funsec mailing list archives

RE: CME: A Total Failure -- Throw in the Towel


From: Drsolly <drsollyp () drsolly com>
Date: Sun, 12 Mar 2006 18:39:53 +0000 (GMT)

On Sun, 12 Mar 2006, David Harley wrote:

> Were you expecting the CME 
> numbers to be a substitute for the existing naming 
> conventions?  I can't speak for the CME guys, but I think 
> that wasn't a goal.  

That wasn't my understanding either. From that point of view,
CME isn't a complete failure. But...

> If I am able to determine that two 
> malware names refer to the same thing because they have the 
> same CME number, then it's a success as far as I'm concerned. 

Kind of. If you can make that assumption (see below).

> I get the impression that they haven't kept up with the 
> volume well, that would be the only failure I could see.

But maybe that's the whole point. Glut has always been a problem,
but it's a little more complicated now. Variants, subvariants,
subvariants with multiple packers, multiple malcodes with 
common code, malcode that mutates as new mods become available.
Traditionally, naming has depended on exchange of samples to 
establish a common code set, as has testing. But we're not in
Kansas anymore, and those models don't work.
 
Here's what I don't understand about the Mitre scheme.

Suppose I have a file on a floppy disk. How do I determine whether this is 
CME-24, or merely something that has some similarities to that? 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
