Expert weighs code release in wake of Slammer worm
IDG News Service - Saturday's Slammer worm was based on sample code published to help explain the threat posed by the security vulnerability that Slammer exploited, according to David Litchfield, the security expert who discovered the vulnerability.
The stunning success of the worm in spreading itself across the Internet had Litchfield questioning whether he will publish proof-of-concept (or "exploit") code in the future. Litchfield expressed his opinion that the Slammer worm was based on his proof-of-concept code in an e-mail message to the widely read bugtraq mailing list at SecurityFocus.
"On analysis of the code of the Slammer worm it is apparent that my code was used as its template," Litchfield wrote.
Many parts of the worm's code were identical to the published proof-of-concept code, but the worm wasn't simply a copy of the published example, Litchfield said. "It [is] apparent that whoever authored the worm knew how to write buffer overflow exploits and would have been capable of doing this without using my shellcode as a template."
The code taken from Litchfield's published exploit saved the worm's real writer "about 20 or so minutes," he wrote.
The e-mail message from Litchfield was in response to questions raised on the bugtraq list after an article was published in The Washington Post. In that article, Litchfield suggested that, after seeing the damage wrought by Slammer, he would probably no longer publish exploit code.
Later, he backtracked on that statement.
Exploit code serves an educational role in forums of computer security experts like the Blackhat Security Briefings, where Litchfield presented the SQL Server exploit and sample code in August 2002, he said. "People who attend such conferences go with the expectation that they will get 'up-to-the-minute' and pertinent lectures."
Providing as much information as possible about new vulnerabilities ensures that "both attendees and organizers get what they want," Litchfield wrote. More often than not, the benefits of publishing proof-of-concept code outweighs any "bad" that comes out of it.
That position seemed to have support among other security experts.
Writing to bugtraq on Saturday, when Slammer was still spreading rapidly (see story), Marc Maiffret, chief hacking officer at eEye Digital Security Inc., thanked Litchfield's company, Next Generation Security Software Ltd. (NGS), for discovering the worm and publishing a detailed technical write-up of it.
The details provided by NGS, based in Sutton, England, enabled Aliso Viejo, Calif.-based eEye to create a scanner that could identify systems on a network that were vulnerable to the Slammer worm. The company's scanner "once again [illustrates] that details are needed to help the good guys," Maiffret wrote.
Litchfield was clearly shaken by the role his code played in Slammer's spread and is aware of the potential consequences of a destructive worm. "We often forget that our actions online can have very real consequences in real life -- the next big worm could take out enough critical machines that people are killed ... and I don't want to feel that I've contributed to that," Litchfield wrote.
"Some will argue that full disclosure is a good thing. Others will abhor it. There is no one correct answer -- it must be a personal decision and for the moment I am undecided," he wrote.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts