Information Security News mailing list archives

Re: Slammer Source Code Provides Clues


From: InfoSec News <isn () c4i org>
Date: Thu, 30 Jan 2003 02:51:26 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.eweek.com/article2/0,3959,848302,00.asp

By Dennis Fisher
January 27, 2003

Signatures within the worm's source code indicate that a group known
as the Honker Union of China - also known as the Hacker Union of
China - may be responsible for writing the code, according to
security experts who have analyzed the code. However, experts
caution that although they are certain of the code's origins,
someone else may have actually loosed the worm on the Internet.

"We're 100 percent certain this was based on the CNHonker code,"
said Chris Rouland, director of the X-Force research team at
Internet Security Systems Inc., in Atlanta. "But that doesn't mean
they released it."

Forwarded from the Full Disclosure mailing list:

On Wed, 29 Jan 2003, David Litchfield wrote:

: [Some have suggested that the worm used (a person known as) lion's
: code as a template - in fact lion's code is an exact cut and paste of
: my code - so any suggestions that lion or the Chinese group he belongs
: to are responsible are probably erroneous. Also the suggestion that
: because there were 8 NOPs in the worm code this "proved" it was a
: hacker known as nop (of the same Chinese group) and this was his/her
: signature is also very wide of the mark - the presence of the NOPs is
: simply as a result of my code.]

Wonder if Rouland would like to respond to that and his 100% certainty
or if this was factored into the 'research' that led to this
statement.

And while we're on the topic of ISS and their "brief" (notice the
legalese is longer than the content posted [1]) of the Slammer worm, I
wonder why ISS then recommends using ISS Realsecure and ISS Scanner to
help mitigate the worm. Checking SQLSecurityForum, we see that both
products include SQL Server/MSDE that is vulnerable to the same thing they
are trying to protect against. Hope we see some advisories on these
products soon.


[1] http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0038.html
[2] http://www.sqlsecurity.com/forum/applicationslistgridall.aspx



-
ISN is currently hosted by Attrition.org
