Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Will The Next Slammer Strike?

Posted by timothy on from the not-to-pick-on-anyone dept.

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

3 of 408 comments (clear)

  1. Could someone explain... by zerosignal · · Score: 5, Interesting

    ...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.

  2. This is nothing yet by Scarblac · · Score: 5, Interesting

    The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).

    Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

    --
    I believe posters are recognized by their sig. So I made one.
  3. Worm indicates massive back-end udp exposures? by pophop · · Score: 5, Interesting

    1. The worm was strictly based on UDP 1434 transfer
    I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
    So: I rule our direct penetration from the Internet for most corporate environments.

    2. Worm was memory resident only. Reboot cleared it.
    Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt
    if they would be able to bring an already infected machine into work via VPN.

    Note: If split tunneling was allowed then it is quite possible for an already conencted home PC to act as a vector into a company - my guess
    is that this is NOT common.
    So: I rule out employee remote access as a primary vector.

    3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame ) .
    I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they
    allowed from "trusted" business partners ) is something that I suspect is very common in large organizations.

    The speed which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that
    the large organizations of the world are massively linked by misconfigured routers/firewall that allow way too much UDP traffic flow between
    trusted partners - affectively a "fuse" linking the worlds computing infrastructures.

    That's it. Wacky and overly-speculative perhaps but I would be interested in getting some anonymous feedback about the successful attack vecors
    other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.

    --
    "very like a whale..."