Symantec detected Slammer worm "hours" before
Jack Bates
jbates at brightok.net
Thu Feb 13 19:39:10 UTC 2003
From: "Mike Lloyd"
> You added a comment on a fiber cut in that time period - can you offer
> more detail? Barry mentioned another roughly simultaneous attack in
> Korea. One other theory, of course, would be trial runs of the worm,
> perhaps with restricted PRNG to localize attack. I've seen no direct
> evidence that this happened, though.
>
It wouldn't be the first time that someone kicked off some code, found that
it was running too slowly, removed the sleep timers and tried again.
However, if this were the case, trying to find and localize the initial
"slow worm" compared to the later release would be difficult, to say the
least.
Jack Bates
BrightNet Oklahoma