Back-Door'ed by the Slammer
Another SANS GIAC paper. This one studies the SQLSlammer/Sapphire worm and the disaster recovery process that took place when that worm hit.

On Sunday, January 26, 2003, the company I work for was involved in an incident caused by SQLSlammer. What makes this particularly interesting is that the course of the infection happened from within the company, actually starting at our corporate headquarters. It found its way through a small 56k frame relay connection that had been monitored, but through a configuration mishap, the traffic was allowed through undetected. To make matters worse, a few days before we were hit, we had been in contact with another company that was infected and were taking precautions to avoid being infected ourselves.

The goal of this paper is to show how the incident was handled, and to demonstrate that even though you may think you're protected, it's imperative to double-check your perimeter protection and have good lines of communication with sites that have direct access to your network. I also plan to touch upon the reasons behind not being sufficiently patched and the importance of patch management, along with how the incident was handled, and in parts, mis-handled.

In each of the six steps of incident handling (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), I will describe how the process took place at the time of the incident and also add comments on how the incident could have been handled more efficiently with the knowledge attained from this class.

Source: Back-Door'ed by the Slammer, John Hally
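The two checks below are an added example and are not code from Hally's paper or from this post. They show what "double-check your perimeter protection" looks like in practice for this worm: a datagram classifier that recognises the well-known Slammer shape (a single UDP datagram to the SQL Server Resolution Service on udp/1434 with a 376-byte payload, type byte 0x04 followed by a long run of 0x01 padding) and a first-match audit over per-link access lists that reports every link on which udp/1434 is still permitted. The ACL syntax is a simplified Cisco-style subset, the rule sets and datagrams are constructed for the example, and the paper does not say what the actual configuration mishap was; the unreachable deny on the frame relay link here is an assumption used to illustrate one common way such a link ends up open.

```python
"""Perimeter checks for SQLSlammer (added example, not from the paper).

Assumptions (not from the paper): simplified Cisco-style ACL lines of the
form "<permit|deny> <proto> any any [eq <port>]", evaluated first-match with
an implicit deny at the end; source/destination addresses are ignored.
"""
import struct

# Well-known Slammer characteristics: one UDP datagram to the SQL Server
# Resolution Service (udp/1434) carrying a 376-byte payload (404-byte IP packet).
SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376


def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (8-byte header + data) into (src, dst, payload)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field inconsistent with datagram size")
    return src, dst, datagram[8:length]


def is_slammer_datagram(datagram: bytes) -> bool:
    """Heuristic match for a Slammer-style SSRS overflow datagram.

    A legitimate type-0x04 SSRS request is "0x04 + instance name + NUL", a few
    dozen bytes at most; the worm sends exactly 376 bytes whose overflowed
    buffer is filled with 0x01. The 64-byte padding threshold is an assumption.
    """
    try:
        _src, dst, payload = parse_udp(datagram)
    except ValueError:
        return False
    if dst != SSRS_PORT or len(payload) != SLAMMER_PAYLOAD_LEN:
        return False
    if payload[0] != 0x04:
        return False
    return payload[1:65] == b"\x01" * 64


def _parse_rule(rule: str):
    """Return (action, proto, port) from one simplified ACL line."""
    tokens = rule.split()
    action, proto = tokens[0], tokens[1]
    port = int(tokens[tokens.index("eq") + 1]) if "eq" in tokens else None
    return action, proto, port


def first_match_action(rules, proto: str, port: int) -> str:
    """Evaluate an ordered rule list first-match, with an implicit trailing deny."""
    for rule in rules:
        action, rule_proto, rule_port = _parse_rule(rule)
        if rule_proto in (proto, "ip") and rule_port in (None, port):
            return action
    return "deny"


def links_passing_udp_1434(acls: dict) -> list:
    """Return the names of every link whose inbound ACL still permits udp/1434."""
    return [
        link for link, rules in acls.items()
        if first_match_action(rules, "udp", SSRS_PORT) == "permit"
    ]


# Constructed sample datagrams (header fields: src port, dst port, length, checksum).
SLAMMER_LIKE = (
    struct.pack("!HHHH", 1234, SSRS_PORT, 8 + SLAMMER_PAYLOAD_LEN, 0)
    + b"\x04" + b"\x01" * 97
    + b"\x00" * (SLAMMER_PAYLOAD_LEN - 98)   # shellcode region, zeroed here
)
BENIGN_SSRS_QUERY = (
    struct.pack("!HHHH", 1234, SSRS_PORT, 8 + 13, 0) + b"\x04MSSQLSERVER\x00"
)

# Constructed per-link ACLs. The deny on the frame relay link sits after a
# blanket permit, so it is never reached (assumed mishap, not the paper's).
SAMPLE_ACLS = {
    "hq-t1": ["deny udp any any eq 1434", "permit ip any any"],
    "frame-relay-56k": ["permit ip any any", "deny udp any any eq 1434"],
}


if __name__ == "__main__":
    print("slammer-like datagram flagged:", is_slammer_datagram(SLAMMER_LIKE))
    print("benign SSRS query flagged:", is_slammer_datagram(BENIGN_SSRS_QUERY))
    print("links still passing udp/1434:", links_passing_udp_1434(SAMPLE_ACLS))
```

Run the ACL audit against every link that terminates on your network, not just the main Internet edge: the paper's point is that the small, "monitored" link was the one left open. The datagram check is a classifier for the worm's wire shape only; treat it as a detection signal, not as proof that the sending host is patched or unpatched.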
July 30, 2005 in papers, SQLSlammer
Comments
This paper is a great example for why prior assumptions can get you into hot water. It also is an example of why additional intelligence in your security infrastructure is needed.
I outlined those points in more detail here:
http://esphion.blogs.com/esphion/2005/08/dont_assume_or_.html
The additional intelligence I'm talking about would have brought the time to resolution down from hours to seconds.
Juergen Brendel
CTO
Esphion Ltd.
URL: http://www.esphion.com
Blog: http://esphion.blogs.com
Posted by: Juergen Brendel | Aug 1, 2005 7:58:52 PM