Slashdot Mirror


"Witty" Worm Wrecks Computers

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.

43 of 587 comments

  1. Stick to hardware routers and firewalls... by berniecase · · Score: 4, Insightful

    Although they ain't perfect, at least they're not running on your computer. Yikes.

    1. Re:Stick to hardware routers and firewalls... by U.I.D+754625 · · Score: 5, Insightful

      Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux' Netfilter or OpenBSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyways (like cisco).

      --


      //Blessed are they that run around in circles, for they shall be known as wheels.
    2. Re:Stick to hardware routers and firewalls... by Frambooz · · Score: 5, Funny
      "Although they ain't perfect, at least they're not running on your computer. Yikes."

      People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes.

      --
      No encryption can withstand the power of the Lucky Guess.
    3. Re:Stick to hardware routers and firewalls... by hendridm · · Score: 5, Insightful

      Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.

      luser: "It says someone might be trying to break into my computer! How can I stop them?"
      Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
      luser: "But BlackICE says it might be an attack!"
      Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."

      For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parents' or novice friends' computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.

    4. Re:Stick to hardware routers and firewalls... by Nogami_Saeko · · Score: 4, Insightful

      Well, blackice should probably default to logging, but not alerting about the most common scans and such, but it's certainly useful for detecting a large number of attacks coming from specific addresses or blocks.

      I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to :)

      I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and blackice catches server-attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    5. Re:Stick to hardware routers and firewalls... by SmackCrackandPot · · Score: 4, Interesting

      I cannot begin to imagine the pleasure and joy of having to program/burn/flash/install the latest versions of the Internet Explorer/Outlook Express BIOS ROMS every time a new security update came out. Having my mortal flesh torn apart by hooks would be less painful. Although, having PC's go back to the days of ROM cartridges wouldn't be too bad. Maybe this could happen when 1 Gigabyte ROM's become commoditized.

  2. One question by slash-tard · · Score: 4, Funny

    How can we blame M$ for this?

    1. Re:One question by dicepackage · · Score: 4, Funny

      Or better yet blame SCO.

  3. where are all the virus's that do real damage? by Anonymous Coward · · Score: 5, Insightful

    glad to see viruses doing some real damage now, I'm tired of these stupid viruses that just send out emails.. how weak, if we had more viruses that would wipe out entire systems then there would be some more pressure on software companies to fix things

    1. Re:where are all the virus's that do real damage? by aenea · · Score: 4, Insightful

      And more pressure on users to keep their systems patched up. It's a rare virus/worm that comes in through an unknown exploit.

      If someone wrote a destructive netsky/bagle variant the email traffic on the Internet would probably drop in half overnight as infected machines got taken out.

    2. Re:where are all the virus's that do real damage? by JPriest · · Score: 4, Interesting
      Why is this modded troll, it is a good point. If they wipe the disk clean they force the USER to police their own system, rather than forcing admins to try and police the mess of traffic caused by users that don't give a shit.

      Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    3. Re:where are all the virus's that do real damage? by Mesaeus · · Score: 4, Interesting

      Don't forget there are actually lusers out there who know their windows box is infected but refuse to do something about it because they aren't hindered by the viruses and doing something would cost money/time/energy (take your pick). I've encountered some of these and I wish their computer a slow, painful death.

  4. Nasty flaw by BlueLightning · · Score: 5, Insightful

    It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(

  5. Back in my day... by Anonymous Coward · · Score: 5, Interesting


    Worms and Viruses caused DATA LOSS!

    It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.

  6. Come on.... by karlm · · Score: 4, Funny

    Do you really expect us to believe more than ten people worldwide run Windows on their firewalls? ;-)

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  7. Re:Liability? by wo1verin3 · · Score: 5, Interesting

    I was just thinking about this, can the company be held liable for their software allowing others to basically destroy all data on the computer?

    Then I got to thinking, what about Microsoft, whose OSes and products have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of time.. remember the sql one? :)

  8. Now that's powerful by CGP314 · · Score: 4, Funny

    Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones

    I didn't know worms were so powerful now that they could melt a computer into a pile of toxic sludge. : /


    -Colin

  9. Re:Thats what you get by Anonymous Coward · · Score: 5, Insightful
    I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an appliance router/firewall that is GOOD for what 29 Bucks , thats what I just paid for my netgear wireless router.

    Three words: application access privileges.
  10. This is a perfect time to promote the expression by Eudial · · Score: 5, Funny

    "FGTRGDI" (Feels good to run gnu/linux doesn't it?)

    More cryptic acronyms to the people!

    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  11. Avoiding Viruses and Trojans by RGautier · · Score: 4, Funny

    Now that you've got yourself a computer system at home, you'll want to protect it from the evils of the Internet. Because Operating Systems are chock full of holes just waiting to be exploited, you should, at a minimum, take the following steps... Step 1. Go out and buy a firewall product for your machine. Also pick up some virus protection software. Step 2. Ok, now install the firewall software... Oh......Damn It!

  12. two striking things... by psycho_tinman · · Score: 4, Interesting

    First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses..Not a welcome change for the people who got hit by it of course :(

    By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not to find a login. Click here

  13. how do you lose the data? by Sivaram_Velauthapill · · Score: 4, Interesting

    How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?

    Sivaram Velauthapillai

    --
    Sivaram Velauthapillai
    Seeking the meaning of life... @slashdot of all places ;)
    1. Re:how do you lose the data? by John+Hasler · · Score: 5, Insightful

      You can. I can. 99.9% of Windows users can't.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:how do you lose the data? by Stinking+Pig · · Score: 4, Informative

      If it's a FAT16 or FAT32 partition, the primary FAT table will be wiped. While there is a second copy at the end of the partition, finding and restoring it will not be trivial.

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
  14. Very sad. by lazy_arabica · · Score: 4, Insightful

    Now, every windows user aware of this will believe a firewall is a great danger for his computer.

    Oh... After all, what will it change ?

  15. This is an interesting one, almost biological by myowntrueself · · Score: 5, Informative

    From LURHQ

    "This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."

    Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.

    It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).

    I think this will be with us for a while, particularly when mutations start showing up.

    --
    In the free world the media isn't government run; the government is media run.
  16. Worthless govt agency by EvilStein · · Score: 5, Interesting

    It's a weekend, why should they care about putting out their timely alerts, eh?

    "Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."

  17. Re:Oh no by delta407 · · Score: 4, Informative
    Blaster disabled a system, but it was fixable. This one can make a total mess.
    Oh, whatever.

    Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation. After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.

    If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".
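
Added example (not part of the original comment, and not code from SalvageNTFS or TestDisk): the point made above, that the filesystem survives the loss of the MBR and partition table, shown as a sector scan that relocates an NTFS volume from its boot sector or its backup copy. The disk image is constructed in memory; 512-byte sectors and a backup boot sector in the last sector of the partition are assumptions of this example.

```python
import struct

SECTOR = 512

def mbr_is_valid(img):
    """Sector 0 must end in 55 AA and hold at least one typed partition entry."""
    s0 = img[:SECTOR]
    if len(s0) < SECTOR or s0[510:512] != b"\x55\xaa":
        return False
    return any(s0[446 + 16 * i + 4] != 0 for i in range(4))  # byte 4 = type

def parse_ntfs_boot(sec):
    """Return the geometry fields of an NTFS boot sector, or None."""
    if sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    total, mft_lcn = struct.unpack_from("<QQ", sec, 0x28)
    if bps != SECTOR or spc == 0 or total == 0:
        return None
    return {"spc": spc, "total": total, "mft_lcn": mft_lcn}

def find_ntfs_volumes(img):
    """Scan every sector for an NTFS boot sector (primary or end-of-volume
    backup) and confirm each candidate by the 'FILE' magic of MFT record 0."""
    nsec, found = len(img) // SECTOR, {}
    for lba in range(nsec):
        bpb = parse_ntfs_boot(img[lba * SECTOR:(lba + 1) * SECTOR])
        if bpb is None:
            continue
        # A hit is either the volume's first sector or its backup copy,
        # which sits 'total' sectors after the start of the volume.
        for start, src in ((lba, "primary"), (lba - bpb["total"], "backup")):
            mft = start + bpb["mft_lcn"] * bpb["spc"]
            if start >= 0 and mft < nsec and img[mft * SECTOR:mft * SECTOR + 4] == b"FILE":
                found.setdefault(start, {"start_lba": start,
                                         "sectors": bpb["total"] + 1, "via": src})
    return [found[k] for k in sorted(found)]

def build_sample_image():
    """Constructed 263-sector image: MBR, then one NTFS volume at LBA 63."""
    img = bytearray(263 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 63, 200)
    img[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, SECTOR, 8)   # bytes/sector, sectors/cluster
    struct.pack_into("<QQ", boot, 0x28, 199, 4)      # total sectors, MFT cluster
    boot[510:512] = b"\x55\xaa"
    img[63 * SECTOR:64 * SECTOR] = boot              # primary boot sector
    img[262 * SECTOR:263 * SECTOR] = boot            # backup, last sector
    img[95 * SECTOR:95 * SECTOR + 4] = b"FILE"       # MFT record 0 (63 + 4*8)
    return img

def wipe_leading_sectors(img, count):
    """Model the damage described above on a copy of the constructed image."""
    out = bytearray(img)
    out[:count * SECTOR] = bytes(count * SECTOR)
    return out

if __name__ == "__main__":
    for n in (1, 64):  # MBR only; MBR plus the primary boot sector
        damaged = wipe_leading_sectors(build_sample_image(), n)
        print(n, mbr_is_valid(damaged), find_ntfs_volumes(damaged))
```

The returned start LBA and sector count are the two values a rebuilt partition table entry needs.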
  18. Or if you prefer... by Big+Sean+O · · Score: 4, Funny

    Newspapers, magazines, letters, and stamps.

    How 1980s. Yikes.

    --
    My father is a blogger.
  19. First Hand Experience by tuckericj · · Score: 4, Informative

    This is indeed a particularly nasty worm. Several other divisions of my company are battling infections. The master boot record on an infected host is almost certainly destroyed by this little dandy and any host which might have been rebooted before an infection is detected is inoperable. Thankfully it is only the relatively recent versions of the software packages that are affected. The divine combination of wisdom and laziness has found this systems administrator blessedly behind the times. The decision to stop upgrading our ISS tools in favor of a push towards OSS now seems all the more prescient. For those in the community who expect big businesses to flop over to OSS immediately, don't hold your breath. Nothing happens overnight because big business is slow, no matter how fast the company's advert department declares them to be. We've been actively switching systems over to Linux and OSS for two years now, but the average depreciation cycle means that it takes a minimum of 5 years to switch over an environment, and that only if you put a stake in the ground. Realistically it takes 7 to 10 years to switch over an IT environment in a company which judges IT investment solely on Cost Benefit Analysis.

  20. Recovery Tool by soloport · · Score: 5, Insightful

    Yeah. Knoppix to the rescue! (Again)

    1. Re:Recovery Tool by soloport · · Score: 4, Interesting

      Yeah. Knoppix to the rescue! (Again)

      Wow. How is this 'offtopic'?

      Am I the only one who, nearly every week, recovers a client's "valuable data" using Knoppix when something has eaten Windows alive? (And sometimes Windows eats itself alive, unfortunately.)

  21. IT WAS YOU!!! by gbrayut · · Score: 5, Interesting
    from washington post article:
    The Witty worm gets its moniker from a message buried within its code that says: "insert witty message here." That comes just before the code that overwrites the infected hard drives.
  22. Knoppix by amembleton · · Score: 4, Interesting
    The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data.

    Surely you could still access the data and copy it onto another Hard disk, burn it to CD or copy it to a USB pen by running Knoppix.

  23. Re:How... by Detritus · · Score: 4, Informative

    Code running with Administrator privileges is assumed to be trustworthy and know what it is doing. The problem is that there is way too much code running as Administrator.

    --
    Mea navis aericumbens anguillis abundat
  24. Be realistic by nurb432 · · Score: 4, Informative

    The average joe isn't going to be monitoring any lists.. they will just ( hopefully ) plug in whatever box that came with their pc.. or at worst, accept defaults on software, which normally is useless..

    That's the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they should be giving away firewalls too.. they are just as cheap. ( though, yes I realize that they make their money via ink carts.. but you get my point )

    --
    ---- Booth was a patriot ----
  25. Re:fp by Anonymous Coward · · Score: 4, Funny

    Worms? *rubs ass on carpet*

    Ahhhh~

  26. Re:One question, and one answer. by iansmith · · Score: 4, Interesting

    Actually, pretty easy.

    If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.

    My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.

    In Windows you can't even tell what's running let alone shut it off. There are many ports that get attached to every interface and no way to fix it.

    The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something. :-)

  27. Re:Imprecise! by Xugumad · · Score: 4, Informative

    Try running Testdisk: http://www.cgsecurity.org/index.html?testdisk.html

    It comes as part of Knoppix I believe, and was a great help last time someone lost their partition table. After that, just fsck as normal.

  28. Incorrect analysis? by James_G · · Score: 5, Informative
    According to this analysis, it does a lot more than corrupt the first few sectors of the drive:

    The worm's functionality is as follows:

    1) Generates a random IP address
    2) Sends the worm payload
    3) Repeats steps 1-2 20,000 times
    4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
    5) Seeks to a random point on the disk
    6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
    7) Closes the disk
    8) Starts the process over from step 1

    (emphasis mine)

  29. points for speed and damage by neoThoth · · Score: 5, Insightful

    Well I'm glad this was posted on slashdot even though I had submitted this *hours* before.
    I've also updated my blog with all the relevant links and data. The speed of the worm creation is frightening, less than 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of Russian roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues its routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
    Listed on the above blog are the following links:
    eEye advisory
    ISS advisory
    lurhq analysis
    SANS diary report
    F-Secure writeup
    Symantec writeup
    Witty Worm Capture 1 and 2 (from dslreports.com)
    and the text from SANS capture of the worm.

    I've been capturing UDP traffic all day and hope to compile some more interesting information later on.

  30. As a Linux user.. by msimm · · Score: 4, Insightful

    I'd like to apologise for the poster you're responding to and I'd like to point out that the 99.9% of OTHER Linux users are not starry eyed PFB's trying to cram their particular religion down everyone's throats.

    We know Linux needs work before it's ready for prime time, just like we know that there are certain trade-offs between convenience and security.

    I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).

    So keep using your Windows PC in peace. It's got a lot of useful functionality and as a Gnome developer once suggested, the most secure operating system is the one you're comfortable with and can keep updated. As Linux gains marketshare you can bet some vulnerabilities will be found, some we'll expect and some we won't. Maybe you'll find it more appealing after it's had more time to mature. Don't let zealots color your opinions too much, they speak for themselves.

    --
    Quack, quack.
  31. Re:Hardware FireWalls by pe1chl · · Score: 4, Insightful

    >buy some sort of hardware firewall.

    >I recommend Linksys

    I hate to disappoint you, but your linksys box is not a hardware firewall.
    It is a dedicated microcomputer that runs a SOFTWARE firewall.

    The potential for an exploit that pierces this firewall or erases all its program memory is not less than with the product currently under attack.

    All firewalls can have bugs. This is determined by the quality of the software, and the fact that it runs in a small plastic box is not automatically going to improve that.
    Calling it "hardware" isn't going to do that either.