One thing most people fail to note when speaking of vulnerability-to-worm timelines shrinking is that you're basing your timeline off of when a vulnerability is disclosed to when a worm is discovered, NOT when a worm is released. The importance of this is that your timeline is not specifically based off of when the "bad guy" decides to do a bad thing and more so when the "good guys" discover a "bad guy" has done something bad. With all of these security companies scrambling to be first (even if they have nothing intelligent to say, other than some nifty name for the worm), it means they are investing a lot of resources into being the first to detect these worms. Which means that as their detection capabilities grow, the timeline of how quickly they are able to detect a worm is going to shrink. Which therefore can help lead to the appearance (right or wrong) that worms are being released faster, when in reality it is that they are now being detected faster.

Take CodeRed for example... There was about a week's time where many Microsoft IIS web servers were being crashed and "no one" understood what was happening. There is much evidence of this if you look at any Microsoft newsgroups around the time of CodeRed. So there is a week, or maybe even more, that the worm had been released (which changes the timeline) but no one knew about it. Now today, in some ways due to the fame of CodeRed, worms are sexy and appealing to companies and media alike... And therefore they get a lot more attention. We would never have the case today where there would be public discussion of web servers randomly crashing for a week without people figuring out there was a worm on the loose (Well, I shouldn't bet on other people's intelligence, but... ;-).

In the real world most of these discussions about timelines of vulnerability-to-worm do not matter, depending on your goal. For me personally I think the goal is trying to create as much accurate threat awareness as possible. We do not need to get down to the number of specific days of this worm vs. that worm to know for a fact that there have been a few worms lately that have been released/discovered within a timeline that is shorter than a month or two. For any company that is a data point to think hard about, and how your company handles security. Are you running around putting out fires every time some kid has a bad day and writes a worm, or are you being proactive and pitying your peers?

BTW: The Witty worm was the fastest released worm ever.

I know you mentioned OS but we've not seen many, if any, OS worms. That is to clarify that most worms have ALWAYS been for vulnerabilities in applications that ran on top of the OS. But I digress... If you want to read about some real OS flaws then check out:
http://www.eeye.com/html/Research/Advisories/AD20040413D.html

Signed,
Marc Maiffret
Co-Founder/Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez@germinus.com]
Sent: Monday, May 03, 2004 1:46 AM
To: Ben Ryan
Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Subject: Re: New LSASS-based worm finally here (Sasser)

Ben Ryan wrote:
> As expected, LSASS exploit-based worm seems to have arrived. Fasten
> your seatbelts, those unpatched please use the spew bags provided :) I
> hope PSS resolves the issues discussed in KB835732.

What's more disturbing is that this worm has established a new record for Microsoft worms [1]. Blaster was the fastest worm (25 days since the patch was published to the worm); this one has been even faster (17 days for the first variant since the patch was published to the worm).

Of course, I'm not considering the fact that this issue was known, at least to eEye and Microsoft, for over 5 months.

Regards

Javier

[1] Approaching the record of worms in other OS, which, I believe, is held by Scalper (10 days from patch to worm). But hey, they could browse the source changes for that one.