[ISN] Debate rages over NT virus

From: mea culpa (jerichoat_private)
Date: Fri Dec 25 1998 - 14:59:33 PST

  • Next message: mea culpa: "[ISN] Berlin Prepares for Chaos"

    Forwarded From: Per Kangru <perat_private>
    Debate rages over NT virus
    By Tim Clark
    Staff Writer, CNET News.com
    December 23, 1998, 5:25 p.m. PT
    URL: http://www.news.com/News/Item/0,4,30291,00.html
    Network Associates' handling of a new virus called "Remote Explorer" is
    prompting heated debate, with critics and rivals contending the company
    overhyped the problem and didn't share the malicious code quickly enough. 
    >From the start, the story of Remote Explorer has been driven more by
    publicity, Internet postings, and hyperbole than by antivirus researchers,
    who encounter new viruses every day, the critics said. 
    "We acted appropriately to make the [antivirus research] community aware
    of this virus," said Vincent Gullotto, manager of Network Associates'
    antivirus lab. Company spokesman Jennifer Keavney added: "This story took
    on a life of its own." 
    The Remote Explorer story was unusual in several ways. 
    First, the victim, MCI WorldCom, was quickly identified, violating a tenet
    of modern security practice: Don't say who got hurt. But the very first
    report of the virus Monday morning, on CNN, named MCI WorldCom; the
    company confirmed the report. It also carried a live interview with the
    telecommunications giant's antivirus vendor, Network Associates. 
    Second, Network Associates initially branded the incident "the first
    instance of cyberterrorism," a characterization that had disappeared by
    noon after critics slammed it. But Network Associates stood its ground in
    calling Remote Explorer a new form of virus. 
    Third, Network Associates researchers admittedly did not share the virus
    code with other antivirus vendors for more than four days. The company
    defends that action, saying it needed to help its customer first, then
    share the code with others. But other antivirus firms contend that under
    the unwritten law of the antivirus community, the code should have been
    shared immediately, given the high level of concern among customers. 
    "We put the code out there as soon as we could responsibly put it out
    there," Keavney said. 
    "We would share it with them immediately, so they should do the same," 
    said Enrique Salem, vice president for the antivirus unit of Symantec, a
    Network Associates competitor and often foe. 
    Fourth, although coverage of Remote Explorer has generally indicated only
    one customer has been hit, the publicity led administrators of Windows NT
    networks--the only kind hit by the virus--to believe they might have
    serious problems. 
    "We got hundreds of customers calling up and freaking out," Salem said. 
    Network Associates likewise had a huge surge in customer interest. 
    "If it was contained in MCI's network and Network Associates was aware of
    that, then all this hype scared Windows NT administrators back from
    vacation," said Russell Cooper, moderator of the Windows NT Bug Traq Web
    Cooper also contends Network Associates will be responsible if the virus
    spreads because it didn't make the code available to other researchers
    "We have followed our procedures, and we would never consider withholding
    anything," said Keavney of Network Associates, who added that the company
    released the virus code to other researchers faster than it would under
    normal circumstances. 
    Cooper even contends Remote Explorer might have been written as a "useful
    virus" to solve network administrators' problems, a claim to which not
    even Symantec's Salem subscribes. 
    "I definitely believe it was somebody writing a malicious virus," said
    Salem. "If you were trying to do something beneficial, you wouldn't try to
    do all the things it was doing." 
    Despite the controversy, several new facts about Remote Explorer have
    emerged in the last 48 hours. Symantec says, for example, that the virus
    should not be able to pass through a properly configured firewall and onto
    a corporate network. 
    Antivirus vendors Symantec, Network Associates, and Trend Micro all have
    "detectors" available from their Web sites to find the virus on Windows NT
    machines. Most, however, require use of that vendor's antivirus software. 
    Network Associates has a patch available to repair damage by Remote
    Explorer, and Symantec expects its fix to be available next week. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:14:37 PDT