Attacks/Breaches

8/23/2007 04:40 AM
Slammer, Other Older Threats Making a Comeback

Researchers at IBM ISS say Slammer is the most common network threat they see today due to 'retired' signatures

If you think Slammer is dead and you're immune, think again: The 2003 worm is actually alive and well and more widespread than in its heyday in 2003, researchers say.

Gunter Ollmann, director of security strategy for IBM ISS, says Slammer is the most common network threat he and his fellow researchers find today, and there are likely more hosts infected by it now than when it first hit the Net. But it's not just Slammer: Ollmann says other supposedly "eradicated" malware is returning as well, including older Web-based threats.

"The problem is getting worse. There are a growing number of operating systems and hosts out there, and a lot of older OSes are still running... Their lifetime is a lot longer than it used to be," says Ollmann, who just published a white paper called "Old Threats Never Die."

And other network devices, such as multi-function printers and SOHO routers, often sit unpatched and vulnerable to the new-old threats. "When was the last time you saw someone getting Windows patching software and applying it to a printer or router?" he says. "Older devices which may have been OK when they were originally released are not being updated. So most often, they are falling victim to standing threats and worms."

The bigger problem, Ollmann says, is that many major antivirus and IDS/IPS vendors that rely mainly on signature-based protection typically retire signatures for older threats such as Slammer because they have to pare down their bulging signature load to preserve performance. "After a while, they relegate them as optional signatures," he says. "A lot of vendors have a critical list of vulnerabilities that they are constantly updating... They advise customers to always have those [signatures] enabled and all else becomes optional [or are removed altogether]. Some devices have a policy box that you pick that has the critical ones running always."

And when the next round of critical updates comes, some signatures fall from the list and are "disabled," often unbeknownst to the user.
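As an added illustration of the retired-signature problem (example code, not from the article or from IBM ISS): a small Python audit that parses a Snort/Suricata-style rule file, lists signatures that have been commented out, and checks that at least one enabled rule still watches UDP/1434, the SQL Server Resolution Service port that Slammer propagates on. The sample ruleset, its sids and its messages are constructed placeholders, not real vendor signatures.

```python
"""Audit a Snort/Suricata-style rule file for signatures that have gone
"optional" and been commented out, the silent-disabling problem the
article describes.  Added example; not code from the article or IBM ISS.
The ruleset below is constructed for illustration: sids, messages and
rule bodies are placeholders, not real vendor signatures."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample ruleset.  The middle rule has been commented out, which
# is how a retired/"optional" signature typically looks in a shipped file.
SAMPLE_RULES = """\
# constructed sample ruleset, not a vendor feed
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; sid:1000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"EXAMPLE MS-SQL worm propagation"; content:"|04|"; depth:1; sid:1000002; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE old browser exploit landing page"; content:"GET"; sid:1000003; rev:2;)
"""

# Rule header: optional leading '#' (disabled), action, protocol, src, src port,
# direction, dst, dst port, then the option block in parentheses.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|drop|reject|pass|log)\s+"
    r"(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
# key:value; pairs inside the option block (quoted values may contain ';').
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


@dataclass
class Rule:
    enabled: bool
    proto: str
    dport: str
    msg: str
    sid: str


def parse_rules(text: str) -> list[Rule]:
    """Parse rule headers; non-rule comment lines and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group("opts"))}
        rules.append(Rule(
            enabled=m.group("disabled") is None,
            proto=m.group("proto").lower(),
            dport=m.group("dport"),
            msg=opts.get("msg", ""),
            sid=opts.get("sid", "?"),
        ))
    return rules


def disabled_rules(rules: list[Rule]) -> list[Rule]:
    """Signatures still present in the file but commented out."""
    return [r for r in rules if not r.enabled]


def covers(rules: list[Rule], proto: str, dport: str) -> bool:
    """True if at least one *enabled* rule watches proto/dport.  udp/1434 is
    the SQL Server Resolution Service port that Slammer spreads on."""
    return any(r.enabled and r.proto == proto and r.dport == dport for r in rules)


def report(rules: list[Rule]) -> list[str]:
    """Human-readable findings, one per line."""
    lines = [f"disabled sid:{r.sid} {r.proto}/{r.dport} {r.msg!r}"
             for r in disabled_rules(rules)]
    if not covers(rules, "udp", "1434"):
        lines.append("no enabled rule watches udp/1434 (Slammer propagation port)")
    return lines


if __name__ == "__main__":
    for line in report(parse_rules(SAMPLE_RULES)):
        print(line)
```

Run it against the shipped `.rules` files after each signature update: a sid that was enabled before the update and is commented out now is exactly the silent demotion Ollmann describes. Commented-out rules are only one form of retirement; a signature dropped from the file altogether will not appear at all, so diff the sid lists between releases as well.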

"There are still thousands of hosts affected around the world by Slammer," says Ollmann, who wouldn't name vendors. "That it's the number one propagating threat we still see is pretty strange."

But Randy Abrams, director of technical education for AV vendor Eset, says Eset does not see this "retro-trend."

"At Eset, we are seeing about 15,000 new threats each day, but on average at least 90 percent are not viruses," Abrams says, noting that Eset's products detect older malware threats.

IBM ISS, meanwhile, also has seen a jump in old Web exploits, according to Ollmann, including MS04-13 and MS06-14 for Internet Explorer, and an older Mozilla bug, MFSA2005-50 -- all of which have patches. But not all hosts have patches for them, Ollmann says. Attackers are always looking for ways to use bugs, even old ones, to do their dirty work, he says.

"People who never update their browsers and don’t apply patches always fall victim to these sites," he says. "And, with every new browser release, there are a bunch of old vulns emerging in those releases."

Meanwhile, AV vendors are starting to add behavioral-based technology to their products, but that still may not find these older threats, he says.

So how do you protect yourself? The obvious: Keep protection up-to-date, including older signature protection if you have the option, and add "the latest engines" to the mix, he says.

Ollmann warns that security managers will likely spend more time protecting their systems and networks against these older threats than from the latest zero-day: "Finding the old [vulnerable] systems is difficult, and getting hold of patches for them is even more difficult."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...