Subject: Blended threats
The CodeRed worm is a good example of a blended threat because it performs multiple attacks on different components. It exploits a buffer overflow vulnerability, defaces the website of the exploited machine, attempts to spread to other machines, and causes system instability. It is more than a buffer overflow as someone mentioned in the call and can fit into more than one category. However, blended threats usually have an entry point. In this case, the buffer overflow provided CodeRed the necessary privileges to perform the latter attacks. In scenarios like this, we can try to classify the threat in multiple categories or simply focus on the entry attack.

I imagine an assessment checking to see if a system is affected by CodeRed would perform an HTTP request and analyze the response. In this case, the assessment would check if the buffer overflow problem is present so this easily fits in the overflow category. Maybe we can work backwards and start from the assessment because whatever the assessment is checking for is the category.

If we want to discuss CodeRed, we should probably look at what Microsoft and eEye (they discovered the problem) had to say about it.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
http://www.eeye.com/html/Research/Advisories/AL20010717.html

Symantec also has some good whitepapers about blended threats:

http://securityresponse.symantec.com/avcenter/whitepapers.html

Finally, I am still trying to understand the goals of WAS and how things will fit together. Someone mentioned playing with the XML format early to try to encode our thoughts. I think this would be a good idea to help us visualize our goal and make sure we are all on the same page.

Thanks,

Nasseam Elkarra
nelkarra@opensec.org
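The post above suggests that the category of a threat can be read off from what an assessment actually checks for: in CodeRed's case, the Index Server ISAPI extension overflow described in MS01-033. The following is an added example, not part of the original message or of the WAS work, showing the defender-side counterpart: a small log-review script that flags web-server requests with the shape of that overflow attempt (an oversized or %u-encoded query string sent to an `.ida`/`.idq` endpoint) so an operator can see which hosts were probed. The log lines are constructed for illustration, the `MAX_SANE_QUERY` threshold is an assumption, and the probe string only mirrors the publicly documented request shape rather than reproducing any real worm payload.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: client identd user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# The vulnerable component in MS01-033 is the Index Server ISAPI extension,
# reached through .ida/.idq requests. A query string this long sent to it has
# no legitimate purpose; the threshold itself is an assumption for this example.
ISAPI_EXT = (".ida", ".idq")
MAX_SANE_QUERY = 200

# Constructed probe: a long run of 'N' padding followed by %u-encoded bytes,
# the general shape of the CodeRed request. Not a captured payload.
_CONSTRUCTED_PROBE = "/default.ida?" + "N" * 224 + "%u9090%u9090=a"

# Constructed sample log (three lines, one of them the probe above).
SAMPLE_LOG = (
    '192.0.2.10 - - [19/Jul/2001:10:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043\n'
    '198.51.100.7 - - [19/Jul/2001:10:02:13 +0000] "GET ' + _CONSTRUCTED_PROBE +
    ' HTTP/1.0" 200 0\n'
    '203.0.113.5 - - [19/Jul/2001:10:02:15 +0000] "GET /search.idq?q=foo HTTP/1.0" 404 213\n'
)


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Return a reason string if the request target looks like an .ida/.idq
    overflow attempt, otherwise None. Short, plain queries to .idq are left
    alone so ordinary Index Server searches are not flagged."""
    parts = urlsplit(target)
    path, query = parts.path.lower(), parts.query
    if not path.endswith(ISAPI_EXT):
        return None
    if len(query) > MAX_SANE_QUERY:
        return "oversized query to Index Server ISAPI extension"
    if "%u" in query.lower():
        return "%u-encoded bytes in query to Index Server ISAPI extension"
    return None


def scan_log(text):
    """Return (client, truncated target, reason) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue  # skip lines that are not in CLF
        reason = classify_request(rec["target"])
        if reason:
            findings.append((rec["client"], rec["target"][:40], reason))
    return findings


if __name__ == "__main__":
    for client, target, reason in scan_log(SAMPLE_LOG):
        print(f"{client}\t{target}...\t{reason}")
```

Run against a real IIS log export, the script lists the source addresses that sent overflow-shaped `.ida`/`.idq` requests, which is the evidence the post's "assessment" would want, while the benign `/search.idq?q=foo` hit stays unflagged because neither its length nor its encoding matches the probe shape.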