Full Disclosure mailing list archives

RE: RE: Any dissasemblies of the Witty worm yet?
From: "Disclosure From OSSI" <disclosure () ossecurity ca>
Date: Mon, 22 Mar 2004 23:32:23 -0500

C'mon. This is a worm. The SQL Slammer binary is widely available on the net and
its disassembly (or "its source code") is everywhere via Google. For
example, part of it can be found at
http://www.eeye.com/html/Research/Flash/sapphire.txt. With IDA Pro
(http://www.datarescue.com/) (you must have heard of it, haven't you?), the
SQL Slammer and/or Witty worms can be easily turned into their "original"
source code format (assembly).

Even viruses (or complex Windows systems or applications) are reverse-engineered
into assembly code to be analyzed, let alone a tiny worm like SQL Slammer or
Witty. Even worse, it is becoming a trend that VX writers release their original
C/C++/assembly code for copy-cats, like W32.MyDoom.

Google around and you will see tons of shellcode, which is most likely a
precursor to worms. Technically, they are the same when it comes to exploiting a BOF.

A few sites are worthy of your time:

http://www.cnhonker.com/ (in Chinese)

By the way, the offset quoted in my previous post differs by 0Eh (14 bytes) from
the one at http://isc.incidents.org/diary.html?date=2004-03-20 because I wanted to
align these function imports (analyzed automatically by a program) with the
disassembly done by Kostya Kortchinsky. After I posted it, I guessed that the
14-byte difference is an Ethernet header (6, 6, 2) used in the disassembly by
Kostya (not shown in Kostya's post).

Visit our website (http://www.ossecurity.ca) frequently for further
announcements on advanced analysis tools for worms and viruses, and protection
products against them as well. These analysis tools could reduce the analysis of
a new worm or virus to minutes or even seconds.

As to the comparison between the SQL Slammer and Witty worms, it was my feeling
when I read through the Witty worm disassembly. I guess that you do not read
disassembly code, so you do not have such a feeling.

A worm can be transformed as: Hex Dump -> Binary -> Disassembled -> Analyzed
and commented by experts.
It can go further as: Disassembled -> Assembly Code -> Compiled into binary ->
Hex dumped. Copycats can pop up during this transformation cycle.

So, read a few more books on assembly language and Google around . . .

Peter Huang
OSsurance blocks simple BOF worms like "Witty" and protects your computer
and/or network from their devastating damage even if your computer is NOT
patched and NOT protected by a firewall.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Byron
Sent: Sunday, March 21, 2004 5:15 PM
To: Full Disclosure
Subject: Re: [Full-disclosure] RE: Any dissasemblies of the Witty worm

On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
"Hugh Mann" <hughmann () hotmail com> writes:
3. If someone can trace the origin of this worm, it might shed light on
the origin of SQL Slammer as well?

Definitely a big NO.

Indeed this does appear to be accurate.  While it looks as though the worm
is technically similar to Slammer, think about the odds.  Both used a
non-broadcast UDP exploit vector.  Why on _earth_ would the programmer
re-write the code for the worm when he could steal half of his code from SQL
Slammer?  It doesn't necessarily show that the two worms were written by
people of even similar background, but it does seem to show that the author
of the BlackICE worm used Slammer's techniques -- possibly even to the
extent of simply ripping large portions of Slammer and changing the IAT
offsets used to reflect those of the ISS PAM.  Another possibility is that
Slammer and Witty were generated in source form by some kind of "worm
generator" -- but I don't have any information to suggest that this is the
case.  My conclusion is that the author of Witty simply copied large
portions of Slammer's code, completely wholesale.

I've seen the Slammer code as hex dumps, etc, but haven't seen any
original Slammer source code.  Just wondering how anyone could make any
determinations of any comparisons to either when the coding style really
isn't known.  Maybe I am the only one who missed seeing the original


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
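The post above mentions two technical points that are easy to get wrong in practice: converting a posted hex dump back into bytes, and the 0Eh (14-byte) offset shift that appears when one analyst's packet view starts at the Ethernet header (6-byte destination MAC, 6-byte source MAC, 2-byte EtherType) while another's starts at the IP header. The following Python is an added example written for this archive page, not code from the original post, from OSSI or from any of the analyses it cites. The frame it builds is constructed sample data with a plain-text payload (not Witty or Slammer bytes); the dump format, the function names and the 192.0.2.x addresses are all assumptions made here for illustration.

```python
"""Hex dump <-> bytes round trip, plus the 14-byte Ethernet-header offset shift.

Added example for the Full Disclosure thread on Witty/Slammer disassembly.
All packet bytes are constructed sample data; nothing here is worm code.
"""
import struct

ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2) = 0Eh, as in the post
UDP_HDR_LEN = 8
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800


def bytes_to_hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as 'OFFSET: xx xx ...' lines (assumed dump layout, no ASCII gutter)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:04x}: " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines)


def hexdump_to_bytes(dump: str) -> bytes:
    """Inverse of bytes_to_hexdump: drop the offset column, keep every hex pair.

    If a dump carries an ASCII gutter, strip it before calling this; any
    token that is not exactly two hex digits raises ValueError.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        for tok in tokens[1:]:            # tokens[0] is the offset column
            if len(tok) != 2:
                raise ValueError(f"unexpected token {tok!r} in hex dump")
            out.append(int(tok, 16))      # raises ValueError on non-hex text
    return bytes(out)


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a frame that starts at layer 2."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return dst, src, ethertype


def udp_payload_offset(pkt: bytes, has_eth_header: bool) -> int:
    """Offset of the first UDP payload byte relative to the start of `pkt`.

    `pkt` may start at the Ethernet header (capture view) or directly at the
    IPv4 header (disassembly/diary view); the result differs by ETH_HDR_LEN.
    """
    base = ETH_HDR_LEN if has_eth_header else 0
    if has_eth_header and parse_ethernet(pkt)[2] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    version_ihl = pkt[base]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4        # IP header length in bytes
    if pkt[base + 9] != IPPROTO_UDP:      # protocol field sits at IP offset 9
        raise ValueError("not UDP")
    return base + ihl + UDP_HDR_LEN


def translate_offset(offset: int, from_eth: bool, to_eth: bool) -> int:
    """Move an offset between the 'with Ethernet header' and 'IP-only' views."""
    return offset - (ETH_HDR_LEN if from_eth else 0) + (ETH_HDR_LEN if to_eth else 0)


def build_sample_frame() -> bytes:
    """Constructed IPv4/UDP frame with a harmless text payload (sample data only)."""
    payload = b"CONSTRUCTED SAMPLE PAYLOAD"
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + UDP_HDR_LEN + len(payload), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 4000, 4000, UDP_HDR_LEN + len(payload), 0)
    return eth + ip + udp + payload


SAMPLE_FRAME = build_sample_frame()
SAMPLE_DUMP = bytes_to_hexdump(SAMPLE_FRAME)

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    frame = hexdump_to_bytes(SAMPLE_DUMP)
    with_eth = udp_payload_offset(frame, True)                   # 42
    ip_only = udp_payload_offset(frame[ETH_HDR_LEN:], False)     # 28
    print(f"payload at 0x{with_eth:02x} from frame start, 0x{ip_only:02x} from IP start,"
          f" difference 0x{with_eth - ip_only:02x}")
```

Running it prints the constructed dump and reports the payload at 0x2a from the frame start but 0x1c from the IP header, a difference of exactly 0x0e. When two analyses of the same packet disagree by that amount, checking whether each one's offset 0 is the Ethernet header or the IP header is the first thing to verify before concluding that the bytes themselves differ.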
