Slashdot Mirror


"Witty" Worm Wrecks Computers

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.

21 of 587 comments

  1. Stick to hardware routers and firewalls... by berniecase · · Score: 4, Insightful

    Although they ain't perfect, at least they're not running on your computer. Yikes.

    1. Re:Stick to hardware routers and firewalls... by U.I.D+754625 · · Score: 5, Insightful

      Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux's Netfilter or OpenBSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyways (like Cisco).

      --
      //Blessed are they that run around in circles, for they shall be known as wheels.
    2. Re:Stick to hardware routers and firewalls... by JPriest · · Score: 3, Insightful

      They call it security software and have services in listening state? Nobody seems to get it.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    3. Re:Stick to hardware routers and firewalls... by hendridm · · Score: 5, Insightful

      Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.

      luser: "It says someone might be trying to break into my computer! How can I stop them?"
      Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
      luser: "But BlackICE says it might be an attack!"
      Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."

      For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parents' or novice friends' computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.

    4. Re:Stick to hardware routers and firewalls... by Zocalo · · Score: 3, Insightful
      > Stick to hardware routers and firewalls

      And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then? All of your boxes are potentially vulnerable instead, that's what. Trusting your security to a single product, hardware or software, is a disaster waiting to happen, and for some of ISS's customers it's probably happening right now.

      Pretty much all SOHO routers have a firewall capability these days, and there are free "personal" firewall systems for all major OSs. If you are connected to the net and have a clue about security, you'll be using both and monitoring both white-hat and black-hat security sites daily. That all patches are applied as soon as prudent goes without saying of course...

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Stick to hardware routers and firewalls... by Nogami_Saeko · · Score: 4, Insightful

      Well, BlackICE should probably default to logging, but not alerting about the most common scans and such, but it's certainly useful for detecting a large number of attacks coming from specific addresses or blocks.

      I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to :)

      I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and BlackICE catches server attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    6. Re:Stick to hardware routers and firewalls... by Imperator · · Score: 3, Insightful
      > Well, BlackICE should probably default to logging, but not alerting about the most common scans and such

      The problem with someone that claims to protect you from something is that they will make a lot of noise about all the things they're supposedly protecting you from, so that you think they're making you safe. Those crappy Windows firewalls do that, as well as AV software. For a non-software example, look at how US prosecutors love to bring cases for "terrorism" and make lots of noise about it, even if those cases all get thrown out of court.

      --
      Gates' Law: Every 18 months, the speed of software halves.
  2. where are all the viruses that do real damage? by Anonymous Coward · · Score: 5, Insightful

    glad to see viruses doing some real damage now, I'm tired of these stupid viruses that just send out emails.. how weak, if we had more viruses that would wipe out entire systems then there would be some more pressure on software companies to fix things

    1. Re:where are all the viruses that do real damage? by aenea · · Score: 4, Insightful

      And more pressure on users to keep their systems patched up. It's a rare virus/worm that comes in through an unknown exploit.

      If someone wrote a destructive netsky/bagle variant the email traffic on the Internet would probably drop in half overnight as infected machines got taken out.

  3. Nasty flaw by BlueLightning · · Score: 5, Insightful

    It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(

  4. That's what you get by MajorDick · · Score: 3, Insightful

    I mean seriously, whoever thought it was a good idea to run a firewall on the actual computer connected to the net? I mean you can buy an appliance router/firewall that is GOOD for what, 29 bucks? That's what I just paid for my Netgear wireless router. I have never understood why you would want to run the firewall on the actual connected system. Guess they can't say it's better than running nothing anymore.

    1. Re:That's what you get by Anonymous Coward · · Score: 5, Insightful
      > I mean seriously, whoever thought it was a good idea to run a firewall on the actual computer connected to the net? I mean you can buy an appliance router/firewall that is GOOD for what, 29 bucks? That's what I just paid for my Netgear wireless router.

      Three words: application access privileges.
  5. Very sad. by lazy_arabica · · Score: 4, Insightful

    Now, every Windows user aware of this will believe a firewall is a great danger for his computer.

    Oh... After all, what will it change?

  6. Re:how do you lose the data? by John+Hasler · · Score: 5, Insightful

    You can. I can. 99.9% of Windows users can't.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. Recovery Tool by soloport · · Score: 5, Insightful

    Yeah. Knoppix to the rescue! (Again)

  8. points for speed and damage by neoThoth · · Score: 5, Insightful

    Well I'm glad this was posted on Slashdot even though I had submitted this *hours* before.
    I've also updated my blog with all the relevant links and data. The speed of the worm creation is frightening, less than 5 days from the vulnerability announcement to the time that the worm hit the Internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of Russian roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues its routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
    Listed on the above blog are the following links:
    eEye advisory
    ISS advisory
    lurhq analysis
    SANS diary report
    F-Secure writeup
    Symantec writeup
    Witty Worm Capture 1 and 2 (from dslreports.com)
    and the text from SANS capture of the worm.

    I've been capturing UDP traffic all day and hope to compile some more interesting information later on.
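    A defender-side heuristic for the behaviour neoThoth describes (each cycle sprays 20,000 random addresses over UDP), written here as an added example that is not from the original thread or from any of the linked analyses. It reads constructed flow records in an assumed one-line format (epoch, protocol, source IP, source port, destination IP, destination port) and flags any source that reaches an unusually large number of distinct destinations inside a short time window; the thresholds and sample traffic are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample flow records (not a real capture). Assumed format:
# "<epoch> <proto> <src_ip> <src_port> <dst_ip> <dst_port>"
SAMPLE_FLOWS = [
    # 10.0.0.5 sends UDP to 60 distinct pseudo-random hosts within two seconds
    f"{1079900000 + i // 30} udp 10.0.0.5 53123 "
    f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{i}.{(i * 7) % 256} {1024 + i}"
    for i in range(60)
] + [
    # 10.0.0.9 does ordinary DNS lookups to a single resolver
    f"{1079900010 + i} udp 10.0.0.9 {40000 + i} 10.0.0.53 53" for i in range(5)
] + [
    # a TCP connection from 10.0.0.9, ignored by this UDP-only heuristic
    "1079900012 tcp 10.0.0.9 40100 10.0.0.80 80",
]


def parse_flow(line):
    """Split one record into (epoch, proto, src_ip, src_port, dst_ip, dst_port)."""
    ts, proto, src, sport, dst, dport = line.split()
    return int(ts), proto, src, int(sport), dst, int(dport)


def find_udp_sprayers(lines, window=5, min_targets=50):
    """Return {src_ip: peak_distinct_destinations} for every source that
    contacts at least `min_targets` distinct hosts over UDP within any
    `window`-second span. A worm spraying thousands of random addresses per
    cycle exceeds any sane threshold; a normal client talks to a few hosts."""
    by_src = defaultdict(list)
    for line in lines:
        ts, proto, src, _, dst, _ = parse_flow(line)
        if proto == "udp":
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                      # order by timestamp
        seen = {}                          # dst -> occurrences inside the window
        lo, peak = 0, 0
        for ts, dst in events:
            seen[dst] = seen.get(dst, 0) + 1
            # slide the window start forward, dropping records older than `window`
            while events[lo][0] < ts - window:
                old = events[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            peak = max(peak, len(seen))
        if peak >= min_targets:
            hits[src] = peak
    return hits
```

    On the constructed sample only 10.0.0.5 is flagged; on real traffic the window and threshold should be tuned against the site's normal per-host fan-out before alerting on it.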

  9. Re:One question by Blackbrain · · Score: 3, Insightful

    To be fair if the system softs allow a firewall app to write to the boot block of the disk, I would blame the system softs.

    --
    Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
  10. One wonders what else got in this way by Animats · · Score: 3, Insightful
    Every time there's some high-profile attack that exploits a huge hole like this, there are probably other attacks using the same hole. Ones that quietly break in, look for interesting data like credit card numbers, transmit to a remote system, and exit.

    This is a huge hole. It requires no end-user action whatsoever to exploit. The "security" program it attacks is probably running with administrator privileges, even on locked-down systems. There's no reason a packet filter should be able to write raw disks. In fact, if it still runs with those privileges, you want to get this "security" product off your system now. This might not be the only hole.

  11. As a Linux user.. by msimm · · Score: 4, Insightful

    I'd like to apologise for the poster you're responding to and I'd like to point out that the 99.9% of OTHER Linux users are not starry-eyed PFB's trying to cram their particular religion down everyone's throats.

    We know Linux needs work before it's ready for prime time, just like we know that there are certain trade-offs between convenience and security.

    I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).

    So keep using your Windows PC in peace. It's got a lot of useful functionality and as a Gnome developer once suggested, the most secure operating system is the one you're comfortable with and can keep updated. As Linux gains marketshare you can bet some vulnerabilities will be found, some we'll expect and some we won't. Maybe you'll find it more appealing after it's had more time to mature. Don't let zealots color your opinions too much, they speak for themselves.

    --
    Quack, quack.
  12. Re:Sucks to be a Windows user by Microlith · · Score: 3, Insightful

    > Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)

    > You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.


    Oh god shut up, shut up, shut the FUCK UP.

    *cough*

    Excuse me, but you can shove that condescending know-it-all attitude straight up your ass.

    I use Windows because the overall experience, at least for desktop use, has been better. Stuff actually works the way I expect it to. I plug in a FireWire hard disk, it installs and loads drivers, and the partitions, if any, appear. Instantly. No going to linux1394.org, downloading a shell script, and hoping it works. I click a torrent in Mozilla, or Explorer, or whatever, and it loads my BitTorrent client automatically. More recent distros are better, but you won't win anyone over with that attitude.

    Last time I had reliability problems with Windows, the hard disk was failing. But since I fixed that problem (which not even Linux is immune to) I've had ZERO problems booting. And to be honest, I haven't had any security problems.

    Whoa, you think I'm lying, right?

    No, I'm not. In the time I've been running 2K and XP, not once have I had:

    A Trojan
    A Worm
    Spyware
    Malware

    of any sort have any sort of presence on my machine.

    Granted, I run Mozilla and Apache (with a secured user account of its own) instead of the usual Windows implements. Sometimes the open-source community does create stuff that truly JUST WORKS. At least they're smart enough to not get arrogant about it.

    But for kicks I run without a firewall and as an administrator 100% of the time. Still waiting for all the problems you describe.

    So, kindly, pull that stick out of your ass. Thank you.

  13. Re:Hardware FireWalls by pe1chl · · Score: 4, Insightful

    > buy some sort of hardware firewall.

    > I recommend Linksys

    I hate to disappoint you, but your Linksys box is not a hardware firewall.
    It is a dedicated microcomputer that runs a SOFTWARE firewall.

    The potential for an exploit that pierces this firewall or erases all its program memory is not less than with the product currently under attack.

    All firewalls can have bugs. This is determined by the quality of the software, and the fact that it runs in a small plastic box is not automatically going to improve that.
    Calling it "hardware" isn't going to do that either.