Full Disclosure mailing list archives
Re: Re: New LSASS-based worm finally here (Sasser)
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Tue, 04 May 2004 10:28:50 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason wrote:
>
> Javier Fernandez-Sanguino wrote:
>
> [...]
>
>> [1] Approaching the record of worms in other OS, which, I
>> believe, is held by Scalper (10 days from patch to worm). But
>> hey, they could browse the source changes for that one.
>
> It did not attack an OS directly but I believe the witty worm [1]
> holds the record to date. A 1 day window from advisory to release,
> it attacked and destroyed a security component that was supposed to
> protect against these issues...

You're right. I forgot about Witty; I read CAIDA's analysis of the worm just yesterday.

Still, the infected population of Witty was pretty small (I believe ~12,000 machines in a day?) compared to SQLexp (~200,000 [1]), Slammer (~75,000-100,000 [2]), CodeRed (~360,000 in 12 hours [3]) and Nimda (around 1.6 times CodeRed, maybe over 500,000 systems? [4]). I don't find data for Blaster, but I presume it infected many more systems than Nimda. So I believe we might be facing a worm that will infect over 1,000,000 systems.

Probably anti-virus vendors will have more accurate data. But I haven't seen it, not even in Symantec's (excellent) Threat Report V (December 2003) [5]. In any case, this worm was "predicted" by that same report. I would like to suggest that everyone read it thoroughly (Disclaimer: I don't work at Symantec).

Regards

Javier

[1] http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf
[2] http://www.caida.org/analysis/security/sapphire/
[3] http://www.caida.org/analysis/security/code-red/
[4] http://www.first.org/events/progconf/2002/d5-02-song-slides.pdf
[5] http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&EID=0

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQJdUO6O1I0N5hzVfEQI+agCg3bZ9mm3JdKZpb2EL/z7rqRtlYs8AoKT3
10ew7+BsihlP//bdpD06yTzJ
=FCNK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html