Slashdot Mirror
Analysis of the Witty Worm
DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an
analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."
It could also be that whoever wrote this worm found the vulnerability independently and had been writing code to exploit it, when he saw the security advisory go up he released it ASAP before people had a chance to patch their boxes. If the vulnerability hadn't been announced the worm may have been released later with a different payload.
It is the first widely spreading Internet worm to actively damage...
I am on the Internet right now and my platform cannot be infected by this worm. It's not an Internet Worm, it's a Windows Worm. One of many if reports are to be believed.
The article stated that a good number of request came from behind NAT firewalls. Many devices like the linksys allow you to DMZ a host, which would end up being an attack vector behind your firewall. Also many people turn on port forwarding, done incorrectly, is an attack vector.
The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!
If you've read nothing else, check out the conclusion:
I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.
And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.
Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.
Carousel is a lie!
That's a very good suggestion, except that in this case, the firewall software was the vulnerable component. No BlackICE, no Witty worm.
I'm deeply troubled by this; we piss and moan about how the average windoze luser doesn't have a firewall or AV software, and then this pops up.
Much as I would like to, I can't blame this on Microsoft. It's just sloppy programming, the sort of practice that M$ has made prevalent. There, I blamed M$ after all. Still, changing the permission model of Windoze wouldn't have helped this; BlackICE is exactly the sort of software that needs access to the network protocol stacks; it's supposed to be one of the trusted portion of the system, as compared to all those VBScript viruses that run as admin/root, but shouldn't.
If I were designing a new CPU, I would think about including some hard-core stack protection. A no-execute bit in the MMU is a very good start, but still not bullet-proof. I'm thinking something (with OS assistance) to disallow all access beyond the link pointer for the current function call. Every CALL sets a new boundary, and every RET pops back to the last boundary. Try to write past the boundary, and you get a machine exception. Much finer granularity than 4K pages that most 32-bit MMU's provide.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
it reaffirms a lot of "common sense" security approaches that were ultimately superior to the naive idea that if you dump yet another piece of software on your machine, you'll be "protected".
1. Don't run ANY software that you aren't very comfortable with and has a long track record of being solid and stable.
2. Turn your computer off when you're not using it.. so simple, yet so many people just leave their machines on. A computer not online when not in use is a secure computer.
Under that conditions, if a similar flaw is found in i.e. iptables, ssh, bind, apache or postfix, it could have a similar impact, be the OS Linux, FreeBSD, MacOSX or whatever you consider "safe" and widely enough used.
Of course, if the same would happened to a really popular software out there (clients are more popular than servers, we know the effect of outlook worms, and even by default installed servers, like IIS, or maybe even the Win XP SP2's bundled firewall) the effect would be much worse, but no OS connected to internet is safe against this. Maybe releasing policies will change putting the "when its ready" release date over the "when the marketing people say" on the light or the widespread of this kind of things.
Ok, I'll bite. . .
/etc/passwd since these are Windows boxen, and don't HAVE an /etc/passwd file.
Yes, there are laws against writing malicious code. They apply if the authors happen to be in a country that respects the USAPatriot Act or whatever other laws may be applied. Your actual chances of catching these folks are slim to none.
Even with 100 "Ground Zero" hosts, you won't get anything from
Personally, I suspect the timing of the "destructive" release of this worm was based on the impending alerts about the 'sploit. I seriously doubt the creation of the worm happened after the public knowledge of the release. It's very likely that folks "in the know" were using the 'sploit for weeks to months before it was publicly acknowledged. The worm was "Spoil our fun, will you? Ha! Chew on this!"
The destructive payload was certainly viscious, but I would worry that there were exploited (with this particular 'sploit) boxen out there LONG before anyone knew there was a hole in RealSecure and BlackICE.
Never attribute to malice what can as easily be the result of incompetence...
A very interesting article, and what some great lines that I quote a few here:
"The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software."
There it is. The users pay good money to be on the internet, but they are not ready to be on the internet in its current unsafe condition. So to help fix the problem we want them to be security experts? The authors are correct, we have a totally failed security model that requies too much expertise out of the average joe blow end users.
These infections were on a small population of the net. It seems to me that we should expect a serious worm across all/most versions of Linux some time in the next couple of years. Probably the same for BSDs and that would include Mac OS X as well. Yep, we shouldn't sleep so well these days or be complacent thinking its just a Microsoft problem.
I'm a long time UNIX/Linux hacker (I first programmed on UNIX on a VAX). I've written a lot of C/C++ code. But long ago I used Pascal and more recently I've been using Java more.
Both Pascal and Java do range checking. That is, they check the bounds of arrays (buffers) when they are accessed. This means that about half of the security exploits (including the one, targeted at BlackIce etc...) would not be exist if our software base was implemented in languages with bounds checking.
The original reason that bounds checking was not implemented in C was that the early compilers were very basic (little in the way of optimization) and bounds checking overhead slows execution. Bounds checking overhead can be reduced through optimization, but Ritchie's original C compiler only did simple optimization.
Another problem is that in C pointers and arrays are more or less interchangable. So bounds checking becomes difficult or impossible in all cases (C provides way too much pointer flexibility when it comes to enforcing bounds checking).
If we were to add up the cost of all of the buffer overflow security attacks it must run in the billions. So the "power" of the C programming model has extracted a pretty high price. This puts an interesting retrospective slant on Brian Kernighan's 1981 article Why Pascal is Not My Favorite Programming Language .
I have to confess that I would not go back to using Pascal. But native compiled Java, with Java's bounds checks, would be far safer than C++. And it would result in software that is more robust against security attacks.
Yes we can all learn to use fgets, strncpy and other safer library routines. But this only makes our code safer. It does not provide the complete protection against buffer overflow attacks. So perhaps it is time to reconsider the programming languages we are using. Perhaps unrestricted pointers and no bounds checking has become too costly.
Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.
How many Linux, BSD, and Mac machines were infected?
who are those slashdot people? they swept over like Mongol-Tartars.
A key point of modern tactical doctrine is to act faster than the opposition can react. Special operations types talk about the "period of vulnerability", which begins when the defender notices an attack and ends when the attacker achieves relative superiority. Most attacks fail during the period of vulnerability. So modern tactical doctrine says that it's worth huge amounts of effort and money to cut that time down. This is why special ops people rehearse and train to a level that seems unreasonable. It's not to make them good, athough it does. It's to make them fast, so they get through those first seconds and minutes at the beginning of an attack before the defenders can react.
That's exactly what we saw with this worm. The attack was launched in a way that rendered the usual strategies of anti-virus companies ineffective. Anti-virus companies, (and Microsoft), have known response and patching cycle times. The creators of this worm got inside that cycle time, by building both a fast-propagating worm and by starting it from multiple points.
Military doctrine gives us some insights on what to expect next. This worm invoved a campaign, a series of battles fought to achieve a goal. One attack acquired machines to be used as bases in a later attack. That's standard doctrine. Other relevant military concepts include mutual support, feints, and diversions. We are starting to see worms and viruses that support each other, so that if one is removed, another attack lets it back in. We may see feints and diversions, where a big noisy attack is launched to divert attention from something more subtle.
Another doctrinal concept is that of combined arms. So far, virus writers generally haven't utilized other hacking techniques, like dumpster diving, social engineering, or wiretapping. That may change.
We may well see an attack that wipes out most of the Internet-connected Windows machines in the world in a single day.
Here are some hypotheticals and not-so hypotheticals.
Are there any products that will ghost my drive onto another drive inaccessible to the OS by ordinary means every day?
How can we teach people and developers the wonders of encryption so their credit card numbers and passwords can't be stolen?
What will it take for hardware and OS makers to find a solution to most/all buffer overflows.
Why are non-servers on the internet 24/7? A 'disconnect me after 1 hour of inactivity' would go a long way.
Should we be encouraging residential ISPs to temporarily block ports during major outbreaks?
Should ISPs be denying access to computers found to be spewing spam, viruses, or trojans?
Why are we storing data locally? A fire or a crashed disk could mean the loss of important data, photos, etc. The internet hasn't seemed to provided users with an easy way to upload/download/synch documents off-site securely and easily.
You are failing to consider the extent to which Windows internal architecture dictates the software running on the platform.
An infinite number of monkeys will eventually come up with the complete works of
Is anyone else sensing the likelyhood that compromised MyDoom machines were the ground zero hosts?
An infinite number of monkeys will eventually come up with the complete works of
1) Internet Information Services's track record has improved dramatically in the last couple of years... the last security patch for it was in May of last year, and then the one before that was in 2002.
2) Why didn't you enable XP's firewall before connecting to the Internet? That's a pretty effective way of preventing your machine from getting infected while collecting the various updates.
Besides the fact that you're repeatedly trolling with the "Teaching Fellow" bit...
/etc/passwd FILE IN WINDOWS!. Assuming there magically was, it wouldn't have any useful information. Yes, they might find a username. Who cares? If you cracked a box to install a worm, would you use a username that might possibly be traced to you? Unless the owner is running some hardcore auditing software, it's highly unlikely that there would be a single clue as to the virus author.
I highly doubt that the hosts who own your 100 so-called "ground-zero" IP addresses would be very helpful in an investigation, besides perhaps a cursory inspection. First, why would they be different from any other infected host, besides the fact that their IPs were hard-coded in the virus? The owners haven't commited any crime, but if the FBI grabs those computers, they won't see their computers for months or years.
First, it's a Windows worm, and THERE ISN'T AN
Second, if the virus author was intelligent at all, these hosts would be chosen to be outside the US, preferably in Libya or China or Russia or somewhere else with a low chance of cooperation with US law enforcement. Why? It's harder to get them taken down.
I'm not denying that they should be brought to justice, but let's not send the FBI to start grabbing random computers every time there's a virus outbreak. How would you feel if the FBI demanded you give them your shiny new $3000 laptop for as long as they want?
Karma: Contrapositive
We need to seriously consider the consequences of the firmware upgradability of modern computers and components. Imagine a worm like this one which instead of just wiping the hard disk, erased the system BIOS. In fact, worse is possible. There are software upgradable EEPROMS on the video card, CD-ROM, even the harddisk, printer, scanner etc. These EEPROMS can only be burned about 100 times. A malicious program could physically destroy all of them. If someone wrote such a worm payload, and released it after a 0-day exploit targeting millons of machines, the result could truly be a societal disaster. There would not be enough EEPROM chips, nor enough skilled workers to replace all of them. It would be worse than the 2003 blackout. I've felt for a long time that we need systems where no amount of malicious programing could destroy the hardware nor essential components of the software. One possibility is a hardware switch which would need to be pressed before any firmware modification could proceeed. A similar idea would provided a hardware write protection to certain portions of the operating system.
there is simply more you CAN do to secure Linux, versus Windows, in which almost all security has to be installed seperately.
You can massively limit the damage done by a worm in Linux simply by running all processes that leave a port open in a chroot jail, or by doing so as a lesser privledeged user. This is one of the many simple solutions avaliable, while in Windows, its not so easy.
It's very easy to to manage security for service processes under Windows. Different users can be created for the services, allowing whatever ACL restriction you'd like. For other processes, the "run as" option can provide the same function.
If you're having problems determining which services (or other process) are opening what ports, check out netstat -o.
This stuff is actually "easy" under Windows - maybe not Aunt Millie easy, but any power user can handle it. No MSCE required. The tools (and documentation) are there. There's even a fancy gee-wiz UI way to do it - no regedit necessary.
If you're a fan of software firewalls (I'm not), then yes, generally you have to buy these separately. But then software firewalls aren't really the answer, are they. Why do I need a separate piece of software to filter inbound connections. I can do that with the IPSECurity, or if I want redundancy, with a dedicated hardware firewall.
Call me over-confident, but I've had a Win 2000 Server on the net for 4 years, with no firewall of any kind, no NAT, no real-time anti-virus, and with open IIS ports. I run Outlook, IE6, VS.NET, SQL Server, and lots of other "notorious" MS software. The only illness this system has suffered was a code-red triggered DOS on my unpatched Cisco 675 router, and some nasty spyware installed with BearShare back before I knew what AdAware was. It's not magic - I just keep up with Windows Update and MBSA, and I try to be careful about what binaries I trust. Also, I back up religously. To be honest, the hardest part has been keeping up with mySQL, PHP, and ActiveState revs.
Seriously, worms like this that damage computers are very un-cool
It doesn't damage computers. It erases data; the computer itself is fine.
Sure, this is destructive... but it's much better than if it were installing BO2K everyplace, so the worm author could collect CCNs. That'd be much more damaging than simple erasures.
Look at the page you linked to. ZoneAlarm isn't listed as compromised product. It's not even made by the same company as the compromised programs.
Proud to be / Smiley-free / Since Nineteen / Ninety-Three
the last part of my comment was really meant to be humor, as marketeers don't have that kind of smarts :) I was trying to point to the start of a market, instead of a company attacking a competetor.
But, if I were serious:
how many lines of code is a person able to write in a day? how many does witty have? Who was the closest competitor to the firewall app that was infiltrated? How many man hours can that company contribute (in a single day) to a bouncing new market that will mean 1.2 billion dollars a year?
I don't think you got the message.
Worms like this could run on your dedicated firewall box (like linksys or draytek).
They don't require Windows or an insecure OS at all, they just require sloppy programming in any program that handles network packets.
You are failing to consider the extent to which Windows internal architecture dictates the software running on the platform.
Most of the time Microsoft bashing is valid, but saying that this is Microsoft's fault in any way is about one step away from stupid.
If this was the fault of Windows, a buffer overflow such as this one could not happen under Linux/MacOS/FreeBSD/Netware etc etc etc. However, a quick search on SecurityFocus tells us that it did infact happen on all the platforms listed above.
So, please explain to me how Microsoft can be blamed for this in any way!
...and saying that they should not allow code-execution on the stack or make it more secure so you dont need a firewall are not valid arguments.
About a week ago, we had a vulnerability announced in OpenSSL. I imagine most of us patched pretty quickly. But the Witty worm appeared within twenty-four hours of the announcement of the vulnerability it attacked, and it infected 95% of vulnerable machines within 45 minutes.
Yes, it's funny that it was a Windows firewall that was attacked. Yes, it's especially funny that it was an expensive Windows firewall that was attacked. Laugh.
But also think.
This could just as easily have been us. From my root logs I patched my servers for the OpenSSL vulnerability on Sunday 21st, which was four days after it had been announced. If the Witty worm had attacked OpenSSL, it would have got me. I suspect it would get most of us.
Linux (or BSD, or whatever) is not immune to this sort of attack. On the contrary, we're just as vulnerable as anyone else. Those of us who administer public-facing servers have got to learn to be still more cautious, and still more proactive about fixing holes as they are announced.
I'm old enough to remember when discussions on Slashdot were well informed.
...anything that is called a "firewall":
1. Should NOT contain any attack analysis. The only attack that any security software not in the hands of security researcher has a legitimate reason to "analyze" is an attack that already succeeded, and the user is recovering from the destruction caused by it. Announcing "prevented" attacks or modifying the host's response to "suspicious" data is at least a useless toy, and at most a target for a real attack (though most often it's in the middle, a nuisance that reduces the reliability). Keep it simple, stupid!
2. Should be separated from the host that it protect by at least a virtual machine and (better) be on a separate device. Then the worst that can happen in the case of a firewall compromise is that the firewall will stop performing its functions. Running a "firewall" on the "firewalled" host is an equivalent of a person hiring himself as a bodyguard.
3. If running on the "protected" host, it should be passive, and merely prevent other software running on that host from receiving packets from the Internet even if that software listens on the ports that the author believes, should not be opened. Still, calling this a "firewall" stretches the definition way too far.
The original meaning of a firewall is a wall in the building that prevents fire from spreading when the building is already on fire, and firewall acts as a barrier for spreading it. It does not make a building non-flammable, and its design expects a building to contain flammable material, yet it prevents damage from spreading. A network firewall does something pretty close to this, it expect vulnerable hosts to be on either of its side, and merely reduces the probability of successful attack from "external" to "internal" network, yet being relatively simple, it is impossible or difficult to attack. Having a "firewall" full of "flammable" bells and whistles, and in the middle of a system that it assumes to be vulnerable is a very, very wrong kind of design.
Contrary to the popular belief, there indeed is no God.
I probably could replace MSOffice with OpenOffice, and there's probably a Java debugger and compiler for *nix systems. MathCAD? No idea where to replace that. Rise of Nations is MS-only (dammit), and there probably is Palm Pilot interfacing software for *nix. Have no idea if my Canon scanner is supported, but it need to use it. Well, if they're making a poor choice, that's too bad, but in the meantime, I have to get work done, so I just try and make do.
:P)
(and on the side, I tinker with Linux...
So you're saying that all of those linux application security flaws on bugtraq are actually linux security flaws? Just because they are on the same platform? I think not.
Jaysyn
There is a war going on for your mind.
From the analysis:
When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.
Folks, we don't need any more infrastructure to prevent worms. We don't need any more infrastructure to control what you can and can't do on the Internet.
It's not the Internet that causes the problems, it's the in-secure machines that are vunerable.
You are being MICROattacked, from various angles, in a SOFT manner.
Possibly they had the worm already written except for the exploit. Maybe they'd tested spreading and destruction parts using another very old and likely to be already patched exploit and have been waiting, template ready, for an appropriate exploit to be found which they could plug into their worm template.
Eat at Joe's.
The thing that *really* worries me about this kind of story is that it provides a ready-made reason for two things - neither of which I want.
1st - A "secure" ie regulated internet where all traffic is traceable and managed
2nd - A hardware security model that prevents unauthorised code running ie. Palladium or whatever marketing fluffy word is now being used...
You know, and I know, that there are "nicer" ways of doing this but just wait until the first worm with a destructive payload hits the general population.
Not Good.
There is no reason on Earth that this worm couldn't have attacked Linux boxen. If this worm had been tailored to attack the the recent openssh vulnerability the day after it came out, many of us would have been owned immediately. How many of us have an open ssh port through our NAT devices and firewalls? The scary thing about this worm is that the authors have demonstrated an ability to attack new vulnerabilities in third-party software very quickly. In the case of the openssh vulnerability (a root exploit) that would have meant that very many of us Linux users would have been affected before we could do anything about it.
No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey