Another great article pointing out the security threats to computer networks.
Self-replicating virus attacks MCI
Network attacked by code that mimics human administrator
By Jim Kerstetter, PC Week Online
ZDNN
Dec. 21 — The computer network of MCI
Worldcom was broadly attacked last week by a
new virus that one official called “the first
legitimate incident of cyber-terrorism” he had
ever seen. The virus, called Remote Explorer,
pretends to be a network administrator and can
spread without human help. That makes it more
dangerous than traditional viruses requiring
infected e-mail or a floppy disk for transmission.
Lack of vigilance could cause virus outbreak, experts warn
Discuss viruses on the Bugs BBS
“I don't think it's
hyperbole to call
this an information
time bomb,”
Hodges said.
SECURITY EXPERTS FROM NETWORK
ASSOCIATES Inc. described it as a “new era in the virus
field ... an entirely new kind of virus.”
Network Associates executives were working the
phones this morning to warn users about this new “smart
virus,” which attacks Windows NT-based networks and
propagates over the local network, said Gene Hodges, a
general manager at Network Associates in Santa Clara,
Calif.
Remote Explorer goes by the file name IE403r.sys and
utilizes NT's remote management tools to act like a human
network administrator. It then orders copies of itself around
the network. Once on a workstation, it loads a process into
Task Manager.
“To someone not suspecting this, you wouldn't notice
Remote Explorer just sitting as a service,” said Vincent
Gullatto of Network Associates. “If you do discover it, you
can't close it down.”
The virus had been running for at least a week before
detection, the company said.
It was unclear whether the virus was downloaded from
the Internet or planted on a server internally.
“These guys were very smart,” Hodges said. “They had
a good enough idea of where to put it in order to make it
spread very quickly.”
The virus compresses the executable files of servers
and workstations that it encounters, rendering them
unusable. It also encrypts .DOC or .XLF files with a cipher
that researchers still have not identified, making it impossible
to gain access to those files, Hodges said.
The virus
compresses the
executable files of
servers and
workstations that
it encounters,
rendering them
unusable. It also
encrypts .DOC or
.XLF files.
“Clearly, we don't know who developed this virus,” he
said. “But it's clear as to how it was first planted and how it
spreads and that this person was very knowledgeable of
network administration features and planned for this virus to
cause serious damage.”
The virus itself, which is written in C and also partly
encrypted, is a savvy piece of programming, Hodges said. It
logs itself in through domain administrative controls and then
copies itself over the network, attacking other servers and
even workstations that access those servers. It can use any
link that can identify NT resources. It cannot propagate in a
Unix or NetWare-based network.
It is also huge by virus standards at 120KB.
Discovered Thursday, it was operating on a timing
mechanism so that it propagated faster between 3 p.m. and
6 a.m. — hours when network administration staffing is
typically lower at the infected company. The company
severed its WAN connections in order to isolate the
problem.
“It's clear that the virus writer has a good Unix and NT
background,” Hodges said.
It cannot
propagate in a
Unix or
NetWare-based
network.
Researchers at Network Associates say they have
broken the compression algorithm and will post a fixing
technique that is specific to Network Associates software
by early this afternoon. Peter Watkins, general manager,
Network Security Division, said the virus did not destroy
any data — the fix will be able to restore infected,
encrypted files.
A detector for the “smart virus” has already been
posted.
Hodges said the company is working with Microsoft
Corp., has also been in touch with other anti-virus groups
and is developing a formal warning. “I don't think it's
hyperbole to call this an information time bomb,” Hodges
said.
MSNBC's Bob Sullivan contributed to this report.
Barrie Einarson
Investor Relations
bbruin@home.com |
