lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1079907274.22365.237.camel@Stargate>
From: nodialtone at comcast.net (Byron Copeland)
Subject: RE: Any dissasemblies of the Witty worm yet?

On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
> "Hugh Mann" <hughmann@...mail.com> writes:
> > >3. If someone can trace the origin of this worm, it might shed light on
> the
> > >origin of SQL Slammer as well?
> >
> > Definitely a big NO.
> 
> Indeed this does appear to be accurate.  While it looks as though the worm
> is technically similar to Slammer, think about the odds.  Both used a
> non-broadcast UDP exploit vector.  Why on _earth_ would the programmer
> re-write the code for the worm when he could steal half of his code from SQL
> slammer?  It doesn't necessarily show that the two worms were written by
> people of even similar background, but it does seem to show that the author
> of the BlackICE worm used Slammer's techniques -- possibly even to the
> extent of simply ripping large portions of Slammer and changing the IAT
> offsets used to reflect those of the ISS PAM.  Another possibility is that
> Slammer and Witty were generated in source form by some kind of "worm
> generator" -- but I don't have any information to suggest that this is the
> case.  My conclusion is that the author of Witty simply copied large
> portions of Slammer's code, completely wholesale.
> 

I've seen the slammer code as hex dumps, etc, but haven't seen the any
original slammer source code.  Just wondering how anyone could make any
determinations of any comparisons to either when the coding style really
isn't known.  Maybe I am the only one who missed seeing the original
code.

-b

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040321/9479e452/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ