RE: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Fri Oct 03 2003 - 23:23:42 PDT

    >>>Like Code Red, Nimda, Sapphire, and Blaster, each of which was 
    >>>capable of wiping out most Windows systems, and did. Seems like a 
    >>>pretty credible claim.
    
    >>But they didn't! You proved my point. Code Red, Nimda, Blaster, etc. all
    >>had the ability to wipe out the Internet and grind every machine to a
    >>halt. But they didn't. Code Red was probably the worst and it hit maybe
    >>25% of the Windows machines. Why?  Again - third party mechanisms
    >>(anti-virus, firewalls, intrusion prevention systems, etc.) contained
    >>that spread. Normalcy was restored within hours. 
    
    >So the diversity that Geer et al say we need to preserve worked.
    
    How many Windows machines are there?  Yet these named viruses each hit a
    couple hundred thousand or maybe up to a half million machines.  I don't
    know about you, but my definition of "most" requires at least a half.
    
    >>>When the August NE American blackout happened, there was a
    >>>significant report of some of the power grid being controlled by 
    >>>a Windows RPC DCOM system, which is precisely the Windows component 
    >>>that Blaster exploited. This may not have been the proximate cause 
    >>>of the blackout, but there's essentially no reason why it could not 
    >>>have been.
    
    >>Yes I have heard the same thing too.  That situation could have been
    >>easily and painlessly mitigated with effective AV,
    
    >How could AV possibly have mitigated a server worm like Blaster? How 
    >could *any* signature-based defense defend against a fast spreading worm
    >that hits your machines faster than any AV company can distribute an 
    >update? This was the point of Staniford et al's Warhol Worm paper 
    ><http://www.vnunet.com/News/1132084>: that worms can spread across the 
    >entire Internet in minutes, far faster than AV vendors can get a new 
    >signature out.
    
    Crispin, I will thank you not to make speeches on AV technology.
    
    McAfee's VirusScan detected Blaster as "Exploit-DcomRpc" using DATs released
    the previous week.  (Similarly, Nachi/Welchia.)  You will find that most of
    the articles about networks that got taken down referred to the Blaster
    and/or Welchia virus.  The interesting thing about that...  McAfee's names
    for the same two are Lovsan and Nachi.  Symantec's names for those two are...
    Blaster and Welchia.  :-)
    
    Jimmy
    
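The "signature race" the two replies argue about, as an added example that is not part of the thread: a small logistic worm-spread model (the random-constant-spread model behind the Warhol-worm analysis) in which a signature, once rolled out, removes hosts from the vulnerable pool. The compromise rates, signature release times and rollout durations are constructed assumptions, not measurements from Blaster or Code Red.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Scenario:
    """Constructed parameters, not measurements from any real outbreak."""
    k_per_hour: float         # K: new infections per infected host per hour, at the outset
    sig_release_hour: float   # when the signature ships, relative to worm release (negative = earlier)
    sig_rollout_hours: float  # hours for the update to reach the whole host population (> 0)

def simulate(s: Scenario, horizon_hours: float = 24.0, dt: float = 1 / 60) -> Tuple[float, Optional[float]]:
    """Euler-step the logistic model da/dt = K * a * (1 - a - p).

    a = infected fraction, p = fraction protected by the signature; protected hosts
    leave the vulnerable pool. Returns (final infected fraction, hour at which
    infection first reached 50%, or None if it never did).
    """
    infected, protected = 1e-6, 0.0        # one seed host in a million
    half_hour: Optional[float] = None
    t = min(0.0, s.sig_release_hour)       # start early if the signature predates the worm
    while t < horizon_hours:
        vulnerable = max(0.0, 1.0 - infected - protected)
        new_inf = s.k_per_hour * infected * vulnerable * dt if t >= 0 else 0.0
        new_inf = min(new_inf, vulnerable)  # cannot infect more hosts than remain vulnerable
        new_prot = 0.0
        if t >= s.sig_release_hour:         # linear rollout: 1/rollout of the fleet per hour
            new_prot = min(vulnerable - new_inf, dt / s.sig_rollout_hours)
        infected += new_inf
        protected += new_prot
        if half_hour is None and infected >= 0.5:
            half_hour = t
        t += dt
    return infected, half_hour

# Three constructed cases: a Warhol-class worm that outruns a same-day signature,
# the same worm against a signature shipped a week earlier, and a Code-Red-class
# worm with a signature released two hours into the outbreak.
WARHOL_LATE_SIG = Scenario(k_per_hour=50.0, sig_release_hour=1.0, sig_rollout_hours=4.0)
WARHOL_PRIOR_SIG = Scenario(k_per_hour=50.0, sig_release_hour=-168.0, sig_rollout_hours=24.0)
CODERED_LATE_SIG = Scenario(k_per_hour=1.8, sig_release_hour=2.0, sig_rollout_hours=6.0)

if __name__ == "__main__":
    cases = [("warhol/late sig", WARHOL_LATE_SIG), ("warhol/prior sig", WARHOL_PRIOR_SIG),
             ("code red/late sig", CODERED_LATE_SIG)]
    for name, sc in cases:
        final, half = simulate(sc)
        print(f"{name:18s} final infected {final:6.1%}  50% reached at {half} h")
```

A signature that ships after a fast worm is already saturating changes nothing in this model, while one already deployed before release (the "DATs from the previous week" case) leaves the worm no vulnerable pool to grow into.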



    This archive was generated by hypermail 2b30 : Sat Oct 04 2003 - 00:16:12 PDT