RE: [Full-Disclosure] RE: Any dissasemblies of the Witty worm yet?
From: Disclosure From OSSI (disclosureossecurity.ca)
Date: Mon Mar 22 2004 - 22:32:23 CST
Come on. This is a worm. The SQL Slammer binary is widely available on the net and
its disassembly (or "its source code") is everywhere via Google. For
example, part of it can be found at
http://www.eeye.com/html/Research/Flash/sapphire.txt. With IDA Pro
(http://www.datarescue.com/) (you must have heard of it, haven't you?), the
SQL Slammer and/or Witty worms can easily be turned into their "original"
source code format (assembly).
Even viruses (or complex Windows systems or applications) are reverse-engineered
into assembly code to be analyzed, let alone a tiny worm like SQL Slammer or
Witty. Even worse, it has become a trend for VX writers to release their original
C/C++/assembly code for copycats, as with W32.MyDoom.
Google around and you will see tons of shellcode, most of which is likely a
precursor to worms. Technically, they are the same when it comes to exploiting a BOF.
A few sites are worth your time:
http://www.cnhonker.com/ (in Chinese)
By the way, the offsets quoted in my previous post are 0Eh (14 bytes) off from
those at http://isc.incidents.org/diary.html?date=2004-03-20 because I wanted to
align these function imports (analyzed automatically by a program) with the
disassembly done by Kostya Kortchinsky. After I posted it, I guessed that the
14-byte difference is an Ethernet header (6, 6, 2) used in Kostya's
disassembly (not shown in Kostya's post).
Visit our website (http://www.ossecurity.ca) frequently for further
announcements on advanced analysis tools for worms and viruses, and protection
products against them as well. These analysis tools could reduce the analysis of
a new worm or virus to minutes or even seconds.
As to the comparison between the SQL Slammer and Witty worms, it was my feeling
when I read through the Witty worm disassembly. I guess that you do not read
disassembly code, so you do not have such a feeling.
A worm can be transformed as: Hex Dump -> Binary -> Disassembled -> Analyzed
and commented by experts.
It can go further as: Disassembled -> Assembly Code -> Compiled into binary ->
hex dumped. Copycats can pop up during this transformation cycle.
So, read a few more books on assembly language and google around . . .
OSsurance blocks simple BOF worms like "Witty" and protects your computer
and/or network from their devastating damage even if your computer is NOT
patched and NOT protected by a firewall.
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com]On Behalf Of Byron
> Sent: Sunday, March 21, 2004 5:15 PM
> To: Full Disclosure
> Subject: Re: [Full-Disclosure] RE: Any dissasemblies of the Witty worm
> On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
> > "Hugh Mann" <hughmannhotmail.com> writes:
> > > > 3. If someone can trace the origin of this worm, it might shed light on
> > > > the origin of SQL Slammer as well?
> > >
> > > Definitely a big NO.
> > Indeed this does appear to be accurate. While it looks as though the worm
> > is technically similar to Slammer, think about the odds. Both used a
> > non-broadcast UDP exploit vector. Why on _earth_ would the programmer
> > re-write the code for the worm when he could steal half of his code from
> > SQL Slammer? It doesn't necessarily show that the two worms were written
> > by people of even similar background, but it does seem to show that the
> > author of the BlackICE worm used Slammer's techniques -- possibly even to
> > the extent of simply ripping large portions of Slammer and changing the
> > IAT offsets used to reflect those of the ISS PAM. Another possibility is
> > that Slammer and Witty were generated in source form by some kind of
> > "worm generator" -- but I don't have any information to suggest that this
> > is the case. My conclusion is that the author of Witty simply copied
> > large portions of Slammer's code, completely wholesale.
> I've seen the Slammer code as hex dumps, etc., but haven't seen any
> original Slammer source code. Just wondering how anyone could make any
> determinations of any comparisons to either when the coding style really
> isn't known. Maybe I am the only one who missed seeing the original
Full-Disclosure - We believe in it.
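The post's "Hex Dump -> Binary" step and its explanation of the 0Eh (6, 6, 2) Ethernet-header offset difference, as an added example that is not code from the original message, from OSSI, or from any of the quoted authors. It parses a hex dump back into bytes, checks that the captured frame really is Ethernet/IPv4/UDP (EtherType, header length, protocol, length fields and the IPv4 header checksum all have to agree), locates the UDP payload, and converts offsets between a dump that includes the link-layer header and one that does not. The hex dump, MAC and IP addresses and ports are constructed for the example; the 16-byte payload is filler, not a worm body.

```python
"""Hex dump -> bytes, then align offsets across the 14-byte Ethernet header.

Added example, not code from the original post or from OSSI. The hex dump
below is CONSTRUCTED: an Ethernet frame (6-byte dst MAC, 6-byte src MAC,
2-byte EtherType = 0x0E bytes) carrying a minimal IPv4/UDP packet whose
payload is 16 filler bytes of 0xCC, not any real worm body.
"""
import struct

ETH_HDR_LEN = 14          # 6 + 6 + 2: the 0Eh difference discussed in the post
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
UDP_HDR_LEN = 8

# Constructed sample in the usual "offset: bytes  ascii" layout. The IPv4
# checksum (66 be) is correct for this header; the UDP checksum is left zero.
CONSTRUCTED_HEXDUMP = """\
0000: 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00  .."3DUfw......E.
0010: 00 2c 00 01 00 00 40 11 66 be 0a 00 00 01 0a 00  .,....@.f.......
0020: 00 02 12 34 13 88 00 18 00 00 cc cc cc cc cc cc  ...4............
0030: cc cc cc cc cc cc cc cc cc cc                    ..........
"""


def parse_hexdump(text: str) -> bytes:
    """Turn an 'offset: xx xx ...  ascii' dump back into bytes.

    Reading of a line stops at the first token that is not two hex digits, so
    the ASCII column is skipped (an ASCII column that happens to be exactly two
    hex characters would fool this; real dumps are 8 or 16 wide). The offset
    column must be continuous, which catches a line lost while copying the
    dump out of a mail body.
    """
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, rest = line.partition(":")
        offset = int(head.strip(), 16)
        if offset != len(out):
            raise ValueError(f"dump says {offset:#06x} but {len(out):#06x} bytes read so far")
        for tok in rest.split():
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ipv4_header_checksum(hdr: bytes) -> int:
    """Ones'-complement sum over the IPv4 header; a valid header yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def locate_udp_payload(frame: bytes) -> dict:
    """Return the byte offset of each layer inside a captured Ethernet frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType {ethertype:#06x}")
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4            # IP header length in bytes, normally 20
    ip_hdr = frame[ip_off:ip_off + ihl]
    if ipv4_header_checksum(ip_hdr) != 0:
        raise ValueError("IPv4 header checksum does not verify")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    if ip_off + total_len > len(frame):
        raise ValueError("IP total length runs past the end of the frame")
    if ip_hdr[9] != IPPROTO_UDP:
        raise ValueError(f"not UDP: protocol {ip_hdr[9]}")
    udp_off = ip_off + ihl
    udp_len = struct.unpack("!H", frame[udp_off + 4:udp_off + 6])[0]
    if udp_len != total_len - ihl:
        raise ValueError("UDP length disagrees with IP total length")
    payload_off = udp_off + UDP_HDR_LEN
    return {"ip": ip_off, "udp": udp_off, "payload": payload_off,
            "payload_len": udp_len - UDP_HDR_LEN}


def to_frame_offset(packet_offset: int) -> int:
    """Offset in a link-layer-less dump (bare IP packet) -> offset in the captured frame."""
    return packet_offset + ETH_HDR_LEN


def to_packet_offset(frame_offset: int) -> int:
    """Inverse: offset in the captured frame -> offset in the bare IP packet."""
    if frame_offset < ETH_HDR_LEN:
        raise ValueError("offset lies inside the Ethernet header")
    return frame_offset - ETH_HDR_LEN


if __name__ == "__main__":
    frame = parse_hexdump(CONSTRUCTED_HEXDUMP)
    layers = locate_udp_payload(frame)
    print(f"frame {len(frame)} bytes; IP at {layers['ip']}, UDP at {layers['udp']}, "
          f"payload at {layers['payload']} ({layers['payload_len']} bytes)")
    # An item at packet offset 0x20 in a headerless dump sits at 0x2E in the frame.
    print(f"packet offset 0x20 -> frame offset {to_frame_offset(0x20):#x}")
```

Captures taken with libpcap-based tools on an Ethernet interface keep the 14-byte link-layer header, while a dump of just the IP packet does not, which is exactly the kind of 0x0E skew between two analysts' offsets that the post describes; running the layer checks before trusting any offset avoids aligning two disassemblies against different base addresses.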