SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-26

ISC Diary and Infocon change E-Mail Notification service (BETA)

Published: 2005-11-26
Last Updated: 2005-11-26 19:48:46 UTC
by Patrick Nolan (Version: 1)
Johannes has developed a Diary and Infocon change E-Mail Notification service (BETA): "e-mail notifications are brief and should be 'pager friendly'. A typical notification will include all content as part of the subject, and a link to the relevant content in the body." Sign up!

"the question is not 'why should we have CME IDs' but 'how do we make CME IDs work?'"

Published: 2005-11-26
Last Updated: 2005-11-26 19:48:16 UTC
by Patrick Nolan (Version: 2)
Volunteer participants in security efforts (me in this case) are typically loath to ask questions about issues involving the outcome results of other volunteer efforts by security professionals and Vendors. Especially when they tackle significant issues like those tackled by the AV vendors participating in the Common Malware Enumeration (CME) initiative. And since I'm a volunteer here at the ISC I clearly see and understand what the huge demands are currently for all information security participants affected by the 2005 Malware Fe$tival.

That being said, why do the CME Identifiers lack "additional incident response information", the information that its participants develop during the course of an outbreak? Inserting links to the participating Vendors' technical malware analyses in the CME Identifier entry for each threat would do wonders in helping achieve the goal of providing "additional incident response information".

For instance, the "Secunia Sober.X - HIGH RISK Virus Alert" contains useful "additional incident response information": the links to the AV Vendors' malware descriptions. Those links clearly improve "the malware information resources available to AV software users, first responders, and malware analysts - anyone who depends on accurate, concise information about malware."

At the CME site, on the other hand, look at CME-681: you do NOT get links to the Vendors' technical analyses. Links to technical analyses were a hoped-for outcome of the CME project, since the Vendors' technical analyses are the critical "additional incident response information" needed by the people responding to malware outbreaks.

"A9. Does CME participate in link exchange arrangements?"

CME policy says "Only authorized links are allowed on the CME Web site such as references for CME identifiers on the CME List, and those for Products and Services Including CME Identifiers, CME Editorial Board Members, CME Sponsor, and News about CME".

A name by any other name is just a name.

Related:

In a Diary item from over a year ago, an "Open Letter To Anti-Virus Software Companies - A Response" from "members of US-CERT's Common Malware Enumeration (CME) initiative", it says "The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available." and "To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts - anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry." That response also contains the title for this Diary entry: "the question is not 'why should we have CME IDs' but 'how do we make CME IDs work?'"

CME-ID CME-681 versus Secunia's Sober.X - HIGH RISK Virus Alert

Reports say discovery was on the 16th and the "outbreak" started kicking into gear on the 21st.

Outbreak trend info:

https://monitor.auckland.ac.nz/mail-marx/
http://www.f-secure.com/virus-info/statistics/
http://www.fortinet.com/FortiGuardCenter/global_threat_stats.html
http://wtc.trendmicro.com/wtc/summary.asp?sort=2&cmbTrack=1&cmbPeriod=2
http://www.avira.com/en/stats/index.html?top=7

Secunia Sober.X - HIGH RISK Virus Alert:
"Risk Rating: High Risk"
 
"Aliases: CME-681
Email-Worm.Win32.Sober.y
Sober.AH
Sober.Y
W32.Sober.X@mm
W32/Sober
W32/Sober-Z
W32/Sober-{X,Z}
W32/Sober.AA@mm
W32/Sober.AH.worm
W32/Sober.Y@mm
W32/Sober@MM!CME-681
W32/Sober@MM!M681
Win32.Sober.W
WORM_SOBER.AG"
 
Virus Alerts:
Secunia issued a HIGH RISK alert for this virus.
2005-11-23 11:46

Secunia issued a MEDIUM RISK alert for this virus.
2005-11-22 16:24".

Common Malware Enumeration (CME) initiative
"CME-ID CME-681
http://cme.mitre.org/data/list.html#681
Date Assigned 2005-11-22

Aliases

CA: Win32.Sober.W
F-Secure: Sober.Y
Kaspersky: Email-Worm.Win32.Sober.y
McAfee: W32/Sober@MM!M681
Norman: W32/Sober.AA@mm
Panda: W32/Sober.AH.worm
Sophos: W32/Sober-Z
Symantec: W32.Sober.X@mm
TrendMicro: WORM_SOBER.AG
 
A new variant of the Sober mass-mailing worm."
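Read side by side, the two alias lists above show one worm under more than a dozen vendor names, and the only alias that carries the CME identifier inside the name is McAfee's "!M681" / "!CME-681" tag. The script below is an added example, not code from the ISC, Secunia or the CME project: it reduces the detection names quoted on this page to family, variant and embedded CME id, then groups them so a responder can see at a glance whether a pile of aliases all point at one CME entry. The noise-token set, the prefix patterns and the sample list (the Secunia aliases above, minus the brace-bracketed entry) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Platform / type tokens that are not a family name.  Assumed set, built from the
# alias lists quoted on this page; extend it for other vendors' conventions.
NOISE_TOKENS = {"w32", "win32", "worm"}

# Kaspersky-style compound type prefixes contain '-', so strip them before splitting.
TYPE_PREFIX_RE = re.compile(r"^(?:email-worm|net-worm|p2p-worm)\.", re.IGNORECASE)
# McAfee appends "!M<id>" or "!CME-<id>" carrying the CME identifier.
CME_TAG_RE = re.compile(r"!(?:CME-|M)(\d+)$", re.IGNORECASE)
# A bare CME identifier listed as an alias.
CME_ID_RE = re.compile(r"^CME-(\d+)$", re.IGNORECASE)

# Sample input: the Secunia alias list quoted above (the "{X,Z}" entry left out).
SECUNIA_ALIASES = [
    "CME-681", "Email-Worm.Win32.Sober.y", "Sober.AH", "Sober.Y", "W32.Sober.X@mm",
    "W32/Sober", "W32/Sober-Z", "W32/Sober.AA@mm", "W32/Sober.AH.worm",
    "W32/Sober.Y@mm", "W32/Sober@MM!CME-681", "W32/Sober@MM!M681", "Win32.Sober.W",
    "WORM_SOBER.AG",
]


def parse_detection_name(name):
    """Reduce one vendor detection name to family / variant / embedded CME id.

    Layouts handled (all taken from the alias lists above):
      Type.Platform.Family.variant   Email-Worm.Win32.Sober.y
      Platform.Family.Variant@mm     W32.Sober.X@mm
      Platform/Family-Variant        W32/Sober-Z
      Platform/Family.Variant.worm   W32/Sober.AH.worm
      TYPE_FAMILY.Variant            WORM_SOBER.AG
      Platform/Family@MM!M<cme>      W32/Sober@MM!M681
    Returns a dict: family title-cased, variant upper-cased or None, cme_id int or None.
    """
    raw = name.strip()
    result = {"name": raw, "family": None, "variant": None, "cme_id": None}

    m = CME_ID_RE.match(raw)
    if m:                                   # the alias is the CME id itself
        result["cme_id"] = int(m.group(1))
        return result

    body = raw
    m = CME_TAG_RE.search(body)
    if m:                                   # lift the id out of "!M681" / "!CME-681"
        result["cme_id"] = int(m.group(1))
        body = body[: m.start()]

    body = re.sub(r"@mm$", "", body, flags=re.IGNORECASE)     # mass-mailer marker
    body = re.sub(r"\.worm$", "", body, flags=re.IGNORECASE)  # trailing type marker
    body = TYPE_PREFIX_RE.sub("", body)

    tokens = [t for t in re.split(r"[./_-]", body) if t and t.lower() not in NOISE_TOKENS]
    if tokens:
        result["family"] = tokens[0].title()
    if len(tokens) > 1:
        result["variant"] = tokens[1].upper()
    return result


def cluster_aliases(names):
    """Group aliases by family; returns (groups, bare CME ids that name no family)."""
    groups = defaultdict(lambda: {"names": [], "variants": set(), "cme_ids": set()})
    bare_cme_ids = set()
    for n in names:
        p = parse_detection_name(n)
        if p["family"] is None:
            if p["cme_id"] is not None:
                bare_cme_ids.add(p["cme_id"])
            continue
        g = groups[p["family"]]
        g["names"].append(p["name"])
        if p["variant"]:
            g["variants"].add(p["variant"])
        if p["cme_id"] is not None:
            g["cme_ids"].add(p["cme_id"])
    return dict(groups), bare_cme_ids


def consistent_cme_id(names):
    """The single CME id referenced by the aliases, or None if absent or conflicting."""
    ids = {p["cme_id"] for p in map(parse_detection_name, names) if p["cme_id"] is not None}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    groups, bare = cluster_aliases(SECUNIA_ALIASES)
    for family, g in groups.items():
        print(family, "variants:", sorted(g["variants"]), "CME ids:", sorted(g["cme_ids"]))
    print("bare CME ids:", sorted(bare))
    print("consistent CME id:", consistent_cme_id(SECUNIA_ALIASES))
```

Running it over the Secunia list yields one family, Sober, with seven vendor variant letters and exactly one CME id, 681, which is the cross-reference the diary argues the CME entry should be carrying links for. The variant letters are deliberately not reconciled: as the two lists show, "Sober.Y" at one vendor and "Sober.X" at another are the same sample, so only the CME id, not the letter, can be trusted across vendors.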

Related Handlers Diaries from 2004:

SCANS, Babel (not Bagel/Bagle/Beagle) & Halloween - see "FROM THE MAILBAG"

Open Letter to Anti-Virus Software Companies

Virus Naming