Come on. This is a worm. The SQL Slammer binary is widely available on the net and
its disassembly (or "its source code") is everywhere with "google". For
example, part of it can be found at
http://www.eeye.com/html/Research/Flash/sapphire.txt. With IDA Pro
(http://www.datarescue.com/) (you must have heard of it, haven't you?), the
SQL Slammer and/or Witty worms can be easily turned into their "original"
source code format (assembly).

Even viruses (or complex Windows systems or applications) are reverse-engineered
into assembly code to be analyzed, let alone a tiny worm like SQL Slammer or
Witty. Even worse, it is becoming a trend that VX writers release their original
C/C++/assembly code for copy-cats, like W32.MyDoom.

Google around and you will see tons of shellcode, which is most likely a
precursor to worms. Technically, they are the same thing when it comes to
exploiting BOF vulnerabilities.

A few sites are worthy of your time:

http://www.metasploit.com/
http://www.cnhonker.com/ (in Chinese)
http://www.xfocus.org
etc...

By the way, the offset quoted in my previous post differs by 0Eh (14 bytes) from
the one at http://isc.incidents.org/diary.html?date=2004-03-20 because I wanted to
align these function imports (analyzed automatically by a program) with the
disassembly done by Kostya Kortchinsky. After I posted it, I guessed that the
14-byte difference is an Ethernet header (6, 6, 2) used in the disassembly by
Kostya (not shown in Kostya's post).

Visit our website (http://www.ossecurity.ca) frequently for further
announcements on advanced analysis tools for worms and viruses, and protection
products against them as well. These analysis tools could reduce the analysis of
a new worm or virus to minutes or even seconds.

As to the comparison between the SQL Slammer and Witty worms, it was my feeling
when I read through the Witty worm disassembly. I guess that you do not read
disassembly code, so you do not have such a feeling.

A worm can be transformed as: Hex Dump -> Binary -> Disassembled -> Analyzed
and commented by experts.
It can go further as: Disassembled -> Assembly Code -> Compiled into binary ->
hex dumped. Copycats can pop up during this transformation cycle.

So, read a few more books on assembly language and google around . . .

Peter Huang
OSsurance blocks simple BOF worms like "Witty" and protects your computer
and/or network from their devastating damage even if your computer is NOT
patched and NOT protected by a firewall.
http://www.ossecurity.ca/


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Byron
> Copeland
> Sent: Sunday, March 21, 2004 5:15 PM
> To: Full Disclosure
> Subject: Re: [Full-Disclosure] RE: Any dissasemblies of the Witty worm
> yet?
>
>
> On Sun, 2004-03-21 at 16:18, Matthew Murphy wrote:
> > "Hugh Mann" <[EMAIL PROTECTED]> writes:
> > > >3. If someone can trace the origin of this worm, it might
> shed light on
> > the
> > > >origin of SQL Slammer as well?
> > >
> > > Definitely a big NO.
> >
> > Indeed this does appear to be accurate.  While it looks as
> though the worm
> > is technically similar to Slammer, think about the odds.  Both used a
> > non-broadcast UDP exploit vector.  Why on _earth_ would the programmer
> > re-write the code for the worm when he could steal half of his
> code from SQL
> > slammer?  It doesn't necessarily show that the two worms were written by
> > people of even similar background, but it does seem to show
> that the author
> > of the BlackICE worm used Slammer's techniques -- possibly even to the
> > extent of simply ripping large portions of Slammer and changing the IAT
> > offsets used to reflect those of the ISS PAM.  Another
> possibility is that
> > Slammer and Witty were generated in source form by some kind of "worm
> > generator" -- but I don't have any information to suggest that
> this is the
> > case.  My conclusion is that the author of Witty simply copied large
> > portions of Slammer's code, completely wholesale.
> >
>
> I've seen the slammer code as hex dumps, etc, but haven't seen any
> original slammer source code.  Just wondering how anyone could make any
> determinations of any comparisons to either when the coding style really
> isn't known.  Maybe I am the only one who missed seeing the original
> code.
>
> -b
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
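An added example (my own code, not the poster's, OSsurance's, or anything from the thread) illustrating two points from the message above: the "Hex Dump -> Binary" step of the transformation cycle, and why a disassembly that keeps the Ethernet header reports every offset 0Eh (14 = 6 + 6 + 2) bytes higher than one that starts at the IP header. The hex dump is constructed for the example (a generic Ethernet/IPv4/UDP frame carrying a dummy text payload); the addresses, ports and payload are arbitrary and it is not worm traffic.

```python
"""Added example (not from the original post): the "Hex Dump -> Binary" step and the
14-byte (0Eh) offset shift caused by an Ethernet header (6 + 6 + 2 bytes).

The hex dump below is CONSTRUCTED for illustration: a generic Ethernet/IPv4/UDP
frame with a dummy text payload, not a capture of any worm."""
import struct

ETH_HDR_LEN = 14          # 6-byte dst MAC + 6-byte src MAC + 2-byte EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
UDP_HDR_LEN = 8

# Constructed dump in the "offset  hex bytes" layout, 16 bytes per line, no ASCII column.
SAMPLE_HEXDUMP = """\
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00
0010  00 2c 00 01 00 00 40 11 00 00 0a 00 00 01 0a 00
0020  00 02 10 92 10 92 00 18 00 00 44 55 4d 4d 59 20
0030  50 41 59 4c 4f 41 44 20 31 36
"""


def hexdump_to_bytes(dump):
    """Hex Dump -> Binary. The first token of each line is the offset, which is
    checked against the number of bytes already recovered so that a dropped or
    duplicated line is caught instead of silently shifting every later offset."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(f"offset column says {offset:#06x} but {len(out):#06x} bytes recovered")
        out += bytes.fromhex("".join(tokens[1:]))
    return bytes(out)


def layer_offsets(data, has_ethernet=True):
    """Return where the IPv4 header, UDP header and UDP payload start in `data`.

    With has_ethernet=True `data` is a full frame (what a sniffer shows); with
    has_ethernet=False it starts at the IP header (what a raw-socket capture or
    a disassembly that skipped the link layer would show)."""
    ip_off = 0
    if has_ethernet:
        if len(data) < ETH_HDR_LEN:
            raise ValueError("truncated Ethernet header")
        ethertype = struct.unpack_from("!H", data, 12)[0]
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError(f"EtherType {ethertype:#06x} is not IPv4")
        ip_off = ETH_HDR_LEN
    if len(data) < ip_off + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = data[ip_off]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack_from("!H", data, ip_off + 2)[0]
    if data[ip_off + 9] != IPPROTO_UDP:
        raise ValueError(f"IP protocol {data[ip_off + 9]} is not UDP")
    udp_off = ip_off + ihl
    if udp_off + UDP_HDR_LEN > len(data):
        raise ValueError("truncated UDP header")
    udp_len = struct.unpack_from("!H", data, udp_off + 4)[0]
    payload_off = udp_off + UDP_HDR_LEN
    payload_len = udp_len - UDP_HDR_LEN
    # Length fields come from the packet itself; never trust them past the buffer.
    if udp_len < UDP_HDR_LEN or payload_off + payload_len > min(len(data), ip_off + total_len):
        raise ValueError("length fields exceed captured data")
    return {"ip": ip_off, "udp": udp_off, "payload": payload_off, "payload_len": payload_len}


def ethernet_shift(dump):
    """Locate the UDP payload in the same bytes with and without the link-layer
    header and return (offset_with_eth, offset_without_eth, difference)."""
    frame = hexdump_to_bytes(dump)
    with_eth = layer_offsets(frame, has_ethernet=True)
    without_eth = layer_offsets(frame[ETH_HDR_LEN:], has_ethernet=False)
    # Same payload bytes either way; only the numbering changes.
    assert frame[with_eth["payload"]:] == frame[ETH_HDR_LEN:][without_eth["payload"]:]
    return with_eth["payload"], without_eth["payload"], with_eth["payload"] - without_eth["payload"]


if __name__ == "__main__":
    a, b, d = ethernet_shift(SAMPLE_HEXDUMP)
    print(f"payload at {a:#04x} in the frame, {b:#04x} after the IP header: delta {d:#04x}")
```

When comparing offsets between two write-ups, run the dump each author worked from through `layer_offsets` both ways first; if one set of numbers is consistently 0Eh higher, the link-layer header is the explanation and the two disassemblies are of the same bytes. The length checks matter because a hand-made or truncated dump is exactly the kind of input where an unchecked `total_len` or `udp_len` walks off the end of the buffer.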
