Full Disclosure mailing list archives
Re: RE: Any dissasemblies of the Witty worm yet?
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 21 Mar 2004 15:18:56 -0600
"Hugh Mann" <hughmann () hotmail com> writes:
3. If someone can trace the origin of this worm, it might shed light on the origin of SQL Slammer as well?
Definitely a big NO.
Indeed this does appear to be accurate. While it looks as though the worm is technically similar to Slammer, think about the odds. Both used a non-broadcast UDP exploit vector. Why on _earth_ would the programmer re-write the code for the worm when he could steal half of his code from SQL Slammer? It doesn't necessarily show that the two worms were written by people of even similar background, but it does seem to show that the author of the BlackICE worm used Slammer's techniques -- possibly even to the extent of simply ripping large portions of Slammer and changing the IAT offsets used to reflect those of the ISS PAM. Another possibility is that Slammer and Witty were generated in source form by some kind of "worm generator" -- but I don't have any information to suggest that this is the case. My conclusion is that the author of Witty simply copied large portions of Slammer's code, completely wholesale. This would be an easy explanation for the common techniques in the code.

The other thing that would seem to suggest against the common link theory is that the Witty worm was intentionally destructive, and deliberately added to its own size. Generally, virus writers use many of the same coding habits when they make multiple viruses. In this case, the non-destructive Slammer worm bears no resemblance in payload to the highly destructive Witty worm. Also, Slammer was small, and very well optimized. Witty bloats its own code with data from the local stack of the attacked IDS. These two flaws make Witty less likely to spread than Slammer. Typically, authors who base multiple creations off a single piece of original code *improve* the quality of this code with each release. Witty took several steps backward. This seems to go against the assessment of the skill level of Slammer's author -- namely that the writer had a strong understanding of x86 assembly, and that the code seemed well-tested, other than a weak randomization engine.
Generally, the writers of intentionally destructive malware are less-skilled, and more focused on the attention achieved by a destructive virus than those who write less-destructive viruses. Note that all malicious code is capable of causing unintentional damage, but less-skilled authors are typically behind self-destructing code. This class of code deliberately does so much damage to its host that most code is no longer able to operate. If you think about it, this link makes sense, because performing such damaging action *always* reduces the spread of the virus, so the author is no longer aiming for a successful mass-infection, but media (or other) attention.

I'll have an analysis of Witty, hopefully by Monday at the latest, that talks about the internals of the payload, and several other parts of the virus that are not well documented in current advisories and analyses.