Viruses 101

Anti-Virus Software

The Role of CERT

Legal Implications

Social Impact

The Future

The Role of CERT

[Response Teams]  [What is CERT?]  [Threat Response] [Case Study]  [Sources]

What is the role of response teams?  [Top]
Computer emergency response teams are the human counterparts to anti-virus software. When new viruses or computer security threats are discovered, these teams document these problems and work to fix them. Because these teams are made up of people who can react to new situations, they are much more capable of dealing with new virus threats than anti-virus programs would be by themselves. When the computer security experts that make up the response teams discover a new dangerous virus, they work around the clock to create a remedy for it. They often work closely with anti-virus software companies to establish virus definitions and solutions, and they work with other software makers to help plug up any security holes that allowed the virus to propagate itself.

What is CERT?  [Top]
CERT was the original computer emergency response team. It was formed in November 1988, after Morris released his Internet worm. A collection of researchers from the academic and government community came together to contain the worm, and shortly after that, the Defense Advanced Research Projects Agency of the U.S. government funded the development of the CERT Coordination Center (CERT/CC). Though it started out simply as a computer emergency response team, it has since grown to assume a much broader role, and "CERT" is no longer considered to be an acronym.

According to CERT's website, its goals include the following:

1. Establish a capability to quickly and effectively coordinate communication among experts during security emergencies in order to prevent future incidents.

2. Build an awareness of security issues across the Internet community.

In addition to handling reports of computer viruses and security holes, CERT/CC also trains and coordinates with other computer security incident response teams across the U.S. and the globe. Many other response teams with "CERT" in their name have sprung up and are part of the Forum of Incident Response and Security Teams (FIRST), of which CERT/CC was a founding member. They all work independently toward a common goal of computer security. These teams include AFCERT (Air Force CERT), AUSCERT (Austrailian Computer Emergency Response Team), BCERT (Boeing CERT), and many more. SUNSeT, the Stanford University Network Security Team, is also a member of FIRST.

In addition to CERT/CC and the organizations that make up FIRST, many private anti-virus software companies also have divisions that play the role of the emergency response team.

The process of responding to a new threat  [Top]
When a new virus is released onto the Internet at the speed of email, incident response teams need to act fast. Quick response is necessary in order to keep the virus from spreading to too many hosts and to help users with infected systems get back on their feet.

The first stage of virus response is the reporting of threats. The web sites of most virus response groups have sections that allow people to send them samples of viruses they have received or other information on system vulnerabilities. These groups depend on the assumption that concerned computer users will send them this information early on in the virus's life cycle. The faster that people tell them about the threat, the faster they can respond. Some groups, such as CERT/CC, ask users to encrypt system vulnerability information before sending it, to keep it from falling into the wrong hands.

After receiving information about a virus or security hole, response teams then begin reviewing it to determine how dangerous it is and how difficult it will be to fix. In the process of reviewing a new virus, groups can build a virus profile or definition, which they can then post on their web site in order to spread awareness about the virus. For every significant virus it reviews, the research team at Symantec (which also produces Norton Anti-Virus software) puts together a detailed profile which includes assessments on how much damage the virus causes, how fast it can replicate and distribute itself, and how widespread it is. Some teams, like the team at www.sophos.com, also put up profiles of viruses hoaxes when they receive virus alerts that they determine to be inaccurate.

Finally, after a response team has assessed a virus and built a profile, it can then work on building a recovery tool for that virus. A recovery tool looks for a specific virus, removes it from the system if it is found, then attempts to repair any damage that the virus may have caused. Because recovery tools are individually built in response to specific viruses, they are generally much more effective against particular new threats than general anti-virus software, which attempts to protect against all viruses.

Of course, recovery tools are only useful to people whose systems have already been infected. They are useful for helping people recover, but insufficient when it comes to containing the virus. For this reason, the virus definitions built by response teams during the review phase are eventually included in updates to anti-virus programs, so that people can protect their systems from being compromised in the first place.

Case study: response to the Anna Kournikova virus  [Top]
On February 11, 2001, VBS.SST@mm, also known as the Anna Kournikova virus, first appeared in Europe. By the 14th, it had spread to over one million computers worldwide. This worm was able to spread rapidly and infect many systems partly because, like any new virus, anti-virus programs could not yet detect it. Emergency response teams needed to react quickly in order to help the many that were infected and keep the virus from becoming even more widespread.

The response teams did not dissappoint. By February 12, Symantec had found out about the virus, reviewed it, profiled it, built a recovery tool, and built an update to Norton AntiVirus that would recognize it. Everything necessary to detect, contain, and recover from the virus was available to the public within a day of the first infection.

The very short timelime of virus outbreak and containment is typical of computer viruses today. Response teams are very quick to respond to new viruses, but even so, many users are infected in that short period of time. Also, many systems still become infected even after the recovery tools are available because many people are unaware of them and/or do not update their anti-virus software. For this reason, the Kournikova virus remains at the top of Symantec's list of threats more than a month after it first appeared. Emergency response teams can be a godsend to those who look to them for help, but only can do as much as people let them. Without the awareness and cooperation of all computer users, viruses will continue to propagate.

Sources  [Top]
http://www.cert.org/ The CERT Coordination Center.

http://www.first.org/about/ Information about the Forum of Incident Response and Security Teams.

http://www.symantec.com/avcenter/ Virus information from Symantec.

http://www.stanford.edu/~security/ The SUNSeT web site.

http://www.sophos.com/ Sophos Anti-Virus site.

http://www.cnn.com/2001/TECH/internet/02/14/kournikova.virus.02/index.html "Man charged over Kournikova virus", February 14, 2001.