[Dshield] SQLSlammer & Netsky.E

Andy Stevko andy.stevko at usa.net
Wed Mar 17 17:00:59 GMT 2004


I totally agree with your agenda. Although the operations folks hate 
this, I am a big proponent of conducting war games on our production 
mirrored sites. This kind of exercise will tell much of the maturity of 
the systems and staff. Of course you must take proper measures to 
contain the scenario. The only way to know it is truly bulletproof is to 
risk firing bullets at it.


Benjamin M.A. Robson wrote:

>I know this is going to be controversial but...
>
>The desire for Netsky.E could (and was) served by Eicar.  But I want
>SQLSlammer as the intention of this test is to actually perform a
>destructive test with the objective of causing systems to fail.
>
>The target environment is a very well controlled test setup that is a
>mirror for the production environment, and the virus transport mechanism
>is a file upload through CGI rather than email.
>
>The objective of this test is to attempt to seed their backend with
>SQLSlammer through the upload, which would go in to a 'semi-private'
>area and may be executed.  As such it could then propagate through their
>(in this case test) SQLServer farm and hence achieve the objective of
>the audit.
>
>Some are likely to be sitting reading this shaking their head going 'no
>no no no no'.  But the customer has been fully briefed on the possible
>ramifications of this test, and I have taken steps to avoid subsequent
>propagation so I feel that it is a legitimate test to be performed.
>
>BenR
>
>
>On Mon, 2004-03-15 at 23:20, jayjwa wrote:
>
>>On Mon, 15 Mar 2004, Benjamin M.A. Robson wrote:
>>
>>>I have a security audit gig on at the moment and need to test a client's
>>>handling of CGI submitted files with viruses attached.
>>
>>Wouldn't Eicar work for that? It's a test file for AVs that appears like
>>a virus to them, except it's not in any way harmful.
>>You can find out more at:
>>
>> http://www.eicar.com
>>

-- 
------------------------------------------------------------------------
"CrackMonkey has more google juice than KPMG".
 From the Jargon File 
<http://catb.org/%7Eesr/jargon/html/G/google-juice.html>
