Exactly five years after the Slammer worm wreaked havoc on the Internet, database security guru David Litchfield has come up with an idea that might help pinpoint the author of the worm code.
Litchfield (right), who was credited with discovering the MS02-039 vulnerability that was exploited by Slammer, says there are already clues in the worm code that suggests it may have been written by two people.
“There are two distinctive styles at play,” Litchfield wrote on his blog, pointing to examples in the worm code where both styles (one efficient, one not-so efficient) were used.
Now, Litchfield believes that someone with the time and energy might be able to look around the Internet for signs of the culprit.
“All of this leads me to think that there may be some mileage in attempting to recognize a “fist.” (For those that don’t know, during World War II radio snoopers listening to German comms could recognize a particular radio operator’s “fist”–the way the operator actually sent the message, like pauses between dots and dashes.)If an exploit (worm) is released and the author is not silly enough to put a signature in it then their coding style may give them away. If we have known exploits attributable to a specific person and the coding styles match then this may point to them being the author.“
Who wants to start rummaging through Milw0rm.com?