Message-ID: <1079907274.22365.237.camel@Stargate>
From: nodialtone at comcast.net (Byron Copeland)
Subject: RE: Any dissasemblies of the Witty worm yet?
On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
> "Hugh Mann" <hughmann@...mail.com> writes:
> > >3. If someone can trace the origin of this worm, it might shed light on the
> > >origin of SQL Slammer as well?
> >
> > Definitely a big NO.
>
> Indeed this does appear to be accurate. While it looks as though the worm
> is technically similar to Slammer, think about the odds. Both used a
> non-broadcast UDP exploit vector. Why on _earth_ would the programmer
> re-write the code for the worm when he could steal half of his code from SQL
> slammer? It doesn't necessarily show that the two worms were written by
> people of even similar background, but it does seem to show that the author
> of the BlackICE worm used Slammer's techniques -- possibly even to the
> extent of simply ripping large portions of Slammer and changing the IAT
> offsets used to reflect those of the ISS PAM. Another possibility is that
> Slammer and Witty were generated in source form by some kind of "worm
> generator" -- but I don't have any information to suggest that this is the
> case. My conclusion is that the author of Witty simply copied large
> portions of Slammer's code, completely wholesale.
>
I've seen the Slammer code as hex dumps, etc., but haven't seen any
original Slammer source code. Just wondering how anyone could make any
determinations of any comparisons to either when the coding style really
isn't known. Maybe I am the only one who missed seeing the original
code.
-b