Slashdot Mirror

← Back to Stories (view on slashdot.org)

Analysis of the Witty Worm

Posted by CowboyNeal on from the dull-worms-envious dept.

DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."

2 of 415 comments (clear)

  1. Vulnerability discover and worm by Gehenna · · Score: 0, Redundant

    It makes you wonder what this means for future vulnerabilities. If worms are propagating this quickly after vulnerabilities are discovered, it might not be so fun in the future.

  2. for those of you too lazy to follow a link by Anonymous Coward · · Score: 0, Redundant

    The Spread of the Witty Worm

    March 19, 2004

    An analysis by Colleen Shannon (cshannon@caida.org) and David Moore (dmoore@caida.org) of the spread of the Witty Internet Worm in March 2004. The network telescope and associated security efforts are a joint project of the UCSD Computer Science and Engineering Department and the Cooperative Association for Internet Data Analysis.

    We would like to thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project; Mike Gannis, Nicholas Weaver, Wendy Garvin, Team Cymru, and Stefan Savage for feedback on this document; and the Cisco PSIRT Team, Wendy Garvin, Team Cymru, Nicholas Weaver, and Vern Paxson for discussion as events unfolded. Support for this work was provided by Cisco Systems, NSF, DARPA, DHS, and CAIDA members.

    Introduction

    On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, Proventia, RealSecure Desktop, and BlackICE. The worm takes advantage of a security flaw in these firewall applications that was discovered earlier this month by eEye Digital Security. Once the Witty worm infects a computer, it deletes a randomly chosen section of the hard drive, over time rendering the machine unusable. The worm's payload contained the phrase "(^.^) insert witty message here (^.^)" so it came to be known as the Witty worm.

    While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:

    • Witty was the first widely propagated Internet worm to carry a destructive payload.
    • Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
    • Witty represents the shortest known interval between vulnerability disclosure and worm release -- it began to spread the day after the ISS vulnerability was publicized.
    • Witty spread through a host population in which every compromised host was doing something proactive to secure their computers and networks.
    • Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

    • In this document we share a global view of the spread of the Witty worm, with particular attention to these worrisome features.

    Background

    Network Telescope

    The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.

    ISS Vulnerability

    A number of Internet Security Systems firewall products contained a Protocol Analysis Module (PAM) to monitor application traffic. The PAM routine in version 3.6.16 of iss-pam1.dll that analyzes ICQ server traffic assumes that incoming packets on port 4000 are ICQv5 server responses and this code contains a series of buffer overflow vulnerabilities. The vulnerability was discovered by eEye on March 8, 2004 and announced by both