FRAMINGHAM (12/31/99) - Despite concerns that computer crackers and virus creators might use the Y2K date change as a trigger to launch online attacks, those monitoring corporate security systems around the world say there is little evidence that such intrusions have occurred and only two new viruses have been detected so far.
The Pittsburgh, Pa.-based Computer Emergency Response Team (CERT), which has been monitoring Y2K-related security concerns at its Coordination Center, is reporting no unusually high number of viruses or other attacks.
Ian Finlay, a member of the CERT technical staff, said the center has received the normal volume of 30 daily incident reports on systems that have been compromised or hit with an attempted attack. "Based on current information, we believe that the number of infections and new viruses will be about the same during the Y2K period as any other time," Finlay said. "We have seen no other activity to date that is related directly to Y2K."
CERT, which tracks virus reports, noted that about a dozen Y2K-related viruses have been reported, but they are not widespread. The likelihood of a virus spreading is greater as workers return to their jobs next week, but CERT says there is no reason to expect a major outbreak.
Antivirus software vendor Computer Associates International Inc. in Islandia, N.Y., has issued alerts for two new Y2K-related viruses, the Trojan.Kill Inst98 virus and the Zelu.Trojan virus, which have been reported by a small number of companies. According to CA, the Trojan.Kill virus is distributed through pirated copies of Windows 98 and activated by the Y2K date change.
Before the clock changes to 2000, the Trojan.Kill virus alters the file KEYB.COM, causing Windows to begin using the Spanish keyboard. Hiding behind a setup file called Instalar.exe, the virus then deletes all files on the C drive. Computer Associates is offering detection and cure software on its Web site that can combat Trojan.Kill.
"Since Trojan.Kill is directly related to Y2K and carried a destructive payload, we're concerned about the damage it can do," said Simon Perry, security business manager at CA.
Perry also warned about the Zelu.Trojan virus, which he said was discovered in the wild masquerading as a Y2K fix. He said the virus, which is launched via an executable program, is delivered via e-mail or file-sharing systems. It overwrites all the files in an infected PC with the text, "This file is sick, it was contaminated by the radiation liberated by the explosion of the atomic bomb."
Other antivirus vendors have confirmed that they are not expecting significant virus activity during the Y2K rollover. Vincent Weafer, director of the Symantec Antivirus Research Center in Los Angeles, noted that while Christmas and New Year is traditionally a time when many new viruses are targeted at companies where vacationing IT personnel will be less vigilant, this year's vigil for Y2K software glitches changes the equation.
"We have heard of minor sporadic cases throughout the [U.S.] government, but so many corporations have people on duty watching for Y2K bugs, that even if there are attacks, they will be taken care of quickly," Weafer said.
Weafer added that customers in Pacific Rim nations, which have now experienced the year 2000 for several hours, report no increased virus activity. He said Symantec expects some delayed reaction next week when viruses with Y2K payloads may make their presence felt, but he believes companies are prepared. "Because of extra security and people updating their virus definitions, it is going to be a safer year for these types of problems," Weafer said.
Ron Moritz, CTO of Finjan Software Ltd. in San Jose, Calif., which sells software that repels denial of service attacks and other exploits, said some customers have chosen to reboot systems as a precaution. "Some people have done slow reboots and shutdowns and systematic restarts of systems, and this is a good thing to stop these machines and reboot them one at a time," Moritz said.
According to Moritz, Finjan took another approach and prepared its systems by applying suggested patches to NT servers, assembling a quick response team and keeping all servers, including mail servers, FTP servers, Web servers and firewalls, in continuous operation. Still, Moritz expects that new threats might not emerge until this period of intense scrutiny subsides. "There is an expectation that if not today or tomorrow, by early next week we will see a flurry of activity," said Moritz. "I see evidence that the attacking community is trying to be decent, but there are people out there who are going to take advantage of the millennium turnover to cause a little more excitement."
The IDG News Service reported earlier today that computer hackers targeted the Web site of the Japanese Internet Y2K Coordination Center overnight but were unsuccessful at bringing it down.
The denial of service attack, which involved flooding the Web server with thousands of bogus requests in the hope of overloading it, occurred around midnight local time, said a spokesman for the center, located in a downtown office building of Nippon Telegraph and Telephone Corp. in Tokyo.
The center, which began operations as New Zealand entered the new year, is a cooperative effort of the nation's Internet service providers and the Internet Association of Japan.
As the date change makes its way around the planet, other security experts continue to report a quiet New Year's Day. Steve Schick, a spokesperson for Checkpoint Software Technologies Ltd., headquartered in Ramat Gan, Israel, says none of the company's large telecommunications customers have reported security incidents since the date change.
"We knew the firewalls and [virtual private networks] would work; they are designed for Y2K compliance. Our concerns were with software accounting systems and other third-party software," Schick said.
Schick and other security analysts say they are weathering a high volume of calls and e-mail inquiries by IT managers seeking to stay on top of breaking developments.