OASIS Mailing List Archives

Subject: Blended threats

The CodeRed worm is a good example of a blended threat because it
performs multiple attacks on different components.

It exploits a buffer overflow vulnerability, defaces the website of the
exploited machine, attempts to spread to other machines, and causes
system instability.

It is more than a buffer overflow as someone mentioned in the call and
can fit into more than one category. However, blended threats usually
have an entry point. In this case, the buffer overflow provided CodeRed
the necessary privileges to perform the latter attacks. In scenarios
like this, we can try to classify the threat in multiple categories or
simply focus on the entry attack.

I imagine an assessment checking to see if a system is affected by
CodeRed would perform an HTTP request and analyze the response. In this
case, the assessment would check if the buffer overflow problem is
present so this easily fits in the overflow category. Maybe we can work
backwards and start from the assessment because whatever the assessment
is checking for is the category.  

If we want to discuss CodeRed, we should probably look at what Microsoft
and eEye (they discovered the problem) had to say about it.


Symantec also has some good whitepapers about blended threats:

Finally, I am still trying to understand the goals of WAS and how things
will fit together. Someone mentioned playing with the XML format early
to try to encode our thoughts. I think this would be a good idea to help
us visualize our goal and make sure we are all on the same page.

Nasseam Elkarra
