[ISN] Slammer Source Code Provides Clues

From: InfoSec News (isnat_private)
Date: Tue Jan 28 2003 - 10:42:03 PST

  • Next message: InfoSec News: "[ISN] Crime Is Soaring in Cyberspace"

    By Dennis Fisher
    January 27, 2003 
    As corporate IT departments go about the business of cleaning up their 
    networks, there are strong indications that the SQL Slammer worm that 
    brought down portions of the Internet over the weekend is based on the 
    work of an obscure Chinese cracking group. 
    Signatures within the worm's source code indicate that a group known 
    as the Honker Union of China - also known as the Hacker Union of 
    China - may be responsible for writing the code, according to security 
    experts who have analyzed the code. However, experts caution that 
    although they are certain of the code's origins, someone else may have 
    actually loosed the worm on the Internet. 
    "We're 100 percent certain this was based on the CNHonker code," said 
    Chris Rouland, director of the X-Force research team at Internet 
    Security Systems Inc., in Atlanta. "But that doesn't mean they 
    released it." 
    Although the Honker Union has not yet claimed responsibility for the 
    worm, it has posted on its Web site in the past several versions of an 
    exploit for the vulnerability used by Slammer. The group has been 
    quite active in pro-Chinese and anti-American hacking activity in the 
    past and was involved in a U.S.-Chinese cyber-skirmish that erupted in 
    early 2001. 
    The worm did most of its damage in Asia, particularly South Korea, 
    which was effectively taken off the Internet for several hours 
    Saturday. And some experts have pointed out that the Slammer worm was 
    released on the anniversary of a major offensive in the Korean War 
    that began pushing back Communist Chinese forces that had penetrated 
    South Korea. 
    Despite the possible political motivations behind the worm's release, 
    White House security officials downplayed the idea that this was an 
    act of terrorism. 
    "We'd rather characterize terrorism as something that physically kills 
    people," said Marcus Sachs, director of communications infrastructure 
    protection in the Office of Cyberspace Security in Washington. "There 
    was no lasting damage done to the infrastrucutre. We'd like to see the 
    term cyber-terror dropped." 
    The worm, known variously as Slammer and Sapphire, hit the Internet 
    around 12:30 a.m. Eastern on Saturday and began spreading quickly. 
    Within the first hour, it had infected more than 50,000 machines, 
    Rouland said. It continued to spread throughout the day Saturday and 
    has now found its way into more than 200,000 machines, experts say. 
    Its infection rate was much faster than the Code Red worm of 2001, 
    even though there are far fewer SQL servers on the Internet than there 
    are Web servers running the Microsoft Corp. IIS software that Code Red 
    But, while Code Red continued to spread for several days, Slammer was 
    contained relatively quickly. The shorter life-cycle is due to several 
    factors, but much of it has to do with quick reactions from ISPs and 
    large network operators who all agreed to block traffic on port 1434, 
    which is the port Slammer uses to infect machines. This kind of 
    wholesale filtering is virtually unheard of and would not have been 
    possible with Code Red. Also, government agencies reacted much more 
    quickly to Slammer than they did to previous attacks, thanks mainly to 
    experience and help from private-sector security firms. 
    "There was quite a bit of activity going on here," said Sachs. "We 
    first saw it, I think at the [National Communications System] at about 
    1 a.m., and by 3 a.m. or 4 a.m. everyone who needed to know was out of 
    bed and notified." 
    Others agreed that the cooperation among the various ISACs, government 
    agencies and private firms was key to the worm's containment. 
    "I was the first one to call the [National Infrastrucutre Protection 
    Center] and that was at about 3:45 a.m., and we had a pretty good 
    handle on the analysis by then," said Pete Allor, director of 
    operations for the Information Technology Information Sharing and 
    Access Center and manager of the threat intelligence service at ISS. 
    "We had the packet captures early, and the analysis was pretty 
    straightforward. We talked to the Financial Services ISAC, [and] 
    worked closely with the telecom folks, all of them." 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 15:08:12 PST