quote:

This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

quote:

Thursday, November 11, 2004
Some MyDooms renamed to Bofra Posted by Gergo @ 13:18 GMT

--------------------------------------------------------------------------------


Even though they seem to originate from the same source code, some samples we called MyDoom earlier have been renamed to Bofra. More specifically this affects MyDoom.AG, MyDoom.AH and MyDoom.AI.

The Bofra family of worms uses a different way of propagation which we explained in this earlier post.

A link page for the Bofra family has been posted to

http://www.f-secure.com/v-descs/bofra.shtml

quote:

Open Letter To Anti-Virus Software Companies - A Response

On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an " Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:

http://isc.sans.org/diary.php?date=2004-11-05

Our favorite CTO, Johannes Ullrich, stepped into the fray in the November 8th diary:

http://isc.sans.org/diary.php?date=2004-11-08

Yesterday, we received the following response from members of the USCERT' s CME (Common Malware Enumeration) initiative. While we don' t have any policy about providing " equal time" , we thought that their response was also interesting enough to publish:

------------------begin letter------------------

As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.

As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space (http://www.us-cert.gov/cve/). By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.

As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.

As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.

We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”

Desiree Beck, CME Technical Leader
US-CERT

Andy Purdy, Acting Director NCSD
Department of Homeland Security

Larry Hale, Deputy Director NCSD
Department of Homeland Security

Jimmy Kuo
McAfee Fellow - McAfee, Inc.

Matthew Braverman, Program Manager
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team

Mady Marinescu, Development Lead
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team

Randy Treit, Program Manager
Microsoft Corporation
Security Business and Technology Unit - Antivirus Team

Vincent Weafer, Senior Director, Symantec Security Response
Symantec Corporation

Oscar Chang, Executive Vice President
Trend Micro, Incorporated

Joe Hartmann, Director North American
Anti-virus Research Group
Trend Micro, Incorporated
-------------------end letter-------------------

quote:

ORIGINAL: hwaldron

Chris - Maybe you and many others have made a difference with the new CME standard For example, Sober.R is CME-151 everywhere (although when multiple variants packed slightly different emerge it could still get a little confusing. Still, it' s one step forward in the right direction.