Message-ID: <1C3A9EBC-3130-11D7-9F77-000393958954@kramse.dk>
From: hlk at kramse.dk (Henrik Lund Kramshøj)
Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

On søndag, jan 26, 2003, at 06:52 Europe/Copenhagen, Schmehl, Paul L wrote:

> Cyberterrorism????  Getting a bit hyped up, aren't we?  It's just
> another stupid worm.
No, I don't think so

Why do you consider it terrorism only when people are hurt directly?
In Denmark where I live and many other countries monetary damage is
being acted upon even more harshly than "just maiming/hurting" people

Note that I don't say this is right, but in many places the punishment
for stealing somebody's property is harsher than if you hurt them
physically - especially if you're drunk, people get away with murder
by car etc.

SO, the point is - was the damage caused big enough to consider this
terrorism? Close call, but I don't think so, since the payload was rather
non-malicious and the real effect was a side effect. Had it been a 376
byte worm and 124 bytes HARMFUL code then I would consider this an
act of cyberterrorism - even though the actual target in that case
would be hard to predict.

We hear quotes like:
Starting 06:30 UTC ( 00:30 EST ) on Saturday Jan 25th 2003, worldwide 
traffic for port 1434 UDP increased rapidly causing major Internet 
links to fail. ISPs responded quickly by blocking port 1434.
While traffic is still strong in some areas. It dropped to about 5% of 
peak globally.

Single ms-sql servers have been reported to generate traffic in excess 
of 50 MBit/sec. after being infected.

Keystone's Internet Health report is still reporting a link 
degradation: http://www1.internetpulse.net/ As a result of degraded 
links, root DNS servers and other resources have been unavailable at 
times.

"This has effectively disabled 5 of the 13 root nameservers."
------------------

I would rate this quite serious, but thanks to the quick response from
the network operators the people who should know this and update their
servers in the future WON'T learn.
*sheeez* they already had the example of SQLsnake worm and Code Red,
but STILL didn't do anything about this vuln, or even firewall the
port in the first place.

Best regards

--
Henrik Lund Kramshøj
hlk@...amse.dk|inet6.dk|sikkerhedsforum.dk|security6.org}
Please read email policy at http://www.kramse.dk/email

