"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
Worms and Viruses caused DATA LOSS!
It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.
I was just thinking about this, can the company be held liable for their software allowing others to basically destroy all data on the computer?
:)
Then I got to thinking, what about Microsoft, whose OSes and products have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of time.. remember the SQL one?
First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses..Not a welcome change for the people who got hit by it of course :(
By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use BugMeNot to find a login. Click here
How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
If the only thing this does is wipe out the hard drive, how does it spread to other systems? Is there a dormant version of this, or does it postpone doing the damage for a certain number of hours? The articles didn't explain.
How about: by generating the need to create a patchwork of protections on your OS...
;-)
For crying out loud - it's supposed to _protect_ your computer - not be a target for an attack... And an ISS product of all... yikes.
I think I'm going to stick to my debian / iptables. Never had a problem (3 years same install and still counting), and it does not thrash my HD
It's a weekend, why should they care about putting out their timely alerts, eh?
"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Installed a snort rule this morning using:
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)
Found via http://isc.incidents.org/diary.html?date=2004-03-20.
After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.
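The rule in the post above matches UDP datagrams with a source port in 4000:5000 whose payload contains one fixed byte string (Snort's |...| syntax is raw hex). The following is an added example, not code from the post, from ISC or from Snort: it decodes that hex content and applies the same header-plus-content check to a few constructed datagrams, so the match can be reproduced offline against captured traffic. The UdpDatagram type and the sample packets are assumptions made for the example.

```python
"""Reimplement the ISC "Witty Initial Traffic" Snort match in Python.

Added example, not from the Slashdot post, ISC or Snort. The datagrams in
SAMPLE are constructed for illustration.
"""
from dataclasses import dataclass

# The content bytes exactly as they appear between |...| in the rule.
WITTY_CONTENT_HEX = "29202020202020696e73657274207769747479206d6573736167652068657265"
WITTY_CONTENT = bytes.fromhex(WITTY_CONTENT_HEX)

# Snort's "4000:5000" source-port range is inclusive at both ends.
SRC_PORT_RANGE = range(4000, 5001)


@dataclass(frozen=True)
class UdpDatagram:
    """Minimal view of a UDP datagram (assumed shape, not a Snort structure)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def content_as_text() -> str:
    """Decode the rule's hex content so a reader can see what it actually matches."""
    return WITTY_CONTENT.decode("ascii")


def matches_witty_rule(d: UdpDatagram) -> bool:
    """Rule header: udp, any src IP, sport 4000:5000, any dst. Body: content present anywhere."""
    return d.src_port in SRC_PORT_RANGE and WITTY_CONTENT in d.payload


def scan(datagrams):
    """Return one alert line per matching datagram, using the rule's msg text."""
    alerts = []
    for d in datagrams:
        if matches_witty_rule(d):
            alerts.append(
                f"[Witty Initial Traffic] {d.src_ip}:{d.src_port} -> "
                f"{d.dst_ip}:{d.dst_port} len={len(d.payload)}"
            )
    return alerts


# Constructed sample traffic (addresses and ports are made up):
SAMPLE = [
    # matches: source port in range and the content string embedded in the payload
    UdpDatagram("198.51.100.7", 4321, "203.0.113.9", 31337,
                b"\x05\x00\x00\x00" + WITTY_CONTENT + b"\x90" * 40),
    # same content but source port 53: the rule header does not match
    UdpDatagram("198.51.100.8", 53, "203.0.113.9", 31337,
                b"\x05\x00" + WITTY_CONTENT),
    # source port in range but an unrelated payload: the content check fails
    UdpDatagram("198.51.100.9", 4500, "203.0.113.9", 4500,
                b"\x00\x01\x02\x03 not the worm"),
]

if __name__ == "__main__":
    print("rule content decodes to:", repr(content_as_text()))
    for line in scan(SAMPLE):
        print(line)
```

Because the content check is a plain byte-substring search, the match is exact and case-sensitive; anything that alters the bytes would slip past it, which is why signature rules of this kind are useful for counting the known worm but not for catching variants.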
But this is inherently why the idea of a firewall LOCAL to the system it is protecting is a ... shall I say "retarded" idea.
A firewall is best a physical device between your network and the "great big intarweb". That way if your firewall IS compromised, you aren't immediately toast.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
I have a clue about security.
Yet it is still not worth my time to monitor both white and blackhat security sites daily.
I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.
This is just priceless though, I wish that guy a hearty Nelson "har har".
Never overestimate the end user. -jeramy b. smith
Surely you could still access the data and copy it onto another hard disk, burn it to CD or copy it to a USB pen by running Knoppix.
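The question earlier in the thread was how overwriting the first few sectors could cost all the data, and this reply says a live CD still gets at it. The following added example (not code from the thread, and not any rescue tool's own code) shows why: it builds a small constructed disk image in memory, parses the MBR partition table, zeroes sector 0 the way a boot-sector-trashing payload would, and then recovers the partition's start by scanning for the filesystem boot-sector signature, which is the kind of search a rescue tool booted from live media performs. The image layout, the partition offsets and the "file" contents are all assumptions made for the demonstration.

```python
"""Wiping sector 0 versus the data behind it: parse an MBR, wipe it, recover the partition.

Added example, not from the Slashdot thread. The disk image is constructed
in memory; the partition start (LBA 63) and the sample file are assumptions.
"""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
# Partition table entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start (u32 LE), sector count (u32 LE). 16 bytes, four entries at offset 446.
ENTRY_FMT = "<B3sB3sII"
FILE_TEXT = b"quarterly results"   # constructed file content
FILE_OFFSET_SECTORS = 16           # where the "file" sits inside the partition


def build_image(part_start_lba=63, part_sectors=200):
    """Construct: MBR with one NTFS-type entry, an NTFS-like boot sector, one data file."""
    img = bytearray((part_start_lba + part_sectors) * SECTOR)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", part_start_lba, part_sectors)
    img[446:446 + 16] = entry
    img[510:512] = MBR_SIG
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"      # jump instruction NTFS boot sectors start with
    boot[3:11] = b"NTFS    "         # OEM ID at offset 3
    boot[510:512] = MBR_SIG          # boot sectors carry the same 0x55AA trailer
    off = part_start_lba * SECTOR
    img[off:off + SECTOR] = boot
    data_off = (part_start_lba + FILE_OFFSET_SECTORS) * SECTOR
    img[data_off:data_off + len(FILE_TEXT)] = FILE_TEXT
    return img


def parse_mbr(img):
    """Return [(type, start_lba, sectors)] for used entries, or None if the MBR signature is gone."""
    if bytes(img[510:512]) != MBR_SIG:
        return None
    parts = []
    for i in range(4):
        raw = img[446 + 16 * i: 446 + 16 * (i + 1)]
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype != 0:
            parts.append((ptype, start, count))
    return parts


def wipe_first_sectors(img, n=1):
    """Zero the first n sectors (what a boot-sector-trashing payload leaves behind)."""
    img[0:n * SECTOR] = bytes(n * SECTOR)


def find_ntfs_boot_sectors(img):
    """Scan every sector for an NTFS boot sector: OEM ID at offset 3 plus the 0x55AA trailer."""
    hits = []
    for lba in range(len(img) // SECTOR):
        s = img[lba * SECTOR:(lba + 1) * SECTOR]
        if bytes(s[3:11]) == b"NTFS    " and bytes(s[510:512]) == MBR_SIG:
            hits.append(lba)
    return hits


def read_file(img, part_start_lba):
    """Read the sample file back from its known offset inside the partition."""
    off = (part_start_lba + FILE_OFFSET_SECTORS) * SECTOR
    return bytes(img[off:off + len(FILE_TEXT)])


def demo():
    """Before the wipe the MBR names the partition; after it, scanning finds it and the file is intact."""
    img = build_image()
    before = parse_mbr(img)
    wipe_first_sectors(img, n=1)
    after = parse_mbr(img)
    recovered = find_ntfs_boot_sectors(img)
    data = read_file(img, recovered[0]) if recovered else b""
    return before, after, recovered, data


if __name__ == "__main__":
    print(demo())
```

The scan succeeds here because the payload touched only sector 0. A payload that scatters overwrites across the first gigabytes, as the disassembly described later in the thread, corrupts whatever happens to sit in each hit chunk, so the same approach recovers the untouched remainder rather than everything.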
Viruses for Linux are not likely to be very damaging. To do this kind of thing (i.e. overwrite the first blocks of a hard disk), the virus would have to be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have a ssh account on this computer.
It's easier in a windows environment to do big remote damage because many programs and servers run with administrator rights ; which is the case for this firewall software. In linux, all the firewalling stuff is based on netfilter/iptables, netfilter in kernel space, and iptables as the super-user interface. The benefit of having firewalling facilities in kernel space, integrated with the TCP/IP stuff, is that the size of the potentially insecure code is quite small, while in windows all the security stuff is a user space developer's responsibility.
I know this may look like a troll. But windows security design is a disaster ; and I don't think this will really change soon.
"People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes."
Like this?
Actually, pretty easy.
:-)
If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.
My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.
In Windows you can't even tell what's running, let alone shut it off. There are many ports that get attached to every interface and no way to fix it.
The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something.
IMHO, there's a GOOD reason why the hardware router guys are pushing you to the "professional $200+ lineup" for these needs. They're "professional level" uses of the firewall product.
If you're so cheap, you can't see spending $200-250 or so for a hardware firewall/router product to protect your developmental web/database server - then the product you're developing must not be of much value to you?
Honestly, if money is really too tight and $200 is too much to spend on security, I'd look at Linux-based solutions running on an older, dedicated PC. I've seen several really nice firewall products you can download free ISO images of and burn to a CDR install disc, for non-commercial use. I'd feel much safer having my firewall on a separate, dedicated box than running as a service on my desktop (where it's impacting my CPU and RAM usage, too).
From looking at the disassembly it looks more like it sends 20000 copies of itself to random destinations, then tries to open one of HD0-7, if the open fails it goes back to sending, if it succeeds it overwrites a random 64kB-aligned 64kB chunk of the first 2 GiB with some data, reseeds the prng and goes back to sending, if the open fails it simply loops back to sending another 20k copies.
I'd hardly call 2GiB a few sectors...
They wrote the infectable software... they provide windows as a kill-all solution but don't package a real firewall... How can we not blame them?
Don't forget there are actually lusers out there who know their windows box is infected but refuse to do something about it because they aren't hindered by the viruses and doing something would cost money/time/energy (take your pick). I've encountered some of these and I wish their computer a slow, painful death.
I ran blackice for a while until I bought a hardware firewall. Instead of uninstalling it I just stopped it from loading at boot, but it still works as a firewall.
Why do I know this??? Because my roommate's Win XP laptop got infected while he was updating to prevent infections off of my network. We started noticing massive slowdowns of the network. When I started blackice back up I noticed it had been running the entire time and had logged every attempt his machine made to try and infect my windows desktop.
Of course the Linux box never gave a shit, she just kept humming along.(read that any way you want)
i thought once I was found, but it was only a dream.
You can't remote root a system with no open ports unless the firewall code itself is compromised.
And _that_ I've never heard of (except in the case of BlackICE and ZoneAlarm)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I cannot begin to imagine the pleasure and joy of having to program/burn/flash/install the latest versions of the Internet Explorer/Outlook Express BIOS ROMS every time a new security update came out. Having my mortal flesh torn apart by hooks would be less painful. Although, having PC's go back to the days of ROM cartridges wouldn't be too bad. Maybe this could happen when 1 Gigabyte ROM's become commoditized.
Well to be honest I run blackice on some of my windows laptops *plus* the hw firewall at my perimeter. One can never be too careful. For laptops that travel and connect to random networks (borders wifi, client networks, etc) I like having the extra layer of protection. Plus if someone finds a 0day on my hw firewall I'd rather have at least some form of protection on each of the machines. Granted I'm thinking about finding some other sw fw to run on those machines now.
JUST maybe wake people up enough to get their geek friends and family to install norton antivirus for them and set up automatic updates and scans.
Doesn't seem to help. In theory you are correct, a person who runs a virus scanner with an automatic update autoscan should be pretty damn secure. This only works in environments where the end user either keeps their PC on 24/7, or doesn't shut off the damn scanner every time they turn on their PC to use it.
From what I've observed, the people who are not familiar with PCs who own them see a scanner popup and just close it down as it slows down their computer when they want to use it... and never take the time to reschedule the scan. Worse, they yell at you if they catch a virus / worm / spyware without taking into account that they are the ones who told their computer to stop scanning for viruses.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
Actually, the speed isn't all that surprising. If I were a worm developer, I'd spend a few weeks working on a good payload and then, at the last minute, strap an exploit onto the front of it and put it into the wild before anyone gets their boxes fixed. It makes a lot more sense than figuring out the exploit & then trying to craft the rest of the worm around it, which would give systems time to patch themselves and the effectiveness of your worm would suffer.
my sig's at the bottom of the page.
I wasn't aware that a worm could do that. I know a virus could, but a worm? Nope.
Worms flood, use up resources, crash computer systems, etc. They don't overwrite files. So I believe "Witty" is just another script-kiddie virus. After all... it doesn't take that much knowledge to make Windows unbootable. Just Deltree it with a batch file... =/
"Instant gratification takes too long." - Carrie Fisher
Yeah. Knoppix to the rescue! (Again)
Wow. How is this 'offtopic'?
Am I the only one who, nearly every week, recovers a client's "valuable data" using Knoppix when something has eaten Windows alive? (And sometimes Windows eats itself alive, unfortunately.)
I feel dirty for agreeing, but I do hope that the next one that spreads like fricking wildfire deletes the hell out of xls, ppt and doc files as well as sends flaming profanity to every email in the outlook global address book.
CTOs, CIOs and IT management need to have their asses bitten really fricking hard so they will tell accounting to screw themselves and actually start running corporate IT like it is supposed to be. The last 2 that ran rampant in the company were because the morons have everyone set as administrator in the domain security policies; they also refuse to block yahoo.com, hotmail.com and other web email sites at the proxy or use any common sense or other real solutions to keep us running secure and smoothly.
On the other hand, it will take only one guy who just finished the Cure For MS or Cancer to lose all his research because of it for me to feel really sick for even thinking or suggesting it.
Damned two edged swords... can't we just get a good mace and start smashing?
Do not look at laser with remaining good eye.
Technically what you are asking, yes it could be written. But it couldn't really do anything useful.
You could write an x86 asm routine that did not make an OS call. So it would not care what OS it is running on. I used to write my own string copy routines that would work on any OS.
But, if you take out all access to OS related functions you don't have much you can do. No reading or writing files. Unless you want to try and write a file system into it that would interface with the hardware to read any file system. No access to network interfaces, unless you wrote and added drivers for any hardware the machine might have. And so on.
So basically you can write an OS that does not talk to a host OS, that is what Linux, Windows, BeOS, and all of those do. But it would not be a very small thing if you wanted to read the user's files and send them somewhere.
...customized Linux firewall distro...Much more customizable than a Linksys box.
Well, this site seems to disagree that your old pentium II box is more flexible than at least some linksys routers.
I pretty much agree with you.
The only gotcha I see in the answer would be that the original question was asking if you could write a virus that would run on any (or multiple) OS's. That takes the requirement of an executable file out of it.
If somehow you could get a buffer overflow or something that jumped to your code (which would be OS specific I guess) you could then execute any "pure" x86 code you wanted. I just don't see it being able to do a whole lot. Best/Worst case would be directly talking to an IDE interface and corrupting drive 0. That would probably require the original exploit to be in the kernel of the infected OS; otherwise I think pretty much all OSes block user code from that low level access.
But you are right, there is probably going to have to be some OS dependent code in there somewhere to get it started. And it would be some pretty nasty code.
I'm sure those who were around will remember the whole darned internet grinding to a halt when the Morris worm came out in 1988.
Can someone tell me why open systems basically learned their collective lesson on one big event and it never happened again, while Microsoft products get the beatdown at least once every ninety days and nothing changes?
The picture someone else makes to represent what they think is the best method to communicate to someone else what the computer is doing is a pretty sad thing when compared to the results that come from having your very own picture in your head.
You point and click types can whine, but vi
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Hey, there's an idea. Built in hardware firewalls on laptops. Start it up from the BIOS, configure it via a browser.
Jaysyn
There is a war going on for your mind.
Then run an *bsd/linux firewall in a vmware and use it to dial up :).
Even if your firewall gets rooted, you can just click "revert" and it'll be back to normal. Or you can pause it and make a copy for forensic analysis, and switch to a different firewall vm.
Of course you'd need to buy more RAM, and make sure you have enough HDD space. Still a firewall vm doesn't need very much RAM or disk, 32-64MB RAM, 1GB space should be more than enough if you stick to text configs and basic stuff.
It's probably loading as a hidden kernel driver. I'm running Norton Personal Firewall, and it loads several kernel drivers. Download sc (Service Controller) from Microsoft to see which services are loading at boot time. Use this command to find BlackICE's:
Disable any you find with this command: Believe it or not, MS's GUI service tools don't show all of the services. Take a look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi
Ummmm... dialup users are screwed because PPP filtering is a completely different beast?
I'm not a kernel hacker but I would like to try and keep things straight in my head. In PCI ethernet networks, the ethernet card gets attached to kernel mem locations and a firewall attaches itself between kernel mem locations and the userspace programs that they serve. PPP, from my limited knowledge, gets attached to completely different kernel mem locations and dialup networking userspace programs are allowed to pass PPP mem locations to IP mem locations such that most userspace programs have no trouble getting the info they need from the TCP/IP environment.
So this brings up the interesting question: are there bugs in the PPP components of modern kernels which can be exploited before any commonly available firewalls can filter the packets from the IP stack?
I don't know. Feel free to correct me on the diagram.
+++ATHZ 99:5:80
As biologists know, a worm or virus can't spread to nearly as many machines if it destroys its host. Take the common cold virus for instance - look at its prevalence, and it kills very few of the hosts it infects. However, a truly effective yet destructive virus would spread as much as possible, and then destroy all its hosts.
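The trade-off this comment describes, that a worm which kills its host early cuts off its own spread, can be made concrete with a simple susceptible/infected/destroyed model. The following is an added example, not code or data from the thread: a deterministic mean-field recursion in which every active host fires a fixed number of probes per cycle at uniformly random IPv4 addresses and then destroys itself with some probability. The population size (12,000 vulnerable hosts) and probe count (20,000 per cycle) are assumptions chosen to echo figures mentioned in the thread; the kill probabilities compared are arbitrary, and the output is a model result, not a measurement of the real outbreak.

```python
"""Mean-field model of a random-scanning worm with a host-destroying payload.

Added example, not from the Slashdot thread. All parameters are assumptions
for illustration; ADDRESS_SPACE is the IPv4 address count.
"""
ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable=12_000, probes_per_tick=20_000, kill_prob=0.0, ticks=1000):
    """Return (cumulative_infected, peak_active) after `ticks` cycles.

    Each cycle every active host sends probes_per_tick probes at random
    addresses; the expected number of new infections is probes * active *
    susceptible / ADDRESS_SPACE. After sending, a fraction kill_prob of the
    active hosts destroy themselves and stop spreading (they stay counted in
    cumulative_infected but no longer probe).
    """
    susceptible = float(vulnerable) - 1.0   # everyone but patient zero
    active = 1.0                            # infected and still probing
    destroyed = 0.0                         # killed by their own payload
    peak = active
    for _ in range(ticks):
        new = probes_per_tick * active * susceptible / ADDRESS_SPACE
        new = min(new, susceptible)         # cannot infect more hosts than remain
        susceptible -= new
        active += new
        killed = kill_prob * active
        active -= killed
        destroyed += killed
        peak = max(peak, active)
    return vulnerable - susceptible, peak


def compare(kill_probs=(0.0, 0.01, 0.1), **kwargs):
    """Run the model once per kill probability; returns {kill_prob: (cumulative, peak)}."""
    return {p: simulate(kill_prob=p, **kwargs) for p in kill_probs}


if __name__ == "__main__":
    for p, (total, peak) in compare().items():
        print(f"kill_prob={p:<5} infected overall={total:9.1f}  peak active={peak:9.1f}")
```

With these parameters a host that fires 20,000 probes per cycle infects roughly 0.056 new hosts per cycle at the start, so a per-cycle self-destruction chance of 1% still lets the worm reach nearly the whole population, while a 10% chance drives its reproduction number below one and the outbreak fizzles after a handful of hosts. That is the shape of the comment's argument: damage that lands before the host has finished spreading is self-limiting, damage deferred until after it is not.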