lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: disclosure at ossecurity.ca (Disclosure From OSSI)
Subject: RE: Any dissasemblies of the Witty worm yet?

Com'on. This is a worm. SQL Slamme binary is widely available on the net and
its dissembly (or "its source code") is everywhere with "google". For
example, part of it can be found at
http://www.eeye.com/html/Research/Flash/sapphire.txt. With IDAPro
(http://www.datarescue.com/) (you must have heard of it, don't you?), the
SQL Slammer and/or Witty worms can be easily turned into their "original"
source code format (assembly).

Even viruses (or complex Windows system or applications) are reverse-engined
into assembly code to be analyzed, let alone a tiny worm like SQL Slammer or
Witty. Even worse, it becomes a trend that VxWriters release their orginal
C/C++/assembly code for copy-cats like W32.MyDoom.

Google around, you will see tons of shellcode which are most likely
precursor to worms. Technically, they are the same to exploit BOF
vulnerabilities.

A few sites are worthy of your time:

http://www.metasploit.com/
http://www.cnhonker.com/ (in Chinese)
http://www.xfocus.org
etc...

By the way, the offset quoted in my previous post has 0Eh (14 bytes) from
the http://isc.incidents.org/diary.html?date=2004-03-20 because I wanted to
align these function imports (analyzed automatically by a program) with the
dissembly done by Kostya Kortchinsky. After I posted it, I guessed that
14-bytes difference is an Ethernet header (6, 6, 2) used in the dissembly by
Kostya (not shown in Kostya's post).

Visit our website (http://www.ossecurity.ca) frequently for further
annoucement on advanced analysis tools for worms and viruses, and protection
products against them as well. These analysis tools could reduce analysis of
a new worm or virus to minutes or even seconds.

As to the comparison between SQL Slammer and Witty worms, it was my feeling
when I read through the Witty worm dissembly. I guess that you do not read
dissembly code, so you do not have such a feeling.

A worm can be transformed as: Hex Dump -> Binary -> Dissembled -> Analyzed
and commented by experts.
It can go further as: Dissembled -> Assembly Code -> Compiled into binary ->
hex dumped. Copycats can pop up during this transforming cycle.

So, read a few more books on assembly language and google around . . .

Peter Huang
OSsurance blocks simple BOF worms like "Witty" and protects your computer
and/or network from their devastating damages even if your computer is NOT
patched and NOT protected by a firewall.
http://www.ossecurity.ca/


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Byron
> Copeland
> Sent: Sunday, March 21, 2004 5:15 PM
> To: Full Disclosure
> Subject: Re: [Full-Disclosure] RE: Any dissasemblies of the Witty worm
> yet?
>
>
> On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
> > "Hugh Mann" <hughmann@...mail.com> writes:
> > > >3. If someone can trace the origin of this worm, it might
> shed light on
> > the
> > > >origin of SQL Slammer as well?
> > >
> > > Definitely a big NO.
> >
> > Indeed this does appear to be accurate.  While it looks as
> though the worm
> > is technically similar to Slammer, think about the odds.  Both used a
> > non-broadcast UDP exploit vector.  Why on _earth_ would the programmer
> > re-write the code for the worm when he could steal half of his
> code from SQL
> > slammer?  It doesn't necessarily show that the two worms were written by
> > people of even similar background, but it does seem to show
> that the author
> > of the BlackICE worm used Slammer's techniques -- possibly even to the
> > extent of simply ripping large portions of Slammer and changing the IAT
> > offsets used to reflect those of the ISS PAM.  Another
> possibility is that
> > Slammer and Witty were generated in source form by some kind of "worm
> > generator" -- but I don't have any information to suggest that
> this is the
> > case.  My conclusion is that the author of Witty simply copied large
> > portions of Slammer's code, completely wholesale.
> >
>
> I've seen the slammer code as hex dumps, etc, but haven't seen the any
> original slammer source code.  Just wondering how anyone could make any
> determinations of any comparisons to either when the coding style really
> isn't known.  Maybe I am the only one who missed seeing the original
> code.
>
> -b
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ