Slashdot Mirror
"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.
glad to see virus's doing some real damage now, im tired of these stupid virus that just send out emails.. how weak, if we had more virus's that would wipe out entire systems then there would be some more pressure on software companys to fix things
It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(
Worms and Viruses caused DATA LOSS!
It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuiscance.
I was just thinking about this, can the company be held liable for their software allowing others to basically destroy all data on the computer?
:)
Then I got to thinking, what about Microsoft whose os's and products who have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shutdown the internet for wide areas for short periods of the time.. remember the sql one?
Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux' Netfilter or Open BSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyways (like cisco).
//Blessed are they that run around in circles, for they shall be known as wheels.
People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes.
No encryption can withstand the power of the Lucky Guess.
Three words: application access privileges.
"FGTRGDI" (Feels good to run gnu/linux doesent it?)
More cryptic acronyms to the people!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
From LURHQ
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."
Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.
It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. Its like a true disease, a terminal illness for computers (pun not intended).
I think this will be with us for a while, particularly when mutations start showing up.
In the free world the media isn't government run; the government is media run.
Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.
luser: "It says someone might be trying to break into my computer! How can I stop them?"
Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
luser: "But BlackICE says it might be an attack!"
Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."
For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parent's or novice friends computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.
It's a weekend, why should they care about putting out their timely alerts, eh?
"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
You can. I can. 99.9% of Windows users can't.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Yeah. Knoppix to the rescue! (Again)
The worm's functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
(emphasis mine)
Well i'm glad this was posted on slashdot even though I had submitted this *hours* before.
I've also updated my blog with all the relevent links and data . The speed of the worm creation is frightening, less then 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of russion roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues it's routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
Listed on the above blog are the following links:
eEye advisory
ISS advisory
lurhq analysis
SANS diary report
F-Secure writeup
Symantec writeup
Witty Worm Capture 1 and 2 (from dslreports.com)
and the text from SANS capture of the worm.
I've been capturing UDP traffic all day and hope to compile some more interesting information later on.