UK security specialist says his code was used in Slammer worm

British security specialist David Litchfield has said that a small bit of the
code he made public at a security conference in the US last year, showing how a
vulnerability in Microsoft SQL Server 2000 could be exploited, was used by the
author of the Slammer worm.

Following the chaos created by the worm over the last weekend, Litchfield said
he was now questioning the benefits of publishing proof of concept code. "Some
will argue that full disclosure is a good thing. Others will abhor it. There is
no one correct answer - it must be a personal decision and for the moment I am
undecided."

In a posting to the Bugtraq mailing list, Litchfield, managing director of
Next Generation Security Software, said, "On analysis of the code of the Slammer
worm it is apparent that my code was used as its template."

He said: "It also becomes apparent that whoever authored the worm knew how to
write buffer overflow exploits and would have been capable of doing this without
using my shellcode as a template. Having access to my code probably saved them
around 20 or so minutes - but they still would have been able to do it without
mine."

Litchfield said this also cast doubt on the origins of the worm. "Some have
suggested that the worm used (a person known as) lion's code as a template - in
fact lion's code is an exact cut and paste of my code - so any suggestions that
lion or the Chinese group he belongs to are responsible are probably erroneous.
Also the suggestion that because there were 8 NOPs in the worm code this
"proved" it was a hacker known as nop (of the same Chinese group) and this was
his/her signature is also very wide of the mark - the presence of the NOPs is
simply as a result of my code."

Litchfield said some people would question why he ever released sample
exploit code. "The main reason is an educational one. I presented a paper and
talk on this particular problem at the Blackhat Security Briefings in August of
2002. People who attend such conferences go with the expectation that they will
get "up to the minute" and pertinent lectures. I feel that, as one of the
regular speakers at Blackhat, I should deliver the best speech I can with as
much information, to ensure that both the attendees and the organisers get what
they want. As part of my talk I published my shellcode that demonstrated that
this was a critical issue and should be patched at all costs," he said.

"Now with that said, and in the light that someone has taken my code and put
portions of it to nefarious purposes, I have to question the benefit of
publishing sample code. How much 'good' was achieved by publishing the code and
how much 'bad' came out of it. Normally the good, by far, outweighs the bad -
but there are infrequent cases like we have all just experienced, where perhaps
the bad outweighs the good," he said.

"Looking for the silver lining in the dark cloud of Slammer, though, we know
now that there are considerably more patched SQL Servers than there were before
the weekend - and this is a good thing.

"But then what about the future? We often forget that our actions online can
have very real consequences in real life - the next big worm could take out
enough critical machines that people are killed. A massive failure of the
emergency services computers such as 911/999 could result in someone's death -
and I don't want to feel that I've contributed to that."

Article source and further details: Sydney Morning Herald