- NEW YORK (CNNfn) - Employees at MCI WorldCom were confronted with a science
fiction scenario made cold fact on Monday when a computer virus struck
the company's sprawling network, encrypting and destroying files.
-
- To make things worse, virus consultants at
Network Associates say that the virus -- called "Remote Explorer"
-- is unlike any other and may be the smartest, most dangerous computer
bug to date. "We've never seen a virus of this type that has the capabilities,
the sophistication and the potential to do such widespread damage so quickly
across computer networks," said Peter Watkins, general manager at
Network Associates.
-
- MCI called in Network Associates' network
security experts when an employee couldn't get to certain computer files.
Soon after, the consultants discovered the subversive hand of Remote Explorer
at work. The complexity of the virus alarmed Network Associates, which
alerted all its customers worldwide to the threat. Network Associates still
doesn't know how Remote Explorer infected MCI. Perhaps the contagion began
with a downloaded file, or through a malicious installation from an employee.
-
- How the virus spreads
-
- Once the virus infects a network server
running Microsoft's Windows NT, it quickly hijacks the server, replicating
across the network. Remote Explorer ends up on an individual PC, sometimes
masquerading as another piece of software. Then the dirty work begins,
as the virus selects folders on the computer and randomly encrypts them,
making them unreadable.
-
- Network Associates is now working to
unscramble some of MCI's files, but is finding that Remote Explorer is
unusually complex -- hundreds of times larger than typical viruses, which
can be as small as a few lines of code. "It was written by a very
competent and very sophisticated computer scientist or group of computer
scientists who really know what they're doing," Watkins said.
-
- Analysts say that as computer networks
become more common, viruses will evolve in step in order to exploit their
complex computing environments. "This is the type of threat network
admins are going to have to deal with into the future," said Jim Bladterston,
an analyst at Zona Research. "I bet in a year we may be talking about
the next generation of virus that does something even more horrendous than
this one."
-
- Network Associates spokespeople said
MCI was lucky because Remote Explorer was detected before spreading too
far. Another week -- easy to imagine during the hectic holiday season
-- and the damage could have been costly and extraordinarily difficult
to repair. As it turns out, MCI said the virus is no longer spreading and
no customers were affected, but the company refused to give any further
details.
-
- Network Associates stock soared 6-3/8
to 60-3/8 on the news, cracking a new 52-week high.
-
- _________________
-
- Self-replicating virus attacks MCI
- Network attacked by code that mimics human administrator
- By Jim Kerstetter, PC Week Online, 12-22-98
-
- Dec. 21 - The computer network of MCI
Worldcom was broadly attacked last week by a new virus that one official
called "the first legitimate incident of cyber-terrorism" he
had ever seen. The virus, called Remote Explorer, pretends to be a network
administrator and can spread without human help. That makes it more dangerous
than traditional viruses requiring infected e-mail or a floppy disk for
transmission. "I don't think it's hyperbole to call this an information
time bomb," Hodges said.
-
- Security experts from Network Associates
Inc. described it as a "new era in the virus field ... an entirely
new kind of virus."
-
- Once in place, Remote Explorer wreaks
havoc by encrypting files on users' machines - from programs to text files.
These were not destroyed, however, and Network Associates says it will
soon have a fix on its Web site which can restore the encrypted files.
-
- The "smart virus" attacks Windows
NT-based networks and propagates over the local network, said Gene Hodges,
a general manager at Network Associates in Santa Clara, Calif. Remote Explorer
goes by the file name IE403r.sys and utilizes NT's remote management tools
to act like a human network administrator. It then orders copies of itself
around the network. Once on a workstation, it loads a process into Task
Manager.
-
- "To someone not suspecting this,
you wouldn't notice Remote Explorer just sitting as a service," said
Vincent Gullotto of Network Associates. "If you do discover it, you
can't close it down." The virus had been running for at least a week
before detection, the company said.
-
- It was unclear whether the virus was
downloaded from the Internet or planted on a server internally. Because
part of the source code of the virus was encrypted, it will be difficult
to determine the motivation of its author. Files encrypted by the virus
were apparently chosen at random.
-
- But a spokesman for Computer Associates
said the program was too sophisticated to be the work of indiscriminate
pranksters. "These guys were very smart," Hodges said. The company
estimates the program took 200 hours to write. "They had a good enough
idea of where to put it in order to make it spread very quickly."
-
- The virus compresses the executable files
of servers and workstations that it encounters, rendering them unusable.
It also encrypts .DOC or .XLF files with a cipher that researchers still
have not identified, making it impossible to gain access to those files,
Hodges said.
-
- "Clearly, we don't know who developed
this virus," he said. "But it's clear as to how it was first
planted and how it spreads and that this person was very knowledgeable
of network administration features and planned for this virus to cause
serious damage."
-
- The virus itself, which is written in
C and also partly encrypted, is a savvy piece of programming, Hodges said.
It logs itself in through domain administrative controls and then copies
itself over the network, attacking other servers and even workstations
that access those servers. It can use any link that can identify NT resources.
It cannot propagate in a Unix or NetWare-based network.
-
- It is also huge by virus standards at
120KB. Discovered Thursday, it was operating on a timing mechanism so that
it propagated faster between 3 p.m. and 6 a.m. - hours when network administration
staffing is typically lower at the infected company. The company severed
its WAN connections in order to isolate the problem. "It's clear
that the virus writer has a good Unix and NT background," Hodges said.
-
- Researchers at Network Associates say
they have broken the compression algorithm and will post a fixing technique
that is specific to Network Associates software by early this afternoon.
Peter Watkins, general manager, Network Security Division, said the virus
did not destroy any data - the fix will be able to restore infected, encrypted
files.
-
- A detector for the "smart virus"
has already been posted. Hodges said the company is working with Microsoft
Corp., has also been in touch with other anti-virus groups and is developing
a formal warning. "I don't think it's hyperbole to call this an information
time bomb," Hodges said.
-
- MSNBC's Bob Sullivan contributed to this
report.