It wasn't long ago that I remember saying “Chris, since you enjoyed the open letter to Microsoft so much, I nominate you to write the open letter to the antivirus vendors ranting about non-standard naming conventions throughout the industry.” Chris Mosby took the ball and ran with it, and ran well he did. SANS posted his Open Letter to Anti-Virus Software Companies in the Handlers Diary at the Internet Storm Center on 11NOV04. I created a Bagle Virus Decoder Chart to help illustrate the frustration that Chris wrote about in his open letter. It wasn't long after that SANS posted a coordinated response from US-CERT, the Department of Homeland Security, and prominent members of the AV industry.
An article was published today at Techworld, titled “Security experts criticise malware list”, but where do we stand on the Common Malware Enumeration (CME)?
I visited the CME website and reviewed a Bagle, or Beagle, well, let's just call it CME-245, that was one of the first to make the list:
CME-245
CA: Win32/Bagle.AQ!Worm
Kaspersky Lab: Email-Worm.Win32.Bagle.au
McAfee: W32/Bagle.bd@MM
Norman: Bagle.AR@mm
Sophos: W32/Bagle-AU
Symantec: W32.Beagle.AW@mm
Trend Micro: WORM_BAGLE.AU
Description: A worm that spreads as an attachment to an infected email. The worm harvests addresses from the local address book and installs a proxy server. This Bagle variant spreads either as a Windows PE EXE file or a Windows Control Panel Applet (CPL) file, both about 20 KB in size.
Date: 2004-11-22
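The seven names above are the whole problem in miniature: every vendor encodes the same worm with its own prefix, separator, suffix and variant letters. The following added example (not code from the original post, nor from CME or any vendor) parses each name according to the convention visible in that vendor's entry and shows what falls out: the family name can be normalized (“Beagle” to “Bagle”), but the variant letters cannot be reconciled by parsing, because each vendor assigns them independently. The per-vendor patterns and the family alias table are assumptions written to fit the samples on this page, not a statement of any vendor's full naming rules.

```python
import re
from typing import NamedTuple, Optional

class Detection(NamedTuple):
    vendor: str
    family: str   # normalized, lower-case family name
    variant: str  # vendor-assigned variant suffix, lower-case
    raw: str      # the original detection name

# Per-vendor patterns (assumption: derived only from the CME-245 names on this
# page; real vendor conventions have many more forms than these).
VENDOR_PATTERNS = {
    # Win32/Bagle.AQ!Worm
    "CA": re.compile(r"^(?:Win32/)?(?P<family>[A-Za-z]+)\.(?P<variant>[A-Za-z]+)(?:!\w+)?$"),
    # Email-Worm.Win32.Bagle.au
    "Kaspersky Lab": re.compile(r"^(?:[\w-]+\.)*?Win32\.(?P<family>[A-Za-z]+)\.(?P<variant>[A-Za-z]+)$"),
    # W32/Bagle.bd@MM
    "McAfee": re.compile(r"^W32/(?P<family>[A-Za-z]+)\.(?P<variant>[A-Za-z]+)(?:@\w+)?$"),
    # Bagle.AR@mm
    "Norman": re.compile(r"^(?P<family>[A-Za-z]+)\.(?P<variant>[A-Za-z]+)(?:@\w+)?$"),
    # W32/Bagle-AU
    "Sophos": re.compile(r"^W32/(?P<family>[A-Za-z]+)-(?P<variant>[A-Za-z]+)$"),
    # W32.Beagle.AW@mm
    "Symantec": re.compile(r"^W32\.(?P<family>[A-Za-z]+)\.(?P<variant>[A-Za-z]+)(?:@\w+)?$"),
    # WORM_BAGLE.AU
    "Trend Micro": re.compile(r"^(?:[A-Z]+_)?(?P<family>[A-Za-z]+)\.(?P<variant>[A-Za-z]+)$"),
}

# Family spellings that differ between vendors for the same malware
# (assumption: only the alias visible on this page).
FAMILY_ALIASES = {"beagle": "bagle"}

# The CME-245 entry exactly as listed on the page.
CME_245 = {
    "CA": "Win32/Bagle.AQ!Worm",
    "Kaspersky Lab": "Email-Worm.Win32.Bagle.au",
    "McAfee": "W32/Bagle.bd@MM",
    "Norman": "Bagle.AR@mm",
    "Sophos": "W32/Bagle-AU",
    "Symantec": "W32.Beagle.AW@mm",
    "Trend Micro": "WORM_BAGLE.AU",
}

def parse_detection(vendor: str, name: str) -> Optional[Detection]:
    """Split one vendor's detection name into (family, variant).

    Returns None for an unknown vendor or a name that does not follow the
    convention we know for that vendor, so callers never get a half-parsed
    result they might wrongly treat as a match.
    """
    pattern = VENDOR_PATTERNS.get(vendor)
    if pattern is None:
        return None
    m = pattern.match(name.strip())
    if m is None:
        return None
    family = m.group("family").lower()
    family = FAMILY_ALIASES.get(family, family)
    return Detection(vendor, family, m.group("variant").lower(), name)

def summarize(entry: dict) -> dict:
    """Parse every name in a CME-style entry and report how far the vendors agree.

    'families' collapses to one value when normalization works; 'variants'
    stays a set of several letters because no vendor shares another's sequence.
    """
    parsed = [d for d in (parse_detection(v, n) for v, n in entry.items()) if d]
    return {
        "parsed": len(parsed),
        "families": {d.family for d in parsed},
        "variants": {d.variant for d in parsed},
        "variants_agree": len({d.variant for d in parsed}) == 1,
    }

if __name__ == "__main__":
    for vendor, name in CME_245.items():
        print(f"{vendor:14} {name:28} -> {parse_detection(vendor, name)}")
    print(summarize(CME_245))
```

The summary collapses the family to a single value but leaves five distinct variant letters for one piece of malware, which is exactly why a shared identifier like CME-245 has to be assigned out of band rather than derived from the names themselves.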
I then searched some of the vendors' websites for their descriptions of the virus:
McAfee
Symantec
Trend Micro
Sophos
I was not surprised, but a little disappointed, that McAfee and Symantec did not reference CME-245. I was, however, pleased to see that Trend Micro and Sophos both listed CME-245. It would have been nice to have the CME-245 text link to the listing on the CME website, but at least I can say that progress was made here by two of the vendors. I would go as far as saying that they should replace the original name given to the virus with the CME name and list the original name as an alias, but let's take one step at a time. I did visit some of the descriptions for the newer viruses, with similar results.
My visit to the CME list had similar issues. There were references to some of the vendors that allowed me to find the various names easily, but links to the vendor sites would have been a big help. There do not seem to be very many CMEs, considering that so many viruses were released this year. I also would have liked to see a link for more technical details. I was happy to see RSS being used for the list, and I will definitely be adding it on VirusIntel.com.
I would have to say that I partially agree with Graham Cluley when he said “We mustn't criticise it for not being a 100 percent solution, it's a definite step in the right direction”. It is a big step in the right direction, but a little criticism is a good thing, and I think that everyone in the industry needs to step up to the plate, take a healthy dose of criticism, and make the Common Malware Enumeration work.