Debate rages over NT virus

Network Associates' handling of the "Remote Explorer" virus is prompting heated debate, with critics and rivals hurling accusations.

Network Associates' handling of a new virus called "Remote Explorer" is prompting heated debate, with critics and rivals contending the company overhyped the problem and didn't share the malicious code quickly enough.

From the start, the story of Remote Explorer has been driven more by publicity, Internet postings, and hyperbole than by antivirus researchers, who encounter new viruses every day, the critics said.

"We acted appropriately to make the [antivirus research] community aware of this virus," said Vincent Gullotto, manager of Network Associates' antivirus lab. Company spokesman Jennifer Keavney added: "This story took on a life of its own."

The Remote Explorer story was unusual in several ways.

First, the victim, MCI WorldCom, was quickly identified, violating a tenet of modern security practice: Don't say who got hurt. But the very first report of the virus Monday morning, on CNN, named MCI WorldCom; the company confirmed the report. It also carried a live interview with the telecommunications giant's antivirus vendor, Network Associates.

Second, Network Associates initially branded the incident "the first instance of cyberterrorism," a characterization that had disappeared by noon after critics slammed it. But Network Associates stood its ground in calling Remote Explorer a new form of virus.

Third, Network Associates researchers admittedly did not share the virus code with other antivirus vendors for more than four days. The company defends that action, saying it needed to help its customer first, then share the code with others. But other antivirus firms contend that under the unwritten law of the antivirus community, the code should have been shared immediately, given the high level of concern among customers.

"We put the code out there as soon as we could responsibly put it out there," Keavney said.

"We would share it with them immediately, so they should do the same," said Enrique Salem, vice president for the antivirus unit of Symantec, a Network Associates competitor and frequent foe.

Fourth, although coverage of Remote Explorer has generally indicated only one customer has been hit, the publicity led administrators of Windows NT networks--the only kind hit by the virus--to believe they might have serious problems.

"We got hundreds of customers calling up and freaking out," Salem said. Network Associates likewise had a huge surge in customer interest.

"If it was contained in MCI's network and Network Associates was aware of that, then all this hype scared Windows NT administrators back from vacation," said Russell Cooper, moderator of the Windows NT Bug Traq Web site.

Cooper also contends Network Associates will be responsible if the virus spreads because it didn't make the code available to other researchers sooner.

"We have followed our procedures, and we would never consider withholding anything," said Keavney of Network Associates, who added that the company released the virus code to other researchers faster than it would under normal circumstances.

Cooper even contends Remote Explorer might have been written as a "useful virus" to solve network administrators' problems, a claim to which not even Symantec's Salem subscribes.

"I definitely believe it was somebody writing a malicious virus," said Salem. "If you were trying to do something beneficial, you wouldn't try to do all the things it was doing."

Despite the controversy, several new facts about Remote Explorer have emerged in the last 48 hours. Symantec says, for example, that the virus should not be able to pass through a properly configured firewall and onto a corporate network.

Antivirus vendors Symantec, Network Associates, and Trend Micro all have "detectors" available from their Web sites to find the virus on Windows NT machines. Most, however, require use of that vendor's antivirus software.

Network Associates has a patch available to repair damage by Remote Explorer, and Symantec expects its fix to be available next week.