A new chapter in malware. Bruce Schneier makes several excellent points about the unheralded Witty Worm - most of you probably didn't even know about it. But analysis shows this was one of the first "sophisticated" worms released to the Net - which it covered in 45 minutes. Take a look - we'll be seeing more of this in the future.
Witty was wildly successful. Twelve thousand machines was the entire vulnerable and exposed population, and Witty infected them all -- worldwide -- in 45 minutes. It's the first worm that quickly corrupted a small population. Previous worms targeting small populations such as Scalper and Slapper were glacially slow.
Witty was speedily written. Security company eEye Digital Security discovered the vulnerability in ISS's BlackICE/RealSecure products on March 8, and ISS released a patched version on March 9. EEye published a high-level description of the vulnerability on March 18. On the evening of March 19, about 36 hours after eEye's public disclosure, the Witty worm was released into the wild.
Witty was very well written. It was less than 700 bytes long. It used a random-number generator to spread itself, avoiding many of the problems that plagued previous worms. It spread by sending itself to random IP addresses with random destination ports, a trick that made it easier to sneak through firewalls. It was -- and this is a very big deal -- bug-free. This strongly implies that the worm was tested before release.
Witty was released cleverly, through a bot network of about 100 infected machines. This technique has been talked about before, but Witty marks the first time we've seen a worm do it in the wild. This, along with the clever way it spread, helped Witty infect every available host in 45 minutes.
Witty was exceptionally nasty. It was the first widespread worm that destroyed the hosts it infected. And it did so cleverly. Its malicious payload, erasing data on random accessible drives in random 64KB chunks, caused immediate damage without significantly slowing the worm's spread.
posted by mt at 09:10