Re: CRIME SQLSlammer Worm

From: Crispin Cowan (crispin@private)
Date: Mon Jan 27 2003 - 22:51:11 PST


    Kuo, Jimmy wrote:
    
     >I've argued within our circles that whoever isn't calling it Slammer or
     >Sapphire doesn't believe in name synchronization.  Because those two names
     >were the first on the scene.
     >
     >We call it Slammer, or SQLSlammer, or something like that.  But we have a
     >relationship with ISS.
    
    I'm at a DARPA meeting this week. An Air Force guy from AFCERT claimed 
    that they saw & reported it first, about 5 minutes ahead of Symantec. 
    Symantec is giving it the catchy name W32.SQLExp.Worm 
    <http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html> 
    so I can see why people are calling it "slammer" :)
    
    Caveats:
    
        * I'm sure that AFCERT claimed to have found it first, but less sure
          that they said "Symantec" was second.
        * I don't do this kind of research directly, so it's all hearsay to me.
    
    
     >And the funny thing, when we gave the thing to the other AV companies, we
     >said, "Here it is!"  They said, "No, we want the file!"  I said, "that's it.
     >This is memory only.  You only have 'traffic' to deal with."  Still didn't
     >believe me for a whole hour.  sigh.
    
    Fitting the entire exploit into a single UDP datagram is definitely a 
    cute hack. Allegedly the thing swamped the Internet in 4 minutes, posing 
    a serious threat to the idea of coordinated response to worms, and 
    validating Paxson & Staniford's Warhol Worm conjecture 
    <http://www.cs.berkeley.edu/%7Enweaver/warhol.html>
    
    Crispin
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                    Just say ".Nyet"
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 23:19:45 PST