Like to see how your security measures up to a major worm outbreak? Symantec Corp. just unveiled a new tool that graphically shows the rate of infection, globally and locally.
"It's a simulation application that mimics typical real-world scenarios to give lay people a visual idea of the impact and speed at which worms and viruses spread," said Carey Nachenberg, chief architect at Symantec.
During the simulation, currently available on Symantec's Web site, the user sees two windows on a computer monitor: a rotating globe that depicts the worm spreading on the Internet and another that shows an individual network, including desktop machines, workgroups and larger company subnets. The simulation can be set to represent machines across the Internet that are vulnerable to a particular threat or show the entire Internet population.
Currently, the tool can simulate Mydoom, Netsky, Sasser, Slammer, Blaster and Sobig, each tailored to represent how the real worm spread in the wild. Symantec says that as the worm spreads, nodes in the network and on the globe start turning colors.
- White: nodes in the clean state are those that don't contain a copy of the worm, but haven't been patched. All nodes start the simulation in the clean state.
- Yellow: patched nodes have taken action to make themselves invulnerable to the threat being simulated, i.e., updated virus definitions or the exploited flaw patched.
- Turquoise: dormant nodes contain a copy of the worm that is not yet actively attempting to spread itself. For example, a copy of the worm in an e-mail not yet downloaded and executed.
- Red: infected nodes contain a running copy of the worm that is actively trying to spread.
- Gray: dead nodes have been rendered inoperable by the worm, possibly as a side effect of the worm crashing the system or formatting the hard drive.
"The Sobig virus simulation quickly shows one corporate network turning red, while a different company turns yellow," the AV vendor said in a statement. "The yellow company has more machines that are patched or running security software, and are therefore resistant to the worm."
Symantec said a simulation can have a custom configuration of network topology and security policy. "For example, a simulation can specify how quickly machines are patched, whether security software is running on a particular machine, where firewalls are located and how often users open e-mail attachments."
Four simulated networks will show the effects that different security policies can have on identical "companies" during a worm outbreak.
- No security: Nearly all nodes are vulnerable to the worm, and machines are patched very slowly. The worm will infect this network quickly.
- Firewall only: The second network is protected by a perimeter firewall; however, a small number of users can connect from home through a VPN without going through the perimeter firewall. Since that connection isn't protected, the worm can enter the network through this "backdoor" by infecting one of the home users. A high number of nodes in this company are vulnerable, and patching takes place slowly. This network will also be overrun by the worm, but not as quickly as the first company.
- Strong host security and network security: The third network is similar to the second in that it has a perimeter firewall with a backdoor originating from home users; however, it has a better internal security policy. Many machines are already patched against the worm, and most others are patched quickly after they are infected. Some nodes will be infected, but most will be patched quickly.
- Host security only: The last company has the same internal security policy as the third company, but doesn't have a perimeter firewall. Only a small percentage of the nodes in this company are vulnerable, patching of uninfected nodes is fast, and patching of infected nodes is even faster. However, many of the nodes will get infected before being patched.
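The five node colours and the four policy networks above, as an added toy simulation that is not Symantec's tool: the `Policy` fields, the per-step rates and the `POLICIES` table are constructed assumptions, each infected node probes one random peer per step, and a perimeter firewall leaves only the VPN home users reachable from the outside.

```python
import random
from collections import Counter
from dataclasses import dataclass

CLEAN, PATCHED, DORMANT, INFECTED, DEAD = "white", "yellow", "turquoise", "red", "gray"

@dataclass
class Policy:
    vulnerable: float      # fraction of nodes exploitable at the start (the rest begin patched)
    patch_clean: float     # per-step chance an uninfected vulnerable node gets patched
    patch_infected: float  # per-step chance an infected node is cleaned and patched
    firewall: bool         # perimeter firewall blocks direct inbound infection
    vpn_users: int = 0     # home users whose VPN bypasses the perimeter firewall
    crash: float = 0.0     # per-step chance the worm crashes an infected node (gray)

def simulate(policy: Policy, nodes: int = 200, steps: int = 40, seed: int = 1) -> list:
    """Return one Counter per step giving how many nodes are in each colour."""
    rng = random.Random(seed)
    state = [CLEAN if rng.random() < policy.vulnerable else PATCHED for _ in range(nodes)]
    # Internet-facing nodes: every node without a firewall, only the VPN users with one.
    exposed = range(min(policy.vpn_users, nodes)) if policy.firewall else range(nodes)
    entry = [i for i in exposed if state[i] == CLEAN]
    if entry:  # patient zero receives a copy, e.g. an attachment not yet opened
        state[rng.choice(entry)] = DORMANT
    history = []
    for _ in range(steps):
        nxt = list(state)
        for i, s in enumerate(state):
            if s == DORMANT:
                nxt[i] = INFECTED  # the copy is executed and starts spreading
            elif s == INFECTED:
                target = rng.randrange(nodes)  # one random probe or e-mail per step
                if state[target] == CLEAN and nxt[target] == CLEAN:
                    nxt[target] = DORMANT
                if rng.random() < policy.crash:
                    nxt[i] = DEAD
                elif rng.random() < policy.patch_infected:
                    nxt[i] = PATCHED
            elif s == CLEAN and nxt[i] == CLEAN and rng.random() < policy.patch_clean:
                nxt[i] = PATCHED
        state = nxt
        history.append(Counter(state))
    return history

POLICIES = {  # constructed parameters loosely following the four networks described above
    "no security": Policy(0.95, 0.01, 0.01, firewall=False),
    "firewall only": Policy(0.95, 0.01, 0.01, firewall=True, vpn_users=5),
    "strong host + network": Policy(0.4, 0.2, 0.3, firewall=True, vpn_users=5),
    "host security only": Policy(0.4, 0.2, 0.3, firewall=False),
}
```

Calling `simulate(POLICIES["no security"])[-1]` gives the final colour counts for that network; comparing the four final Counters reproduces the qualitative ordering the article describes.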
Though educational, the worm simulator also serves to guide enterprises on configuration management, based on past outbreaks. Ultimately, Nachenberg said, "corporate networks might be able to be viewed in real time to see how an attack affects them."