Message-ID: <40975442.7030803@germinus.com>
Date: Tue, 04 May 2004 10:28:50 +0200
From: Javier Fernandez-Sanguino <jfernandez@...minus.com>
To: Jason <security@...enik.com>
Cc: Ben Ryan <ben@...c.edu.au>, NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM,
   bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Re: New LSASS-based worm finally here (Sasser)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason wrote:
 >
 > Javier Fernandez-Sanguino wrote:
 >
 > [...]
 >
 >>
 >> [1] Approaching the record of worms in other OS, which, I
 >> believe, is held by Scalper (10 days from patch to worm). But
 >> hey, they could browse the source changes for that one.
 >>
 >
 > It did not attack an OS directly but I believe the witty worm [1]
 > holds the record to date. A 1 day window from advisory to release,
 > it attacked and destroyed a security component that was supposed to
 > protect against these issues...

You're right. I forgot about Witty; I read CAIDA's analysis of the
worm just yesterday.

Still, the infected population of Witty was pretty small (I believe
~12,000 machines in a day?) compared to SQLexp (~200,000 [1]), Slammer
(~75,000-100,000 [2]), CodeRed (~360,000 in 12 hours [3]), Nimda
(around 1.6 times CodeRed, maybe over 500,000 systems? [4]). I can't
find data for Blaster, but I presume it infected many more systems
than Nimda. So I believe we might be facing a worm that will infect
over 1,000,000 systems.

Probably anti-virus vendors will have more accurate data. But I
haven't seen it, not even in Symantec's (excellent) Threat Report V
(December 2003) [5]. In any case, this worm was "predicted" by that
same report. I would like to suggest that everyone read it thoroughly
(Disclaimer: I don't work at Symantec).

Regards

Javier


[1] http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf
[2] http://www.caida.org/analysis/security/sapphire/
[3] http://www.caida.org/analysis/security/code-red/
[4] http://www.first.org/events/progconf/2002/d5-02-song-slides.pdf
[5] http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&EID=0

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQJdUO6O1I0N5hzVfEQI+agCg3bZ9mm3JdKZpb2EL/z7rqRtlYs8AoKT3
10ew7+BsihlP//bdpD06yTzJ
=FCNK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html