mailing list archives
Re: RE: Any dissasemblies of the Witty worm yet?
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 21 Mar 2004 15:18:56 -0600
"Hugh Mann" <hughmann () hotmail com> writes:
3. If someone can trace the origin of this worm, it might shed light on
origin of SQL Slammer as well?
Definitely a big NO.
Indeed this does appear to be accurate. While it looks as though the worm
is technically similar to Slammer, think about the odds. Both used a
non-broadcast UDP exploit vector. Why on _earth_ would the programmer
re-write the code for the worm when he could steal half of his code from SQL
slammer? It doesn't necessarily show that the two worms were written by
people of even similar background, but it does seem to show that the author
of the BlackICE worm used Slammer's techniques -- possibly even to the
extent of simply ripping large portions of Slammer and changing the IAT
offsets used to reflect those of the ISS PAM. Another possibility is that
Slammer and Witty were generated in source form by some kind of "worm
generator" -- but I don't have any information to suggest that this is the
case. My conclusion is that the author of Witty simply copied large
portions of Slammer's code, completely wholesale.
This would be an easy explanation for the common techniques in the code.
The other thing that would seem to suggest against the common link theory is
that the Witty worm was intentionally destructive, and deliberately added to
its own size. Generally, virus writers use many of the same coding habits
when they make multiple viruses. In this case, the non-destructive Slammer
worm bares no resemblance in payload to the highly destructive Witty worm.
Also, Slammer was small, and very well optimized. Witty bloats its own code
with data from the local stack of the attacked IDS. These two flaws make
Witty less likely to spread than Slammer. Typically, authors who base
multiple creations off a single piece of original code *improve* the quality
of this code with each release. Witty took several steps backward.
This seems to go against the assessment of the skill level of Slammer's
author -- namely that the writer had a strong understanding of x86 assembly,
and that the code seemed well-tested, other than a weak randomization
engine. Generally, the writers of intentionally destructive malware are
less-skilled, and more focused on the attention achieved by a destructive
virus than those who write less-destructive viruses. Note that all
malicious code is capable of causing unintentional damage, but less-skilled
authors are typically behind self-destructing code. This class of code
deliberately does so much damage to its host that most code is no longer
able to operate. If you think about it, this link makes sense, because
performing such damaging action *always* reduces the spread of the virus, so
the author is no longer aiming for a successful mass-infection, but media
(or other) attention.
I'll have an analysis of Witty, hopefully by Monday at the latest, that
talks about the internals of the payload, and several other parts of the
virus that are not well documented in current advisories and analyses.
Full-Disclosure - We believe in it.