Slammer, Other Older Threats Making a Comeback
Researchers at IBM ISS say Slammer is the most common network threat they see today due to 'retired' signatures
August 23, 2007
If you think Slammer is dead and you're immune, think again: The 2003 worm is actually alive and well and more widespread than in its heyday in 2003, researchers say.
Gunter Ollmann, director of security strategy for IBM ISS, says Slammer is the most common network threat he and his fellow researchers find today, and there are likely more hosts infected by it now than when it first hit the Net. But it's not just Slammer that's made a comeback -- Ollmann says other "eradicated" malware is making a comeback as well, including older Web-based threats.
"The problem is getting worse. There are a growing number of operating systems and hosts out there, and a lot of older OSes are still running... Their lifetime is a lot longer than it used to be," says Ollman, who just published a white paper called "Old Threats Never Die."
And other network devices, such as multi-function printers and SOHO routers, for instance, often sit unpatched and vulnerable to the new-old threats. "When was the last time you saw someone getting Windows patching software and applying it to a printer or router?" he says. "Older devices which may been OK when they were originally released are not being updated. So most often, they are falling victim to standing threats and worms."
The bigger problem, Ollmann says, is that many major antivirus and IDS/IPS vendors that rely mainly on signature-based protection typically retire signatures for older threats such as Slammer because they have to pare down their bulging signature load to preserve performance. "After a while, they relegate them as optional signatures," he says. "A lot of vendors have a critical list of vulnerabilities that they are constantly updating... They advise customers to always have those [signatures] enabled and all else becomes optional [or are removed altogether]. Some devices have a policy box that you pick that has the critical ones running always."
And when the next round of critical updates comes, some signatures fall from the list and are "disabled," often unbeknownst to the user.
"There are still thousands of hosts affected around the world by Slammer," says Ollmann, who wouldn't name vendors. "That it's the number one propagating threat we still see is pretty strange."
But Randy Abrams, director of technical education for AV vendor Eset, says Eset does not see this "retro-trend."
"At Eset, we are seeing about 15,000 new threats each day, but on average at least 90 percent are not viruses," Abrams says, noting that Eset's products detect older malware threats.
IBM ISS, meanwhile, also has seen a jump in old Web exploits, according to Ollmann, including MS04-13 and MS06-14 for Internet Explorer, and an older Mozilla bug, MFSA2005-50 -- all of which have patches. But not all hosts have patches for them, Ollmann says. Attackers are always looking for ways to use bugs, even old ones, to do their dirty work, he says.
"People who never update their browsers and don’t apply patches always fall victim to these sites," he says. "And, with every new browser release, there are a bunch of old vulns emerging in those releases."
Meanwhile, AV vendors are starting to add behavioral-based technology to their products, but that still may not find these older threats, he says.
So how do you protect yourself? The obvious: Keep protection up-to-date, including older signature protection if you have the option, and "applying the latest engines" to the mix, he says.
Ollmann warns that security managers will likely spend more time protecting their systems and networks against these older threats than from the latest zero-day: "Finding the old [vulnerable] systems is difficult, and getting hold of patches for them is even more difficult."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like