Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: RE: Any dissasemblies of the Witty worm yet?
From: "Hugh Mann" <hughmann () hotmail com>
Date: Sun, 21 Mar 2004 17:10:08 +0000

From: "Disclosure From OSSI" <disclosure () ossecurity ca>
From the quick analysis of this worm (retrieved from
http://isc.incidents.org/diary.html?date=2004-03-20), it seems that it bears
strange similarity with SQL Slammer for the following points:

1.      It uses the same "push ascii" format as SQL Slammer, for example "push
6B636F73h" in this worm.

I can tell you the names of about 100 different programmers who use push ascii in their expoits. This is common exploit code just like using "i" as the loop variable in C/C++.

2.      It uses hard-coded import addresses (listed below) as SQL Slammer.

I can tell you the names of about 100 different programmers who use hardcoded addresses in their expoits. This is common exploit code just like using "i" as the loop variable in C/C++.

3.      If someone can trace the origin of this worm, it might shed light on the
origin of SQL Slammer as well?

Definitely a big NO.

_________________________________________________________________
MSN Toolbar provides one-click access to Hotmail from any Web page – FREE download! http://clk.atdmt.com/AVE/go/onm00200413ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]