"Witty" Worm Wrecks Computers

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.

where are all the virus's that do real damage?

glad to see virus's doing some real damage now, im tired of these stupid virus that just send out emails.. how weak, if we had more virus's that would wipe out entire systems then there would be some more pressure on software companys to fix things

Nasty flaw

[BlueLightning]

It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(

Re:Stick to hardware routers and firewalls...

[U.I.D+754625]

Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux' Netfilter or Open BSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyways (like cisco).

Re:Thats what you get

I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an applicance router/firewall that is GOOD for what 29 Bucks , thats what I just paid for my netgear wireless router.

Three words: application access privileges.

Re:Stick to hardware routers and firewalls...

[hendridm]

Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.

luser: "It says someone might be trying to break into my computer! How can I stop them?"
Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
luser: "But BlackICE says it might be an attack!"
Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."

For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parent's or novice friends computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.

Re:how do you lose the data?

[John+Hasler]

You can. I can. 99.9% of Windows users can't.

Recovery Tool

[soloport]

Yeah. Knoppix to the rescue! (Again)

points for speed and damage

[neoThoth]

Well i'm glad this was posted on slashdot even though I had submitted this *hours* before.
I've also updated my blog with all the relevent links and data . The speed of the worm creation is frightening, less then 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of russion roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues it's routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
Listed on the above blog are the following links:
eEye advisory
ISS advisory
lurhq analysis
SANS diary report
F-Secure writeup
Symantec writeup
Witty Worm Capture 1 and 2 (from dslreports.com)
and the text from SANS capture of the worm.

I've been capturing UDP traffic all day and hope to compile some more interesting information later on.