Slashdot Mirror


"Witty" Worm Wrecks Computers

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the flaw on the 8th of March, and came up with a fix the next day.

18 of 587 comments

  1. Back in my day... by Anonymous Coward · · Score: 5, Interesting

    Worms and Viruses caused DATA LOSS!

    It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.

  2. Re:Liability? by wo1verin3 · · Score: 5, Interesting

    I was just thinking about this: can the company be held liable for their software allowing others to basically destroy all data on the computer?

    Then I got to thinking, what about Microsoft, whose OSes and products have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of time.. remember the SQL one? :)

  3. two striking things... by psycho_tinman · · Score: 4, Interesting

    First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass-mailing attachment exploit variety of viruses.. Not a welcome change for the people who got hit by it, of course :(

    By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use BugMeNot to find a login.

  4. how do you lose the data? by Sivaram_Velauthapill · · Score: 4, Interesting

    How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?

    Sivaram Velauthapillai

    --
    Sivaram Velauthapillai
    Seeking the meaning of life... @slashdot of all places ;)
  5. Worthless govt agency by EvilStein · · Score: 5, Interesting

    It's a weekend, why should they care about putting out their timely alerts, eh?

    "Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."

  6. Re:where are all the virus's that do real damage? by JPriest · · Score: 4, Interesting

    Why is this modded troll? It is a good point. If they wipe the disk clean they force the USER to police their own system, rather than forcing admins to try and police the mess of traffic caused by users that don't give a shit.

    Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  7. Snort Detection by Leme · · Score: 3, Interesting

    Installed a snort rule this morning using:

    alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29 20 20 20 20 20 20 69 6e 73 65 72 74 20 77 69 74 74 79 20 6d 65 73 73 61 67 65 20 68 65 72 65|"; rev:1;)

    (The hex content is the string ")      insert witty message here" that the worm carries; the rule fires on any UDP datagram with a source port between 4000 and 5000 that contains it.)

    Found via http://isc.incidents.org/diary.html?date=2004-03-20.

    After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.

  8. Call me a troll if you will... by TheRealMindChild · · Score: 3, Interesting

    but this is inherently why the idea of a firewall LOCAL to the system it is protecting is a ... shall I say "retarded" idea.

    A firewall is best a physical device between your network and the "great big intarweb". That way, if your firewall IS compromised, you aren't immediately toast.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  9. IT WAS YOU!!! by gbrayut · · Score: 5, Interesting

    From the Washington Post article:

    The Witty worm gets its moniker from a message buried within its code that says: "insert witty message here." That comes just before the code that overwrites the infected hard drives.
  10. talked with an ISS guy by jeramybsmith · · Score: 3, Interesting

    I was on a scuba cruise and there was a guy from ISS onboard. He was bragging to me about how ISS had all these 18-year-old uber-crackers with fast cars and no college degree making their products.

    I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.

    This is just priceless though, I wish that guy a hearty Nelson "har har".

    --
    Never overestimate the end user. -jeramy b. smith
  11. Knoppix by amembleton · · Score: 4, Interesting

    The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data.

    Surely you could still access the data and copy it onto another hard disk, burn it to CD or copy it to a USB pen by running Knoppix.

  12. Re:This is crazy by lazy_arabica · · Score: 3, Interesting
    I don't get this shit on my computer because I use a firewall and PC-Cillin updates daily. It's a shame because as linux becomes popular, viruses will exist for it too.


    Viruses for Linux are not likely to be very damaging. For doing such kinds of things (i.e. overwriting the first blocks of a hard disk), the virus would have to be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have an ssh account on the computer.

    It's easier in a Windows environment to do big remote damage because many programs and servers run with administrator rights; which is the case for this firewall software. In Linux, all the firewalling stuff is based on netfilter/iptables: netfilter in kernel space, and iptables as the super-user interface. The benefit of having firewalling facilities in kernel space, integrated with the TCP/IP stuff, is that the size of the potentially insecure code is quite small, whereas in Windows all the security stuff is a user-space developer's responsibility.

    I know this may look like a troll. But Windows security design is a disaster; and I don't think this will really change soon.
  13. Re:One question, and one answer. by iansmith · · Score: 4, Interesting

    Actually, pretty easy.

    If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.

    My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.

    In Windows you can't even tell what's running, let alone shut it off. There are many ports that get attached to every interface and no way to fix it.

    The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something. :-)

  14. first few sectors? by Anonymous Coward · · Score: 3, Interesting

    From looking at the disassembly it looks more like it sends 20000 copies of itself to random destinations, then tries to open one of HD0-7, if the open fails it goes back to sending, if it succeeds it overwrites a random 64kB-aligned 64kB chunk of the first 2 GiB with some data, reseeds the prng and goes back to sending, if the open fails it simply loops back to sending another 20k copies.

    I'd hardly call 2GiB a few sectors...

  15. Re:where are all the virus's that do real damage? by Mesaeus · · Score: 4, Interesting

    Don't forget there are actually lusers out there who know their Windows box is infected but refuse to do something about it because they aren't hindered by the viruses and doing something would cost money/time/energy (take your pick). I've encountered some of these and I wish their computer a slow, painful death.

  16. Re:Stick to hardware routers and firewalls... by SmackCrackandPot · · Score: 4, Interesting

    I cannot begin to imagine the pleasure and joy of having to program/burn/flash/install the latest versions of the Internet Explorer/Outlook Express BIOS ROMs every time a new security update came out. Having my mortal flesh torn apart by hooks would be less painful. Although, having PCs go back to the days of ROM cartridges wouldn't be too bad. Maybe this could happen when 1 Gigabyte ROMs become commoditized.

  17. Re:where are all the virus's that do real damage? by zakezuke · · Score: 3, Interesting

    JUST maybe wake people up enough to get their geek friends and family to install norton antivirus for them and set up automatic updates and scans.

    Doesn't seem to help. In theory you are correct: a person who runs a virus scanner with automatic update and autoscan should be pretty damn secure. This only works in environments where the end user either keeps their PC on 24/7, or doesn't shut off the damn scanner every time they turn on their PC to use it.

    From what I've observed, the people who are not familiar with PCs who own them see a scanner popup and just close it down, as it slows down their computer when they want to use it... and never take the time to reschedule the scan. Worse, they yell at you if they catch a virus / worm / spyware without taking into account that they are the ones who told their computer to stop scanning for viruses.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  18. Re:Recovery Tool by soloport · · Score: 4, Interesting

    Yeah. Knoppix to the rescue! (Again)

    Wow. How is this 'offtopic'?

    Am I the only one who, nearly every week, recovers a client's "valuable data" using Knoppix when something has eaten Windows alive? (And sometimes Windows eats itself alive, unfortunately.)