
Does your network need this worm tool?

Shawna McAlearney, News Editor

Like to see how your security measures up to a major worm outbreak? Symantec Corp. just unveiled a new tool that shows graphically the rate of infection globally and locally for some of the Web world's most notorious malicious code. Enterprises can use it to see how their configurations and security policies match against others that were either victimized or protected during an outbreak.

"It's a simulation application that mimics typical real-world scenarios to give lay people a visual idea of the impact and speed at which worms and viruses spread," said Carey Nachenberg, chief architect at Symantec.

During the simulation, currently available on Symantec's Web site, the user sees two windows on a computer monitor: a rotating globe that depicts the worm spreading on the Internet and another that shows an individual network, including desktop machines, workgroups and larger company subnets. The simulation can be set to represent machines across the Internet that are vulnerable to a particular threat or show the entire Internet population.

Currently, the tool can simulate Mydoom, Netsky, Sasser, Slammer, Blaster and Sobig, each tailored to represent how the real worm spread in the wild. Symantec says that as the worm spreads, nodes in the network and on the globe start turning colors.

  • White: nodes in the clean state don't contain a copy of the worm but haven't been patched. All nodes start the simulation in the clean state.
  • Yellow: patched nodes have taken action to make themselves invulnerable to the threat being simulated, i.e., updated virus definitions or a patch for the flaw the worm exploits.
  • Turquoise: dormant nodes contain a copy of the worm that is not yet actively attempting to spread, for example a copy of the worm in an e-mail that has not yet been downloaded and executed.
  • Red: infected nodes contain a running copy of the worm that is actively trying to spread.
  • Gray: dead nodes have been rendered inoperable by the worm, possibly as a side effect of the worm crashing the system or formatting the hard drive.

"The Sobig virus simulation quickly shows one corporate network turning red, while a different company turns yellow," the AV vendor said in a statement. "The yellow company has more machines that are patched or running security software, and are therefore resistant to the worm."

Symantec said a simulation can have a custom configuration of network topology and security policy. "For example, a simulation can specify how quickly machines are patched, whether security software is running on a particular machine, where firewalls are located and how often users open e-mail attachments."

Four simulated networks will show the effects that different security policies can have on identical "companies" during a worm outbreak.

  • No security: Nearly all nodes are vulnerable to the worm, and machines are patched very slowly. The worm will infect this network quickly.
  • Firewall only: The second network is protected by a perimeter firewall; however, a small number of users can connect from home through a VPN without going through the perimeter firewall. Since that connection isn't protected, the worm can enter the network through this "backdoor" by infecting one of the home users. A high number of nodes in this company are vulnerable, and patching takes place slowly. This network will also be overrun by the worm, but not as quickly as the first company.
  • Strong host security and network security: The third network is similar to the second in that it has a perimeter firewall with a backdoor originating from home users; however, it has a better internal security policy. Many machines are already patched against the worm, and most others are patched quickly after they are infected. Some nodes will be infected, but most will be patched quickly.
  • Host security only: The last company has the same internal security policy as the third company but doesn't have a perimeter firewall. Only a small percentage of the nodes in this company are vulnerable, patching of uninfected nodes is fast, and patching of infected nodes is even faster. However, many of the nodes will get infected before being patched.
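To make the colour states and the four policy scenarios concrete, here is an added example (not Symantec's simulator or its code) of a small discrete-time outbreak model: every node is white, yellow, turquoise, red or gray, the worm enters from the Internet only at nodes reachable past the perimeter, and each company is a set of assumed parameters (patch rates, firewall, number of VPN home users) chosen to mirror the article's descriptions.

```python
import random
from collections import Counter, namedtuple
# The five node colours the simulator uses
CLEAN, PATCHED, DORMANT, INFECTED, DEAD = "white", "yellow", "turquoise", "red", "gray"

# vulnerable: fraction of nodes that start unpatched; patch_clean / patch_infected: per-round
# chance a clean / infected node is patched; firewall: perimeter firewall blocks inbound worm
# traffic; vpn_users: home users whose VPN link bypasses that firewall (assumed parameters)
Policy = namedtuple("Policy", "name vulnerable patch_clean patch_infected firewall vpn_users")

def simulate(policy, nodes=200, rounds=25, seed=7):
    """Discrete-time outbreak; returns (final colour counts, number of nodes ever infected)."""
    rng = random.Random(seed)
    state = [CLEAN if rng.random() < policy.vulnerable else PATCHED for _ in range(nodes)]
    exposed = range(policy.vpn_users) if policy.firewall else range(nodes)
    ever_infected = set()
    for _ in range(rounds):
        hit = set()
        for i in exposed:                 # worm arrives from the Internet at reachable nodes
            if state[i] == CLEAN and rng.random() < 0.2:
                hit.add(i)
        for i, s in enumerate(state):     # each infected node attacks one random peer
            if s == INFECTED:
                j = rng.randrange(nodes)
                if state[j] == CLEAN:
                    hit.add(j)
        for i, s in enumerate(state):
            if s == CLEAN and rng.random() < policy.patch_clean:
                state[i] = PATCHED
            elif s == DORMANT:            # user runs the copy, e.g. opens the attachment
                state[i] = INFECTED
                ever_infected.add(i)
            elif s == INFECTED:
                r = rng.random()
                if r < policy.patch_infected:
                    state[i] = PATCHED
                elif r < policy.patch_infected + 0.02:   # worm crashes the host
                    state[i] = DEAD
        for i in hit:
            if state[i] == CLEAN:         # a patch applied this round wins the race
                state[i] = DORMANT
    return Counter(state), len(ever_infected)

# The article's four "companies", with assumed parameter values
NETWORKS = [
    Policy("no security", 0.95, 0.01, 0.02, False, 0),
    Policy("firewall only", 0.95, 0.01, 0.02, True, 5),
    Policy("strong host + network", 0.30, 0.20, 0.30, True, 5),
    Policy("host only", 0.30, 0.20, 0.30, False, 0),
]
```

Calling `simulate(p)` for each entry of `NETWORKS` reproduces the article's ordering: the first two companies are overrun, the third sees only a handful of infections, and the fourth is infected more widely than the third despite ending almost entirely yellow.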

Though educational, the worm simulator also serves to guide enterprises on configuration management, based on past outbreaks. Ultimately, Nachenberg said, "corporate networks might be able to be viewed in real time to see how an attack affects them."
