Slashdot Mirror
Analysis of the Witty Worm
DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an
analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."
The end of the worm seems to have bytes suggesting a flaw in the original worm code.
I'm still getting data points for the infected by analyzing the worms victims who contact my IP.
Conclusion:
The Witty worm incorporates a number of dangerous characteristics. It is the first widely spreading Internet worm to actively damage infected machines. It was started from a large set of machines simultaneously, indicating the use of a hit list or a large number of compromised machines. Witty demonstrated that any minimally deployed piece of software with a remotely exploitable bug can be a vector for wide-scale compromise of host machines without any action on the part of a victim. The practical implications of this are staggering; with minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts.
While many of these Witty features are novel in a high-profile worm, the same virulence combined with greater potential for host damage has been a feature of bot networks (botnets) for years. Any vulnerability or backdoor that can be exploited by a worm can also be exploited by a vastly stealthier botnet. While all of the worms seen thus far have carried a single payload, bot functionality can be easily changed over time. Thus while worms are a serious threat to Internet users, the capabilities and stealth of botnets make them a more sinister menace. The line separating worms from bot software is already blurry; over time we can expect to see increasing stealth and flexibility in Internet worms.
Witty was the first widespread Internet worm to attack a security product. While technically the use of a buffer overflow exploit is commonplace, the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable.
It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.
The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.
In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software.
This makes me feel a bit safer, since we used to run Windows-based boxen directly on the Internet but now they all hide behind a Linksys NAT Router and firewall.
From what I've learned, the general rule is NEVER to put a Windows machine directly on an unsecure network. Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows. I turned on the Internet Connection Firewall...but this kind of worm vulnerability makes me nervous. Today, someone attacks the eEye security software; tomorrow, someone takes out Microsoft's ICF.
Similarly, end users may also be unaware that perceived slowness of their computer or Internet connection is caused by a worm, and they may reboot their computers in the hope that that will fix the problem.
I find this problem with spyware and adware too. I recently cleaned out the computer of a family friend that was very slow and would no longer connect to the Internet. Removed a huge gob of spyware with Ad-Aware and Bazooka, and BAM! we were back online.
Goes to show you. I'm thinking that Microsoft's security model in Windows may need to be revised, considering in XP Home at least, all users run as Administrator (root) and system services have way too many privileges.
Makes me glad I replaced my aging NT file server with Linux/Samba.
They state that the most important thing is to force users into a security mindset and this is near impossible. Also, they point out that even security-aware users may be at risk because of the risk of infection before the ability to patch the firewall/AV software is possible.
This leads to the conclusion that firewall/AV software should be included as part of the baseline system, whether with the operating system or as an additional package at system build time. Also it leads to the conclusion that user-assisted updates are useless and only automatic updates can effectively patch fast enough to block worms of this sort.
This is one of the most depressing stories about the state of the Internet that I've read in a while.
I have been pwned because my
the rate of worm creation on this one was almost a little TOO quick. This time to creation would almost suggest that the author of the worm perhaps had inside knowledge. It's not entirely outside the realm of reason that the vulnerability leaked from ISS before the announcement was made.
A ground zero host/vector is a host that wasn't infected by another machine, but by an individual who wished the machine to infect other machines. A ground zero host does not necessarily need to have the same exact code as the code it sends out, for example, in this case, it would be unproductive for the ground zero host to have the original code since it erodes the filesystem of the host.
Man, I am so used to seeing IIS in a security vulnerability I had to give it a second glace. I guess people shouldn't use those letters in software abbreviations anymore. It's becoming bad luck!
Seriously, worms like this that damage computers are very un-cool. As a freelancer I got to see this on only a few machines and by gratuitous use of recovery console, fixmbr, and (alas) one format and reinstall later I was able to fix them all.
While doing this onsite at a realty company I asked what they used as a firewall. Seeing blank stares from them all wasn't the highlight of the day. Not having a hardware firewall handy it was quite fun to race against the vermin as I downloaded patches off of the net on a virgin XP install! I actually thought I heard giggling echoing from the DSL modem as the DL percentage ticked higher slowly but surely....
"This food is problematic."
The concept would be at least as workable, in the courts, as any liability legislation is currently.
The Ezine Directory
Might be time to make a security model that stops a firewall application from writing to the Harddisk or deleting files. Why should it after all? Or a limiting just how many emails a user can send, how many times do you send thousands in a minute?
Perhaps even a delete mechanism that doesn't allow destruction of data without a password.
Paranoid? 12.000 machines just went Poof in half an hour with this virus if the story tells it right. Doesn't exactly cheer me.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!
If you've read nothing else, check out the conclusion:
I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.
And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.
Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.
Carousel is a lie!
Before it gets slashdotted even.
C|N>K
Since I deal more with our internal software/services (opposed to dealing with the customers) I don't do really have to fix anything other than wipe a machine or two. However, for me, the worse part of this is the kneejerking that occurs right afterward.
:)
Now that this worm hit, management is crying for more security without really thinking it through. Now all staff machines need to be behind hardware firewalls. ALL machines. Linux, Solaris (95% of our boxes), Windows. Not such a big deal except they bought us cheapo netgear cable/dsl firewalls that I'm convinced will do nothing more than ipf/iptables to stop a determined cracker. These netgear firewalls stop me from mounting NFS of anything, they have no trusted hosts options. In fact, I can only port forward from everywhere, so in a sense it is lowering my security.
Does anyone else experience reactionary steps like this from the PHBs?
(THanks for reading my rant
"when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
analysis of the witty worm has revealed that it is wittier than most posts on slashdot
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
That's a very good suggestion, except that in this case, the firewall software was the vulnerable component. No BlackICE, no Witty worm.
I'm deeply troubled by this; we piss and moan about how the average windoze luser doesn't have a firewall or AV software, and then this pops up.
Much as I would like to, I can't blame this on Microsoft. It's just sloppy programming, the sort of practice that M$ has made prevalent. There, I blamed M$ after all. Still, changing the permission model of Windoze wouldn't have helped this; BlackICE is exactly the sort of software that needs access to the network protocol stacks; it's supposed to be one of the trusted portion of the system, as compared to all those VBScript viruses that run as admin/root, but shouldn't.
If I were designing a new CPU, I would think about including some hard-core stack protection. A no-execute bit in the MMU is a very good start, but still not bullet-proof. I'm thinking something (with OS assistance) to disallow all access beyond the link pointer for the current function call. Every CALL sets a new boundary, and every RET pops back to the last boundary. Try to write past the boundary, and you get a machine exception. Much finer granularity than 4K pages that most 32-bit MMU's provide.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
Interesting: one could have had the feeling that it was 'stupid' for these worms to destroy their hosts so rapidly. Why not wait for a few hours or days and then do it in a synchronized manner?
In fact, the overall number of host that could be infested was low (~12,000): there was no need for waiting.
It seems that those who launched it had a very good knowledge of what they where doing.
Definitely interesting.
Under that conditions, if a similar flaw is found in i.e. iptables, ssh, bind, apache or postfix, it could have a similar impact, be the OS Linux, FreeBSD, MacOSX or whatever you consider "safe" and widely enough used.
Of course, if the same would happened to a really popular software out there (clients are more popular than servers, we know the effect of outlook worms, and even by default installed servers, like IIS, or maybe even the Win XP SP2's bundled firewall) the effect would be much worse, but no OS connected to internet is safe against this. Maybe releasing policies will change putting the "when its ready" release date over the "when the marketing people say" on the light or the widespread of this kind of things.
Ok, I'll bite. . .
/etc/passwd since these are Windows boxen, and don't HAVE an /etc/passwd file.
Yes, there are laws against writing malicious code. They apply if the authors happen to be in a country that respects the USAPatriot Act or whatever other laws may be applied. Your actual chances of catching these folks are slim to none.
Even with 100 "Ground Zero" hosts, you won't get anything from
Personally, I suspect the timing of the "destructive" release of this worm was based on the impending alerts about the 'sploit. I seriously doubt the creation of the worm happened after the public knowledge of the release. It's very likely that folks "in the know" were using the 'sploit for weeks to months before it was publicly acknowledged. The worm was "Spoil our fun, will you? Ha! Chew on this!"
The destructive payload was certainly viscious, but I would worry that there were exploited (with this particular 'sploit) boxen out there LONG before anyone knew there was a hole in RealSecure and BlackICE.
Never attribute to malice what can as easily be the result of incompetence...
I'm a long time UNIX/Linux hacker (I first programmed on UNIX on a VAX). I've written a lot of C/C++ code. But long ago I used Pascal and more recently I've been using Java more.
Both Pascal and Java do range checking. That is, they check the bounds of arrays (buffers) when they are accessed. This means that about half of the security exploits (including the one, targeted at BlackIce etc...) would not be exist if our software base was implemented in languages with bounds checking.
The original reason that bounds checking was not implemented in C was that the early compilers were very basic (little in the way of optimization) and bounds checking overhead slows execution. Bounds checking overhead can be reduced through optimization, but Ritchie's original C compiler only did simple optimization.
Another problem is that in C pointers and arrays are more or less interchangable. So bounds checking becomes difficult or impossible in all cases (C provides way too much pointer flexibility when it comes to enforcing bounds checking).
If we were to add up the cost of all of the buffer overflow security attacks it must run in the billions. So the "power" of the C programming model has extracted a pretty high price. This puts an interesting retrospective slant on Brian Kernighan's 1981 article Why Pascal is Not My Favorite Programming Language .
I have to confess that I would not go back to using Pascal. But native compiled Java, with Java's bounds checks, would be far safer than C++. And it would result in software that is more robust against security attacks.
Yes we can all learn to use fgets, strncpy and other safer library routines. But this only makes our code safer. It does not provide the complete protection against buffer overflow attacks. So perhaps it is time to reconsider the programming languages we are using. Perhaps unrestricted pointers and no bounds checking has become too costly.
A key point of modern tactical doctrine is to act faster than the opposition can react. Special operations types talk about the "period of vulnerability", which begins when the defender notices an attack and ends when the attacker achieves relative superiority. Most attacks fail during the period of vulnerability. So modern tactical doctrine says that it's worth huge amounts of effort and money to cut that time down. This is why special ops people rehearse and train to a level that seems unreasonable. It's not to make them good, athough it does. It's to make them fast, so they get through those first seconds and minutes at the beginning of an attack before the defenders can react.
That's exactly what we saw with this worm. The attack was launched in a way that rendered the usual strategies of anti-virus companies ineffective. Anti-virus companies, (and Microsoft), have known response and patching cycle times. The creators of this worm got inside that cycle time, by building both a fast-propagating worm and by starting it from multiple points.
Military doctrine gives us some insights on what to expect next. This worm invoved a campaign, a series of battles fought to achieve a goal. One attack acquired machines to be used as bases in a later attack. That's standard doctrine. Other relevant military concepts include mutual support, feints, and diversions. We are starting to see worms and viruses that support each other, so that if one is removed, another attack lets it back in. We may see feints and diversions, where a big noisy attack is launched to divert attention from something more subtle.
Another doctrinal concept is that of combined arms. So far, virus writers generally haven't utilized other hacking techniques, like dumpster diving, social engineering, or wiretapping. That may change.
We may well see an attack that wipes out most of the Internet-connected Windows machines in the world in a single day.
I think we all have to come to terms with the fact that our current state of Computer Science is not up to the task of dealing with the Internet as it is becoming.
Linux/BSD has a somewhat better security record than MSFT, but even after all the auditing effort put out by the guys over at BSD/OpenSSH, there have *still* been a number of security vulnerabilities of recent!
The problem is not being viewed in the proper light. Something like a buffer overflow should not result in a compromisable host! Something like a misquoted SQL statement should not result in an SQL injection vulnerability!
Applications and programming environments need to be structured and developed with the understanding that people make mistakes and there needs to be allowance for that.
You can't expect a group of programmers to maintain 50,000, 500,000, or 5,000,000 lines of code without there being mistakes in there.
It just cannot be done.
So languages, programming techniques, and infrastructure needs to be developed that truly prevents the "bug==severe security risk" situation.
Really, as much as we all laud their security record, Microsoft is in a good position to trounce the OSS crowd if they can come up with a software language and security system that allows for programming mistakes.
The answer is NOT to make sure you input validate *everything* - although input validation is always a good thing.
The answer is to develop a system where common programming mistakes do not result in a security issue.
Get used to it. People are people. They make mistakes. We either cease being human, or develop a system that makes allowances for our humanity.
Can we do it?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
From the article text:
"The worm payload of 637 bytes is padded with data from system memory to fill this random size..."
So you are seeing some random grabage that was in memory on the victim's machine while the worm was being sent out. That helps to avoid detection as it is harder to profile the worm.
It was an honest mistake. I was thinking of BlackIce and put the wrong firewalling program. Blame my lack of sleep for the error. The rest of the argument remains true, however. Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.
Another poster in the thread cited that worms affecting Outlook are Windows worms and Outlook is software that runs on Windows. The difference is that Outlook is bundled with IE, and is integrated into Windows and it is very difficult to seperate it. Surely I don't need to educate Slashbots on this. Since it is so tightly wrapped with Windows, and Microsoft claims it's an integral part of Windows (they told the DOJ that), then it's part of Windows. If the problem involves Windows, a component of Windows (such as a DLL shipped with it), or a program integrated into Windows or installed with Windows, then it's a Windows vulnerability. When BlackIce is installed with Windows by the Windows installer, then a BlackIce vulnerability would be considered a Windows vulnerability.
In terms of Linux, a particular distro would be said to have a vulnerability if it involves the actual operating system or a package that the distro releases along with the OS. If I go install some buggy unsupported software on my Linux box, and then there's a worm for it, should that worm be considered an exploit of that distro since I was running that distro and was infected by the worm? That's absurd.
I don't think you got the message.
Worms like this could run on your dedicated firewall box (like linksys or draytek).
They don't require Windows or an insecure OS at all, they just require sloppy programming in any program that handles network packets.
About a week ago, we had a vulnerability announced in OpenSSL. I imagine most of us patched pretty quickly. But the Witty worm appeared within twenty-four hours of the announcement of the vulnerability it attacked, and it infected 95% of vulnerable machines within 45 minutes.
Yes, it's funny that it was a Windows firewall that was attacked. Yes, it's especially funny that it was an expensive Windows firewall that was attacked. Laugh.
But also think.
This could just as easily have been us. From my root logs I patched my servers for the OpenSSL vulnerability on Sunday 21st, which was four days after it had been announced. If the Witty worm had attacked OpenSSL, it would have got me. I suspect it would get most of us.
Linux (or BSD, or whatever) is not immune to this sort of attack. On the contrary, we're just as vulnerable as anyone else. Those of us who administer public-facing servers have got to learn to be still more cautious, and still more proactive about fixing holes as they are announced.
I'm old enough to remember when discussions on Slashdot were well informed.
...anything that is called a "firewall":
1. Should NOT contain any attack analysis. The only attack that any security software not in the hands of security researcher has a legitimate reason to "analyze" is an attack that already succeeded, and the user is recovering from the destruction caused by it. Announcing "prevented" attacks or modifying the host's response to "suspicious" data is at least a useless toy, and at most a target for a real attack (though most often it's in the middle, a nuisance that reduces the reliability). Keep it simple, stupid!
2. Should be separated from the host that it protect by at least a virtual machine and (better) be on a separate device. Then the worst that can happen in the case of a firewall compromise is that the firewall will stop performing its functions. Running a "firewall" on the "firewalled" host is an equivalent of a person hiring himself as a bodyguard.
3. If running on the "protected" host, it should be passive, and merely prevent other software running on that host from receiving packets from the Internet even if that software listens on the ports that the author believes, should not be opened. Still, calling this a "firewall" stretches the definition way too far.
The original meaning of a firewall is a wall in the building that prevents fire from spreading when the building is already on fire, and firewall acts as a barrier for spreading it. It does not make a building non-flammable, and its design expects a building to contain flammable material, yet it prevents damage from spreading. A network firewall does something pretty close to this, it expect vulnerable hosts to be on either of its side, and merely reduces the probability of successful attack from "external" to "internal" network, yet being relatively simple, it is impossible or difficult to attack. Having a "firewall" full of "flammable" bells and whistles, and in the middle of a system that it assumes to be vulnerable is a very, very wrong kind of design.
Contrary to the popular belief, there indeed is no God.