Slashdot Mirror


Wired To Publish Slammer Source Code

Juan Carlos writes "Wired Magazine is going to publish the source code to the SQL Slammer worm in its next issue, due Tuesday, along with some kind of play-by-play of the worm's rapid spread. I actually think this is a neat idea for an article. But the fact is, the disassembly of Slammer (aka Sapphire) has been available on the Net since late January -- just hours after the worm started to spread."

28 of 158 comments

  1. But the fact is..? by Phroggy · · Score: 5, Insightful

    But the fact is, the disassembly of Slammer (aka Sapphire) has been available on the Net since late January -- just hours after the worm started to spread.

    Ummm...

    So?

    Of course people started looking at the code as soon as it was unleashed, and of course they wrote their own descriptions of how it worked. Maybe Wired could do a better job of explaining it to their readers? Besides, I'd bet most of the people who read the magazine didn't read that disassembly you referenced.

    Wired thinks they have a story that will interest people. They're probably right. If you're suggesting that Wired must have stolen it, I think you're being silly, and if not, then what's the issue here?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:But the fact is..? by monkey_tennis · · Score: 3, Insightful

      But that's the point. eEye analysed the code for one audience, but that won't be accessible to most people. Wired generally does a good job of introducing complex subjects clearly for the layman.

  2. Good idea by powerline22 · · Score: 5, Interesting

    While the code has been available for a while on the internet, Wired is probably doing this to make an example of what Windows users are facing, and are probably going to explain as much as they can with the code.

    1. Re:Good idea by monkey_tennis · · Score: 3, Informative

      Exactly right. As the link above shows, the code is in assembly language, which most people would need some help with.

    2. Re:Good idea by jj_johny · · Score: 4, Interesting

      More to the point, most of the press and incident reports talk about the infection from the single machine point of view and then jump up to the total numbers of infected machines without mapping out what happens in between the two. I hope they talk about percent of machines left vulnerable (idiots that have their SQL on the internet), how the jump from one host to another works, how effective the jump is... In other words, I would like to see the epidemiology of a computer virus.

  3. You can picture it now.... by MosesJones · · Score: 5, Funny


    Reader : "I wonder if they've patched the internal servers here at work...."

    Types in the slammer code, compiles it and runs it up...

    Reader : "Nothing seems to be happening"

    Meanwhile in another part of the building

    Manager: "What do you mean the whole UAT environment has gone down?"

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:You can picture it now.... by archen · · Score: 3, Funny

      If the users on the network I admin actually started compiling their own code, I'd shoot myself. It's bad enough not getting them to click on every attachment. God knows what they would compile on their own.

  4. But that doesn't mean... by Advocadus Diaboli · · Score: 5, Funny

    ...that SQL-Slammer is going to be Open Source, does it?

    1. Re:But that doesn't mean... by ecalkin · · Score: 4, Funny

      the original code was (is) copyrighted, assuming it was written in a country that has copyright laws.

      somehow i don't think that the owner of this copyright is gonna be knocking on the door to complain.

  5. Bring down the internet without complicated worms by Rosco P. Coltrane · · Score: 3, Funny

    June 5, 2003 -- Think of it as a how-to guide to bringing down the Internet.

    Here's my guide :

    1 - unplug the network cable

    Very effective DoS : nobody will be able to see your server from outside and your network connection will become very slow.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  6. So, by imadork · · Score: 5, Insightful

    Wired can publish the code to a computer virus, but not to DeCSS? That seems backwards to me. It seems like every day has been Opposite Day in the Tech industry lately...

    1. Re:So, by Paul Boutin · · Score: 3, Informative

      Wired published the complete DeCSS Perl script, with an explanation of how it worked, under the headline "DVD Hacking for Dummies," three years ago. No one noticed.

      --
      Paul Boutin | writer for Slate, Wired, etc
  7. SCO to sue ? by Anonymous Coward · · Score: 5, Funny

    ... they had better pray that SCO code isn't used in it.

  8. Good publicity by kinnell · · Score: 5, Insightful
    But the fact is, the disassembly of Slammer (aka Sapphire) has been available on the Net since late January -- just hours after the worm started to spread

    That may be the case, but it's still a good way to obtain publicity, and thereby sell more copies. They've just managed to get a free advertisement on slashdot, after all.

    --
    If I seem short sighted, it is because I stand on the shoulders of midgets
  9. in other news by lingqi · · Score: 3, Interesting

    Ashcroft wants a tougher Patriot Act.

    wonderful world, isn't it? How many years before we can't publish this kind of stuff on magazines?

    --

    My life in the land of the rising sun.

  10. Source code by spakka · · Score: 3, Informative

    No, they will publish the assembly code. Not the same thing.

    1. Re:Source code by BlackHawk-666 · · Score: 3, Insightful

      Ahem, since this virus was clearly written in assembler then they are actually publishing the source code. It may have different labels for the JMP instructions, but aside from that (and working out where your data locations are) it should be exactly the same code that the cracker used. Each assembly instruction has a 1 to 1 mapping with machine code instructions.

      Still, if they publish the code shown at eEye then I suspect it won't work since it needs data segment and code segment hints and stuff to make an exe, although it could be incorporated into another project fairly easily.

      --
      All those moments will be lost in time, like tears in rain.
  11. Re:Wired by curtisk · · Score: 3, Insightful

    ....Which is probably why they are writing a story on it, tech-savvy or not, these things have the potential to screw up your workplace, so any knowledge the reader can get on it is better than none. It may be dumbed down, but that's fine as long as the point gets across. I don't suspect they'll do a line by line assembler overview :)

    As far as the code itself (I was one of the "geeks" who read it right after it was made public), I never get tired of the drive that people who just want to cause havoc have. When you look thru the code and realize that all that damage can be done with a few mere Kb's and be completely memory resident (no tracks), you just have to chuckle in spite of yourself, all the CPU power in the world can be smacked hard by a wee bit of code. Ain't that life? :D

    --

    Dear toilet user!

  12. Symantec isn't impartial here by Rosco P. Coltrane · · Score: 4, Insightful

    Vincent Weafer, senior director of security response at computer security company Symantec Corp., said that while detailed articles could be important in raising computer security awareness, they also needed to be handled with care.

    "It's something you need to be cautious of, particularly in a broad-based magazine," Weafer said.

    "You need to be aware of your audience and what you're saying to them," Weafer said.


    In other words Vincent, Symantec is worried that divulging the underlying techniques of a typical worm will demystify viruses somewhat, degrade the "magic bullet against all computer threats" image that antivirus makers enjoy in the general public, and help reduce the fear and panic that compels many computer users to rush to their local software shop to buy the newest and greatest antivirus software when a new virus strikes. After all, a lot of viruses/worms can be avoided if users had sane computer habits, such as never opening executables from an email, but your average computer user doesn't know and Symantec doesn't want him/her to know.

    Remember : Symantec, McAfee and the others have no more interest in taking the myth out of viruses than they want Microsoft to release secure products.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Symantec isn't impartial here by Surak · · Score: 5, Interesting

      After all, a lot of viruses/worms can be avoided if users had sane computer habits, such as never opening executables from an email, but your average computer user doesn't know and Symantec doesn't want him/her to know.

      Nor are they likely ever to know, honestly. My aunt, whom I characterize as a typical computer user, ran Windows 95 on her box for a long time. One day she was cleaning out her hard drive (because she's insane about organization) and saw two folders named 'Windows' and 'Program Files' on her C: drive, decided she didn't need any folders called 'Windows' or 'Program Files' and proceeded to delete them both.

      Needless to say she called me and said <whine>"my computer doesn't work"</whine> and when she explained what she did I had a very hard time keeping myself from ROFLMAOing. ;)

      Anyways, my point is that the average computer user is REALLY *that* dumb and that's the thing that's going to keep worms and viruses around for quite some time to come, regardless of how well operating systems are built, regardless of what Symantec or McAfee do, etc.

  13. Mainstream press by barnaclebarnes · · Score: 4, Insightful

    I think the reason it may be a big deal is that this is in the mainstream press. And this could show people how to write a virus...Of course anyone with half a brain already knows where to find this information anyway but now it will be exposed to the general population.

    --
    [Please type your sig here.]
    1. Re:Mainstream press by BlackHawk-666 · · Score: 4, Insightful
      There have been virus writing kits available for years now with little or no coding required. If this stuff is in assembler then even many experienced programmers wouldn't be able to deal with it. This is *not* going to teach anyone who can't already do it how to write a virus.

      For reference: I can write both assembler and viruses (though I don't do the second) so I have a reasonable idea of what I am talking about. I am the only programmer out of 16 in our shop that can even write in assembler.

      --
      All those moments will be lost in time, like tears in rain.
  14. Warning! by Anonymous Coward · · Score: 5, Funny

    A new vulnerability has been found in IE that exploits the feature of automatically executing machine code viewed in a text file.

  15. Source Code Hieroglyphics by The Future Sound of · · Score: 4, Insightful

    Wired appeals more to digital enthusiasts than to actual software developers anyway. The publication of the source code is equivalent to the National Geographic showing pictures of hieroglyphics in an article about the pyramids. Most of the readership will just look at the indecipherable code as a form of abstract art than anything else.

  16. Like in the good old days... by MavEtJu · · Score: 4, Insightful

    It will be like in the good old days, when you bought a magazine and had to type in all the programs they published in there.

    And boy, what fun we had with debugging the stuff when after two days of typing (my neck! my neck!) the program didn't work.

    --
    bash$ :(){ :|:&};:
  17. Legal Issue? by nurb432 · · Score: 4, Interesting

    Isn't publishing things like this now considered illegal under the Patriot act ( and related laws )?

    The 'reverse-engineer' issue aside, ( from the DMCA ) this would be considered a product for cyber terrorism, and last I heard we can't discuss details on anything related to terrorism.. be it cyber or 'real' ( such as bomb making )

    Not that I agree that information or knowledge should be squelched just because the people in power don't approve, ( remember the 1st amendment still exists, for now ) but Wired might be opening themselves up for a legal battle they CAN'T win..

    --
    ---- Booth was a patriot ----
  18. from the author by Paul Boutin · · Score: 5, Interesting
    What Juan Carlos probably meant was: Why is it supposedly controversial to publish something that's already all over the Net? I wrote the story, and I would agree with him. Yes, I've explained how Slammer works in a way non-programmers can hopefully understand. Just as important, we have new data that show how fast it really spread. Is that going to turn teenagers into evil crackers, or is it going to get the kind of people who read Wired - executives, Congress, other journalists - to look at network security more seriously? We think the latter, and we also think it's just a good story that hasn't been told from this angle before.

    I plead guilty to the "wannabe" charge, though. Those who can, do. Those who can't, write magazine articles.

    --
    Paul Boutin | writer for Slate, Wired, etc
  19. Follow the money by mobileskimo · · Score: 5, Interesting

    Wired is obviously publishing this to sell magazines. That's what they do. Did you think they needed any other ulterior motive? The question is who is their audience?

    This benefits none of the hackers. Those that are savvy enough to make use of the code, have no need for the code being published in the magazine. They've already seen it, they may have even toyed with it, might have done so back in January. More than likely, they may read it at their magshop or borrow it from someone for amusement purposes. Perhaps they may purchase it. Certainly the creator of the worm will. Clipped and saved in some album.

    This benefits none of the lay technology folks, the larger band of their customers. They don't have enough background on assembly and how it works, and they haven't the tools. The motivation is there though. If they could get it to work, they could call their friends up and brag about how much a hacker s/he is.

    Completely lay person as someone pointed out will look at it like hieroglyphics. Raise an eyebrow and move on.

    Corporations in the industry. Here's a mixed bag. Raising awareness and de-mystifying can work in both ways. AV companies may benefit, they may not. Raising awareness may result in more sales of AV products by confirming in the public's eye that such things do exist, and with higher frequency, with more substantial impacts. It may lower the sales if the information is provided in a certain manner (for example, you don't run SQL, therefore you don't need AV for this).

    IMHO, I think it will increase business in the industry as a whole. That's what advertising is all about, isn't it? Raising awareness for products? I mean, how could you know you needed a spring-loaded-nose-picker, if you didn't see the commercial warning you about the possible dangers of snot-clog-respiratory syndrome?

    --
    "Last one in is a rotten goblin!" - Kepp