Message-ID: <005b01c362dd$108e46c0$b100a8c0@penetrator>
Date: Fri, 15 Aug 2003 05:26:48 +0200
From: "Dennis" <Dennis@...ktrace.de>
To: "'Tim van Erven'" <tve@...mig.net>
Subject: AW: Analysis/decompilation of main() of the msblast worm


Thanks,

Someone pointed this out already and I updated the paper.
You can grab it here:

http://www.backtrace.de/msblast_analysis.txt


greetings,

Dennis

-----Original Message-----
From: Tim van Erven [mailto:tve@...mig.net] 
Sent: Thursday, 14 August 2003 18:18
To: bugtraq@...urityfocus.com
Subject: Re: Analysis/decompilation of main() of the msblast worm

On Thu, 14/08/2003 22:44 +0200, Dennis wrote:
> Here's a little analysis of the msblast worm.

[snip]

> Every year starting on August the 16th to December the 31st the
> payload() routine will be started.

Judging from the disassembly quoted below this is not correct.

> get_date:				; CODE XREF: main+26E.j
> 		push	3		; cchDate
> 		lea	eax, [ebp+day_of_month]
> 		push	eax		; lpDateStr
> 		push	offset dateformat_d ; Day of month as digits with no leading zero for single-digit days
> 		push	0		; lpDate
> 		push	0		; dwFlags
> 		push	409h		; Locale
> 		call	GetDateFormatA	; get day of month
> 		push	3		; cchDate
> 		lea	eax, [ebp+month]
> 		push	eax		; lpDateStr
> 		push	offset dateformat_M ; Month as digits with no leading zero for single-digit months.
> 		push	0		; lpDate
> 		push	0		; dwFlags
> 		push	409h		; Locale
> 		call	GetDateFormatA
> 		lea	eax, [ebp+day_of_month]
> 		push	eax
> 		call	atoi		; convert daystring to integer
> 		pop	ecx
> 		cmp	eax, 15
> 		jg	short payload	; if it	is the 16th day	of a month
> 					; or above, start payload
> 		lea	edi, [ebp+month]
> 		push	edi
> 		call	atoi		; convert monthstring to integer
> 		pop	ecx
> 		cmp	eax, 8		; else if month	= September, October, November,	December,
> 					; start	payload
> 		jle	short loc_401562
> 
> payload:				; CODE XREF: main+2EB.j
> 		lea	eax, [ebp+ThreadId]
> 		push	eax		; lpThreadId
> 		push	0		; dwCreationFlags
> 		push	0		; lpParameter
> 		push	offset payload?	; lpStartAddress
> 		push	0		; dwStackSize
> 		push	0		; lpThreadAttributes
> 		call	CreateThread
> 
> loc_401562:				; CODE XREF: main+2FA.j main+317.j

If I read this correctly, the payload code will run either if the

* current system day of the month > 15
OR
* the current system month is one of September, October, November,
December

So it will also run in the last half of each month from January through
August.

> 	// get date
> 	GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3);
> 	GetDateFormatA(0x409, 0, 0, &"M", &month, 3);
> 
> 	// start payload on 16th august until 31st december
> 	if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
> 		CreateThread(0, 0, payload, 0, 0, &ThreadId);
> 
> 	// start spreading the worm all over the windoze-world
> 	while (1) spreadworm();

There is also a minor error in the translation to C quoted above:

if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )

should be

if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) )

(>= should be >.)

Regards,

-- 
Tim van Erven <tve@...mig.net>          Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811                   36D5 BBF8 6310 D557 712C B811
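The trigger condition Tim reconstructs above, written out as an added example in C (not code from the paper or from the worm) so the three readings can be compared side by side: the predicate the disassembly actually encodes, the paper's C translation with `>= 8`, and the window the paper's prose claimed. It assumes day and month are the 1-based integers that atoi() yields from the GetDateFormatA "d" and "M" strings.

```c
#include <stdio.h>
#include <stdbool.h>

/* Predicate as the disassembly encodes it:
 *   cmp eax, 15 / jg  payload     -> day_of_month > 15
 *   cmp eax, 8  / jle loc_401562  -> month > 8
 * i.e. the 16th or later of ANY month, or any day of September..December. */
bool trigger_from_disassembly(int month, int day)
{
    return day > 15 || month > 8;
}

/* Predicate as the paper's C translation wrote it (">= 8"), which Tim
 * flags as an off-by-one: it would additionally cover all of August. */
bool trigger_from_paper_translation(int month, int day)
{
    return day > 15 || month >= 8;
}

/* The window the paper's prose claimed: 16 August through 31 December. */
bool trigger_claimed_in_prose(int month, int day)
{
    return month > 8 || (month == 8 && day >= 16);
}

/* Non-leap year; index 0 unused so months stay 1-based. */
static const int days_in_month[13] =
    { 0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

/* Count the calendar days of a non-leap year on which a predicate fires. */
int count_trigger_days(bool (*pred)(int month, int day))
{
    int n = 0;
    for (int m = 1; m <= 12; m++)
        for (int d = 1; d <= days_in_month[m]; d++)
            if (pred(m, d))
                n++;
    return n;
}

int main(void)
{
    printf("disassembly (day>15 || month>8):  %d days/year\n",
           count_trigger_days(trigger_from_disassembly));
    printf("paper C translation (month>=8):   %d days/year\n",
           count_trigger_days(trigger_from_paper_translation));
    printf("paper prose (16 Aug - 31 Dec):    %d days/year\n",
           count_trigger_days(trigger_claimed_in_prose));
    return 0;
}
```

Running it shows the disassembly's predicate is true on 245 days of the year against the 138 the prose claimed, and the `>= 8` translation would widen that further to 260.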



