Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Claims They Knew About Slammer In Advance

Posted by michael on from the marketing-ploy dept.

truthsearch writes "Wired is reporting 'Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.' I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected." It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. Update: 02/14 16:54 GMT by M : Wired has their math wrong; Symantec apparently had at most 20-30 minutes of early warning. Symantec claims in this press release that they discovered the worm "hours before it began rapidly propagating".

36 of 548 comments (clear)

  1. Big Surprise by Anonymous Coward · · Score: 3, Insightful

    Do you honestly believe that all the viruses come from joe sixpack sitting in his basement with nothing better to do?

  2. makes it worth it by Anonymous Coward · · Score: 3, Insightful

    thats what makes the extra special account worth it.if they told everyone, then whats the point in paying for the extra notice?

    (not that I agree with not telling everyone, that just seems to be the why)

  3. Moral obligation? by nakhla · · Score: 5, Insightful

    Since when does Symmantec have a moral obligation to do anything? They're a corporation. Their service is to detect and prevent network attacks. If you are willing to PAY for the service, then you get the benefits of it. If not, then it sucks to be you. Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

    1. Re:Moral obligation? by phil+reed · · Score: 5, Insightful

      The Internet is a cooperative enterprise. It behooves all the users to play nice with each other. Symantec evidently decided that their customer base was a higher priority than playing nice with everybody else. That's fine, and they are welcome to make that choice. They then get to live with the consequences, including the one where everybody else decides not to play with Symantec because of their attitude.

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    2. Re:Moral obligation? by Quixote · · Score: 4, Insightful
      OK, then why do companies like Microsoft bitch and moan about individuals releasing exploits before they have had time to "study" the bug (read: sit around and do nothing) ?

      "Moral responsibility" is a two-way street: if you (the company) expect me to have some, then show some towards me too.

    3. Re:Moral obligation? by CelloJake · · Score: 3, Insightful

      I think there is a moral obligation. Knowing about a virus is, essentially, knowing about a crime that is about to be or is being committed. They at least had an obligation to report anything they know to legal authorities, short of proprietary solutions.

    4. Re:Moral obligation? by dpilot · · Score: 4, Insightful

      Do we really hold corporations to such low standards?

      Do you hold your friends or family to such low standards?
      Do you hold other members of your community to such low standards?
      Do you hold your elected officials and their appointees to such low standards?

      This came up during the hearings for Edwin Meese for Attorney General. The Attorney General is the highest Officer of the Law in the land. For him to merely say, "I have been convicted of no crimes." is not ANY sort of endorsement for the office. It's barely a qualification.

      When we rant against the poor and welfare, we argue that putting a safety net under these people will encourage them to fall into it, and not try to better themselves.

      Isn't the law really an ethical and moral safety net? So is it any wonder that *some* sink to the net, just like some poor do with welfare? But the real problem comes when we EXPECT people and corporations to sink to the net, take for granted that they will, and dont' see a problem with that situation.

      Businesses are a member of the community, too. I'd expect them to behave as ethically and civilly as any person. With a business, I only have my words and money as tools to 'encourage better behavior.'

      --
      The living have better things to do than to continue hating the dead.
  4. Re:Imagine if CNN knews about 9/11 by RT+Alec · · Score: 3, Insightful

    Sorry, but that is not a similar situation. Not even close.

  5. Timezones? by remmy1978 · · Score: 5, Insightful

    From the article:

    "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."

    Accounting for timezone differences between EST and PST, would this not make the two times much closer to each other?

    1. Re:Timezones? by fname · · Score: 4, Insightful

      Yup. So, Symantec forgets abouts time zones and starts congratulating themselves for their good work. Wired forgets about time zones and reports on Symantec's irresponsible acts. A Slashdot reader breezes through the article and submits it, whilst forgetting about time zones. Slashdot editor, rushing to post the article, forgets about time zones and posts the news item.

      Shame on Symantec. Shames on Wired. Good thing we have the good folks at Slashdot to keep the news in perspective.

  6. So? by fobbman · · Score: 5, Insightful

    Heck, Microsoft released a patch to fix this problem in June of 2002. Windows sysadmins had 6 months notice that it was a problem.

    I don't mean to sound like a troll or the least bit insensitive, but if the Windows sysadmins aren't keeping their servers patched then that's the sysadmin's fault. The finger of blame should be pointed right at the mirror. Keeping their servers updated and safe is their JOB, unless they have a security specialist, in which case it's their job.

    1. Re:So? by stratjakt · · Score: 3, Insightful

      Yep.

      And plenty of unix admins still running insecure versions of apache, ftpd, and openssl.

      MSFT has no monopoly on laziness, percieved or real.

      A big part of it is the propellerheads releasing the MS-hotfixes or OS-patches dont realize that in an enterprise environment you dont always have the time to bounce a server, apply the patch, test, validate all code that was running prior to the patch.

      --
      I don't need no instructions to know how to rock!!!!
  7. Gotta agree with the poster... by TopShelf · · Score: 4, Insightful

    This sounds like Wired trying to stir up a controversy from scratch. Besides, what would have been the impact of them posting a warning a few hours earlier? If an admin saw the notice before the widespread nature of Slammer was known, would they instantly apply patches that they hadn't already installed for one reason or another? I doubt it...

    --
    Stop by my site where I write about ERP systems & more
  8. Hmm.. by zulux · · Score: 5, Insightful

    ..... unless they had something to do with its release.

    I have wondered why a lot of these Microsoft-worms never seem to have a destructive payload. If you imagine a script-kiddie working hard in his mom's basement, you'd think he'd add a payload of some sort.

    (hell, if I had the inclenation and the time to create a virus, I'd atleast change the Windows statup .JPG to the 'gentleman who is affiliated with goats.')

    It's almost like these Microsoft-worms were desingned to create panic and purchasing action, but no legalally actionable damage.

    Just a rambeling thought.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  9. 9PM PST == 12AM EST by kaosmunkee · · Score: 5, Insightful
    From the article...
    According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.
    So explain to me again how they knew about it before anyone else? -kaos
  10. Agreed by Adam9 · · Score: 5, Insightful

    I don't see why people expect companies to donate information that costs them to find. They could've used this info in two ways, the way I see it. First, is to share it to their corporate customers who pay to have this kind of early warning. Second, release it to the media, CERT, and other organizations and make sure they "advertise" that Symantec found it first.

    So they chose the first. Big deal. Do you really think even a majority of these sysadmins would have firewalled their MS SQL server hours before it would be infected? Doubtful. If they didn't apply the patch from July of '02, then they're not going to immediately respond in a few hours to patch an impending threat.

    1. Re:Agreed by enjo13 · · Score: 3, Insightful

      Let me us an extreme example..

      Lets say your run a business cleaning up crime scenes (Such business really do exist). You find out, hours before, that someone is going to walk into a mall and just open fire. Do you A) Tell your friends not to go to the mall, and make sure that you just happen to be around before the massacre occurs? or B) do you call the police?

      Go with option A and you are an accessory to the crime and you go to jail. Even IF it was good for business.

      The same thing occured here. If in fact symantec KNEW about the transimission of a crime before it occured, then they most likely broke the law by not contacting the proper authorities. Would it have prevented Slammer? Nah.. but it doesn't change the fact that YES they are completely required to share this information. The issue of morality is irrelevant, this is an issue of law.

      --
      Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
  11. PST vs. EST by shawn.fox · · Score: 3, Insightful
    From the article:

    Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24." Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.

    For those of you who don't know the difference, EST is 3 hours ahead of PST. Thus DeepSight identified Slammer at about the same time as the 'rest of the Internet'
  12. Troll? by fobbman · · Score: 4, Insightful

    "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."

    Uhh...that's about the same time isn't it Sparky?

  13. Would it have changed anything? by Junta · · Score: 4, Insightful

    Probably not. Those forewarned took it seriously because they pay for the service. If Symantec had said that a huge attack was imminent and to block the port and patch your SQL servers, how many people do you think would have listened? Of those who listened, how many of those have processes in place so that the requisite network or software changes would have required approval that would have come too late to do any good?

    The people who paid for the warning are going to take it very seriously, but aside from that, I would wager that there would be enough doubt about the validity that measures wouldn't have been taken anyway. Patching the server has the obvious implication for many mission critical databases of a potential restart and potential for undesired change in functionality, so patching in many cases would require a testbed server and evaluation, which this warning provided insufficient time for. Blocking the port, or disabling that part of SQL server, for those with it enabled without needing it, means they need to understand what it does or does not do for them. If they already knew, they would have disabled it sooner, so you can't say they would immediately realize and shut it down.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  14. Re:Hmm.. by Bastian · · Score: 4, Insightful

    I see two possibilities:

    1) It was done for hack value, not vandalism.

    2) With how many Windows computers there are out there, a simple worm has the ability to cause more than enough trouble.

    As for Slammer not having a payload, that's because it was designed to fit in a single 505-byte UDP packet. There wasn't room for a payload.

  15. Re:Moral obligation? I'd say so. by tjwhaynes · · Score: 4, Insightful

    Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

    No - get the analogies right. If I, as a car servicing firm, knew of a part in a Ford car that could fail and cause the car to go off the road at random and I only let my best customers know, I would be sued for screwing around with peoples lives.

    Not that I have any sympathy for either MS or Sympantec - Symantec gets to make money off the loopholes in MS's operating system in a strange almost parasitic relationship. The only thing that isn't clear to me is which company is the host...

    Cheers,

    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  16. no morals by DuckWing · · Score: 3, Insightful

    In order for Symantec to have a "moral obligation" you must first assume that Symantec has Morals to begin with. They do not. It's that simple.

    --
    -- DuckWing
  17. Re:It's not that easy. by cheezedawg · · Score: 5, Insightful

    So Borland Delphi and 6 other applications wont run without admin rights, and somehow that is Microsoft's fault? Why not blame Borland?

    --
    "The defense of freedom requires the advance of freedom" - George W Bush
  18. They knew nothing by doc_traig · · Score: 4, Insightful

    It's a marketing gimmick to get less savvy IT managers to think that going with Symantec will get them ahead of the game. They're burning themselves twice: they'll alienate the infosec community that rightfully believes that knowledge of a potential devastating exploit gained in advance of its use should be shared, and they'll make very poor relationships with customers who fall for this kind of marketing and never have their expectations met down the road.

    --
    So long, michael. Don't let the door hit you...
  19. They didn't quite say that by jpmorgan · · Score: 5, Insightful
    They said 'We knew all about it, but only told our paying customers. You should become one of our paying customers.'

    It's a fairly fundamental difference.

  20. Re:Symantec... should be more careful! by Sun+Tzu · · Score: 4, Insightful
    Anti-virus companies have a huge conflict of interest in that they sell 'protection' against anonymously produced virus threats. These, and firewall producers, are precisely the same companies that benefit the most from malware and network-borne threats of all kinds.

    I would think that they would be more careful about raising people's suspicions about their prior knowlege of absurdly fast propagating worms.

    Maybe they are believers that 'any publicity is good publicity' -- even in their business.

    Send us your Linux Sysadmin articles!

    --
    Geeky modern art T-shirts
  21. Re:Doubtful. by ipxodi · · Score: 5, Insightful

    If all copies of MS products were magically replaced with *nix versions tomorrow, we'd see *nix oriented viruses the day after tomorrow. It isn't the label on the box, it's the popularity of the software.
    Virus writers are like vandals -- nobody is going to make graffiti where it doesn't get lots of public exposure.

    --
    load "windows7" ,8,1
  22. Symantec.... by wowbagger · · Score: 4, Insightful

    Symantec.

    The same Symantec who's Norton Anti-virus product is prominently featured in a rash of spams in my inbox?

    The same Symantec who claims to follow up on reports of this to spamwatch@symantec.com? That never seems to lead to any sort of actions?

    The same Symantec who just changed their auto-renewal to cost people more money IN THE MIDDLE OF THE RENEWAL CYCLE?

    Huh, who'd'a thunk it?

    Glad I use somebody else's anit-virus software.

    --
    www.eFax.com are spammers
  23. Re:Doubtful. by manyoso · · Score: 3, Insightful

    Last time I checked, Linux/Unix dwarfed Windows in the enterprise. Windows has a majority on the desktop, but it is only *one of many* players amongst servers and is not the most widely used.

    Time for a new theory :)

  24. Re:Moral Responsibility??? by Anonymous Coward · · Score: 3, Insightful

    Symantec does not have a moral responsibility to inform the public. Symantec isn't a publicly funded corporation, or a government agency.

    I think you're confusing moral responsibility and legal responsibility.

  25. Re:Doubtful. by manyoso · · Score: 5, Insightful

    Unix/Linux dominate the market for servers and databases. Oracle is the most widely used database the last time I checked and SQL Server was third. Unix/Linux *is* ubiquitous for servers. Microsoft is the niche player and it is Microsoft that is producing softare so buggy that it is hobbling the internet.

  26. Warnings Are Useless by RedSynapse · · Score: 3, Insightful
    At the University where I work our entire network was down for about 6 hours due to Slammer/Sapphire. This is an institution with 30,000 students and Oh happy coincidence, it was the last day to drop courses without academic penalty - which could only be done online. The problem is that each department, faculty, club, etc. runs their own servers so what ends up happening is Professor so-and-so's graduate student's cousin who once started studying for the A+ exam becomes the system administrator. Security Bulletin? Patch? Hotfix? What's that?

    Network Operations had to manually disconnect MANY servers which were just saturating the network. After doing this we got calls days later from people saying "My students are complaining that they can't access my server, any idea why this is?" So if you're expecting that every server has some crack squad of administrators scouring the net to make sure it's updated to the fullest - well sorry, it takes some people days to notice that their server isn't even on the network anymore.

    I mean you'd think people would turn on CNN and see SQL WORM RAVAGES INTERNET, and think, gee don't I have a machine running an SQL server, maybe I should check up on that? But no.

    The reality is that there was a patch available for this months before and nobody bothered to install it, I don't think a few more hours would have made much of a difference at least where I work.

  27. Re:Doubtful. by pi+radians · · Score: 3, Insightful

    While attempts with viruses and worms may be more due to populartiy, there are other factors that result in an insecure system.

    Just saying that viruses and worms are more popluar because of Microsoft's success is mearly a cop-out. Their success should be a benefit to their security (more resources should be dedicated to it), not an excuse for it.

    --

    sin(6cos(r)+5A)
  28. Wake up people! by FrankieBoy · · Score: 3, Insightful

    Who do you think is writing these sophisticated viruses and worms? Do really believe that the hundreds of new viruses that get released every month is because of some bored hackers who have nothing better to do? There are many stories of "Men-in-Black" style approaches to out-of-work developers in countries with a large high tech community. Someone shows up at your door with a big bag of money and no identity and asks you to write a particular type of virus, you might be inclined to take the money and not ask too many questions. It's called "Creating the Market".

  29. Re:Imagine if CNN knews about 9/11 by lvdrproject · · Score: 3, Insightful

    Please stop equating/comparing/relating every single fucking thing to 09/11. It's only a similar situation in that they knew but didn't tell anyone. What if i knew the exact time you would be born, but i didn't tell your mom? Similar situation, right? What if i knew how long the cookies were going to last before you bought them, but i didn't tell anyone? Similar situation, right?