Security expert questions code release in wake of Slammer attack

Slammer was based on sample code published to help explain the threat posed by the security vulnerability that the worm exploited, according to the security expert who discovered the vulnerability.

The stunning success of the worm in spreading itself across the Internet had Next Generation Security Software's David Litchfield questioning whether he would publish proof-of-concept (or "exploit") code in the future.

Litchfield expressed his opinion that Slammer was based on his proof-of-concept code in an e-mail message to the bugtraq mailing list.

Many parts of the worm's code were identical to the published proof-of-concept code, but the worm was not simply a copy of the published example, Litchfield said.

"Whoever authored the worm knew how to write buffer overflow exploits and would have been capable of doing this without using my shellcode as a template."

Litchfield believed the worm's creator saved "about 20 or so minutes" by using code taken from his published exploit.

Litchfield's e-mail message was in response to questions raised on the bugtraq list after an article appeared in a US newspaper in which Litchfield suggested he would probably no longer publish exploit code.

However, he later qualified that statement, saying that exploit code serves an educational role in forums for computer security experts, such as the Black Hat Security Briefings, where Litchfield presented the SQL Server exploit and sample code in August 2002.

More often than not, the benefits of publishing proof-of-concept code outweigh any "bad" that comes out of it, said Litchfield.

That position seemed to be supported by other security experts.

Writing to bugtraq on Saturday, when Slammer was still spreading rapidly, Marc Maiffret, chief hacking officer of eEye Digital Security, thanked Next Generation Security Software for discovering the worm and publishing a detailed technical write-up of it.

The details enabled Maiffret's company to create a scanner that could identify systems on a network that were vulnerable to Slammer.

Litchfield was clearly shaken by the role his code played in Slammer's spread and is aware of the potential consequences of a destructive worm.

"But then what about the future? We often forget that our actions online can have very real consequences in real life - the next big worm could take out enough critical machines that people are killed - and I don't want to feel that I've contributed to that," he wrote.

While not ruling out the publication of proof-of-concept code in the future, Litchfield was "questioning the benefits" of releasing such code.

"Some will argue that full disclosure is a good thing. Others will abhor it. There is no one correct answer - it must be a personal decision and for the moment I am undecided," Litchfield wrote.