Full Disclosure mailing list archives

Re: David Litchfield talks about the SQL Worm in the Washington Post


From: auto68182 () hushmail com
Date: Thu, 30 Jan 2003 07:13:42 -0800



> On analysis of the code of the Slammer worm it is apparent that my code was
> used as its template.
>
> It uses the same addresses as my code in terms of the import address entries
> for GetProcAddress() and LoadLibraryA() in sqlsort.dll, it uses the same
> address in the .data section of sqlsort.dll and uses the same address with
> which to overwrite the saved return address on the stack. Further the worm
> code uses the same short jump and has 8 NOPs in the same place as my code.
> That's where the similarity ends, though. My code spawns a remote shell -
> the worm contains none of this.
>
> It also becomes apparent that whoever authored the worm knew how to write
> buffer overflow exploits and would have been capable of doing this without
> using my shellcode as a template. Having access to my code probably saved
> them around 20 or so minutes - but they still would have been able to do it
> without mine.

[snip]


> Now with that said, and in the light that someone has taken my code and put
> portions of it to nefarious purposes, I have to question the benefit of
> publishing sample code. How much "good" was achieved by publishing the code

Given that you've just pointed out that your sample code probably only 'saved
them around 20 or so minutes' then there's no real need for public
breast-beating around this - as you've pointed out, your sample code was by and
large irrelevant.

> But then what about the future? We often forget that our actions online can
> have very real consequences in real life - the next big worm could take out
> enough critical machines that people are killed. A massive failure of the
> emergency services computers such as 911/999 could result in someone's
> death - and I don't want to feel that I've contributed to that.

Don't worry David, I'm sure your shellcode isn't about to endanger life
as we know it - worm authors who can't be bothered to spend the 20 minutes
will just go to the next hit on google for windows shellcode :)

> With this in mind I am questioning the benefits of publishing proof of
> concept code. I am due to present a paper on the remotely exploitable buffer
> overrun in the Microsoft Locator service at Blackhat this February but
> should I then also publish the code used to demonstrate the problem? Should
> I even be discussing the problem in a public arena?

No - because then our exploits will work longer in the wild and we can
break into more boxes.  Long live closed-source commercial operating
systems and security through obscurity.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

