Slashdot Mirror


Symantec Claims They Knew About Slammer In Advance

truthsearch writes "Wired is reporting 'Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.' I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected." It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. Update: 02/14 16:54 GMT by M : Wired has their math wrong; Symantec apparently had at most 20-30 minutes of early warning. Symantec claims in this press release that they discovered the worm "hours before it began rapidly propagating".

24 of 548 comments

  1. Doubtful. by BoomerSooner · · Score: 2, Interesting

    Unless they helped the Korean program the thing. I unfortunately have to use MS products (my company pays me to) and it's a constant waste of time applying the daily hotfix, backing up, testing, implementing, ...

    Why doesn't MS just give up with their POS OS and go to a Unix core like OS X? MS Linux with a .Net front end would be secure, fast, OSS core, and finally kill 99% of the reason the internet sucks.

    Oh well, guess I'm dreamin.

    1. Re:Doubtful. by AnotherShep · · Score: 2, Interesting

      Wouldn't help at all. Shitty code is shitty code, no matter what's underneath it. It isn't the core of the OS that's broken (Well, at least not completely), it's the 'services' that run on top of it (SQL server, IIS, etc).

    2. Re:Doubtful. by kasperd · · Score: 2, Interesting

      Unless they helped the Korean program the thing.

      Indeed, that was also my first thought. The graphs I have seen over the activity for the first minutes looked like exponential growth with a doubling time of less than one minute. That would give at most half an hour between the very first infection and worldwide spread. If Symantec notified their customers hours before, that would be before the worm was released. Of course it is theoretically possible that the author notified Symantec prior to release.

      --

      Do you care about the security of your wireless mouse?

    3. Re:Doubtful. by JWW · · Score: 2, Interesting

      It's always wonderful when the fix breaks an interface with another system as well.

      AND when the people who wrote that interface call and tell you to remove the patch so that their interface will work again.

      You were saying something about keeping up with all the hotfixes, or should I worry about the business being able to have systems that talk to each other?

      This really is a serious issue and I think it happens more often than people expect. In this case the client program should have been fixed, but corporate politics were used to force me to make the change to the database instead of them changing their client program.

      But the main point is that only better software right out of the gate, without the need for a gazillion patches, is the answer. Once you've been burned by a patch breaking your previously working systems, you get very wary of future patches.

      God I hate SQL Server.

    4. Re:Doubtful. by manyoso · · Score: 3, Interesting

      "What was the names of all those worms produced for apache again?"

      Let me assist you in finding your clue: You can't remember the names of those worms because they had no discernible impact compared to Code Red or Slammer.

      Everyone knows about Code Red and Slammer because they were frightening worms that caused a massive amount of damage. Hell, Gartner is telling people to not use IIS and migrate away because it is so damn buggy!

      People do not hate IIS because it isn't *cool* they hate it because it is shit software that has caused millions and millions in damages.

  2. How does this announcement gain Symantec? by Max Romantschuk · · Score: 4, Interesting

    OK, I don't get it... How does Symantec going "We knew all about it but we didn't tell you" make Symantec look good in any way? I know I get annoyed when people behave like that... So anyone have a thought on exactly how this benefits Symantec?

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/

  3. very intriguing by greechneb · · Score: 2, Interesting

    Nothing better to increase your business like having something that scares potential customers.

    How many Windows users do you know who have virus protection software that came with their PC and has never been updated? They won't upgrade their virus software until they learn that it is necessary.

    When do they find out it is necessary? When someone hits the web with a massive worm/virus. If nothing massive happens for a while, I'm sure antivirus companies are losing money. What better way to spike sales than by creating panic?

  4. It's not that easy. by BoomerSooner · · Score: 3, Interesting

    I fix a lot of systems (Windows based) and the difference is you can actually run software without being root in UNIX. I would bet over 1/2 the software out there won't run on Windows unless you have admin rights. A girl's computer I had to repair (for the 3rd fscking time) has this POS Cattery software (Delphi, give me a break) and it cannot connect to its JDataStore since her user doesn't have admin rights. So I'm screwed, I have to give her rights for that and about 6 other programs that won't run. I cannot believe the piss poor planning (any planning MS?) that went into Windows.

    MS Linux like OS X would be good. Windows isn't that bad of a UI; it's just a piss poor backend that causes problems.

    1. Re:It's not that easy. by Cutriss · · Score: 2, Interesting

      Microsoft's own programmers don't follow the schema properly, though. Flight Simulator 2000 won't run properly unless you're using an Administrator-class user. Power Users need not apply. I used to do add-on development for FS2K, so I know this for a fact.

      --
      "Mod, mod, mod...and another troll bites the dust."

  5. Would it have mattered? by mgs1000 · · Score: 1, Interesting

    If Symantec had released a warning, would it have made much difference? How many months did the Nimda and Code Red viruses stay with us because people didn't bother updating their software? I even doubt Microsoft would have had a bug fix out in time.

  6. Re:Timezones? by Speed Racer · · Score: 2, Interesting

    Especially since the virus didn't even debut until 12:30 AM EST on 25 Jan, according to the article. Either everybody noticed it before it was actually released or the times listed in the article are FUBAR. Either way, the Symantec spokesman is full of doublespeak.

    --
    Free Mac Mini. Yes, I'm

  7. Re:Hmm.. by Pxtl · · Score: 4, Interesting

    I've always noticed that too. The fact that there's never any large-scale loss really does encourage the idea that it's not your garden-variety blackhat. When I was a kid, your computer contracting a virus meant that you could kiss all your files goodbye. These days, it means your connection will be lagged and maybe some e-mail sent. All ILOVEYOU even did was delete some jpgs and mp3s. I'm surprised that none of these worms wait for an hour or two (for the computer to finish spreading) then wipe the machine or something - or maybe begin spewing the contents of the SQL database onto the 'net (heaven forbid credit card #'s be in there).

    I always say when something like this happens - at least the attacker wasn't going for raw damage.

  8. Re:So? by Matty_ · · Score: 3, Interesting

    I think we can pretty much assume that most informed administrators would patch the security hole on their systems.

    My guess is that the vast majority of Windows administrators do not subscribe to Microsoft's security advisories list and were not aware that they needed to fix a problem. This is probably due to sheer ignorance and/or lack of responsibility.

    Furthermore, tons of Windows servers are sitting out there which don't have anyone administrating them and keeping them up-to-date.

    A lot of small companies simply don't want to pay someone a service contract to maintain such things, but GOD FORBID they don't get to have their expensive Exchange/File/Print server.

  9. Not enough time anyway.. by harborpirate · · Score: 3, Interesting

    Another important point is this:

    The worm spread around the entire globe in minutes. And Symantec didn't know about the worm in advance, they are simply saying that they knew about it before anyone else. (Which other posters have pointed out is BS - apparently journalists and corporate managers don't understand time zones)

    Which leaves us with this simple fact: even if a sysadmin had gotten and read Symantec's message immediately, it is unlikely they would have had time to block the port and/or patch their server in time anyway! They may have already been hit in the time it took them to read the virus alert.

    The fact that Symantec noticed it was happening is hardly surprising, they make money by detecting and stopping viruses. Of course they would notice when a ton of traffic on a certain port started inundating the internet.

    This whole story is a load of crap. Hopefully Wired will do a little more research in the future into the stories they display, but somehow I doubt it.

    --
    // harborpirate
    // Slashbots off the starboard bow!

  10. Poor computer use by rhino_badlands · · Score: 2, Interesting

    It's crap that they hold information back, but here's what I think about anyone who got whacked with it.

    Some people and companies practice poor computer use ... If your car has a recall you sure as hell don't sit around and say ah, I'll get it fixed tomorrow, cause your ass could end up on the side of the road in itty bitty pieces. People should think the same way about computers: maintain, update, and keep it clean, you will never have a problem, and get security patches!

    I haven't had a problem with any of my computers with viri, worms, and other things, just because I keep them updated!

    It also helps to not be an idiot with your e-mail!

    --
    - MOSKIE

  11. An accessory for not reporting a felony? by jeaster · · Score: 2, Interesting

    Someone help me out here. The article states: "If I witness a felony but refuse to call 911 because the victim hasn't paid me money to do so, I'm technically an accessory to that crime, not to mention a really rotten citizen." I don't believe this to be true. I have been advised, by police officers and law professors, that if I happen upon someone drowning in a pond and screaming for help, that I am well within my rights to pull up a chair, take out a bag of popcorn and a coke and watch. Our laws do not provide for forced intervention in crime by the citizens. Sure, it would make me a rotten person, but it does not make me an accessory. Can anyone cite law differently?

  12. Re:Symantec... should be more careful! by Incongruity · · Score: 2, Interesting

    Anti-virus companies have a huge conflict of interest in that they sell 'protection' against anonymously produced virus threats. These, and firewall producers, are precisely the same companies that benefit the most from malware and network-borne threats of all kinds.

    That same claim can (and has) been leveled against the defense and intelligence industry for some time now. If we don't believe there to be a threat, then we (any given 'we') will not pay for a defense against that (non) threat. The point you make, however valid, isn't really all that new.

    I'm not in any way trying to flame you, however...I'm just pointing it out because it seems interesting to see how once again it's the same old story (life, that is) with a new wrapper on it.

  13. Not Unless They Wrote It by hibachi · · Score: 2, Interesting

    Dozens of network administrators from around the world on the NANOG mailing list, and EFnet #nanog all saw the first packets of Slammer at 05:29:29 and 05:29:45 GMT. That's dozens of very well placed people all seeing the first incident within a 16 second window, and not one administrator saw one earlier. How am I supposed to believe that Symantec knew about this earlier when none of us did?

    I would like to see a copy of this so-called alert they sent out before the worm hit, if it exists, and then an explanation of how they knew in advance this worm would hit. Dubious does not even begin to describe it.

  14. Re:Moral obligation? I'd say so. by liquidsin · · Score: 3, Interesting

    Maybe you should get *your* analogies straight. Everyone is acting like Symantec did something horribly wrong. Let's not forget that there has been a patch available for this since July of last year. So if we must make analogies, how about this one:
    I, as a mechanic, know that cars made by Ford had a recall (say for something like tires...). Now, of course it's in my best interest to inform *my* customers, but am I "morally obligated" to stop every passer-by on the street who's driving a Ford and tell them?

    The point is, Microsoft admitted there was an issue and fixed it six months ago. Why is it Symantec's obligation to remind us all to secure our servers?

    --
    do not read this line twice.

  15. Symantec lies by helix400 · · Score: 4, Interesting

    Symantec has a bad history of not telling current customers about their viruses. When they discover a virus, they first take a few days to figure out a fix, and when they find a fix...THEN they announce it as "Discovered". Sure makes them look good when they claim to discover and fix most viruses the same day.

    I saw this first hand. When Opaserv variants were coming out almost weekly last fall, Symantec was very slow to acknowledge their existence. A few people I know sent them executables of a new variant on October 19. Finally, on October 23, they announced they "Discovered" it...4 DAYS AFTER WE SENT IT TO THEM! Those Symantec liars didn't even tell us that they discovered it, but they're working on a fix. No, they sat on the virus for 4 days! (Want proof? Check out Symantec's Oct 23 discovery day for brasil.pif, here, and compare that with the Oct 19 date that many of us first noticed that virus on this discussion site here.) And of course, following true to Symantec policy, they claimed to have released a fix either the day of discovery or the next day...to show they're working hard for their customers.

    Stupid liars.

    1. Re:Symantec lies by CrazyDuke · · Score: 4, Interesting

      I experienced this on what should have been routine for them by now, yet another sub7 variant. I didn't know it was sub7 at the time other than it did basically what the sub7's before it did. I tried it on a dummy box, and it waltzed past Norton Antivirus. I verified the infection when my firewall started complaining about illegal requests from the trojan phoning home. I submitted the executable as packaged, described its infection strategy, removal guide, and packaged it all in a nice little email explaining that I had the latest and greatest patches and list for their current corporate version antivirus. This took me about 3 hours total, from research, infection, tracing, removal, verifying removal, formatting a report, and submitting it.

      About a month and a half later, I get a terse email from Symantec, stating that they already knew about sub7 and that they had had the definitions for a month now. They recommended that I should keep my antivirus updated more often. This was conveyed in a nice little way that sounded like I was some AOL newbie that couldn't tell the left from the right mouse button. Needless to say, I am no fan of Symantec now.

      --
      Any sufficiently advanced influence is indistinguishable from control.

  16. Re:So? by WNight · · Score: 2, Interesting

    If Microsoft was better at releasing bug fixes in small packages, so that you could keep your server doing exactly what it does now, but without a buffer overflow, people would update more often.

    Most admins are pretty trusting with Apache patches. Give them ten minutes of testing, mainly to ensure you didn't overwrite something during the install, and you're ready to go live. MS patches are larger and unwieldy. MS software also tends to have more unpredictable interactions than unix software. As a consequence, Unix admins who patch at all tend to trust updates and patch more quickly. Of course not everyone will patch, many people have toy webservers they don't really admin, but that's beyond the scope of this.

    Unix software also tends to be smaller and call other programs instead of doing everything in one executable. As long as the interface between the two works, you can keep your bug testing isolated to the segment you're patching. (Upgrade PHP, run PHP tests, not full webserver-and-CGI tests.)

    Don't forget that MS themselves weren't in full compliance with this patch. There's the ability to auto-install updates, but they didn't for some reason. You'd think their admins would be the best, that they'd know all the tricks.

  17. Re:Bag of Hammers (was "Big Surprise") by Feral Bueller · · Score: 5, Interesting

    I had the opportunity to interview with Symantec about 5 years ago, for the Norton Anti-Virus unit.

    It's safe to say by your post that you haven't.

    To post the assertion that these guys have anything to do with the propagation and dissemination of virii is retarded - not only do they have to contend with regular build issues, feature requests, etc. - but they also have to keep up with the dozens of virii released into the wild on a weekly basis. The heuristics involved in developing the software necessary to *fix* an already infected (sometimes by multiple virii) is pretty impressive. There's no *good* reason why any of these engineers would intentionally create more work for themselves -- they don't need any.

    Additionally, they aren't the only game in town as far as anti-virus software. They would be out of the game in a New York minute if they were ever found to be involved in disseminating virii, intentionally or not.

    Please turn off your computer and go back to your "X-Files" reruns.

    P.S. - The coolest thing about the interview was when one of the Senior Engineers showed me the Quarantine Room, where they research different virii and repair the damage.

    --
    - learn to swim.

  18. get it all for free at DShield ! by Anonymous Coward · · Score: 1, Interesting

    well, if you don't want to pay $50k for some 'virtual' advanced warning, sign up with DShield and get it all for free. Just send them your logs and they will do the same thing Symantec does for you.