Dasher Analysis and Thoughts

First, I've had a chance to look at all three variants of the worm and reverse engineer the actual code. A big thank you to some research partners for the binaries. Having looked at the operations the worm is doing, it's obvious that it's been put together in a very haphazard fashion. The main driver of the worm actually writes a batch file that gets executed; the actual exploit code and the actual scanner are not married as code. As such, it has to be coordinated by a process (Sqltob.exe) to launch the scanner process and manage the exploit process (or processes). No one even stripped out Swan's happy little printf() statements in the code! This is a very amateur effort on the basis of the reverse engineering.

Secondly, the worm is using a central distribution point to send out the worm binaries. The tradeoffs here are mostly obvious. As a benefit, the worm master can update the binaries here and inject new exploits or new capabilities, or just bugfixes, quite handily.
Source: worm blog: Dasher Analysis and Thoughts
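An added example, not part of the quoted post or of the worm's code: detection logic in Python over constructed process-creation and download records, built from the two architectural points above, a coordinator process (Sqltob.exe) that runs a dropped batch file and spawns separate scanner and exploit children, and a single distribution host from which many infected machines fetch the same binary. The record schema, PIDs, batch path, child image names and IP addresses are assumptions made up for the example.

```python
from collections import defaultdict, namedtuple

# One process-creation record; the schema is constructed, not a real EDR format.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed telemetry shaped like the post's description: Sqltob.exe drops a
# batch file, runs it via cmd.exe, and spawns scanner and exploit children.
# PIDs, the batch path and the child image names are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(812, 4, "Sqltob.exe", "Sqltob.exe"),
    ProcEvent(820, 812, "cmd.exe", r"cmd.exe /c C:\TEMP\constructed.bat"),
    ProcEvent(824, 812, "scan.exe", "scan.exe"),
    ProcEvent(830, 812, "expl.exe", "expl.exe"),
    ProcEvent(1200, 4, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1210, 1200, "cmd.exe", r"cmd.exe /c C:\TEMP\logon.bat"),  # benign
]

# Constructed download records (internal host, source, file), RFC 5737 ranges.
SAMPLE_DOWNLOADS = [
    ("192.0.2.10", "198.51.100.7", "Sqltob.exe"),
    ("192.0.2.11", "198.51.100.7", "Sqltob.exe"),
    ("192.0.2.12", "198.51.100.7", "Sqltob.exe"),
    ("192.0.2.13", "198.51.100.20", "update.exe"),
]

def suspicious_coordinators(events, coordinator="sqltob.exe", min_children=2):
    """PIDs of `coordinator` processes that both run a .bat through cmd.exe and
    spawn at least `min_children` other children (the scanner and exploit)."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for e in events:
        if e.image.lower() != coordinator:
            continue
        kids = children[e.pid]
        ran_batch = any(k.image.lower() == "cmd.exe" and ".bat" in k.cmdline.lower()
                        for k in kids)
        others = [k for k in kids if k.image.lower() != "cmd.exe"]
        if ran_batch and len(others) >= min_children:
            hits.append(e.pid)
    return hits

def central_drop_points(downloads, min_hosts=3):
    """(source, filename) pairs fetched by at least `min_hosts` distinct internal
    hosts: the single distribution point the post describes."""
    hosts_by_src = defaultdict(set)
    for host, src, fname in downloads:
        hosts_by_src[(src, fname)].add(host)
    return sorted(k for k, h in hosts_by_src.items() if len(h) >= min_hosts)
```

The second check is also where the distribution model cuts both ways for the defender: a single source serving the same file to many hosts is easy to spot in proxy or flow logs, and blocking that one host stops further downloads until the worm master moves it.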

Linked by shanmuga Monday, 19th December 2005 6:48AM