Slashdot Mirror


Analysis of the Witty Worm

DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."

31 of 415 comments

  1. buggy code by neoThoth · · Score: 4, Interesting

    The end of the worm seems to have bytes suggesting a flaw in the original worm code.
    I'm still getting data points for the infected by analyzing the worm's victims who contact my IP.

    1. Re:buggy code by rritterson · · Score: 3, Interesting

      "The end of the worm seems to have bytes suggesting a flaw in the original worm code."

      Would you mind elaborating on that assertion? I'm curious.

      --
      -Ryan
      AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  2. Their unsaid conclusion by ObviousGuy · · Score: 5, Interesting

    They state that the most important thing is to force users into a security mindset and this is near impossible. Also, they point out that even security-aware users may be at risk because of the risk of infection before the ability to patch the firewall/AV software is possible.

    This leads to the conclusion that firewall/AV software should be included as part of the baseline system, whether with the operating system or as an additional package at system build time. Also it leads to the conclusion that user-assisted updates are useless and only automatic updates can effectively patch fast enough to block worms of this sort.

    This is one of the most depressing stories about the state of the Internet that I've read in a while.

    --
    I have been pwned because my /. password was too easy to guess.
  3. More Ground Zero hosts? by Anonymous Coward · · Score: 2, Interesting

    Interesting. An article at zdnet suggests that Witty was in fact a prototype, and could be the first example of cyber-terrorism. The combination of
    a) the destructive payload,
    b) the time from disclosure to deployment, and
    c) the large number of Ground Zero hosts
    suggests capabilities far beyond those of an autistic 17-year-old in his parents' basement. Could this be the start of internet-based Al Qaeda action, which anti-terrorism experts have so long stated was coming?

  4. vulnerability to worm time by neoThoth · · Score: 5, Interesting

    The rate of worm creation on this one was almost a little TOO quick. This time to creation would almost suggest that the author of the worm perhaps had inside knowledge. It's not entirely outside the realm of reason that the vulnerability leaked from ISS before the announcement was made.

  5. Anyone else see this? by citking · · Score: 4, Interesting
    On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, Proventia, RealSecure Desktop, and BlackICE. Emphasis mine.

    Man, I am so used to seeing IIS in a security vulnerability I had to give it a second glance. I guess people shouldn't use those letters in software abbreviations anymore. It's becoming bad luck!

    Seriously, worms like this that damage computers are very un-cool. As a freelancer I got to see this on only a few machines and by gratuitous use of recovery console, fixmbr, and (alas) one format and reinstall later I was able to fix them all.

    While doing this onsite at a realty company I asked what they used as a firewall. Seeing blank stares from them all wasn't the highlight of the day. Not having a hardware firewall handy it was quite fun to race against the vermin as I downloaded patches off of the net on a virgin XP install! I actually thought I heard giggling echoing from the DSL modem as the DL percentage ticked higher slowly but surely....

    --
    "This food is problematic."
  6. What's It going To Take by flopsy+mopsalon · · Score: 3, Interesting

    Another day, another virulent internet worm utilizing an unaccounted-for "buffer overflow" to propagate itself throughout the internet. Users suffer and system administrators grind their teeth to clean out their networks.

    By now I am sure it has been noticed that the "buffer overflow" is a very common "exploit" used by these internet worms to infect machine after machine. One simple way to address this problem would be to replace these vulnerable "buffers" with something that will not overflow, perhaps something spongy and highly absorbent. Isn't anyone working on a solution along these lines? You never seem to hear about any progress being made. Honestly, sometimes it seems like no one in the technology industry has any common sense.

  7. Net Telescope by mmca · · Score: 2, Interesting


    Network Telescope

    The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.


    They have 1/256th of all the IPv4 space?!?
    That's a lot of IPs that could be freed up for other purposes.

    It's great that they are doing this. And it is an interesting project. But I've been hearing about the lack of IPs for the last 5 years, and this one group has 1/256th of them.

    ------------
    www.ComicSmash.com

  8. Time to learn SELinux I think by SmallFurryCreature · · Score: 4, Interesting
    'Cause Linux and BSD sure ain't safe against this. Buffer overflows ain't nothing new and this analysis shows there is no security in being a small target.

    Might be time to make a security model that stops a firewall application from writing to the hard disk or deleting files. Why should it after all? Or limiting just how many emails a user can send; how many times do you send thousands in a minute?

    Perhaps even a delete mechanism that doesn't allow destruction of data without a password.

    Paranoid? 12,000 machines just went Poof in half an hour with this virus if the story tells it right. Doesn't exactly cheer me.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  9. KneeJerking by minusthink · · Score: 5, Interesting

    Since I deal more with our internal software/services (as opposed to dealing with the customers) I don't really have to fix anything other than wipe a machine or two. However, for me, the worst part of this is the kneejerking that occurs right afterward.

    Now that this worm hit, management is crying for more security without really thinking it through. Now all staff machines need to be behind hardware firewalls. ALL machines. Linux, Solaris (95% of our boxes), Windows. Not such a big deal except they bought us cheapo netgear cable/dsl firewalls that I'm convinced will do nothing more than ipf/iptables to stop a determined cracker. These netgear firewalls stop me from mounting NFS of anything, they have no trusted hosts options. In fact, I can only port forward from everywhere, so in a sense it is lowering my security.

    Does anyone else experience reactionary steps like this from the PHBs?

    (Thanks for reading my rant :)

    --
    "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
  10. MOD PARENT UP ON TOPIC FUNNY by Anonymous Coward · · Score: 1, Interesting

    This is what appears when the worm wipes your hard drive.

    Rather than "Why did you let this happen, Billy boy?" or something it just says that.

    Just because you don't understand it doesn't mean it's off topic.

  11. Can IPv6 help? by yudan · · Score: 2, Interesting

    As Witty Worm sends packets to randomly generated IP addresses, because of the relatively small and quite dense IPv4 space, it can quite easily hit a vulnerable host. I am not sure if using IPv6 will render this kind of attack impossible? Can anyone clear this up for me?
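    An added illustration, not part of this thread or of the CAIDA analysis: the Python below simulates the sampling argument from the Network Telescope quote in comment 7 (a telescope covering 1/256 of IPv4 sees about one probe in 256 from an unbiased random scanner) and works through the IPv6 question in the comment just above. The 12,000-host population and the 11,000,000 pps rate are figures mentioned elsewhere in this thread; the 10.0.0.0/8 telescope prefix and the probe counts are constructed.

```python
"""Constructed simulation: an unbiased random-scanning worm as seen from a
network telescope that owns 1/256 of IPv4, plus the probe arithmetic for
the same scanner against IPv6. Figures are assumptions taken from the thread."""
import random

IPV4_SPACE = 2 ** 32
IPV6_SPACE = 2 ** 128
TELESCOPE_PREFIX = 0x0A          # constructed: telescope occupies 10.0.0.0/8
TELESCOPE_DIVISOR = 256          # a /8 is exactly 1/256 of the IPv4 space
VULNERABLE_HOSTS = 12_000        # population size quoted in the thread
PROBES_PER_SECOND = 11_000_000   # aggregate scan rate quoted in the thread


def in_telescope(addr: int) -> bool:
    """True if a 32-bit address falls inside the telescope's /8."""
    return (addr >> 24) == TELESCOPE_PREFIX


def simulate_scan(n_hosts: int, probes_per_host: int, seed: int = 1):
    """Each of n_hosts infected hosts fires probes_per_host uniformly random
    32-bit destinations (an unbiased PRNG). Returns (total probes sent,
    probes that landed in the telescope, distinct infected hosts observed)."""
    rng = random.Random(seed)
    seen_probes = 0
    seen_hosts = 0
    for _ in range(n_hosts):
        hits = sum(1 for _ in range(probes_per_host)
                   if in_telescope(rng.getrandbits(32)))
        seen_probes += hits
        seen_hosts += hits > 0
    return n_hosts * probes_per_host, seen_probes, seen_hosts


def estimate_total_probes(seen_probes: int) -> int:
    """Scale what the telescope saw back up to the whole Internet."""
    return seen_probes * TELESCOPE_DIVISOR


def prob_host_observed(probes_per_host: int) -> float:
    """Probability that a host sending k random probes puts at least one of
    them inside the telescope: 1 - (255/256)^k. This is why the telescope
    ends up seeing almost every infected host, not just a 1/256 sample."""
    return 1 - (1 - 1 / TELESCOPE_DIVISOR) ** probes_per_host


def expected_probes_to_first_hit(space_size: int, vulnerable: int) -> float:
    """Uniform random probing needs space_size / vulnerable probes on average
    before the first one lands on a vulnerable host (geometric distribution)."""
    return space_size / vulnerable


def years_to_first_hit(space_size: int, vulnerable: int, pps: int) -> float:
    """Wall-clock time for that first hit at an aggregate rate of pps probes/s."""
    seconds = expected_probes_to_first_hit(space_size, vulnerable) / pps
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    total, seen, hosts_seen = simulate_scan(n_hosts=200, probes_per_host=2_000)
    print(f"sent {total} probes, telescope saw {seen} "
          f"(about {total // TELESCOPE_DIVISOR} expected), "
          f"scaled-up estimate {estimate_total_probes(seen)}")
    print(f"telescope observed {hosts_seen} of 200 infected hosts; "
          f"P(host observed) = {prob_host_observed(2_000):.6f}")
    for name, space in (("IPv4", IPV4_SPACE), ("IPv6", IPV6_SPACE)):
        probes = expected_probes_to_first_hit(space, VULNERABLE_HOSTS)
        years = years_to_first_hit(space, VULNERABLE_HOSTS, PROBES_PER_SECOND)
        print(f"{name}: {probes:.3e} probes to first hit, {years:.3e} years")
```

The IPv6 line is the answer to the question above in numbers: the same 12,000 hosts spread over 2^128 addresses would take on the order of 10^19 years to find by blind random probing, so a Witty-style scanner does not work there and would have to obtain addresses some other way.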

  12. Destructive by Anonymous Coward · · Score: 4, Interesting

    Interesting: one could have had the feeling that it was 'stupid' for these worms to destroy their hosts so rapidly. Why not wait for a few hours or days and then do it in a synchronized manner?

    In fact, the overall number of hosts that could be infested was low (~12,000): there was no need for waiting.

    It seems that those who launched it had a very good knowledge of what they were doing.

    Definitely interesting.

    1. Re:Destructive by buttahead · · Score: 4, Interesting

      there was no need for waiting.

      I'd go a step further and say that immediate damage to the system was mandatory. Waiting in this case would have detracted from the destructiveness of this worm. Since it was attacking firewalled, and, probably anti-virus enabled machines, waiting would mean that the destruction would be nullified.

      It seems that those who launched it had a very good knowledge of what they were doing.

      Sounds like someone from marketing has decided to write worms. They thought about the market of hosts they were trying to infect. A good reason for infecting this set of hosts would have been to stifle the security software vendors. In order to avoid this situation in the future, a person should invest in a new model of protection. Seems to be a perfect opening for a new market.

    2. Re:Destructive by SatanicPuppy · · Score: 2, Interesting

      It acted very much like Ebola, which is an interesting comparison. Ebola is massively virulent, but its onset and effects are so quick that it tends to "burn itself out" before infecting a large number of people. This virus did the same.

      It would be interesting to see what percent of the population that COULD have been affected, was. Maybe the writer concluded that, in hitting people with this specific vulnerability, they would have tapped the bulk of their targets in the first 24 hours or so, leaving no need for a long-lived worm.

      A delay in targeting a tech savvy population is risky if you care about the amount of long-term damage you're going to cause. A delay of two or three days would have meant many users would have had time to remove the worm before it started eating hard drives.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  13. A niche Warhol worm by theCat · · Score: 3, Interesting

    We tend to think of the M$ monopoly, and the subsequent homogenous pool of hosts, as being the reason for the rapid spread of worms. Actually, the monopoly means that most viruses will be targeted for that platform because it is obvious, but a virus well targeted even for a niche platform like ISS can take off because the internet itself is now almost completely transparent.

    What this suggests is that the combination of 1) bandwidth commonly available and 2) CPU speed are now more than sufficient for a virus to find almost all of the hosts it needs to anywhere these are on the internet. When a few early, fast hosts can spew 11,000,000 pps to random IP addresses then it doesn't take long to find what one is looking for.

    No doubt this is part of the reason for the observation that when 2% of Windows sysadmins fail to patch for a known vuln, then the next worm to come along and exploit that vuln has a field day. 2% of a really big number is in turn a lot of hosts, millions of Windows hosts for example.

    And a million of anything, be it Mac OSX or NetScreen or Checkpoint or BeOS or OS/2 or Amiga or anything, is fair game when a smartly written virus can get them all.

    I guess I'll have to go back and review my Mac for system updates.

    --
    =^..^= all your rodent are belong to us
  14. Is there a 0wned-net we need to know about? by LostCluster · · Score: 3, Interesting

    What's most disturbing to me is that this worm appeared on about 200+ distinct hosts at such a rate of speed that it could not have done so that fast using its main random-checking method. There clearly was some plan to pre-seed the worm into at least that many places before the worm started to spread on its own.

    I doubt whoever programmed this worm had legit access to that many well-distributed computers... so it appears that some carrier hack occurred before this worm was released, which effectively took about 12 hours off of the reaction time clock before the white hats even realized what was hitting them. Are we about to see a rash of compound attacks where one worm has a second worm baked in?

  15. Re:We can catch the worm's author by mrtroy · · Score: 2, Interesting

    HAHA!

    You posted anon because you are a fool. That's the sadly obvious reason.

    There are laws against hacking: The Patriot Act and other laws generated by the Department of Homeland Security are examples. This worm has intentionally terrorized computer networks across the world, and we can prosecute these bastards.

    I am glad you go to Harvard Law School, and are a TF...but sadly I must point out a nice little flaw in your argument (how did you pass the LSAT without knowing fallacies?)

    The Patriot Act and other laws generated by the Department of Homeland Security are examples. == AMERICAN


    This worm has intentionally terrorized computer networks across the world, and we can prosecute these bastards.
    == THE WORLD.

    Your American laws are only good in America. What makes you think that the worm was begun by an American or that you could prosecute that individual?

    There are 100 ground-zero IP addresses recorded in the telescope: these ground-zero hosts are likely to be useful for forensics, and search warrants should be issued for their recovery. Without too much trouble, we could probably find a username in /etc/passwd from one of the hackers.

    Explain to me who is doing this forensics, and how the search warrants will be issued for these "100 ground-zero IP addresses". Yet again, are these all American IPs? Are the people investigating American?

    Without too much trouble, we could probably find a username in /etc/passwd from one of the hackers. == GIBBERISH.

    What exactly do you mean here? You are going to find the hacker's username in /etc/passwd?

    I don't really understand why/how/what you mean here. If a hacker is smart enough to start this large scale worm, do you not think he is smart enough to not leave any logs on the computers he first infected? And if they are, they would definitely be proxies, which yet again are you going to investigate them? Even if they are not American?

    And finally....

    With a bit of work, I believe that the hackers can be brought to justice. The question is, what happens next week when the next bored teenager releases the next worm?

    You are going to bring the hackers to justice where? Are they American? Do you have the right to prosecute anyone in the world?

    And it is hardly the work of a bored teenager. First, it's unlikely it's a teenager...it is rather convenient to blame teenagers though. You are missing the real question, which is what can we do to prevent worms of massive scale from occurring.

    I really hope that you use what you learn at Harvard inside America, and do not try to impose your laws anywhere else in the world. Especially considering your lack of knowledge on the subject yet your intentions to bring some hackers to justice.

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
  16. Re: Windows Security Model Needs Fixing! by Phragmen-Lindelof · · Score: 2, Interesting

    "Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows."

    Why?

    UV has good people. Why do they let you (require you to (??)) use Windows? Are you in CS, Math or Applied Math? ... Engineering? Business? What?
    Based on the IPs of computers spreading virus, worms, etc. in the past, my impression is the engineering departments (& "institutes") are among the most common academic sources of this garbage. (Earlier today, unl.edu was a problem.)

  17. Security defined by mcrbids · · Score: 4, Interesting

    I think we all have to come to terms with the fact that our current state of Computer Science is not up to the task of dealing with the Internet as it is becoming.

    Linux/BSD has a somewhat better security record than MSFT, but even after all the auditing effort put out by the guys over at BSD/OpenSSH, there have *still* been a number of security vulnerabilities recently!

    The problem is not being viewed in the proper light. Something like a buffer overflow should not result in a compromisable host! Something like a misquoted SQL statement should not result in an SQL injection vulnerability!

    Applications and programming environments need to be structured and developed with the understanding that people make mistakes and there needs to be allowance for that.

    You can't expect a group of programmers to maintain 50,000, 500,000, or 5,000,000 lines of code without there being mistakes in there.

    It just cannot be done.

    So languages, programming techniques, and infrastructure need to be developed that truly prevent the "bug==severe security risk" situation.

    Really, as much as we all laud their security record, Microsoft is in a good position to trounce the OSS crowd if they can come up with a software language and security system that allows for programming mistakes.

    The answer is NOT to make sure you input validate *everything* - although input validation is always a good thing.

    The answer is to develop a system where common programming mistakes do not result in a security issue.

    Get used to it. People are people. They make mistakes. We either cease being human, or develop a system that makes allowances for our humanity.

    Can we do it?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  18. Re:Save yourself some reading by Anonymous Coward · · Score: 1, Interesting

    Well... the OS does not offer any kind of protection in this case, so it is the fault of Windows.

  19. Re: Windows Security Model Needs Fixing! by seaswahoo · · Score: 2, Interesting

    Yes, firewall software was the one that was compromised, I think. I used to trust ZoneAlarm, but then I figured that hardware firewalling is probably a safer bet than software firewalling, especially if the software firewall is running on a Windows box.

  20. Re:Save yourself some reading by bobthemonkey13 · · Score: 4, Interesting
    And that relies on the assumption that your VM securely isolates the virtual machine from the real one. This turns out to be false in practice -- there have been several exploits for Sun's Java VM, and there's no reason to think that Microsoft's .NET runtime will be any better. High-level scripting languages help against low-level stack-smashing attacks, but it's far too easy to write a script that doesn't properly prevent exploitation of the dynamic features of the language (improper filtering of commands to Perl's system(), PHP's remote-fetching include(), etc). Features like Perl's taint-checking can help a lot, but don't take the place of careful coding.

    As for the issue of the underlying OS providing security features, it's not entirely a moot point. Linux provides some stack/heap protection and other binary runtime security through the grsecurity patches; OpenBSD has W^X and other security features built into the kernel. Still, expecting the OS to protect binaries at runtime is a completely ass-backwards way of approaching security. Ultimately, application developers have to bear most of the burden for writing secure code.

  21. Microsoft? Are you taking notes? by calebb · · Score: 2, Interesting

    In light of this worm, I wonder if Microsoft is going to make any changes to the new Windows XP SP2 firewall? (i.e., a self-monitoring 'heuristic' process that watches for 'exploited-process-like-behavior.')

  22. Re:New tactical doctrine for attacks by Animats · · Score: 3, Interesting
    It's not a new observation about war. It's more of a justification for putting far more resources into preparation for the first few minutes of a battle than has historically been the case. There's a truism that no battle plan survives contact with the enemy. But for the first few minutes, with sufficient preparation and intelligence, that's often not true.

    The classic example is Eben-Emael. Seventy men took out one of the strongest forts in the world, manned by a thousand troops, in ten minutes. This allowed Hitler's armies to advance into Belgium and conquer France. Six months of preparation, ten minutes of vulnerability.

    The lesson for virus/worm writers is that an attacker needs the capability to rehearse and optimize attacks. This requires two things - general intel about target machines (what percent of targets are vulnerable to each available attack, for example), and a farm of machines on which to test and tune attacks. Many worms/viruses have failed because propagation was too slow, or all the attacks targeted the same machines, or some similar tactical failure in the early part of propagation. The original Morris worm failed for just such a reason. The serious attacker will have a farm of machines on which to repeatedly test the attack plan, without arousing attention until the actual attack.

  23. Re:New tactical doctrine for attacks by fuzzybunny · · Score: 2, Interesting

    Good form. Breezy and fluffy, but original enough to provide a convincing imitation of insight.

    Don't fall into the common trap of judging historical patterns by what you know today. Virus/worm attacks, beyond the coordinated DDoS Stacheldraht/Trinoo/TFN a few years back have been the work of one or a few individuals just releasing to see what happens. There are a lot of indicators that worms are being released with schedules and goals.

    If MDCP-1 "revolutionized" the MC, maybe that says more about the Marines...

    Once again, exercise caution in generalizing. Sun Tzu, von Clausewitz, Napoleon, Guderian may have had and propagated fantastic ideas about warfare, but the reason the latter were so successful was because nobody else thought of implementing those ideas. What seems painfully obvious to you/me today was not always so.


    No it doesn't. If you have any predictions about what'll come next, state them.


    Once again, I disagree. If what we're seeing with Netsky/MyDoom is a pattern of testing viruses with escalating degrees of sophistication and effectiveness, it's possible to create some (quite possibly mistaken) conclusions about future attack patterns, the identities and goals of the people writing them, and maybe, if you're really lucky, general avenues of attack.

    The whole concept of virus-scanning is flawed.

    Flawed, yes. Unnecessary, no. The reason we have any security at all is as a combined response to past incidents and exploits and theoretical future weaknesses. If you see virus scanning as a be-all end-all solution, you've got a problem. As you do if you decry individual security components out of hand because they don't do things they're simply not designed to do (i.e. be psychic about what's next.)

    Nothing significantly better about its spread rate.

    No, but just looking at the spread rate is to use a flawed metric. What's interesting is the initial population, although I'll agree with you that distributed attack networks are nothing new, and the fairly novel target selection. That's what worries me.

    Yes, it's a bit far-fetched to apply military analogies to worms; the goals are different, as are the means, the motivation, etc etc etc. However, considering that concepts like 'planning', 'strategy' and 'dynamic adaptation' _are_ fairly novel concepts in the worm world (see my first points) it might not be such a stretch after all.

    --
    Cole's Law: Thinly sliced cabbage
  24. Re:Save yourself some reading by spellraiser · · Score: 1, Interesting

    The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants.

    Who the he** suggested this? This is a frankly ridiculous idea. What about the responsibility of the programmers (or the firm they work for) who introduced the exploitable bug into the software in the first place? Why should the end user bear sole responsibility, simply because he failed to apply a patch? An interesting concept indeed ...

    --
    I hear there's rumors on the Slashdots
  25. An Idea which I had for a long time. by LuckyStarr · · Score: 3, Interesting

    Given, many hosts run the same OS (Linux, Windows, whatever) and the same binaries. Even if you compile the source from scratch the resulting binary is likely to be identical to other binaries on other machines.

    This leads to a situation where malicious code can rely on things like stack position and such, enabling it to insert its code into it.

    Idea:

    Is it possible to modify the compiler or binary-format to gather some unique information from the host it is running on and modify the binary in a way that it behaves in a unique way on this machine?
    For example in a way so that malicious code can not predict the position where it can insert itself, resulting in a crash rather than a compromise of the machine.

    Pros:

    - All malicious code would be obsolete if it doesn't know the "secret" of the machine and the method it uses to "scramble" its binaries and/or its memory.
    - All remote/local exploits in any form would be converted to a DoS, which I think is not as dangerous as a compromise.

    Cons:

    - Would presumably make debugging of programs even worse than it is now.
    - Insert "You stupid *%@&, you don't understand" here.

    Please reply, as I feel that I may have missed something important.

    --
    LuckyStarr

    --
    Meme of the day: I browse "Disable Sigs: Checked". So should you.
  26. Re: Windows Security Model Needs Fixing! by u01000101 · · Score: 2, Interesting

    I used to trust ZoneAlarm, but then I figured that hardware firewalling is probably a safer bet than software firewalling, especially if the software firewall is running on a Windows box.
    ZoneAlarm is the only thing that can tell you this attempt to connect to port 80 on http://12.34.56.78 is not coming from your browser, but from a process called __Leet_IM__CLient!!!111__ . You get the picture...
    Because you allow port 80 outbound in your hardware firewall, don't you?

    --
    if you use a good enough junk-filter, slashdot.org will display a single, *blank*, page
  27. I got hit by this worm by leereyno · · Score: 2, Interesting

    I spent most of yesterday rebuilding my Windows 2000 system at work. I did a raw copy of my Windows partitions to a second drive using dd under Linux before I started the rebuild so I was able to preserve much of my data, but far from all of it. My Outlook .pst file is the most painful loss so far, and who knows what else I'll find damaged beyond repair before I'm done.

    Once upon a time I would be furious about this. Nowadays I've come to expect it. It seems we live in a world where sociopaths are given free rein to harm others without penalty or consequence. Worms like this are concrete proof of the existence of genuine evil. What kind of a person would create something for the sole purpose of ruining other people's computers? Other people who they don't know and who have never done anything to hurt them? I'll tell you what kind, the kind I'd kill in a cold second. I hope and pray that they find the people behind this, and that they are in a place where our law enforcement can get at them. The best thing would be just to take them out someplace and shoot them, but short of that a nice long prison sentence will suit me just fine.

    This worm has convinced me of the need to increase the steps we take in fighting people like this. The model where we work to protect our systems just doesn't work. Locking your door and windows and pulling the shades may keep an intruder out of your house most of the time, but it doesn't eliminate that intruder. It is far better to trap and kill a rabid animal than it is to simply put up barbed wire around your house. It is time that the would-be victims of these crackers went on the offensive. You wouldn't just stand there if someone was trying to beat you up. You'd fight back and if possible make sure your attacker hurt badly enough that they wouldn't be attacking anyone else anytime soon.

    Crackers are not a computer problem, they are a people problem. If computers didn't exist they would find some other way to be destructive and malicious. Crackers are no more a computer problem than carjackers are a problem with your car. The only difference is that carjackers run the risk of getting shot by their would-be victims and/or being sent to prison. Crackers essentially operate with impunity. The only way the cracker problem is going to be effectively handled is to make that change.

    If I ever find out who is behind this worm and I'm in a position to do something about it... heaven help them because it will take an act of God to save them from me.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  28. Re:Interesting conclusion by Tin+Foil+Hat · · Score: 2, Interesting

    Yes, yes it is a large leap to any conclusion of that kind. To follow the car analogy, if someone were to steal my car and ram it into a crowded restaurant, I would not be held responsible even had I left the door open and the engine running. That is exactly what is happening with trojaned computers. It is the attackers that should be held responsible, not the poor sap whose computer got hijacked.

    --
    No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey