e-v-mail |
|
 (home page) Alerts: CNET News reports: Korova Multimedia:
Got a question? Try |
January 3, 1999 Not all Internet virus hype and deception (intentional and otherwise) comes from the grass roots, and dark, anonymous sources on the Net. Anyone who remembers the mass-media hysteria surrounding the Michelangelo virus scare of 1992 can attest to the kind of inertia that can sweep common sense and reason into the bit bucket. As documented by Rob Rosenberger on his Computer Virus Myths home page, McAfee Associates (now Network Associates) had a key role in getting the news media whipped up into a paranoid fury about a computer virus threat that turned out to be a minimal risk. (Read more about the Michelangelo virus scare on the Computer Virus Myths and Crypt Newsletter sites.) Since that ignominious incident, McAfee and Symantec (makers of Norton AntiVirus) have repeatedly demonstrated a canny manipulation of a naïve press corps in favor of wailing Chicken Little-style, all in the name of selling more copies of their antivirus software. Just in time for Christmas 1998, Network Associates again played the "alert" press release game, warning the entire industry of "the most destructive virus ever seen."
|
|
"I don't think it's hyperbole to call this an information time bomb." Gene Hodges |
According to various reports, a new virus called "Remote Explorer" (or
RICHS) was discovered on MCI WorldCom computers on or about December 17,
1998. When the executable is run by an administrator-level
account, it installs itself as a
Early December 21, Network Associates managers went public with the story, "working the phones" to warn customers (and reporters, naturally) of a new virus that recently attacked a "Fortune 100" client. A press conference was scheduled for 4:30 PM PT.
In an initial story on PC Week Online (December 21, 10:57 AM PT), Jim Kerstetter reported, "The computer network of a Fortune 100 company was obliterated last week by a new virus that one official [Hodges] called 'the first legitimate incident of cyber-terrorism' he had ever seen."
|
Although Hodges declined to name the attacked company, he said 10 sites and several thousand servers and workstations had been infected. It was also unclear whether the virus was downloaded from the Internet or planted on a server internally. Jim Kerstetter |
(As an interesting anomaly, the HTML version of this report, dated 12:45 AM ET -- one hour earlier -- identifies MCI WorldCom instead of "a Fortune 100 company." In this version, Hodges states "... it's clear as to how it was first planted and how it spreads and that this person was very knowledgeable of network administration features....")
By the time of the scheduled press conference, it was public knowledge that MCI had been the victim. A story by Kerstetter on ZDNET (4:43 PM PT) starts with the bylines "Self-replicating NT virus obliterates MCI/WorldCom's network. Will it spread?" and "A massive, hybrid virus attacked MCI WorldCom, taking down its servers and scrambling data last week."
Not to be outdone, local broadcast journalists took to the air with a tale of danger well-suited for a Bruce Willis potboiler. In a live story that aired locally at 6:00 PM (available on the Web as a RealVideo file), KRON-TV's Pete Wilson announced that MCI WorldCom was "under very real attack this evening." KRON couldn't resist using the Internet as a loaded buzzword to get viewers' attention: "It's a serious scare for just about anyone who surfs the 'Net."
|
"We're not talking about a single company here, but one of the Internet's most important backbones." "This has all the markings of what could've been the most destructive event yet for the Internet..." "This past weekend dozens of computer security and encryption experts frantically tried to contain a vicious new software virus that could've literally destroyed the Internet..." Jim Goldman |
To further dramaticize his report, Goldman included a film clip from the Dustin Hoffman film, Outbreak, in which an Ebola-like virus threatens to decimate the United States. Huh? It must've played well in the editing room. Anchorman Pete Wilson shook his head at the end of the story, muttering, "Scary stuff."
In a story the following morning for the San Francisco Chronicle ("Network Associates Says Killer Virus Hit MCI WorldCom"), Benny Evangelista quoted Network Associates as stating that Remote Explorer is the "most destructive virus ever seen." Peter Watkins, general manager for Network Associates' security division, tempered the alarm by saying, "It does represent an entirely new kind of virus, but at this point, there's no reason to panic." Remote Explorer, he continued, "is the first one that is really targeted at attacking a network environment."
Actually, it's NOT the first, as any credible programmer or computer security expert knows. Network worms have been around for quite some time, at least since Robert T. Morris' infamous Internet Worm (November 2, 1988). Morris was known for his concern about Internet security weaknesses (in February, 1985, he published "A Weakness in the 4.2BSD UNIX TCP/IP Software"), and he apparently wrote the Internet Worm in 1988 to demonstrate these. As a demonstration of the Internet's security weaknesses, his worm was surprisingly successful. Nicknamed "The Great Worm," it provided a watershed event in the evolution of the Internet, and computer security law.
I hate to spoil a good story with boring ol' facts, but I have to wonder why a security expert at Network Associates would overlook this new bug's resemblance to a network worm. The coincidence of this virus incident at MCI WorldCom occurring circa the 10th anniversary of the Internet Worm ... leads me to suspect more than just a coincidence.
(For an excellent primer on computer security issues, take a look at O'Reilly & Associate's most excellent primer on the subject, Computer Security Basics. To read more about Morris' Internet Worm, take a look at Thomas Darby and Charles Schmidt's account of the case.)
From Kerstetter's escalating hysteria ("NT virus obliterates MCI/WorldCom's network"), you'd think that MCI would be irate about their identity being divulged. Quite the contrary, according to the telecommunications giant, the virus was discovered and isolated quite quickly. Jim Monroe of MCI WorldCom, speaking to the Chronicle and others, downplayed the incident: "It had no impact on our customers or our operations." The virus had effected some "thousands" of servers and workstations at 10 sites, and WAN access was halted temporarily to remove the bug, but MCI's Internet services were undisturbed. (A subsequent CERT incident report identified that only 50 servers, and an undetermined number of workstations, had been infected.)
All this hysteria was not without a silver lining, of course. At the end of the day, CNNfn reported, "Network Associates stock soared 6-3/8 to 60-3/8 on the news, cracking a new 52-week high." Imagine that, news of Networks Associates "spearheading the effort" to contain the "smart virus" [KRON-TV] actually made their stock price soar.
A unrelated circumstance? Perhaps. But I doubt it.
The warning (in the form of a press release) of a catastrophic virus epidemic has served the antivirus software developer before. Rob Rosenberger wrote an excellent article tracing the mutation of the Michelangelo virus scare of 1992 from a few minor incidents into a full-scale, national media scare-fest. A key component of the hysteria was an exaggerated estimate of the potential damage, attributed to none other than John McAfee. His shareware antivirus program was widely exhibited as a great way to "protect" users' computers from the deadly threat. (I recall that Symantec also released a "special," free version of Norton AntiVirus coded to only look for this specific virus.)
It turned out that the actual damage from Michelangelo was far less than predicted, and a gullible media establishment congratulated itself for helping the public avert an epidemic by spreading the word.
The "computer virus as sales tool" tactic has continued to serve McAfee Associates very well in the years since Michelangelo. In fact, the antagonistic press release has been a primary marketing tool for antivirus industry, with McAfee and Symantec taking the lead.
In one instance, McAfee's Beta-test division found an obscure ActiveX security flaw in The Norton Utilities 2.0, when used with Microsoft Internet Explorer 3.x. Rather than reporting the weakness to Symantec, McAfee reported the problem to Windows Sources magazine, and provided a test utility that demonstrated the weakness. Symantec almost immediately provided a fix.
But was such extreme alarm necessary? According to Symantec Senior Product Manager Tom Andrus, "To our knowledge, there are no Norton Utilities users in the world that have run into this." In other words, it was almost a non-problem. Symantec complained about Windows Sources providing the test utility on the Web for anyone to download and exploit, and the magazine subsequently removed it from their Web site. It was as if McAfee had concocted a virus to show up a competitor's product weaknesses, then provided the virus to the media, and the computing product.
In a second instance, McAfee's Beta-test division found a heuristic "cheat mode" in Dr. Solomon's AntiVirus Toolkit. In yet another "j'accuse" press release through the PR Newswire, they inferred that this function caused the product to produce unrealistic results in tests by reviewers:
|
"The cheat mode can cause Dr. Solomon's Anti-Virus Toolkit to show inflated virus detection results when the product is being reviewed by trade publications or independent third party testing organizations. McAfee has forwarded its evidence to the National Computer Security Association [NCSA]..." McAfee Associates press release |
Solomon's responded with a press release that confirmed the "heuristic" function, but asserted that reviewers get the exact same product that is sold commercially. After some more "he said, she said" press releases between the two companies, the NCSA released their own statement. The heuristic function "did not and does not affect the NCSA labs present or past certification testing." So there.
There have been other incidents of the "McAfee Media Manipulation" technique. One such tirade against Symantec in 1996 demanded no less than a worldwide recall of Norton Antivirus.
To date, most major antivirus software developers host pages to identify and alert customers to new, deadly viruses (and some host pages about false alarms, as well). Generally, these pages feature convenient links to their latest "virus data" updates, and download links to evaluate their software. It's something akin to insurance companies hosting news pages about disasters.
[Much of this historical background was drawn from articles written by Rob Rosenberger, Computer Virus Myths home page ("McAfee's media-assault tactics," "Stop arguing over Symantecs"), and George Smith, The Crypt Newsletter ("The Little Virus That Didn't!", "The Competition Virus"). Please visit their web sites for continuing news on viruses, antiviruses and virus hoaxes.]
The reason for all this hubbub must be plain. Advertising doesn't sell antivirus software, news does. There's no better way to advertise your antivirus product than to get your name, your quotes, your frowning "I told you so" face into news reports of the latest, greatest virus incident. Network Associates and Symantec know this, and so use the almighty press release as their most potent marketing tool. They can do this because an uninformed media is anxious to parrot their tales of doom and lost data, without wasting a precious minute doing a little fact-checking or analysis. Only a few reporters actually corroborated the story with independent analysts and experts. (Antivirus developers are often more than happy to provide "independent experts" of their own.)
In the case of the MCI incident, the danger is far less than some members of the press led the public to believe. (Trust me, the Internet IS NOT in danger of being destroyed. It was designed to withstand a nuclear attack.) Based on previous experience, and some of the quotes attributed to Gene Hodges and Peter Watkins, it's clear that once again Network Associates has used the computer virus incident, and the subsequent press release, as an effective sales tool, either to move product, or simply boost their stock value.
There's only one thing truly frightening about this event: the tactic worked. Within a few days, Network Associates stock value climbed 22%.
"Scary stuff."
January 31, 1999
Inter@ctive Week ascertained that MCI WorldCom Inc. dismissed some of their technical staff a few weeks before the discovery of the Remote Explorer virus.
Noise
|
I'm not at all skeptical about a connection between the two events, considering the earlier conjecture that this was "an inside job." I'd bet my bottom dollar that a disgruntled soon-to-be ex-employee bit back by planting the virus. Laying off personnel during the Thanksgiving and Christmas holiday seasons is just asking for a swift kick in the WAN.
David Spalding
Updated: 31 January 1999
(A wave of the tricorn to Rob Rosenberger, George Smith, and Jim Tunnicliffe.)
NT admin tips from Korova Multimedia
Learn more in O'Reilly & Associates' Windows NT User Administration, Essential Windows NT System Administration, and Windows NT In a Nutshell. |
