Latest scary virus draws skeptics

An Israeli security company finds an ingenious hack that has impacted no one and has yet to be spotted on the Internet, and everyone gets upset. But should they?
Written by Jim Kerstetter, Contributor

This time, the danger is in malicious mobile code hidden on Web sites. Finjan Inc., with U.S. headquarters in California detailed the attack, called the Russian New Year, during a teleconference yesterday.

The genius of this attack, according to Finjan officials, is in taking two functions normally used separately -- HTML and the CALL function available in Microsoft Corp.'s Excel 95 and 97 -- and combining them to form an attack. With this combination, an attacker could steal or copy Internet users' documents and spreadsheet files. The Excel application does not have to be running to execute this exploit. It just has to be installed on a PC.

The victim would never know what happened, said Bill Lyons, Finjan's president and CEO. Lyons said he is not aware of any companies that have been exposed to the attack, although another Finjan official said he has heard of a few but couldn't disclose their names. They also said no one had pinpointed a site that's conducting such attacks.

A Finjan customer notified the company about the security "hole" after being alerted by a colleague in Russia (hence the "Russian New Year" tag). Finjan, in turn, contacted Microsoft (which had already posted a security alert last month that said such a thing was possible with Excel), alerted the highly regarded CERT (Computer Emergency Response Team), added a patch to its own mobile code-scanning software, gave The Wall Street Journal a heads-up and called a press conference.

The problem appears to be preventable, although at the cost of losing some of the Web's interactive features, said Lyons.

  • Install or upgrade to Microsoft's Office 97 and install Service Release 1 and then install Service Release 2 plus patch to eliminate the CALL function.
  • If using Microsoft's Internet Explorer version 4.x, adjust the security setting on the browser to the highest level.
  • If using Netscape Communications Corp.'s Navigator browser, install or upgrade to Navigator 4.5. Finjan is also offering a free 30-day trial of its SurfinGate server software that deals with the problem.
  • To some industry observers, the Russian New Year is more water than vodka. They say by all means pay attention to such alerts and take steps to protect against such attacks. But a company -- or a consumer -- cannot be a fortress and still function in an Internet economy. Fears of hackers, malicious Web sites and internal saboteurs can't derail a company from taking advantage of the Internet. "I fear that the media focus on things like this is making people make unwise security investments," said Ted Julian, an analyst at Forrester Research Inc.

    What Julian says is: Be prepared, be safe and expand your security plans to include issues like giving customers and business partners access to data via authentication mechanisms like digital certificates. Maintaining tough security policies is often more beneficial than buying expensive software. Whatever you do, he said, don't become so paranoid that your business becomes an island on the Internet. "Application access control is far more important in the long run than a lot of these issues," Julian said. So far, most highly publicised security breaches have been isolated to a single company or even the laboratory.

    Last month, for example, Network Associates Inc. called a press conference to talk about a virus that had been set loose on the internal network of MCI/Worldcom. One Network Associates official dubbed the attack "cyberterrorism," although the company later played it down. MCI/Worldcom officials even called reporters to refute such characterisations. And last summer, researchers at Bell Laboratories exposed a hole in the Secure Sockets Layer security used in most browsers. Netscape and Microsoft quickly released patches and the hole was never exploited outside of a lab.

    Sprinkle in the dozens of Microsoft Office macro viruses and other nuisance attacks, and it would appear that the world is a very dangerous place. And it can be, said analysts. But the more worrisome attacks, like one on Caterpillar Inc. last summer that lasted for two weeks, still rely more on guile than technical savvy.

    Forrester's Julian chaffed at an assertion by Finjan that the Russian New Year attack is the worst thing since the Morris Worm, which virtually brought down the Internet about 10 years ago. Robert Morris, a student at Cornell University at the time, created a self-replicating virus -- more of an experiment than a malicious act -- and set it loose on the university's network to see what would happen. Within days, it had spread across the Internet and even disabled part of AT&T's phone system, according to the book, "Cyberpunk: Outlaws and Hackers on the Computer Frontier" by Katie Hafner and John Markoff. "Give me a break," said Julian. "There is no comparison between a malicious code incident with no fallout and what was one of the seminal hacks of all time."

    Editorial standards