Kuo, Jimmy wrote:

>I've argued within our circles that whoever isn't calling it Slammer or
>Sapphire doesn't believe in name synchronization. Because those two names
>were the first on the scene.
>
>We call it Slammer, or SQLSlammer, or something like that. But we have a
>relationship with ISS.

I'm at a DARPA meeting this week. An Air Force guy from AFCERT claimed that they saw & reported it first, about 5 minutes ahead of Symantec. Symantec is giving it the catchy name W32.SQLExp.Worm <http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html> so I can see why people are calling it "slammer" :)

Caveats:

* I'm sure that AFCERT claimed to have found it first, but less sure that they said "Symantec" was second.
* I don't do this kind of research directly, so it's all hearsay to me.

>And the funny thing, when we gave the thing to the other AV companies, we
>said, "Here it is!" They said, "No, we want the file!" I said, "that's it.
>This is memory only. You only have 'traffic' to deal with." Still didn't
>believe me for a whole hour. sigh.

Fitting the entire exploit into a single UDP datagram is definitely a cute hack. Allegedly the thing swamped the Internet in 4 minutes, posing a serious threat to the idea of coordinated response to worms, and validating Paxson & Staniford's Warhol Worm conjecture <http://www.cs.berkeley.edu/%7Enweaver/warhol.html>

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"

This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 23:19:45 PST