Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Witty" Worm Wrecks Computers

Posted by timothy on from the your-ruse-your-clever-trick dept.

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.

14 of 587 comments (clear)

  1. Stick to hardware routers and firewalls... by berniecase · · Score: 4, Insightful

    Although they ain't perfect, at least they're not running on your computer. Yikes.

    1. Re:Stick to hardware routers and firewalls... by U.I.D+754625 · · Score: 5, Insightful

      Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux' Netfilter or Open BSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyways (like cisco).

      --


      //Blessed are they that run around in circles, for they shall be known as wheels.
    2. Re:Stick to hardware routers and firewalls... by hendridm · · Score: 5, Insightful

      Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.

      luser: "It says someone might be trying to break into my computer! How can I stop them?"
      Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
      luser: "But BlackICE says it might be an attack!"
      Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."

      For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parent's or novice friends computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.

    3. Re:Stick to hardware routers and firewalls... by Nogami_Saeko · · Score: 4, Insightful

      Well, blackice should probably default to logging, but not alerting about the most common scans and such, but it's certainly useful for detecting a large number of attacks coming from specific addresses or blocks.

      I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to :)

      I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and blackice catches server-attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
  2. where are all the virus's that do real damage? by Anonymous Coward · · Score: 5, Insightful

    glad to see virus's doing some real damage now, im tired of these stupid virus that just send out emails.. how weak, if we had more virus's that would wipe out entire systems then there would be some more pressure on software companys to fix things

    1. Re:where are all the virus's that do real damage? by aenea · · Score: 4, Insightful

      And more pressure on users to keep their systems patched up. It's a rare virus/worm that comes in through an unknown exploit.

      If someone wrote a destructive netsky/bagle variant the email traffic on the Internet would probalby drop in half overnight as infected machines got taken out.

  3. Nasty flaw by BlueLightning · · Score: 5, Insightful

    It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(

  4. Re:Thats what you get by Anonymous Coward · · Score: 5, Insightful
    I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an applicance router/firewall that is GOOD for what 29 Bucks , thats what I just paid for my netgear wireless router.

    Three words: application access privileges.
  5. Very sad. by lazy_arabica · · Score: 4, Insightful

    Now, every windows user aware of this will believe a firewall is a great danger for his computer.

    Oh... After all, what will it change ?

  6. Re:how do you lose the data? by John+Hasler · · Score: 5, Insightful

    You can. I can. 99.9% of Windows users can't.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. Recovery Tool by soloport · · Score: 5, Insightful

    Yeah. Knoppix to the rescue! (Again)

  8. points for speed and damage by neoThoth · · Score: 5, Insightful

    Well i'm glad this was posted on slashdot even though I had submitted this *hours* before.
    I've also updated my blog with all the relevent links and data . The speed of the worm creation is frightening, less then 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of russion roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues it's routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
    Listed on the above blog are the following links:
    eEye advisory
    ISS advisory
    lurhq analysis
    SANS diary report
    F-Secure writeup
    Symantec writeup
    Witty Worm Capture 1 and 2 (from dslreports.com)
    and the text from SANS capture of the worm.

    I've been capturing UDP traffic all day and hope to compile some more interesting information later on.

  9. As a Linux user.. by msimm · · Score: 4, Insightful

    I'd like to apologise for the poster your responding to and I'd like to point that the 99.9% of OTHER Linux users are not starry eyed PFB's trying to cram their particular religion down everyone's throats.

    We know Linux needs work before its ready for prime time, just like we know that there are certain trade-offs between convenance and security.

    I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).

    So keep using your Windows PC in peace. Its got a lot of useful functionality and as a Gnome developer once suggested, the most secure operating system is the one your comfortable with and can keep updated. As Linux gains marketshare you can bet some vunerabilities will be found, some we'll expect and some we wont. Maybe you'll find it more appealing after its had more time to mature. Don't let zealots color your opinions too much, they speak for themselves.

    --
    Quack, quack.
  10. Re:Hardware FireWalls by pe1chl · · Score: 4, Insightful

    >buy some sort of hardware firewall.

    >I reccomend Linksys

    I hate to disappoint you, but your linksys box is not a hardware firewall.
    It is a dedicated microcomputer that runs a SOFTWARE firewall.

    The potential for an exploit that pierces this firewall or erases all its program memory is not less than with the product currently under attack.

    All firewalls can have bugs. This is determined by the quality of the software, and the fact that it runs in a small plastic box is not automatically going to improve that.
    Calling it "hardware" isn't going to do that either.