAVEL-TAPE, to use two passwords from recently mailed AOL CDs.

Re:Let's use AOL disk passwords

[denbesten]

... use AOL disk passwords for viruses names ...

But there are thousands of viruses discovered every year. Where would one come up with thousands of AOL CDs to extract names?

... oh ... Nevermind.

Off topic Norton rant!

[Humorously_Inept]

What will the agreed-upon name be for that piece of malware? Seems like Norton's more tenacious than and presents a larger array of system-wide issues to users than do the many of the viruses/worms/trojans it's supposed to protect against.

Re:Off topic Norton rant!

[crabpeople]

use norton corporate. thin lightweight and non intrusive.

CARO?

[Leebert]

Whatever happened to the Compute Antivirus Research Organization (CARO)? I thought they were the de facto standard for naming of viruses.

Re:CARO?

[Anonymous Coward]

Yes, I wondered about that as well. The CARO system has worked well for a long time now, and there have been a number of initiatives to regularise the virus naming taxonomy - I remember Jim Bates coming up with one in the 80s, which was all numeric!

The problem is that the researcher working on a virus has to name it very rapidly. Viruses are often varients of others, so you need expertise in name allocation - it can only be done by the researchers. I would have though that the CARO system had sorted out all

Re:CARO?

[NickBilo]

As someone who works in the industry I can comment: CARO developed the naming standard (e.g. W32/FamilyName.Variant@reference) not the actual names for the malware. CARO members run a discussion forum that actually will decide which new malware warrants a new CME IDs. So CARO and other Antivirus groups all collaborate on this.

Worm naming...

[jemenake]

Are they going to use alphabetical-ordered human names like with hurricanes?

Can't you just see the newspaper headlines already? "Worm Andrew Batters Microsoft Servers! The worm overtopped firewalls and flooded into data-centers throught the country. Emergency officials said that it will take a week to repair the firewalls and begin letting users back into the data..."

i can...

[KillShill]

name that worm in 3 infections.

How is this any different?

[Anonymous Coward]

How is this any different from using a single firm for virus/worm names?

If I always look at the AVG name of whatever gobbledygook is out there, it doesn't matter what else it's called. If i'm searching for info on it, other vendors will have the Symantec / McAfee / TrendMicro / YourMomAV name alongside their own.

It's just another "vendor" name to add to the list:

Vendor A calls it this
Vendor B calls it this
Vendor C calls it this
Government A calls it this

Much like Common Vulnerabilities & Exposures (

[Josh Triplett]

This project is likely intended to do for viruses, spyware, and other malicious programs what CERT's existing Common Vulnerabilities and Exposures (CVE) [mitre.org] does for security issues. CVE has attained widespread acceptance for use in unique and unambiguous identification of security issues; hopefully this project will have the same level of success.

Re:Much like Common Vulnerabilities & Exposure

[Arthen]

I think you're exactly right that CME is trying to do for malware identifiers what CVE has done for vulnerability ids. CVE's adoption is a good example of how a voluntary standard can make real progress. Seems from the article that the major players (Symantec, McCaffee, Trend Micro, Kaspersky) are already on board with CME, too, which is very encouraging.

One clarification, though: I believe CVE is run by MITRE, and funded by US-CERT. CERT/CC uses CVE IDs in their publications, but doesn't control the eff

I will hold him...

[isecore]

and cuddle him and call him George.

Just use the same naming system

[Orion Blastar]

they use for hurricanes. It is very simple, just name them after the ex-boyfriends and ex-girlfriends of every employee in the organization that names such things.

"Katrina discovered that I was cheating on her with Rita? I'll show them both after I get my organization to name hurricanes after them!" -Anonymous Weather Scientist

Perhaps they can name them after strippers, like the Melissa worm was named? Better yet, how about celebrities? I got infected with the Tom Cruse worm. Yeah well I got infected with P

A futile effort

[sd_diamond]

Usually when I get to the point where I feel like naming the worm, I'm already near the end of the bottle so I'm not likely to remember what name I come up with.

Standardize a format

[MECC]

softwareproduct-year-n

where year is the year, and n is count of worms/viruses/trojans/ that have hit that product that year.

Ex:

Internet explorer-2001-55
Microsoft Excel-1999-33
Firefox-2004-44
MacOSX--2005-2
windows-2003-666

Oh, and people would be all better off just leaving computers alone for the holidays...

Seldon Naming

[SEWilco]

I lean toward Harry Seldon's naming approach: "Idiot number 1", "Idiot number 2", etc. For both a virus creator and their product. His emperor's approach of following that with execution is an optional enhancement.