
RE: New LSASS-based worm finally here (Sasser)
One thing most people fail to note when speaking of
vulnerability-to-worm timelines shrinking is that you're basing your
timeline off of when a vulnerability is disclosed to when a worm is
discovered, NOT when a worm is released. The importance of this is that
your timeline is not specifically based off of when the "bad guy"
decides to do a bad thing, and more so on when the "good guys" discover
a "bad guy" has done something bad.

With all of these security companies scrambling to be first (even if
they have nothing intelligent to say, other than some nifty name for the
worm), it means they are investing a lot of resources into being the
first to detect these worms, which means that as their detection
capabilities grow, the timeline of how quickly they are able to detect a
worm is going to shrink. That therefore can help lead to the appearance
(right or wrong) that worms are being released faster, when in reality
it is that they are now being detected faster.

Take CodeRed for example... There was about a week's time where many
Microsoft IIS web servers were being crashed and "no one" understood
what was happening. There is much evidence of this if you look at any
Microsoft newsgroups around the time of CodeRed. So there is a week, or
maybe even more, that the worm had been released (which changes the
timeline) but no one knew about it. Now today, in some ways due to the
fame of CodeRed, worms are sexy and appealing to companies and media
alike... And therefore they get a lot more attention. We would never
have the case today where there would be public discussion of web
servers randomly crashing for a week without people figuring out there
was a worm on the loose (Well, I shouldn't bet on other people's
intelligence, but... ;-).

In the real world most of these discussions about timelines of
vulnerability-to-worm do not matter, depending on your goal. For me
personally, I think the goal is trying to create as much accurate threat
awareness as possible. We do not need to get down to the number of
specific days of this worm vs. that worm to know for a fact that there
have been a few worms lately that have been released/discovered within a
timeline that is shorter than a month or two. For any company, that is a
data point to think hard about, along with how your company handles
security. Are you running around putting out fires every time some kid
has a bad day and writes a worm, or are you being proactive and pitying
your peers?

BTW: The Witty worm was the fastest-released worm ever. I know you
mentioned OS, but we've not seen many, if any, OS worms. That is to
clarify that most worms have ALWAYS been for vulnerabilities in
applications that ran on top of the OS. But I digress... If you want to
read about some real OS flaws then check out:
http://www.eeye.com/html/Research/Advisories/AD20040413D.html

Signed, 
Marc Maiffret 
Co-Founder/Chief Hacking Officer 
eEye Digital Security 
T.949.349.9062 
F.949.349.9538 
http://eEye.com/Retina - Network Security Scanner 
http://eEye.com/Iris - Network Traffic Analyzer 
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities


-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez@xxxxxxxxxxxx] 
Sent: Monday, May 03, 2004 1:46 AM
To: Ben Ryan
Cc: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: New LSASS-based worm finally here (Sasser)


Ben Ryan wrote:

> As expected, LSASS exploit-based worm seems to have arrived. Fasten
> your seatbelts, those unpatched please use the spew bags provided :) I
> hope PSS resolves the issues discussed in KB835732.

What's more disturbing is that this worm has established a new record 
for Microsoft worms [1]. Blaster was the fastest worm (25 days since 
the patch was published to the worm), this one has been even faster 
(17 days for the first variant since the patch was published to the 
worm). Of course, I'm not considering the fact that this issue was 
known, at least to eEye and Microsoft, for over 5 months.

Regards

Javier

[1] Approaching the record of worms in other OS, which, I believe, is 
held by Scalper (10 days from patch to worm). But hey, they could 
browse the source changes for that one.