Welchia worm slows Navy's net to a crawl

'Protection of networks and fighting network threats will be a continuing requirement.'

'Vice Adm. Richard Mayo

Henrik G. de Gyor

The Welchia worm taught the Navy a tough lesson last week: Patch a vulnerability as quickly as possible.

The service had been testing the patch Microsoft Corp. made available a month ago for the MSBlaster worm, which exploits the same Remote Procedure Call vulnerability as Welchia. In fact, it was preparing to roll it out last week when Welchia ripped through the Navy-Marine Corps Intranet's defenses and brought 50,000 PCs' Web services to a near standstill.

'We were erring on the side of caution. Usually, it rewards you; sometimes it penalizes you,' said Capt. Chris Christopher, deputy NMCI director for future operations, communications and business initiatives. Previous experience with problem patches has led the service to test each one thoroughly before deploying across multiple systems, he said.

The Navy network had been spared MSBlaster attacks because the service had updated its antivirus software to spot the signature code for the earlier worm. But there was no update available from Symantec Corp. of Cupertino, Calif., for the Welchia signature code until last Monday night. By then, the virus had affected thousands of unclassified NMCI systems.

Christopher said had he known that by the time a signature file was developed for Welchia, thousands of Navy PCs would be infected, he would have rushed to roll out the MSBlaster patch sooner.

'It makes me wish I was prescient,' he said. 'In light of events, it certainly would have been nice if we pushed the patch out two days earlier.'

Since the first computer was connected to NMCI two years ago, there have been roughly 350,000 unauthorized probes and 85,000 malicious virus and worm attempts to penetrate the network, Navy officials said.

Welchia, which contains code intended to benefit networks by ridding systems of the MSBlaster virus, clogged Internet, e-mail and some shared drive traffic on unclassified Navy computers.

Saturation point

Christopher said Welchia saturated NMCI in a sort of inadvertent denial-of-service attack, but the Navy did not shut down the network. 'We were able to manage our way through it,' he said.

NMCI contractor EDS Corp. said it was working to determine the exact point the worm entered the system.

After identifying the problem, the Naval Network Warfare Command, Naval Network and Space Operations Command, EDS and Symantec worked to eradicate the virus. EDS began installing defensive software for Welchia within minutes of its availability.

By Wednesday morning, the virus had been contained and a cleanup was in progress, Christopher said.

EDS has cut over 96,815 users to the network. Ultimately, NMCI, which EDS manages under an $8.82 billion contract, will support voice, video and data communications for 400,000 Navy and Marine Corps users.

Lynda A. Lukschander, program manager for the Marine Corps' NMCI IT infrastructure team, said the worm did not breach Corps systems because the service has not completely cut over to the intranet.

'We are still operating under the Marine Corps Enterprise Network,' she said.

In the face of so many new virus and worm programs, large organizations such as the Navy need to increase the intelligence mechanisms they use to learn about viruses, said Ken Dunham, a malicious-code intelligence manager for iDefense Inc. of Reston, Va.

It's easy to sneak a Trojan horse program into a network, Dunham said, making it difficult to ward off attacks such as Welchia.

'It's becoming increasingly difficult for large organizations to patch and protect before a strike,' Dunham said.

The service has a response plan for such systems threats, said Vice Adm. Richard Mayo, commander of naval network warfare. 'As use of networks becomes more crucial to national defense, protection of networks and fighting network threats will be a continuing requirement for us all.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above