Worm Watchers

Software: Simulation tools fight new network parasites.

Kevin Hoganarchive page

March 13, 2002

Most people now know the drill when it comes to thwarting a computer virus. Receive an e-mail with a vague subject line? Trash it.

If only that were enough to keep the Internet free from the wanton devastation of Code Red II and Nimda, just two of the new automated menaces (both technically worms, rather than viruses) now infecting millions of computer networks. Security experts admit such attacks can’t be prevented entirely, but they say simulation technologies now in development might at least help network operators predict how their systems will respond to invaders, so they can prepare better defenses and contain the damage.

The latest rashes of corrupting code are particularly virulent because they don’t require any social engineering-a phrase used to describe how virus makers trick people into opening tainted e-mails-and can infect networks without anybody noticing. Code Red II scans the Internet for vulnerable Web servers and creates “back doors” that allow hackers to control the servers remotely, to date causing $2 billion worth of server downtime and Internet traffic jams. Nimda spreads automatically via shared files, Web pages, e-mail and other routes. Infected computers can be cleaned, but the worms spread with such speed and in such volume that networks can grind to a halt.

Security experts are working to remedy individual vulnerabilities, but they agree the virus makers will always be able to find new ways to intrude. “It’s no longer a question of How can we keep them from coming in?’ but What do we do now?’” says computer scientist David Fisher at the CERT Coordination Center, a government-funded research and development center for Internet security at Carnegie Mellon University. Fisher helped develop Easel, a software simulation tool that runs potential nightmare scenarios involving the likes of Code Red and Nimda. Using the collected data from previous attacks-how many servers were affected in what span of time, for instance-it creates reference models that computer security specialists can use to minimize damage in future attacks. They might, for example, configure a network to recognize a nascent infection and shut down affected servers before the virus can spread further.

The center recently released the beta version of Easel, and similar software is under development at companies such as McAfee and Symantec. “We can’t hope to stop them,” says Sam Curry, virus expert at McAfee, “but by knowing what might happen when they do hit, we can at least keep them contained.”