
Proposal: Modify MalwareLabelEnum Enumeration

Ivan Kirillov edited this page Jul 29, 2015 · 9 revisions

Status: CLOSED
Comment Period Closes: July 28th, 2015
Affects Backwards Compatibility: No
Relevant Issues:

https://github.com/MAECProject/schemas/issues/62

https://github.com/MAECProject/schemas/issues/64

Background Information

There are a few issues relating to some of the malware label values captured in the MalwareLabelEnum-1.0 enumeration: some do not have accurate descriptions, there are some potentially useful values missing, and one value is too broad.

Proposal

We propose to update MalwareLabelEnum-1.0 to MalwareLabelEnum-1.1 in the MAEC Default Vocabularies schema by making the following changes:

  • The malcode value will be removed because it is too broad to be useful.

  • Descriptions for the fork bomb and wabbit values will be changed as follows.

| Value | Description |
| --- | --- |
| fork bomb | The 'fork bomb' value specifies a program that replicates many times on one system, usually until the system runs out of memory or disk space, causing a denial of service. The replicated programs also replicate so that the number grows exponentially. A fork bomb is a type of wabbit. |
| wabbit | The 'wabbit' value specifies a form of self-replicating malware. Unlike worms, wabbits do not attempt to spread across networks. Also known as a 'rabbit'. |

  • The following new values will be added.

| Value | Description |
| --- | --- |
| joke program | The 'joke program' value specifies a program that interferes with the normal behavior of a machine, creating a nuisance. |
| scareware | The 'scareware' value specifies a program that reports false or significantly misleading information on the presence of security risks, threats, or system issues on the target computer. |
| parental control | The 'parental control' value specifies a program that monitors or limits machine usage. They can run undetected and can transmit monitoring information to another machine. |
| security assessment tool | The 'security assessment tool' value specifies a program that can be used to gather information for unauthorized access to computer systems. |
| trackware | The 'trackware' value specifies a program that traces a user's path on the Internet and sends information to third parties. Compare to spyware, which monitors system activity to capture confidential information such as passwords. |

Impact

As an optional, updated version of the MalwareLabelEnum, this change will be backward compatible.

Requested Feedback

  1. Are the proposed description changes accurate and necessary?
  2. Are the proposed additional values appropriate?