Expert weighs code release after Slammer

Saturday's Slammer worm was based on sample code published to help explain the threat posed by the security vulnerability that Slammer exploited, according to David Litchfield, the security expert who discovered the vulnerability.

The stunning success of the worm in spreading itself across the Internet had Litchfield questioning whether he will publish proof-of-concept (or "exploit") code in the future. Litchfield expressed his opinion that the Slammer worm was based on his proof-of-concept code in an e-mail message to the widely read bugtraq mailing list. (See: http://online.securityfocus.com)

"On analysis of the code of the Slammer worm it is apparent that my code was used as its template," Litchfield wrote.

Many parts of the worm's code were identical to the published proof of concept code, but the worm was not simply a copy of the published example, Litchfield said.

"It (is) apparent that whoever authored the worm knew how to write buffer overflow exploits and would have been capable of doing this without using my shellcode as a template," Litchfield wrote.

The code taken from Litchfield's published exploit saved the worm's real writer "about 20 or so minutes," Litchfield wrote.

The e-mail message from Litchfield was a response to questions raised on the bugtraq list after an article was published Wednesday in the Washington Post. In that article, Litchfield suggested that, after seeing the damage wrought by Slammer, he would probably no longer publish exploit code.

Writing later Wednesday, Litchfield backtracked on his statement to the Post.

Exploit code serves an educational role in forums of computer security experts like the Blackhat Security Briefings, where Litchfield presented the SQL Server exploit and sample code in August, 2002, he said.

"People who attend such conferences go with the expectation that they will get 'up to the minute' and pertinent lectures."

Providing as much information as possible about new vulnerabilities ensures that "both attendees and organizers get what they want," Litchfield wrote.

More often than not, the benefits of publishing proof-of-concept code outweighs any "bad" that comes out of it, according to Litchfield.

That position seemed to be supported by other security experts.

Writing to bugtraq Saturday, when Slammer was still spreading rapidly, Marc Maiffret, chief hacking officer of eEye Digital Security Inc. thanked Litchfield's company, Next Generation Security Software Ltd. (NGSS) for discovering the worm and publishing a detailed technical write up of it.

The details provided by NGSS, based in Sutton, England, enabled Maiffret's company to create a scanner that could identify systems on a network that were vulnerable to the Slammer worm.

The company's scanner "once again illustrat(es) that details ARE needed to help the good guys," Maiffret wrote.

While continuing to support the release of exploit code in theory, however, Litchfield was clearly shaken by the role his code played in Slammer's spread and is aware of the potential consequences of a destructive worm.

"But then what about the future? We often forget that our actions online can have very real consequences in real life -- the next big worm could take out enough critical machines that people are killed ... and I don't want to feel that I've contributed to that," Litchfield wrote.

While not ruling out the publication of proof-of-concept code in the future, Litchfield was "questioning the benefits" of releasing such code.

"Some will argue that full disclosure is a good thing. Others will abhor it. There is no one correct answer -- it must be a personal decision and for the moment I am undecided," Litchfield wrote.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

PC World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?