Full Disclosure mailing list archives

Re: [sean () donelan com: Symantec detected Slammer worm "hours" before]

From: Michael Scheidell <scheidell () secnap net>
Date: Thu, 13 Feb 2003 13:08:16 -0500 (EST)


Wow, Symantec is making an amazing claim.  They were able to detect
the slammer worm "hours" before.  Did anyone receive early alerts from
Symantec about the SQL slammer worm hours earlier?  Academics have
estimated the worm spread world-wide, and reached its maximum scanning
rate in less than 10 minutes.


It might be possible that they saw some of the initial 'load' traffic,
source port 69, or src port 53, dst port udp 1434, but this was mostly
some code almost 100% based on the litchfield exploit.

(oh, we saw it on December 19th and DID notify several IPS's and have
the logs to prove it)

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

[sean () donelan com: Symantec detected Slammer worm "hours" before] Len Rose (Feb 13)
- Re: [sean () donelan com: Symantec detected Slammer worm "hours" before] Rick Updegrove (security) (Feb 13)
- Re: [sean () donelan com: Symantec detected Slammer worm "hours" before] Michael Scheidell (Feb 13)
- RE: [sean () donelan com: Symantec detected Slammer worm "hours" before] Jason Coombs (Feb 13)
- <Possible follow-ups>
- Re: [sean () donelan com: Symantec detected Slammer worm "hours" before] tecky (Feb 13)
  - Re: [sean () donelan com: Symantec detected Slammer worm "hours" before] Ron DuFresne (Feb 13)