Re: [ISN] Slammer Source Code Provides Clues

From: InfoSec News (isnat_private)
Date: Thu Jan 30 2003 - 00:51:26 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    
    > http://www.eweek.com/article2/0,3959,848302,00.asp
    >
    > By Dennis Fisher
    > January 27, 2003
    
    > Signatures within the worm's source code indicate that a group known
    > as the Honker Union of China - also known as the Hacker Union of
    > China - may be responsible for writing the code, according to
    > security experts who have analyzed the code. However, experts
    > caution that although they are certain of the code's origins,
    > someone else may have actually loosed the worm on the Internet.
    >
    > "We're 100 percent certain this was based on the CNHonker code,"
    > said Chris Rouland, director of the X-Force research team at
    > Internet Security Systems Inc., in Atlanta. "But that doesn't mean
    > they released it."
    
    Forwarded from the Full Disclosure mailing list:
    
    On Wed, 29 Jan 2003, David Litchfield wrote:
    
    : [Some have suggested that the worm used (a person known as) lion's
    : code as a template - in fact lion's code is an exact cut and paste of
    : my code - so any suggestions that lion or the Chinese group he belongs
    : to are responsible are probably erroneous. Also the suggestion that
    : because there were 8 NOPs in the worm code this "proved" it was a
    : hacker known as nop (of the same Chinese group) and this was his/her
    : signature is also very wide of the mark - the presence of the NOPs is
    : simply as a result of my code.]
    
    Wonder if Rouland would like to respond to that and his 100% certainty
    or if this was factored into the 'research' that led to this
    statement.
    
    And while we're on the topic of ISS and their "brief" (notice the
    legalese is longer than the content posted [1]) of the Slammer worm, I
    wonder why ISS then recommends using ISS Realsecure and ISS Scanner to
    help mitigate the worm. Checking SQLSecurityForum, we see that both
    products include SQL Server/MSDE that is vulnerable to the same thing they
    are trying to protect against. Hope we see some advisories on these
    products soon.
    
    
    [1] http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0038.html
    [2] http://www.sqlsecurity.com/forum/applicationslistgridall.aspx
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 03:55:31 PST