Analysts question "cyberterrorism" hype

This morning Network Associates dramatically announced it had identified a new family of computer viruses--the first example, it claimed, of "cyberterrorism"--but victim MCI WorldCom downplayed the incident, saying the virus infection did not affect its customers or operations.

By afternoon, Network Associates had dropped "cyberterrorism" as a term to describe the "Remote Explorer" virus, though it continued saying it was the most sophisticated virus the company has ever seen.

"Now that we've been able to repair the data, it's not as damaging," Network Associates spokesman Cabe Franklin said, noting that the company had posted a patch to detect and repair damage from the virus on its Web site.

Like most security firms, Network Associates did not reveal the name of MCI WorldCom. MCI WorldCom confirmed the attack after its name surfaced in media reports.

Security analysts are divided on how threatening the new virus is, noting that the antivirus firm had reason to exaggerate the threat, just as MCI WorldCom had reason to downplay it.

"Security firms across the board tell a very dark story concerning vulnerabilities and exposure," said Jim Balderston, network security analyst at Zona Research. "They are experts in the area and have thought about it a great deal, plus they hope to sell products."

Victims of security breaches generally downplay incidents, if they acknowledge them at all.

"To let people know that your security has been breached questions your competency in maintaining a proper security perimeter and indicates you may be vulnerable," Balderston pointed out.

Ted Julian, Forrester Research's security analyst, thinks security companies make a big mistake in hyping security threats.

"From the perspective of large companies, my budget to prevent threats is a lot smaller than my budget to enable e-commerce, so if I were a security vendor, I'd focus on enabling e-commerce," Julian said. "Most security companies have figured that out a long time ago."

How unique or serious Remote Explorer remains in question, in part because so far, only Network Associates and MCI WorldCom have their hands on the malicious code--though the company said it will make Remote Explorer available to other antivirus researchers, including competitors.

Symantec and Trend Micro, two other top-tier antivirus vendors, said they haven't seen the problem among their customers.

Rob Rosenberger, who runs Computer Virus Myths Web site, is a skeptic about most virus threats.

"To call it a world threat or other hyperbole, we have seen that for a decade. Extraordinary claims require extraordinary proof. I'm just asking for proof," Rosenberger said.

But Larry Dietz, security analyst at Current Analysis, takes the threat seriously.

"This means Windows NT is a very large target of opportunity now," Dietz said. "We have to make the leap of faith that attackers are as good as a certified NT administrator."

With NT servers proliferating on the Net and on corporate networks, he added, "This is telling me that there is at least one, and probably a team of very capable technical people behind this."

Dietz suggested the current version of Remote Explorer might not be the author's or authors' only effort. "[Attackers] don't have to do everything in their initial attack--these things are done a little at a time," he said, suggesting "the bomb hasn't gone off yet."

Balderston agrees but says he's surprised that so few new antivirus attacks have emerged lately.

"In a year or two, there will be stuff out there that makes this look relatively tame. There will always be an ever-escalating fight between virus makers and those who defend against them," the analyst said. "For anybody to think there's going to be a stasis in malicious code, that is a fool's vision."