Symantec detected Slammer worm "hours" before

Jack Bates jbates at brightok.net
Thu Feb 13 19:39:10 UTC 2003


From: "Mike Lloyd"

> You added comment on a fiber cut in that time period - can you offer
> more detail?  Barry mentioned another roughly simultaneous attack in
> Korea.  One other theory, of course, would be trial runs of the worm,
> perhaps with restricted PRNG to localize attack.  I've seen no direct
> evidence that this happened, though.
>

It wouldn't be the first time that someone kicked off some code, found that
it was running too slowly, removed the sleep timers and tried again.
However, if this were the case, trying to find and localize the initial
"slow worm" compared to the later release would be difficult to say the
least.

Jack Bates
BrightNet Oklahoma




More information about the NANOG mailing list