Re: Symantec detected Slammer worm "hours" before

[Krzysztof Adamski <k () adamski org>]

On Thu, 13 Feb 2003, Martin Hannigan wrote:

> On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> > Wow, Symantec is making an amazing claim.  They were able to detect
> > the slammer worm "hours" before.  Did anyone receive early alerts from
> > Symantec about the SQL slammer worm hours earlier?  Academics have
> > estimated the worm spread world-wide, and reached its maximum scanning
> > rate in less than 10 minutes.
> >
> > I assume Symantec has some data to back up their claim.
> >
> > http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> >   "For example, the DeepSight Threat Management System discovered the
> >   Slammer worm hours before it began rapidly propagating. Symantec's
> >   DeepSight Threat Management System then delivered timely alerts and
> >   procedures, enabling administrators to protect against the attack
> >   before their environment was compromised."
>
>
> One way they could have known about it is that some of their
> customers got nailed _and called them_.
>
> The other is IDS signature. I'm not sure if there was one already
> out there that would have caught this, but if the customers were
> calling they would have been able to create one quickly, as
> people did.
>
> If there's no alarm, no event tripped, there is no correlation
> data.

An other possibility is that they wrote the slammer them self so they had
early knowledge of it :-)

K