Who knows what language Worm.blaster was made in?
Posted on 2003-09-04 23:28:38 by tomorrow
Spanish.
Posted on 2003-09-04 23:35:08 by donkey
:grin: :grin: :grin:
Posted on 2003-09-05 17:29:58 by Mikky
You don't speak Spanish? :(
Posted on 2003-09-05 18:56:09 by Guy on ASM
Worm.blaster?
Posted on 2003-09-06 06:44:20 by Vortex
Sorry, worm.blaster hasn't made any languages lately ;).
Posted on 2003-09-06 16:51:20 by iblis
the lame buffer overflow exploit with lame shellcode was written (or rather, glued together from borrowed snippets) in assembly.

The lame worm with lame and (thankfully) defunct code was lamely pieced together in C, afaik compiled with lcc-win32.

Good thing that the first RPC worm was done so lamely, or we could have had some serious trouble.
Posted on 2003-09-07 06:20:42 by f0dder
Oh, all of the worms appearing lately have been like that. I guess we don't have much to fear from these "professional computer criminals".

This is real code from a recent worm. The code is just so LOL!


push ebp
mov ebp,esp
push ecx                        ; reserve one local: [ebp-04] = i
and dword ptr [ebp-04],00       ; i = 0
push ebx
mov ebx,[ebp+0c]                ; ebx = res
push esi
push edi
00409a3b:                       ; outer loop: one input byte per pass
mov eax,[ebp+08]                ; eax = num
mov ecx,[ebp-04]                ; ecx = i
xor esi,esi                     ; j = 0
mov dword ptr [ebp+0c],00000007 ; k = 7 (stored over the res argument slot)
lea edi,[eax+ecx]               ; edi = &num[i]
00409a4d:                       ; inner loop: one bit per pass
movzx eax,byte [edi]            ; eax = num[i]
mov cl,[ebp+0c]                 ; cl = k
push 02
shr eax,cl                      ; eax = num[i] >> k
pop ecx                         ; ecx = 2
cdq
idiv ecx                        ; edx = (num[i] >> k) % 2, as a signed divide
cmp edx,01
jnz 00409a65
mov [esi+ebx],dl                ; res[j] = 1
jmp 00409a69
00409a65:
and byte ptr [esi+ebx],00       ; res[j] = 0
00409a69:
inc esi                         ; j++
dec dword ptr [ebp+0c]          ; k--
cmp esi,08
jl 00409a4d
inc dword ptr [ebp-04]          ; i++
add ebx,08                      ; res += 8
cmp dword ptr [ebp-04],08
jl 00409a3b
pop edi
pop esi
pop ebx
leave
ret

It is a routine that converts a number to binary, of all things.
This is what you get from using the Microsoft "optimizing" C compiler.
Posted on 2003-09-07 07:39:31 by Sephiroth3
The PE header will tell what software was used (C++, C, VB). Unless they were smart enough to remove it (usually not).


I saw a quote from one of the anti-virus companies. They were asked if they hire virus writers to write their anti-virus software. The guy said they did not because most virus writers don't have the programming skill. Basically he likened virus writers to newbie programmers.
Posted on 2003-09-07 08:01:45 by ThoughtCriminal

The PE header will tell what software was used (C++, C, VB). Unless they were smart enough to remove it (usually not).

Like, how? The only PE-header stuff I know of, is that you can identify borland products - they mess up rawsize/vsize, and iirc also FirstThunk - or was it OriginalFirstThunk? - Other than that, you'd have to look at the code and see whether well-known C (or delphi or...) runtime code was used by the image.

The disassembled piece of code above looks very poor - if it is the result of a recent microsoft C compiler, either the input source has been extremely poor, or the compiler has been run without optimization enabled.

While most viral writers today are pretty talentless, it's a lie that AV and security companies don't hire people from "the dark side" - for they _DO_. I know of more than a few examples of this.
Posted on 2003-09-07 08:08:16 by f0dder
I was looking at PE stuff, and there is a version field that the compiler (linker?) can put its info in.



About the not hiring. You are right. He probably just said that to keep people from writing viruses to get jobs.
Posted on 2003-09-07 10:30:06 by ThoughtCriminal
Linker version doesn't really say much. Ok, so perhaps v7 linker was used - but which product? ;). Not many of those weirdo PE fields are usually filled.
Posted on 2003-09-07 10:38:51 by f0dder
The disassembled piece of code above looks very poor - if it is the result of a recent microsoft C compiler, either the input source has been extremely poor, or the compiler has been run without optimization enabled.

I think optimization was not enabled. :) This could be seen in that it is actually useless and could easily be replaced by ecx. Furthermore I see a push ecx, but no pop ecx to preserve the value of ecx. :stupid:
Posted on 2003-09-07 11:18:59 by roticv
Optimization was enabled. :grin:

I just did a test and managed to produce the exact same code using Microsoft Visual C++ 5.0 with the option /O1.



void Test(unsigned char*num,unsigned char*res)
{
    int i,j,k;
    for(i=0;i<8;i++)                       /* one input byte per pass */
        for(j=0,k=7;j<8;j++,k--)           /* bits from MSB to LSB */
            if((num[i]>>k)%2==1) res[i*8+j]=1; else res[i*8+j]=0;
}
Posted on 2003-09-07 12:22:49 by Sephiroth3
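As an added example (not code from the thread or from the worm), here is the reconstructed source beside a mask-based version. It shows where the cdq/idiv in the listing comes from: num[i] is promoted to int, so "% 2" is a signed remainder and the compiler emits a signed divide, whereas "& 1" needs no division at all. The sample input bytes are constructed; the function names other than Test are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The source as reconstructed in the post above, unchanged. num[i] is
 * promoted to int, so '>>' and '% 2' are signed operations; that is why
 * the listing does cdq/idiv and compares the remainder with 1. */
void Test(unsigned char *num, unsigned char *res)
{
    int i, j, k;
    for (i = 0; i < 8; i++)
        for (j = 0, k = 7; j < 8; j++, k--)
            if ((num[i] >> k) % 2 == 1) res[i * 8 + j] = 1; else res[i * 8 + j] = 0;
}

/* Same result for n bytes using an unsigned mask: no division needed. */
void bytes_to_bits(const unsigned char *num, size_t n, unsigned char *res)
{
    for (size_t i = 0; i < n; i++)
        for (int k = 7; k >= 0; k--)
            res[i * 8 + (7 - k)] = (unsigned char)((num[i] >> k) & 1u);
}

/* Inverse: pack 8*n bit flags (0/1) back into bytes, MSB first. */
void bits_to_bytes(const unsigned char *bits, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++) {
        unsigned v = 0;
        for (int j = 0; j < 8; j++) v = (v << 1) | (bits[i * 8 + j] & 1u);
        out[i] = (unsigned char)v;
    }
}

int main(void)
{
    /* constructed sample input */
    unsigned char in[8] = {0xA5, 0x00, 0xFF, 0x01, 0x80, 0x5A, 0x3C, 0xC3};
    unsigned char a[64], b[64], back[8];
    Test(in, a);
    bytes_to_bits(in, 8, b);
    bits_to_bytes(b, 8, back);
    printf("worm routine == mask version: %s\n", memcmp(a, b, 64) == 0 ? "yes" : "no");
    printf("round trip ok: %s\n", memcmp(in, back, 8) == 0 ? "yes" : "no");
    for (int j = 0; j < 8; j++) putchar('0' + b[j]);   /* bits of 0xA5 */
    putchar('\n');
    return 0;
}
```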
retarded source code, very old compiler version.
Posted on 2003-09-07 12:25:02 by f0dder
Yep. No wonder they encrypted the program (using a program they downloaded off the internet, of course). Imagine the embarrassment if everyone could just open it up in their disassembler and get their laughs!

The program we're looking at is W32.Sobig.F@mm, by the way.
Posted on 2003-09-07 12:45:22 by Sephiroth3
The guy is lame, I'm not surprised that his source is crap. It is a lot easier to break something than to make something; these virii writers spend their time breaking things because they are not competent enough to make something worthwhile. They are useless as coders, and a waste of DNA. I hear people saying that it is a shame that he misused his talents - what talent?

The guy probably used an older version of C because he couldn't steal a newer version; he's a criminal and will be someone's anal toy in prison very soon.
Posted on 2003-09-07 13:35:41 by donkey
the guy who did blaster has no talent - he ripped it all.

It does require _some_ talent to find the buffer overflows, though... and it's a skill that's useful to have for us "good" programmers, too. To know which methods are being used to attack our software, so we can avoid the common mistakes.
Posted on 2003-09-07 13:40:48 by f0dder