
Malware to Vulnerability Mappings.. Anyone?

Unbeknownst to many of us, MITRE’s Common Malware Enumeration (CME) project was declared dead, and apparently has been for a while. What is CME? From their site:

CME was created to provide single, common identifiers to new virus threats and to the most prevalent virus threats in the wild to reduce public confusion during malware incidents. This community effort was not an attempt to replace the vendor names used for viruses and other forms of malware, but instead to facilitate a shared, neutral indexing capability for malware.

With the demise of CME, are there any projects or companies that perform the same role? Specifically, do any maintain mappings between malware and the exploit they use for propagation? Are there any anti-virus vendors that are specifically good about cross-referencing CVE identifiers (or any VDB) to malware?

OSVDB maintains a classification to denote if a vulnerability has been “wormified”, but does not have a mechanism to map more details. When readily available, we will include the malware’s name in keywords, but that is not a flexible solution either. With CME gone, and no obvious vendors or projects that perform this, OSVDB is considering enhancements to fill this void. Before we begin, we’d really like to be sure we aren’t re-inventing a wheel, just replacing a lost wheel (R.I.P. CME). To be clear, we’d only seek to track malware that had a ‘vulnerability’ component to it, not every variation of “CLICKMESTUPID.EXE”. We’ll leave that to the malware detection shops.

Why VDBs > AV Industry

Remember the recent Microsoft Windows WMF vulnerability that made news? You know, the “Shimgvw.dll SETABORTPROC function crafted WMF arbitrary code execution” issue? This was assigned OSVDB 21987, CVE 2005-4560, CERT VU 181038, BID 16074, FRSIRT ADV-2005-3086, OVAL 1433, SECTRACK 1015416, and Secunia 18255. While the vulnerability has a dozen different tracking numbers, they all correspond to the same issue, and many of them cross reference each other to avoid confusion. This issue is different from the “WMF processing ExtEscape POSTSCRIPT_INJECTION function overflow DoS” or the “WMF processing ExtCreateRegion function overflow DoS”, each of which has its own unique identifier in many of the VDBs.

Familiar with the CME-24/BlackWorm worm making the rounds? Oh, maybe you know it as W32/Kapser.A@mm? No, how about Worm/KillAV.GR? Maybe Win32/Blackmal.F? No?! Come on.. you have to know it by something? Check this handy list based on the Anti-Virus software you use:

Authentium: W32/Kapser.A@mm
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

Yes, that many names for the same little program. For those that frown upon the VDB industry, at least we have our standards =)
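As an added illustration of the shared indexing both posts describe, the following Python builds a small cross-reference index from the identifiers quoted above. This is example code, not OSVDB's or CME's: the canonical spellings it emits (e.g. `OSVDB-21987`, `VU#181038`) are this example's own convention, and the worm name `Example/WmfWorm.A` and its link to the WMF issue are constructed placeholders, since the post does not say which vulnerability, if any, BlackWorm used. It normalises loosely written tracking numbers, groups aliases with union-find so that any name resolves to the same record, and carries the malware-to-vulnerability link that the first post asks vendors for.

```python
import re

# Canonical spellings for the VDB identifiers named in the posts.  The regexes
# accept the loose forms seen in advisories and prose ("CVE 2005-4560",
# "cve-2005-4560", "CERT VU 181038", "VU#181038"); the output spellings are
# this example's own convention, not any database's.
_SCHEMES = [
    (r"^(?:CVE|CAN)[\s#-]*(\d{4})[\s-]+(\d{4,})$", "CVE-{0}-{1}"),
    (r"^OSVDB[\s#-]*(\d+)$",                        "OSVDB-{0}"),
    (r"^(?:CERT[\s#-]*)?VU[\s#-]*(\d+)$",           "VU#{0}"),
    (r"^BID[\s#-]*(\d+)$",                          "BID-{0}"),
    (r"^SECUNIA[\s#-]*(\d+)$",                      "SECUNIA-{0}"),
    (r"^CME[\s#-]*(\d+)$",                          "CME-{0}"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), fmt) for p, fmt in _SCHEMES]


def canonical(ident: str) -> str:
    """Normalise a VDB identifier; unknown schemes (vendor malware names) pass through verbatim."""
    ident = ident.strip()
    for pat, fmt in _COMPILED:
        m = pat.match(ident)
        if m:
            return fmt.format(*m.groups())
    return ident


class CrossReferenceIndex:
    """Alias sets (union-find over identifiers) plus malware-to-vulnerability links."""

    def __init__(self) -> None:
        self._parent: dict[str, str] = {}
        self._links: list[tuple[str, str]] = []  # (malware, vulnerability), canonical forms

    def _find(self, ident: str) -> str:
        self._parent.setdefault(ident, ident)
        root = ident
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[ident] != root:  # path compression
            nxt = self._parent[ident]
            self._parent[ident] = root
            ident = nxt
        return root

    def alias(self, a: str, b: str) -> None:
        """Record that a and b name the same thing (two vuln ids, or two malware names)."""
        ra, rb = self._find(canonical(a)), self._find(canonical(b))
        if ra != rb:
            self._parent[rb] = ra

    def same(self, a: str, b: str) -> bool:
        return self._find(canonical(a)) == self._find(canonical(b))

    def aliases(self, ident: str) -> frozenset[str]:
        """Every known name in the same alias set as ident (canonical spellings)."""
        root = self._find(canonical(ident))
        return frozenset(k for k in list(self._parent) if self._find(k) == root)

    def link_exploit(self, malware: str, vuln: str) -> None:
        """Record that a piece of malware uses a vulnerability to propagate."""
        self._links.append((canonical(malware), canonical(vuln)))

    def vulns_used_by(self, malware: str) -> frozenset[str]:
        """All identifiers of every vulnerability linked to this malware, under any of its names."""
        root = self._find(canonical(malware))
        out: set[str] = set()
        for m, v in self._links:
            if self._find(m) == root:
                out |= self.aliases(v)
        return frozenset(out)

    def malware_using(self, vuln: str) -> frozenset[str]:
        """All names of every malware family linked to this vulnerability, under any of its ids."""
        root = self._find(canonical(vuln))
        out: set[str] = set()
        for m, v in self._links:
            if self._find(v) == root:
                out |= self.aliases(m)
        return frozenset(out)


def build_sample_index() -> CrossReferenceIndex:
    """Index populated with the identifiers quoted in the posts (sample data)."""
    idx = CrossReferenceIndex()
    # The WMF SETABORTPROC issue: every tracking number the post lists for it.
    wmf = ["OSVDB 21987", "CVE 2005-4560", "CERT VU 181038", "BID 16074",
           "FRSIRT ADV-2005-3086", "OVAL 1433", "SECTRACK 1015416", "Secunia 18255"]
    for other in wmf[1:]:
        idx.alias(wmf[0], other)
    # CME-24 under each vendor's name, as listed in the post.
    blackworm = ["W32/Kapser.A@mm", "Win32/Blackmal.F", "W32/Grew.A!wm", "Nyxem.E",
                 "Worm/Generic.FX", "Worm/KillAV.GR", "Email-Worm.Win32.Nyxem.e",
                 "W32/MyWife.d@MM", "Win32/Mywife.E@mm", "W32/Small.KI",
                 "W32/Tearec.A.worm", "W32/Nyxem-D", "W32.Blackmal.E@mm", "WORM_GREW.A"]
    for name in blackworm:
        idx.alias("CME-24", name)
    # Constructed placeholder link: the post does not say which vulnerability,
    # if any, BlackWorm used, so a hypothetical worm is tied to the WMF issue instead.
    idx.link_exploit("Example/WmfWorm.A", "cve-2005-4560")
    return idx
```

Resolving at query time rather than storing the vulnerability link against a fixed representative keeps the index correct when a later alias merges two sets that were recorded separately, which is exactly what happens as vendors' names for one worm trickle in over days.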

Excellent analysis of the worm: http://www.caida.org/analysis/security/blackworm/

Blog entry that prompted this one: Virus Naming Still a Mess