[Dshield] SQLSlammer & Netsky.E

Benjamin M.A. Robson ben at robson.ph
Wed Mar 17 06:11:34 GMT 2004

I know this is going to be controversial but...

The desire for Netsky.E could (and was) served by Eicar.  But I want
SQLSlammer as the intention of this test is to actually perform a
destructive test with the objective of causing systems to fail.

The target environment is a very well controlled test setup that is a
mirror for the production environment, and the virus transport mechanism
is a file upload through CGI rather than email.

The objective of this test is to attempt to seed their backend with
SQLSlammer through the upload, which would go into a 'semi-private'
area and may be executed.  As such it could then propagate through their
(in this case test) SQLServer farm and hence achieve the objective of
the audit.

Some are likely to be sitting reading this shaking their head going 'no
no no no no'.  But the customer has been fully briefed on the possible
ramifications of this test, and I have taken steps to avoid subsequent
propagation so I feel that it is a legitimate test to be performed.


On Mon, 2004-03-15 at 23:20, jayjwa wrote:
> On Mon, 15 Mar 2004, Benjamin M.A. Robson wrote:
> > I have a security audit gig on at the moment and need to test a client's
> > handling of CGI submitted files with viruses attached.
> Wouldn't Eicar work for that? It's a test file for AVs that appears like
> a virus to them, except it's not in any way harmful.
> You can find out more at :
>  http://www.eicar.com

