<<<
Tuesday, May 4, 2004
>>>
 
The Netsky-Sasser Connection Posted by Ero @ 17:12 GMT

In a previous entry, it was mentioned the claim by the NetSky.AC authors that they had also created Sasser. As a proof it was mentioned the similarity of some common code, specifically of the FTP function, between NetSky.V and Sasser.D.

We took a look into it, and came up with the following visual example. The following graphs represent the code of functions (Control Flow Graphs) in the worms' code. The text within the graph's nodes represent calls to other functions and references to text strings.

The following image shows the Install function in both Sasser.D and Netsky.V.

install_function (42k image)
Install functions

PDF versions of both graphs are available here for NetSky.V Install function and here for Sasser.D Install function


The following image shows the FTP function in both Sasser.D and Netsky.V. The main difference is that in NetSky.V, this function is called once and in Sasser.D is a thread. Therefore it is invoked differently and the initialisation is not the same. However, after this code, most of the function is basically identical. (It can be seen clearer in the PDF files, Sasser.D FTP function and NetSky.V FTP function.

ftp_function (45k image)
FTP functions






<<< Sasser.D tool and workaround
|
Patching, patching and patching >>>