Security elite SWAT at viruses
- 01/19/98
As malicious network viruses increasingly resemble terrorist
attacks, the security industry is developing its own version of SWAT teams
that aim to swiftly defuse crises and get hostages out of a jam.
Recently, security vendor Network Associates (NAI) was
faced with a difficult virus to eradicate when its customer MCI WorldCom
contracted the Remote Explorer virus, which affects Windows NT machines
and encrypts data.
To combat the virus, NAI called on its anti-virus researchers
in the United States, Japan, and England to fix the damage. The company
even recalled a team manager from vacation in Mexico.
"That is the job. The guy carries a beeper. The customer
has a problem, and the customer wants it fixed now," says Peter Watkins,
general manager of the Net Tools Secure division at Network Associates,
in Santa Clara, California. "The guy we had to pull back from Mexico was
the manager of the lab. This is the guy that has to determine the priorities.
We just pull them in. You have to."
No longer is it enough to purchase anti-virus or intrusion-detection
software and install it on a network. Users must now evaluate security
vendors' capability to address a new virus or attack and quickly respond
with a fix to the problem.
"As the networks become ever more intertwined and the
code becomes more self-replicating and vicious, the amount of damage is
growing exponentially," says Jim Balderston, an industry analyst at Zona
Research, in Redwood City, California. "The key, now and into the future,
is shrinking response times so the damage can be limited or minimized."
As customers evaluate possible security solutions, most
SWAT teams point to several key points of differentiation of which to be
aware.
-- What is the size and availability of the team?
-- What kind of turnaround time does the group usually have on viruses?
-- What is the ease of attaining updates for products?
-- Do they provide the services you need to keep up and running?
-- Which platforms do they support?
-- What is their virus-detection track record?
But SWAT team members often enjoy the challenges of their
positions regardless of strange hours and extreme demands.
"I love my job," says Vincent Gullotto, manager of Anti-Virus
Emergency Response Team at Network Associates, in Beaverton, Oregon. "It's
definitely what we live for. Most of these people are hard-core anti-virus
people. A lot of them eat, sleep, and breathe these sort of things."
"I love my job a lot," says Carey Nachenberg, chief researcher
on Symantec Anti-virus Research Team, or SARC, at Symantec, in Santa Monica,
California. "I look forward to every day. It's actually quite challenging."
Users dealing with security issues, however, expect this
level of commitment when it comes to getting networks back online after
a virus attack.
"Any kind of company that deals with the ongoing threat
of viruses would have some system in place where if we came to them with
a virus they would come to us with a fix," says a virus security administrator
at a large software publication company in California, who wished to remain
anonymous. "You don't hear a lot of stories about viruses, but our company
has been passing a lot of viruses lately. Thankfully none that have been
very malicious."
The simple fact is, however, if a major virus hits, the
first thing most administrators will do is remove their systems from a
network.
That leaves users without network access and unable to
conduct business as usual, and a company at a standstill is a company not
making money.
"Basically if you don't have to wait and your users don't
have to wait, that's important. Turnaround time is going to be critical
in this field," says SARC's Nachenberg. "Every minute that an IS manager
is waiting, they have people who are waiting to get their systems back."
SARC has an average response time of 19 hours. In an effort
to cut response times to virus alerts, SARC is working with IBM to create
and perfect a digital immune system that will use computers to scan, identify,
and fix viruses without the need for human intervention.
"Rather than humans doing the analysis, we're going to
have computers do it," Nachenberg says. "That way we won't have to come
back from our vacations."
NAI has set the bar high for itself and is taking a slightly
different approach, according to Watkins.
"I'd like to get that cycle time to less than six hours,"
Watkins says. "Over the next year, I'd like to have some of our electronic
analysis tools onsite on the server.
"What I'm doing here is having more points of analysis
near the customers, because the key here is quick containment," Watkins
adds.
Chronology of the Remote Explorer virus
-- Dec. 17, 1998: Network Associates' Anti-Virus Emergency Response
Team (AVERT) branch of NAI Labs was approached by MCI WorldCom, where
the virus was found.
-- Dec. 17, 1998: AVERT received samples at approximately 6 p.m.
-- Dec. 21, 1998: Removal and inoculation was made available to the
public at 8 a.m. after being tested in the customer environment.(*)
(*) Total AVERT labor hours for the project were approximately
200 to 225.

29A Labs issue #3
- 01/18/98
Issue #3 of 29A Labs, a very active virus coding group,
has been released.
Download issue #3
Download issue #2
Download issue #1

HWA Haxor News
- 01/17/98
Issue #4 of HWA Haxor News has been released.
HWA Haxor News #4

New Java Virus
- 01/16/99
Ikarus, an Austrian
antivirus company, Thursday issued a warning about the latest Java virus
to be discovered.
The new virus is called BeanHive, and is significantly
more stealthy than the previous version of the Java virus known as "Strange
Brew."
According to Java virus expert George Wu of Ikarus Software,
the latest virus is targeting end users, while the first virus was "mainly
a topic for developers." The BeanHive virus utilizes the user's Web browser
to gain access to the user's data.
Wu said the virus prompts the user through the browser
to accept a certificate called "Landing Camel." The infection is not invisible
since the virus accesses the PC through this certificate, but many Internet
users may be unaware of the implications of accepting such a certificate.
When the user's computer is reached, the virus (or bees,
as they're known) tries to contact its "queen," which is in fact the file
named "BeanHive.class." When the contact is established, the virus has
full access to the user's PC.
As of late Thursday, the author of the BeanHive virus
has only placed the virus on the Internet as a non-invasive demonstration,
but according to Wu "there are no limitations on the functions of BeanHive
and (they) could be activated any time."
The virus story was first reported by Dr. Karlhorst Klotz,
senior editor of CHIP computer magazine in Munich, Germany.
Java configuration hints

Help Net Security
- 12/27/98
Help Net Security has a new member: Goltha.
He is a programmer, and you will often see his new projects :) His first
project for HNS is Universe-Millenium edition, a program designed to find
the millenium trojan and secure your system against it.

The Deltasitez needed files library
- 12/27/98
The Deltasitez needed files section is up and running
with over 3000 (...) DLL, OCX and VBX files. Yes, I had to do something
with the empty space at the deltasitez.nu server so I thought this might
be a good idea. Originally the FTP server had a capacity of 100MB... too
small for all those files, so it's expanded to 200MB. The files are all
zipped but the filesize listed behind the filename is the size after they
are unzipped! Webmasters: Please do not link to the files listed at The
Deltasitez FTP server. Instead you can add a link to: http://www.deltasitez.nu.
When you do so, I will add a link back to your site at The Deltasitez needed
files archive main page!

Deltasitez News
- 12/27/98
It will take some time before The Deltasitez is fully
operational at our new server, but except for the fact that a great part of
our file library isn't available for download till then, the site is working
very well now! The news section will be updated daily again now and the
search for new nifty programs continues as well.

Virus hits State Farm computers
- 12/26/98
Computers connected to State Farm Insurance Co. are being
hit with a computer virus. Officials say today the virus has infected about
1,000 of its roughly 105,000 computers across the country, affecting regional
and claims offices, as well as individual agents. The virus can also infect
the home computers of people who contact the insurance company through
the Internet or e-mail. The Bloomington Pantagraph says special computer
software will have to be used on each affected terminal in order to clear
the virus. The MS Word macro virus came into the State Farm system on Microsoft
Word, but it is capable of attaching itself to other software. Officials
do not know when or how it got into the system. When a person attempts
to log on to the system, a message states the user's name and follows it
with the words, "...is a big stupid jerk."

AIM Recover
- 02/03/99
This program just decrypts AIM's passwords when they
are stored locally. The AIM passwords are stored in the registry. It will
get any password up to 10 characters long. This includes spaces, A-Z,
a-z, 0-9, and all those weird things: @:{}~!` It can also import buddy lists.
Download aimr2.zip
Website Dark-E.com

NetBus Snooper 1.31
- 02/03/99
Netbus Snooper was created as a supplement to using Netbus.
The author found that he had a lot of problems with the scanner that is
built into Netbus 1.7, and he also found that the Netbus 1.6 scanner is too slow.
Netbus Snooper not only finds sites on subnets but will also change the
password on hosts that are found. ... To perform a scan using Netbus Snooper
simply enter the subnet of the scan followed by an asterisk. For example
xxx.xxx.xxx.*
Features added since version v1.3:
Back Orifice Scanning UDP
Customizable Sounds for Events
Independent Host Files for NetBus and BO
Copy Local IP
Much Faster and More accurate Scanning!!!
Password Change on Netbus V1.53, V1.60 and V1.70
Download NetBus Snooper v1.31
Website NB Snooper Website

The Jammer
- 02/03/99
The Jammer monitors ALL UDP traffic on your computer,
so you can sleep well & have all passwords of miserable hackers. When
the Jammer program gets the BO request packet it starts the decryption
process & generates the workable password of the BO server. At the end
of decryption the program puts the password string into a readable file
on your hard disk & sends a warning message toward the source about
the Jammer protection. The Jammer works with a low-level network driver &
always communicates with the Network Driver Interface Specification (NDIS),
unlike Nuke Nabber, NoBo and BOFreeze (they use the higher level such as
Winsock).
Download The Jammer
Website Jammer Website

NetBus Update
- 02/02/99
The official release of NetBus has been delayed! Earlier,
the author of NetBus scheduled the program to be finished around the 1st
of February. There's no doubt somebody is waiting for the program to be released!
The official website of NetBus has been visited over 50.000 times in the
last 18 days!
Download NetBus 2.0 Pro Beta
Website The Official NetBus Website

BusJack
- 01/20/99
Responding to the recent release of NetBus Pro, Fresh
Software created BusJack, a very successful remover of the server part of
NetBus. Fresh Software isn't a stranger when it comes to Trojan hunters.
Shortly after the first release of Back Orifice they developed Antigen 1.0,
which was the first good answer against BO.
Download BusJack
Website Fresh Software

BO Spy V1.85
- 01/19/99
Did you like catching NetBus intruders with NetBuster?
You're certainly going to like BO Spy to do the same with BO intruders. The Chaplin
Corp. just released V1.85 of the popular program.
More Info: BO Spy Website

NetBus 2 Pro Beta
- 01/15/99
Carl-Fredrik Neikter had to do something these cold dark
days up there in Sweden! Just 2 months after the release of Version 1.7
he has now already finished a successor to the very popular Trojan Horse program
NetBus: V2.0 Pro Beta.
CF decided to rewrite the greatest part of the program
and has changed the name to NetBus Pro to get rid of the program's virus
associations. The interface of the program is dramatically changed and
Carl-Fredrik calls the program "a product with better performance and
more robustness." The following additional features will be found in it:
- New, good-looking graphical user interface (GUI).
- Proxy (SOCKS 4) support through client.
- The File manager is enhanced and improved.
- Chat with other users on a NetBus server.
- Capture web-camera images.
- Complete window manager.
- Registry manager.
- Plugin manager.
- Host scheduler (run commands on predefined times).
- Enhanced system information.
- Online help manual.
Screenshot: NetBus 2 Pro Beta
Download: (1.42MB) NetBus 2 Pro Beta

Lockdown2000
- 01/15/99
LockDown 2000 prevents hackers and unauthorized users
from accessing your computer across the Internet or a local network. LockDown
quickly and automatically disconnects, traces and identifies unauthorized
users. It prevents hackers from invading your privacy, deleting files,
or placing a virus or a trojan horse program on your PC. LockDown allows
you to watch or log in real-time what remote users do on your computer.
You can trace all connections, and identify the source through their IP
address, domain name, and machine name. You can block all users or, if
you share your resources, you can allow certain individuals to access your
computer by listing their specific IP. Other features include: the ability
to automatically disconnect users, and an optional audio or visual warning
that appears if someone connects to your computer. This latest release
adds background Trojan scanning, support for detecting unknown trojans,
the ability to add an unlimited number of IP addresses to the IP filter,
and the ability to run Whois or Traceroute when a new connection is made.
Download: Lockdown2000
Website: Lockdown2000

Backfire
- 01/15/99
Ever wondered who was trying to hack into your computer
using Back Orifice? BackFire is your answer. It is designed for those former Back
Orifice victims who think that removing the Trojan is not enough for
them. They want to take revenge by fooling those intruders back! BackFire will
pose as the Back Orifice server and is able to intercept the Back Orifice communication
port and track down the IP that is sending BO messages to you. Furthermore, you have
the power to flood them back! If lucky, their Back Orifice client will
hang.
Download: Backfire

NetBuster BUSTER
- 01/15/99
Having fun using NetBus on people while sometimes being
fooled back by someone using NetBuster? Due to the unstable design of NetBuster,
LEEBROS has designed NetBuster Buster. It will make those NetBuster users
hang, giving them a lame beep and forcing them to close down the program!
Download: NetBuster BUSTER

Bus Conquerer v1.3
- 01/15/99
For those who are having a hard time hacking a password-protected
Netbus trojan: this tool is just what you need. It hacks the Netbus trojan
password within seconds. Actually you are taking over somebody's trojan
by hacking its password. It simply replaces the password with your
own password. The best part is, it searches multiple IPs for the trojan and
changes the password automatically, and you won't even have to know who
the victims are. Efficiency is approx. 99%. Currently it won't work on Netbus
v1.70.
Download: Bus Conquerer
Screenshot: Conquerer.jpg

The Cleaner 2
- 12/06/98
It took a little while and some pre-releases. But the
ultimate trojan cleaner is finally there!! Puppet has released The Cleaner
2. The very hands-on tool cleans the most common trojans (38) and is a
must if you are a frequent downloader of underground files (no offense
to the good guys, but they ain't all good). The Cleaner 2 isn't freeware
and comes as a 30-day trial version. A good description and a list of the removable
trojans by The Cleaner can be found at Puppet's website.
Download
Puppet's website

BO is History
- 12/02/98
BO Freeze is the name of the latest program in the war
against Back Orifice. If you have had the misfortune to get Back Orifice
(a remote administration tool) installed on your system, you will realize
that it is not at all amusing. With the server installed, other users on
the internet have complete open access to your computer. They can view,
edit, delete and upload files, run DOS command line sessions through telnet,
even find out your internet account login name and password! The other
clever ability the BO client has is ping sweeping. It can easily locate
all the computers out of 254 on the net which have the BO server running
on them. As a result, the BO "crisis" is drastically blowing out of proportion
and causing major problems to unaware internet and PC users all over the
globe. But when you've got BO Freeze installed, a sweep will result in
a lock-up of the attacker's system. With this program you not only help
yourself but everybody on the internet!!
BO Freeze Homepage

Backdoor 2.03 Released
- 12/02/98
Dark Eclipse Software has released Backdoor 2.03, a remote
administration tool like NetBus and BO. The File and Dir views improved
dramatically in speed but the program still needs some OCX/DLL
files.
In a short time DE will release Backdoor 2.5 Gold. This program is programmed
in C++ so it doesn't require these files and it won't be freeware either.
Website Dark Eclipse
Download

BO Detect v2.05
- 12/01/98
HELP Website reports the release of CBSoftSolutions BoDetect
v2.05 Beta. BoDetect is capable of removing Back Orifice AND Netbus. CBSoftSolutions
strongly advises reading the manual before you start to download the program.
HELP Website
CBSoftSolutions

NetBuster 1.31
- 11/17/98
NetBuster 1.30 was released just a couple of days
ago and now another release of the program has been made public by Eclipse:
NetBuster 1.31. NetBuster is a NetBus remover but is also able to trick
the perpetrator and log his IP.

Contributors Wanted !!!
- 11/24/98
If you are an expert with graphics, you must already
have noticed that our graphics skills can be improved. Deltasitez is looking
for programmers/designers to make this site even better than it already
is. Please contact Deltasitez by E-Mail if
you think your expertise can be used by this website!!

Fringe of the Web
- 11/23/98
When you have some time left and you are willing to do
me a very big favor, you can vote for the Deltasitez at the Webfringe.
By voting you will help this site get a higher-ranked position in the
top 100 and obviously more visitors. You must leave the Fringe through
another site, otherwise your vote doesn't count.
