Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: RE: Any dissasemblies of the Witty worm yet?
From: Byron Copeland <nodialtone () comcast net>
Date: 21 Mar 2004 17:14:34 -0500

On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
"Hugh Mann" <hughmann () hotmail com> writes:
3. If someone can trace the origin of this worm, it might shed light on
origin of SQL Slammer as well?

Definitely a big NO.

Indeed this does appear to be accurate.  While it looks as though the worm
is technically similar to Slammer, think about the odds.  Both used a
non-broadcast UDP exploit vector.  Why on _earth_ would the programmer
re-write the code for the worm when he could steal half of his code from SQL
slammer?  It doesn't necessarily show that the two worms were written by
people of even similar background, but it does seem to show that the author
of the BlackICE worm used Slammer's techniques -- possibly even to the
extent of simply ripping large portions of Slammer and changing the IAT
offsets used to reflect those of the ISS PAM.  Another possibility is that
Slammer and Witty were generated in source form by some kind of "worm
generator" -- but I don't have any information to suggest that this is the
case.  My conclusion is that the author of Witty simply copied large
portions of Slammer's code, completely wholesale.

I've seen the slammer code as hex dumps, etc, but haven't seen the any
original slammer source code.  Just wondering how anyone could make any
determinations of any comparisons to either when the coding style really
isn't known.  Maybe I am the only one who missed seeing the original


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]