Re: CRIME SQLSlammer Worm

From: tobyhush@private
Date: Tue Jan 28 2003 - 10:09:51 PST


    
    The size of this and the use of UDP are probably the most interesting things about it.
    I'd suggest that we'll see a lot more worms that are:
    a. trying to keep their size down as this did
    b. taking advantage of services and protocols that will allow fast movement and movement through firewalls (e.g. DNS, more UDP, maybe an ICMP something?)
    
    It's going to be an interesting year.
    
    toby
    
    On Mon, 27 Jan 2003 22:51:11 -0800 Crispin Cowan <crispin@private> wrote:
    >Kuo, Jimmy wrote:
    >
    > >I've argued within our circles that whoever isn't calling it Slammer or
    > >Sapphire doesn't believe in name synchronization.  Because those two names
    > >were the first on the scene.
    > >
    > >We call it Slammer, or SQLSlammer, or something like that.  But we have a
    > >relationship with ISS.
    >
    >I'm at a DARPA meeting this week. An Air Force guy from AFCERT claimed
    >that they saw & reported it first, about 5 minutes ahead of Symantec.
    >
    >Symantec is giving it the catchy name W32.SQLExp.Worm
    ><http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html>
    >so I can see why people are calling it "slammer" :)
    >
    >Caveats:
    >
    >    * I'm sure that AFCERT claimed to have found it first, but less sure
    >      that they said "Symantec" was second.
    >    * I don't do this kind of research directly, so it's all hearsay to me.
    >
    > >And the funny thing, when we gave the thing to the other AV companies, we
    > >said, "Here it is!"  They said, "No, we want the file!"  I said, "that's it.
    > >This is memory only.  You only have 'traffic' to deal with."  Still didn't
    > >believe me for a whole hour.  sigh.
    >
    >Fitting the entire exploit into a single UDP datagram is definitely a
    >cute hack. Allegedly the thing swamped the Internet in 4 minutes, posing
    >a serious threat to the idea of coordinated response to worms, and
    >validating Paxson & Staniford's Warhol Worm conjecture
    ><http://www.cs.berkeley.edu/%7Enweaver/warhol.html>
    >
    >Crispin
    >--
    >Crispin Cowan, Ph.D.
    >Chief Scientist, WireX                      http://wirex.com/~crispin/
    >Security Hardened Linux Distribution:       http://immunix.org
    >Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    >                Just say ".Nyet"
    
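Jimmy Kuo's point in the quoted exchange, that a memory-only worm leaves defenders with "only traffic to deal with", as an added example that is not part of the original thread: a small Python detector over constructed flow records that flags a host spraying identical-size UDP datagrams at many distinct destinations within a couple of seconds, the traffic shape of a random-scanning single-datagram worm. The record format, addresses, port and datagram size are all made up for the example and are not Slammer's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records for this example (not data from the thread):
# "<ISO time> <src> <dst> <proto> <dport> <bytes>", one datagram or segment per line.
# 10.0.0.5 sprays identical-size UDP datagrams at eight distinct hosts within two
# seconds; 10.0.0.9 is ordinary DNS and web traffic. Ports and sizes are made up.
SAMPLE_FLOWS = """\
2003-01-25T05:30:00 10.0.0.5 203.0.113.1 udp 4000 400
2003-01-25T05:30:00 10.0.0.5 203.0.113.2 udp 4000 400
2003-01-25T05:30:00 10.0.0.5 203.0.113.3 udp 4000 400
2003-01-25T05:30:00 10.0.0.5 203.0.113.4 udp 4000 400
2003-01-25T05:30:01 10.0.0.5 203.0.113.5 udp 4000 400
2003-01-25T05:30:01 10.0.0.5 203.0.113.6 udp 4000 400
2003-01-25T05:30:01 10.0.0.5 203.0.113.7 udp 4000 400
2003-01-25T05:30:01 10.0.0.5 203.0.113.8 udp 4000 400
2003-01-25T05:30:00 10.0.0.9 192.0.2.53 udp 53 64
2003-01-25T05:30:01 10.0.0.9 192.0.2.53 udp 53 71
2003-01-25T05:30:01 10.0.0.9 192.0.2.80 tcp 80 1500
"""

def parse_flows(text):
    """Parse the whitespace-separated records into (time, src, dst, proto, dport, size) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, size = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport), int(size)))
    return flows

def udp_fanout_sources(flows, window=timedelta(seconds=2), min_targets=8):
    """Return {src: (datagram_size, distinct_targets)} for every source that sent
    identical-size UDP datagrams to at least min_targets distinct hosts inside one
    sliding time window. DNS to a single resolver never reaches the threshold."""
    by_key = defaultdict(list)  # (src, size) -> [(time, dst), ...]
    for ts, src, dst, proto, _dport, size in flows:
        if proto == "udp":
            by_key[(src, size)].append((ts, dst))
    hits = {}
    for (src, size), events in by_key.items():
        events.sort()
        start = 0
        for end, (t_end, _dst) in enumerate(events):
            while t_end - events[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _t, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = (size, len(targets))
                break
    return hits
```

Running `udp_fanout_sources(parse_flows(SAMPLE_FLOWS))` on the constructed records reports only 10.0.0.5; raising `min_targets` or shrinking `window` tunes the detector against a network's normal UDP fan-out.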



    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 10:30:19 PST