Feeds

Symantec explains its ‘we spotted Slammer’ claim

Over-excited marketing people, it seems

  • alert
  • submit to reddit

Security for virtualized datacentres

Symantec finally stepped in last night to clarify its handling of the discovery of the prolific SQL Slammer worm.

Last week Symantec raised hackles in the security community by claiming that it discovered the prolific worm "hours before it began rapidly propagating".

The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss.

Actually, as we intimated in a previous article, this was a case of inflated marketing claims disguising a more complicated sequence of events, rather than a serious lapse of ethics.

Well-established practices among AV vendors call for virus samples (or information on attacks) to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible.

If Symantec's analysts had developed an accurate picture of impending cyber- apocalypse - but withheld that information from the wider world for hours - then its behaviour would quite rightly be criticised as irresponsible.

But that's not what happened, as Vincent Weafer, senior director at Symantec Security Response in Santa Monica, California, explained to us last night.

Here's the sequence of events, according to Symantec:

2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec's DeepSight Threat Management System generates automated alert to customers.

2300 (approx) PST Friday, January 24: First third-party posts on the phenomenon to BugTraq.

0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.

0200 PST, Saturday, January 25: First public Web alerts providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.

So what Symantec sent out to its DeepSight early alert warning system customers initially was only "raw information", according to Weafer, certainly not more well defined alerts regarding an ongoing (very serious) attack.

Weafer defends Symantec's press release as promoting the benefits of early alerts but said he "recognised the confusion" caused by Symantec's failure to differentiate between early alerts and attack information in its PR blurb.

"At first we only knew it was a network anomaly, but starting around midnight we knew it was an attack," he told us.

Looking back, Symantec believes Slammer began spreading around 9.30pm (2130) PST and reached saturation at around 10pm (2200) PST. The "general peak" of the attack occurred within a three-hour time window, according to Weafer.

Although a widely quoted analysis by Silicon Defence and the University of Berkeley suggests Slammer spread more rapidly than this, there's therefore general agreement here about the onset of its spread - 9.30pm PST or 5.30am (GMT).

Weafer goes on to explain Symantec's general handling of serious Internet attacks.

"Although our first, and primary responsibility, is to our customers we continue to believe in sharing information on attacks," he told us.

Slammer, the first Warhol worm (famous in 15 minutes), calls for a major industry rethink on how security firms deal with a new generation of fast-spreading Internet worms, Weafer believes.

"We've never dealt with anything before that spread at the same speed as Slammer and we're still discussing its propagation on mailing lists. With the emergence of blended threats, like Nimda and Code Red, in 2001 we introduced wireless alerting.

"With the compressed timeframe in which something like Slammer can spread, we need to look again at how we can get accurate information out there as soon as possible," he added. ®

External Link

CERT advisory on SQL Server (Slammer) worm

Related Stories

Security experts duped by Slammer 'jihad' rot
Slammer: Why security benefits from proof of concept code
Korean Net users blame MS for Slammer carnage
ATMs, ISPs hit by Slammer worm spread
MS struggles to contain the Slammer worm
SQL worm slams the Net
'Secure by design', claims MS op-ed ad
Out of the Slammer

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.