David Litchfield's Weblog

Wednesday, February 27th

Slammer: recognizing a "fist" in exploit code


It's been a while since I've blogged, so this will be a lazy entry. I had a chat with a few people at Black Hat in D.C. about some research I had done way back when on analyzing the code of Slammer, the worm that targeted SQL Server 2000 boxes, released on the 25th January 2003. Anyway, this text is from something I wrote up in May 2004; given that we've just passed the 5-year anniversary of Slammer, I may as well post it now...
-------
Looking back over the Slammer code I've come to the conclusion that it may have been written by two people - there are two distinctive styles at play.

Let's say we want to set a register to 0x41414141. The most efficient way of doing this is with

MOV REG, 0x41414141

Another, less efficient way to do this is with

XOR REG, REG
XOR REG, 0x41414141

The former is 5 bytes and the latter is 8.

Now here's the interesting thing: the Slammer code starts off using the first method and ends up using the second:

MOV EAX, 0x01010101
..
MOV CL, 0x18
..
MOV CX, 0x6C6C
..
MOV CX, 0x7465
..
MOV CX, 0x6F74
..
MOV ESI, 0x42AE1018
..
MOV ESI, 0x42AE1010
..
MOV ESI, 0x42AE101C

But then we start getting

XOR ECX, ECX
XOR ECX, 0x9B040103
..
(X)OR EBX, EBX
XOR EBX, 0xFFD9613C
..
XOR ECX, ECX
XOR CX, 0x178

The reason the second example is written as (X)OR is that the actual instruction is "OR EBX, EBX", which has no effect (ORing a register with itself leaves it unchanged); it was most likely meant to be XOR rather than OR, and this was one of the flaws in Slammer's pseudo-random number generator.

We can clearly see two distinct styles that achieve the same result. This can be extended: the Slammer code uses the ESI register to call functions, and we have instances of both

CALL DWORD PTR [ESI]
and
CALL ESI

Now here's an interesting point: whenever I'm calling a function I tend to use EAX out of habit. Do the Slammer author(s) have a habit of using ESI? Whenever someone writes shellcode, there definitely seem to be habits that come through. When I need a constant, I habitually use 0x41414141. The constant in Slammer is 0x01010101. Do the author(s) use 0x01010101 out of habit?

All of this leads me to think that there may be some mileage in attempting to recognize a "fist". (For those who don't know, during World War II radio snoopers listening to German comms could recognize a particular radio operator's "fist": the way the operator actually keyed the message, such as the pauses between dots and dashes and so on.)

If an exploit (worm) is released and the author is not silly enough to put a signature in it, their coding style may still give them away. If we have known exploits attributable to a specific person and the coding styles match, that may point to them being the author.
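As an added illustration (not part of the original post), here is a small Python tally of the style markers described above: the MOV reg, imm idiom versus the XOR reg, reg / XOR reg, imm pair, the OR reg, reg no-op slip, CALL targets and the immediates used. It assumes Intel-syntax disassembly with one instruction per line, and runs over a constructed fragment that mirrors the quoted snippets rather than the real worm.

```python
import re
from collections import Counter

# Constructed disassembly fragment modelled on the snippets quoted in the post; not the actual Slammer code.
SAMPLE = """\
mov eax, 0x01010101
mov cl, 0x18
..
mov esi, 0x42AE1018
call dword ptr [esi]
mov esi, 0x42AE1010
call esi
xor ecx, ecx
xor ecx, 0x9B040103
or ebx, ebx
xor ebx, 0xFFD9613C
xor ecx, ecx
xor cx, 0x178
"""

IMM_RE = re.compile(r"0x[0-9a-f]+")

def parse(listing):
    """Return (mnemonic, [operands]) per line, lower-cased; '..' gap markers skipped."""
    insns = []
    for line in listing.splitlines():
        line = line.strip().lower()
        if not line or line.startswith(".."):
            continue
        mnem, _, rest = line.partition(" ")
        insns.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return insns

def fist(listing):
    """Tally the style markers from the post (constant-loading idiom, CALL habit, immediates, OR r,r slip)."""
    insns = parse(listing)
    c = Counter()
    for i, (mnem, ops) in enumerate(insns):
        if mnem == "mov" and len(ops) == 2 and IMM_RE.fullmatch(ops[1]):
            c["mov_imm"] += 1
            c["const:" + ops[1]] += 1      # constants the author reaches for
        elif mnem in ("xor", "or") and len(ops) == 2 and ops[0] == ops[1]:
            nxt = insns[i + 1] if i + 1 < len(insns) else ("", [])
            if nxt[0] == "xor" and len(nxt[1]) == 2 and IMM_RE.fullmatch(nxt[1][1]):
                c["xor_xor_imm"] += 1      # clear-then-XOR idiom (8 bytes, not 5)
            if mnem == "or":
                c["or_self_noop"] += 1     # OR r,r changes nothing: probably meant XOR
        elif mnem == "call" and ops:
            c["call:" + ops[0]] += 1       # register habit, e.g. CALL ESI
    return c
```

Comparing the tallies from two samples (counts of each idiom, the immediates and CALL forms they favour) is the "fist" comparison the post proposes.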

------------------------

Anyway, that was that and I've not given it much thought until recently...
Cheers,
David
David on 02.27.08 @ 02:36 PM GMT