![isn logo](/images/isn-logo.png)
Information Security News mailing list archives
Re: Slammer Source Code Provides Clues
From: InfoSec News <isn () c4i org>
Date: Thu, 30 Jan 2003 02:51:26 -0600 (CST)
Forwarded from: security curmudgeon <jericho () attrition org>
http://www.eweek.com/article2/0,3959,848302,00.asp By Dennis Fisher January 27, 2003
Signatures within the worm's source code indicate that a group known as the Honker Union of China - also known as the Hacker Union of China - may be responsible for writing the code, according to security experts who have analyzed the code. However, experts caution that although they are certain of the code's origins, someone else may have actually loosed the worm on the Internet. "We're 100 percent certain this was based on the CNHonker code," said Chris Rouland, director of the X-Force research team at Internet Security Systems Inc., in Atlanta. "But that doesn't mean they released it."
Forwarded from the Full Disclosure mailing list: On Wed, 29 Jan 2003, David Litchfield wrote: : [Some have suggested that the worm used (a person known as) lion's : code as a template - in fact lion's code is an exact cut and paste of : my code - so any suggestions that lion or the Chinese group he belongs : to are responsible are probably erroneous. Also the suggestion that : because there were 8 NOPs in the worm code this "proved" it was a : hacker known as nop (of the same Chiense group) and this was his/her : signature is also very wide of the mark - the presence of the NOPs is : simply as a result of my code.] Wonder if Rouland would like to respond to that and his 100% certainty or if this was factored into the 'research' that lead to this statement. And while we're on the topic of ISS and their "brief" (notice the legalise is longer than the content posted [1]) of the Slammer worm, I wonder why ISS then recommends using ISS Realsecure and ISS Scanner to help mitigate the worm. Checking SQLSecurityForum, we see that both products include SQL Server/MSDE that is vulnerable to same thing they are trying to protect against. Hope we see some advisories on these products soon. [1] http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0038.html [2] http://www.sqlsecurity.com/forum/applicationslistgridall.aspx - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Slammer Source Code Provides Clues InfoSec News (Jan 28)
- <Possible follow-ups>
- Re: Slammer Source Code Provides Clues InfoSec News (Jan 30)