Feeds

Symantec explains its ‘we spotted Slammer’ claim

Over-excited marketing people, it seems

  • alert
  • submit to reddit

Seven Steps to Software Security

Symantec finally stepped in last night to clarify its handling of the discovery of the prolific SQL Slammer worm.

Last week Symantec raised hackles in the security community by claiming that it discovered the prolific worm "hours before it began rapidly propagating".

The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss.

Actually, as we intimated in a previous article, this was a case of inflated marketing claims disguising a more complicated sequence of events, rather than a serious lapse of ethics.

Well-established practices among AV vendors call for virus samples (or information on attacks) to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible.

If Symantec's analysts had developed an accurate picture of impending cyber- apocalypse - but withheld that information from the wider world for hours - then its behaviour would quite rightly be criticised as irresponsible.

But that's not what happened, as Vincent Weafer, senior director at Symantec Security Response in Santa Monica, California, explained to us last night.

Here's the sequence of events, according to Symantec:

2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec's DeepSight Threat Management System generates automated alert to customers.

2300 (approx) PST Friday, January 24: First third-party posts on the phenomenon to BugTraq.

0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.

0200 PST, Saturday, January 25: First public Web alerts providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.

So what Symantec sent out to its DeepSight early alert warning system customers initially was only "raw information", according to Weafer, certainly not more well defined alerts regarding an ongoing (very serious) attack.

Weafer defends Symantec's press release as promoting the benefits of early alerts but said he "recognised the confusion" caused by Symantec's failure to differentiate between early alerts and attack information in its PR blurb.

"At first we only knew it was a network anomaly, but starting around midnight we knew it was an attack," he told us.

Looking back, Symantec believes Slammer began spreading around 9.30pm (2130) PST and reached saturation at around 10pm (2200) PST. The "general peak" of the attack occurred within a three-hour time window, according to Weafer.

Although a widely quoted analysis by Silicon Defence and the University of Berkeley suggests Slammer spread more rapidly than this, there's therefore general agreement here about the onset of its spread - 9.30pm PST or 5.30am (GMT).

Weafer goes on to explain Symantec's general handling of serious Internet attacks.

"Although our first, and primary responsibility, is to our customers we continue to believe in sharing information on attacks," he told us.

Slammer, the first Warhol worm (famous in 15 minutes), calls for a major industry rethink on how security firms deal with a new generation of fast-spreading Internet worms, Weafer believes.

"We've never dealt with anything before that spread at the same speed as Slammer and we're still discussing its propagation on mailing lists. With the emergence of blended threats, like Nimda and Code Red, in 2001 we introduced wireless alerting.

"With the compressed timeframe in which something like Slammer can spread, we need to look again at how we can get accurate information out there as soon as possible," he added. ®

External Link

CERT advisory on SQL Server (Slammer) worm

Related Stories

Security experts duped by Slammer 'jihad' rot
Slammer: Why security benefits from proof of concept code
Korean Net users blame MS for Slammer carnage
ATMs, ISPs hit by Slammer worm spread
MS struggles to contain the Slammer worm
SQL worm slams the Net
'Secure by design', claims MS op-ed ad
Out of the Slammer

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.