Slashdot Mirror


Symantec Claims They Knew About Slammer In Advance

truthsearch writes "Wired is reporting 'Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.' I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected." It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. Update: 02/14 16:54 GMT by M : Wired has their math wrong; Symantec apparently had at most 20-30 minutes of early warning. Symantec claims in this press release that they discovered the worm "hours before it began rapidly propagating".

10 of 548 comments

  1. How does this announcement gain Symantec? by Max+Romantschuk · · Score: 4, Interesting

    OK, I don't get it... How does Symantec going "We knew all about it but we didn't tell you" make Symantec look good in any way? I know I get annoyed when people behave like that... So anyone have a thought on exactly how this benefits Symantec?

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
  2. It's not that easy. by BoomerSooner · · Score: 3, Interesting

    I fix a lot of systems (Windows-based) and the difference is you can actually run software without being root in UNIX. I would bet over 1/2 the software out there won't run on Windows unless you have admin rights. A girl's computer I had to repair (for the 3rd fscking time) has this POS Cattery software (Delphi, give me a break) and it cannot connect to its JDataStore since her user doesn't have admin rights. So I'm screwed, I have to give her rights for that and about 6 other programs that won't run. I cannot believe the piss poor planning (any planning MS?) that went into Windows.

    MS Linux like OS X would be good. Windows isn't that bad of a UI; it's just a piss poor backend that causes problems.

  3. Re:Hmm.. by Pxtl · · Score: 4, Interesting

    I've always noticed that too. The fact that there's never any large-scale loss really does encourage the idea that it's not your garden-variety blackhat. When I was a kid, your computer contracting a virus meant that you could kiss all your files goodbye. These days, it means your connection will be lagged and maybe some e-mail sent. All ILOVEYOU even did was delete some jpgs and mp3s. I'm surprised that none of these worms wait for an hour or two (for the computer to finish spreading) then wipe the machine or something - or maybe begin spewing the contents of the SQL database onto the 'net (heaven forbid credit card #'s be in there).

    I always say when something like this happens - at least the attacker wasn't going for raw damage.

  4. Re:So? by Matty_ · · Score: 3, Interesting

    I think we can pretty much assume that most informed administrators would patch the security hole on their systems.

    My guess is that the vast majority of Windows administrators do not subscribe to Microsoft's security advisories list and were not aware that they needed to fix a problem. This is probably due to sheer ignorance and/or lack of responsibility.

    Furthermore, tons of Windows servers are sitting out there which don't have anyone administrating them and keeping them up-to-date.

    A lot of small companies simply don't want to pay someone a service contract to maintain such things, but GOD FORBID they don't get to have their expensive Exchange/File/Print server.

  5. Not enough time anyway.. by harborpirate · · Score: 3, Interesting

    Another important point is this:

    The worm spread around the entire globe in minutes. And Symantec didn't know about the worm in advance, they are simply saying that they knew about it before anyone else. (Which other posters have pointed out is BS - apparently journalists and corporate managers don't understand time zones)

    Which leaves us with this simple fact: even if a sysadmin had gotten and read Symantec's message immediately, it is unlikely they would have had time to block the port and/or patch their server in time anyway! They may have already been hit in the time it took them to read the virus alert.

    The fact that Symantec noticed it was happening is hardly surprising, they make money by detecting and stopping viruses. Of course they would notice when a ton of traffic on a certain port started inundating the internet.

    This whole story is a load of crap. Hopefully Wired will do a little more research in the future into the stories they display, but somehow I doubt it.

    --
    // harborpirate
    // Slashbots off the starboard bow!
  6. Re:Moral obligation? I'd say so. by liquidsin · · Score: 3, Interesting

    Maybe you should get *your* analogies straight. Everyone is acting like Symantec did something horribly wrong. Let's not forget that there has been a patch available for this since July of last year. So if we must make analogies, how about this one:
    I, as a mechanic, know that cars made by Ford had a recall (say for something like tires...). Now, of course it's in my best interest to inform *my* customers, but am I "morally obligated" to stop every passer-by on the street who's driving a Ford and tell them?

    The point is, Microsoft admitted there was an issue and fixed it six months ago. Why is it Symantec's obligation to remind us all to secure our servers?

    --
    do not read this line twice.
  7. Symantec lies by helix400 · · Score: 4, Interesting
    Symantec has a bad history of not telling current customers about their viruses. When they discover a virus, they first take a few days to figure out a fix, and when they find a fix...THEN they announce it as "Discovered". Sure makes them look good when they claim to discover and fix most viruses the same day.

    I saw this first hand. When Opaserv variants were coming out almost weekly last fall, Symantec was very slow to acknowledge their existence. A few people I know sent them executables of a new variant on October 19. Finally, on October 23, they announced they "Discovered" it...4 DAYS AFTER WE SENT IT TO THEM! Those Symantec liars didn't even tell us that they discovered it, but they're working on a fix. No, they sat on the virus for 4 days! (Want proof? Check out Symantec's Oct 23 discover day for brasil.pif, here, and compare that with the Oct 19 date that many of us first noticed that virus on this discussion site here.) And of course, following true to Symantec policy, they claimed to have released a fix either the day of discovery or the next day...to show they're working hard for their customers.

    Stupid liars.

    1. Re:Symantec lies by CrazyDuke · · Score: 4, Interesting

      I experienced this on what should have been routine for them by now, yet another sub7 variant. I didn't know it was sub7 at the time other than it did basically what the sub7's before it did. I tried it on a dummy box, and it waltzed past Norton Antivirus. I verified the infection when my firewall started complaining about illegal requests from the trojan phoning home. I submitted the executable as packaged, described its infection strategy, removal guide, and packaged it all in a nice little email explaining that I had the latest and greatest patches and list for their current corporate version antivirus. This took me about 3 hours total, from research, infection, tracing, removal, verifying removal, formatting a report, and submitting it.

      About a month and a half later, I get a terse email from Symantec, stating that they already knew about sub7 and that they had had the definitions for a month now. They recommended that I should keep my antivirus updated more often. This was conveyed in a nice little way that sounded like I was some AOL newbie that couldn't tell the left from the right mouse button. Needless to say, I am no fan of Symantec now.

      --
      Any sufficiently advanced influence is indistinguishable from control.
  8. Re:Bag of Hammers (was "Big Surprise") by Feral+Bueller · · Score: 5, Interesting
    I had the opportunity to interview with Symantec about 5 years ago, for the Norton Anti-Virus unit.

    It's safe to say by your post that you haven't.

    To post the assertion that these guys have anything to do with the propagation and dissemination of virii is retarded - not only do they have to contend with regular build issues, feature requests, etc. - but they also have to keep up with the dozens of virii released into the wild on a weekly basis. The heuristics involved in developing the software necessary to *fix* an already infected (sometimes by multiple virii) is pretty impressive. There's no *good* reason why any of these engineers would intentionally create more work for themselves -- they don't need any.

    Additionally, they aren't the only game in town as far as anti-virus software. They would be out of the game in a New York minute if they were ever found to be involved in disseminating virii, intentionally or not.

    Please turn off your computer and go back to your "X-Files" reruns.

    P.S. - The coolest thing about the interview was when one of the Senior Engineers showed me the Quarantine Room, where they research different virii and repairing the damage.

    --
    - learn to swim.
  9. Re:Doubtful. by manyoso · · Score: 3, Interesting

    "What was the names of all those worms produced for apache again?"

    Let me assist you in finding your clue: You can't remember the names of those worms because they had no discernible impact compared to Code Red or Slammer.

    Everyone knows about Code Red and Slammer because they were frightening worms that caused a massive amount of damage. Hell, Gartner is telling people to not use IIS and migrate away because it is so damn buggy!

    People do not hate IIS because it isn't *cool* they hate it because it is shit software that has caused millions and millions in damages.