Re: New LSASS-based worm finally here (Sasser)

From: Javier Fernandez-Sanguino (jfernandez_at_GERMINUS.COM)
Date: 05/05/04

    Date:         Wed, 5 May 2004 10:54:36 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Marc Maiffret wrote:

    > One thing most people fail to note when speaking of
    > vulnerability-to-worm timelines shrinking is that you're basing your
    > timeline off of when a vulnerability is disclosed, to when a worm
    > is discovered, NOT when a worm is released. The importance of this
    > is that your timeline is not specifically based off of when the
    > "bad guy" decides to do a bad thing and more so when the "good
    > guys" discover a "bad guy" has done something bad.

    You are absolutely correct. Moreover, the timeline does not take into
    account when the vulnerability was "found" (vs. disclosed), which is
    impossible to know.

    >
    > With all of these security companies scrambling to be first (even
    > if they have nothing intelligent to say, other than some nifty name
    > for the worm) it means they are investing a lot of resources into
    > being the first to detect these worms. Which means that as their
    > detection capabilities grow, the timeline of how quickly they are
    > able to detect a worm is going to shrink. Which therefore can help
    > lead to the appearance (right or wrong) that worms are being
    > released faster, when in reality it is that they are now being
    > detected faster.
    (...)

    I agree with your overall appreciation. However, since Klez/Code Red
    you can see that the "time to detect a worm since the vulnerability
    was published" has reduced from months (sometimes even close to a
    year) to less than a month. Even though the data might not be
    accurate to the day (if detection was weeks off), it still shows a
    trend. [BTW, if anyone wants the full data, please speak up; no black
    magic here, it's gathered from public sources.]

    > In the real world most of these discussions about timelines of
    > vulnerability-to-worm do not matter, depending on your goal. For me
    > personally I think the goal is trying to create as much accurate
    > threat awareness as possible. We do not need to get down to the
    > number of specific days of this worm vs that worm to know that for
    > a fact there have been a few worms lately that have been
    > released/discovered within a timeline that is shorter than a month
    > or two. For any company that is a
    (...)

    I partly agree with your statement here. However, knowing that
    current worms are very vicious is as important as trying to see a
    trend there. Especially if that trend can raise threat awareness and
    might make people choose differently between, for example, an
    inappropriate (IMHO) security measure like "keep your antivirus
    up-to-date" and a better security measure like "harden your
    systems, ask for and purchase a hardened/secure OS/application and
    demand proactive security of your vendor (or else)".

    The first one is not going to save the day when worms start being
    released hours after a vulnerability is disclosed (or even before
    that). As CAIDA's data shows, current worm propagation methods ensure
    that most of the vulnerable (and exposed) population is infected in a
    very short amount of time (less than a day?). The second one will
    probably do.

    Still, the worst threat will still be users themselves on insecure OSes
    that let them help somebody fully compromise their system by
    double-clicking something :-)

    Regards

    Javier
