Feeds

Symantec explains its ‘we spotted Slammer’ claim

Over-excited marketing people, it seems

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Symantec finally stepped in last night to clarify its handling of the discovery of the prolific SQL Slammer worm.

Last week Symantec raised hackles in the security community by claiming that it discovered the prolific worm "hours before it began rapidly propagating".

The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss.

Actually, as we intimated in a previous article, this was a case of inflated marketing claims disguising a more complicated sequence of events, rather than a serious lapse of ethics.

Well-established practices among AV vendors call for virus samples (or information on attacks) to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible.

If Symantec's analysts had developed an accurate picture of impending cyber- apocalypse - but withheld that information from the wider world for hours - then its behaviour would quite rightly be criticised as irresponsible.

But that's not what happened, as Vincent Weafer, senior director at Symantec Security Response in Santa Monica, California, explained to us last night.

Here's the sequence of events, according to Symantec:

2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec's DeepSight Threat Management System generates automated alert to customers.

2300 (approx) PST Friday, January 24: First third-party posts on the phenomenon to BugTraq.

0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.

0200 PST, Saturday, January 25: First public Web alerts providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.

So what Symantec sent out to its DeepSight early alert warning system customers initially was only "raw information", according to Weafer, certainly not more well defined alerts regarding an ongoing (very serious) attack.

Weafer defends Symantec's press release as promoting the benefits of early alerts but said he "recognised the confusion" caused by Symantec's failure to differentiate between early alerts and attack information in its PR blurb.

"At first we only knew it was a network anomaly, but starting around midnight we knew it was an attack," he told us.

Looking back, Symantec believes Slammer began spreading around 9.30pm (2130) PST and reached saturation at around 10pm (2200) PST. The "general peak" of the attack occurred within a three-hour time window, according to Weafer.

Although a widely quoted analysis by Silicon Defence and the University of Berkeley suggests Slammer spread more rapidly than this, there's therefore general agreement here about the onset of its spread - 9.30pm PST or 5.30am (GMT).

Weafer goes on to explain Symantec's general handling of serious Internet attacks.

"Although our first, and primary responsibility, is to our customers we continue to believe in sharing information on attacks," he told us.

Slammer, the first Warhol worm (famous in 15 minutes), calls for a major industry rethink on how security firms deal with a new generation of fast-spreading Internet worms, Weafer believes.

"We've never dealt with anything before that spread at the same speed as Slammer and we're still discussing its propagation on mailing lists. With the emergence of blended threats, like Nimda and Code Red, in 2001 we introduced wireless alerting.

"With the compressed timeframe in which something like Slammer can spread, we need to look again at how we can get accurate information out there as soon as possible," he added. ®

External Link

CERT advisory on SQL Server (Slammer) worm

Related Stories

Security experts duped by Slammer 'jihad' rot
Slammer: Why security benefits from proof of concept code
Korean Net users blame MS for Slammer carnage
ATMs, ISPs hit by Slammer worm spread
MS struggles to contain the Slammer worm
SQL worm slams the Net
'Secure by design', claims MS op-ed ad
Out of the Slammer

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.