Symantec explains its ‘we spotted Slammer’ claim

Over-excited marketing people, it seems

Symantec finally stepped in last night to clarify its handling of the discovery of the prolific SQL Slammer worm.

Last week Symantec raised hackles in the security community by claiming that it discovered the prolific worm "hours before it began rapidly propagating".

The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss.

Actually, as we intimated in a previous article, this was a case of inflated marketing claims disguising a more complicated sequence of events, rather than a serious lapse of ethics.

Well-established practices among AV vendors call for virus samples (or information on attacks) to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible.

If Symantec's analysts had developed an accurate picture of an impending cyber-apocalypse - but withheld that information from the wider world for hours - then its behaviour would quite rightly be criticised as irresponsible.

But that's not what happened, as Vincent Weafer, senior director at Symantec Security Response in Santa Monica, California, explained to us last night.

Here's the sequence of events, according to Symantec:

2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434; Symantec's DeepSight Threat Management System generates an automated alert to customers.

2300 (approx) PST, Friday, January 24: First third-party posts on the phenomenon to BugTraq.

0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.

0200 PST, Saturday, January 25: First public Web alerts providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.
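As an added illustration (not Symantec's DeepSight code), here is a minimal two-stage alert rule that mirrors the escalation in the timeline above: a firewall-sensor anomaly on port 1434 (many distinct sources in one minute) yields a medium-level "raw" alert, and IDS signature hits on top of it raise the level to high. The log formats, addresses, signature name and thresholds are constructed assumptions for the example.

```python
"""Two-stage early-alert logic modelled on the Symantec Slammer timeline.

Added example, not DeepSight code. The firewall and IDS log formats,
addresses, signature name and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed formats: one firewall DROP line per blocked datagram, one IDS
# ALERT line per signature match.
FW_RE = re.compile(r"^(?P<ts>\S+) fw\S* DROP UDP src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) ids\S* ALERT sig="(?P<sig>[^"]+)" src=(?P<src>[\d.]+)')


def assess(lines, port=1434, src_threshold=5):
    """Return (level, detail). Escalation follows the timeline: 'medium' on a
    firewall-only anomaly (raw information: >= src_threshold distinct sources
    hitting the port within one minute), 'high' once IDS signature hits
    confirm what the traffic actually is, 'none' otherwise."""
    per_minute = defaultdict(set)  # minute -> distinct sources hitting port
    ids_hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and int(m.group("dport")) == port:
            per_minute[m.group("ts")[:16]].add(m.group("src"))  # YYYY-MM-DDTHH:MM
            continue
        m = IDS_RE.match(line)
        if m:
            ids_hits.append((m.group("ts"), m.group("src"), m.group("sig")))
    peak_minute, peak = max(((k, len(v)) for k, v in per_minute.items()),
                            key=lambda kv: kv[1], default=(None, 0))
    anomaly = peak >= src_threshold
    level = "high" if anomaly and ids_hits else "medium" if anomaly else "none"
    return level, {"peak_minute": peak_minute, "distinct_sources": peak,
                   "ids_hits": len(ids_hits)}


# Constructed sample logs (not real captures); timestamps echo the timeline.
FW_LINES = [f"2003-01-24T22:01:{i:02d} fw1 DROP UDP src=10.0.{i}.7 dst=192.0.2.10 dport=1434"
            for i in range(8)] + [
            "2003-01-24T22:01:30 fw1 DROP UDP src=10.9.9.9 dst=192.0.2.10 dport=53"]
IDS_LINES = ['2003-01-25T00:00:12 ids1 ALERT sig="constructed-udp1434-worm-sig" src=10.0.3.7 dst=192.0.2.10']

if __name__ == "__main__":
    print("firewall only:", assess(FW_LINES))           # -> medium, raw anomaly
    print("firewall + IDS:", assess(FW_LINES + IDS_LINES))  # -> high, confirmed
```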

So what Symantec initially sent to its DeepSight early-alert customers was only "raw information", according to Weafer, and certainly not a well-defined alert about an ongoing (very serious) attack.

Weafer defends Symantec's press release as promoting the benefits of early alerts but said he "recognised the confusion" caused by Symantec's failure to differentiate between early alerts and attack information in its PR blurb.

"At first we only knew it was a network anomaly, but starting around midnight we knew it was an attack," he told us.

Looking back, Symantec believes Slammer began spreading around 9.30pm (2130) PST and reached saturation at around 10pm (2200) PST. The "general peak" of the attack occurred within a three-hour time window, according to Weafer.

Although a widely quoted analysis by Silicon Defence and the University of Berkeley suggests Slammer spread more rapidly than this, there is general agreement about the onset of its spread: 9.30pm PST, or 5.30am GMT.

Weafer goes on to explain Symantec's general handling of serious Internet attacks.

"Although our first, and primary responsibility, is to our customers we continue to believe in sharing information on attacks," he told us.

Slammer, the first Warhol worm (famous in 15 minutes), calls for a major industry rethink on how security firms deal with a new generation of fast-spreading Internet worms, Weafer believes.

"We've never dealt with anything before that spread at the same speed as Slammer and we're still discussing its propagation on mailing lists. With the emergence of blended threats, like Nimda and Code Red, in 2001 we introduced wireless alerting.

"With the compressed timeframe in which something like Slammer can spread, we need to look again at how we can get accurate information out there as soon as possible," he added. ®

External Link

CERT advisory on SQL Server (Slammer) worm
