Slashdot Mirror


WormRadar Node Volunteers Help Graph Attacks

zoombat writes "NTBugtraq has a post looking for volunteers to run WormRadar nodes. The nodes are essentially honeypots that watch for suspicious activity. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. A graph (updated every 30 minutes) shows what was detected. Currently it looks like only a Windows client is available, though."

159 comments

  1. Other platforms by BWJones · · Score: 5, Insightful

    Currently it looks like only a Windows client is available, though."

    Might it make more sense to have the client available on platforms which are not necessarily vulnerable to most of these infections? After all, many of the systems which are connected to the Internet full time (servers/workstations etc...) are not Windows machines.

    --
    Visit Jonesblog and say hello.
    1. Re:Other platforms by dicepackage · · Score: 2, Interesting

      If the site gets Slashdotted then there are in fact a lot of people on Slashdot using Windows. Of course the Linux people could always try running the program in WINE.

    2. Re:Other platforms by Raunch · · Score: 5, Insightful

      From The Jargon File

      honey pot: n.
      1. A box designed to attract crackers so that they can be observed in action. It is usually well isolated from the rest of the network, but has extensive logging (usually network layer, on a different machine). Different from an iron box in that its purpose is to attract, not merely observe. Sometimes, it is also a defensive network security tactic -- you set up an easy-to-crack box so that your real servers don't get messed with. The concept was presented in Cheswick & Bellovin's book Firewalls and Internet Security.
      2. A mail server that acts as an open relay when a single message is attempted to send through it, but discards or diverts for examination messages that are detected to be part of a spam run.

      With emphasis on the attract part. How are you going to monitor worms that propagate using Windows with a Linux box? You may be able to say, for instance, how many times a certain port was probed. You can't get a Linux box to respond in the same way as a Windows box without seriously getting into the kernel though.

      --
      George II -- Spreading Freedom and American values, one bomb at a time.
    3. Re:Other platforms by bruthasj · · Score: 3, Interesting

      It didn't work in WINE (CodeWeavers Wine):

      0x65f00000-65fc0800 (PE) C:\WINDOWS\SYSTEM\OLE32.DLL
      0x70bd0000-70c34600 (PE) C:\WINDOWS\SYSTEM\SHLWAPI.DLL
      0x78000000-78040000 (PE) C:\WINDOWS\SYSTEM\MSVCRT.DLL
      Threads:
      process tid prio
      0000000a (D) Y:\updates\WormRadar.exe
      0000000b 0 <==
      WineDbg terminated on pid a

    4. Re:Other platforms by Anonymous Coward · · Score: 1

      Sorry, the important stuff is:
      Unhandled exception: 0eedfade in vm86 code (ffffffff:550e3ec0).
      In vm86 mode.
      Register dump:
      CS:ffff SS:3ec0 DS:0000 ES:0000 FS:0000 GS:0018
      IP:3ec0 SP:9258 BP:e255 FLAGS:d954( -N01O T Z-A-P- )
      AX:2ff4 BX:a25c CX:e231 DX:2ff4 SI:9380 DI:3ec0
      Stack dump:
      0x3ec0:0x9258: 0000 0000 0000 0000 0000 0000 0000 0000
      0x3ec0:0x9268: 0000 0000 0000 0000 0000 0000 0000 0000
      0x3ec0:0x9278: 0000 0000 0000 0000 0000 0000 0000 0000
      0x3ec0:0x9288:

    5. Re:Other platforms by schwaang · · Score: 2, Interesting
      How are you going to monitor worms that propagate using Windows with a Linux box?
      The perl script I used to monitor incoming Code Red attacks on port 80 runs just as well on Linux as Windows. A scanner evaluating the idiosyncrasies of the TCP/IP stack would not have been fooled, but the real worm certainly was.
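A Python sketch of the kind of OS-independent port-80 sensor the two comments above describe, added here as an example; it is not WormRadar's code and not the poster's Perl script. The signatures are my assumptions drawn from the well-known request shapes of Code Red (a long run of N or X after `default.ida?`) and Nimda (`root.exe`/`cmd.exe` followed by `?/c+`); the probe strings at the bottom are constructed for the demonstration, not captured traffic.

```python
"""Low-interaction port-80 worm sensor: classify inbound HTTP probes.

Added example; the signatures are assumptions drawn from the well-known
request shapes of Code Red and Nimda, not WormRadar's rule set.
"""
import re
import socket
from collections import Counter

SIGNATURES = [
    # Code Red / Code Red II: "GET /default.ida?NNNN..." (or XXXX...) then %u-encoded payload
    ("code-red", re.compile(rb"^GET /default\.ida\?[NX]{20,}", re.I)),
    # Nimda: command-shell requests such as /scripts/root.exe?/c+dir
    ("nimda", re.compile(rb"(root\.exe|cmd\.exe)\?/c\+", re.I)),
    # Generic IIS traversal: ../  ..\  ..%5c  ..%255c  ..%c0%af
    ("traversal", re.compile(rb"\.\.(/|\\|%(25)?5c|%(25)?2f|%c0%af)", re.I)),
]


def classify_probe(raw: bytes) -> str:
    """Label one inbound request; unknown HTTP and non-HTTP are kept distinct."""
    for label, pattern in SIGNATURES:
        if pattern.search(raw):
            return label
    request_line = raw.split(b"\r\n", 1)[0]
    if request_line.startswith((b"GET ", b"HEAD ", b"POST ")) and b" HTTP/" in request_line:
        return "unknown-http"
    return "non-http"


def tally(probes) -> Counter:
    """Count labels over a batch of captured requests (the input for a graph)."""
    return Counter(classify_probe(p) for p in probes)


def run_sensor(host="0.0.0.0", port=80, on_event=print):
    """Accept connections, classify the first 4 KiB, answer like a dull web server.

    Nothing received is executed or written to disk, which is why the sensor
    can sit on a host the worm could never infect.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(3.0)
                try:
                    raw = conn.recv(4096)
                except socket.timeout:
                    raw = b""
                on_event({"src": peer[0], "label": classify_probe(raw), "bytes": len(raw)})
                try:
                    conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n"
                                 b"Connection: close\r\n\r\n")
                except OSError:
                    pass


# Constructed sample probes (shapes only; the Code Red %u payload is abbreviated).
SAMPLE_PROBES = [
    b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n",
    b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n",
    b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    b"GET /scripts/..%c0%af../winnt/system32/notepad.exe HTTP/1.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00",   # TLS ClientHello bytes on port 80: not HTTP
]

if __name__ == "__main__":
    for label, n in tally(SAMPLE_PROBES).items():
        print(f"{label:14s} {n}")
```

Run `run_sensor(port=8080)` on any Unix or Windows host to see the stack-independence point: the worm never fingerprints the listener, it just sends its request, so a sensor written against the request shapes catches it anywhere.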
    6. Re:Other platforms by 0racle · · Score: 4, Insightful

      Better tell the people at honeyd. They seem to think you can emulate the TCP/IP stack of other OS's, and use scripts to fool the app or person on the other end, to run an entire honeynet composed of several different "OS's" on one system. On top of that, you do not need a vulnerable system, nor allow your box to become compromised, in order to attract a worm that will attempt to propagate. If you wanna see how it tries to locally, you analyze the actual code; if you want to see how it affects the network, or detect that something odd is occurring, that's what the honeypot is for.

      --
      "I use a Mac because I'm just better than you are."
    7. Re:Other platforms by minas-beede · · Score: 3, Interesting

      "You can't get a linux box to respond in the same way as a windows box without seriously getting into the kernel though."

      It's a blasted worm. Only if very sophisticated would a worm look for an authentic Windows environment. Why would they bother?

      I'm far more familiar with honey pot definition 2 - and I know how incredibly stupid spammers have long been when it comes to open relay honeypots. They are doing bulk abuse, not pinpoint abuse. Whatever the details they are looking for a vulnerability - and then exploit that vulnerability when they find it. They look for hundreds or thousands of vulnerable systems. They do that "quick and dirty" - that's all they've had to do (almost no complex countermeasures are employed against them.) That has worked for them. Why should they make it more complicated?

      It's not guaranteed that the worms are so primitive that they don't verify that a system is a Windows system - but it's not guaranteed the worms do. Wouldn't it be better to set up the Linux systems and see if they succeed or are discovered as fakes? That has some chance of success. Arm's-length philosophical discussions won't stop any abuse.

      My experience with open relay honeypots suggests that all the spammers do to check for those is attempt to relay. I can see reason for the abusers to be more careful and more clever - but rather than assume they are the better idea is to force them into being more careful and more clever. Burn up more of their time, confuse them about the rest of the internet (the part they abuse, as opposed to their own part.) There are many goals in fighting abuse - don't fixate on just one. If the abusers can be made thoroughly confused about the rest of the internet (i.e., can't tell what is and what isn't vulnerable to abuse) then they pretty much have to give up. That will never happen if all that is done is engage in discussions.

      OK, do fixate - it's your time - who am I to tell you what to do? But give some thought to how much better it is to make a broader attack, if you will, please.

      P.S. Open relay honeypots still work today, April 23, 2004. Open proxy honeypots may be even more powerful.

    8. Re:Other platforms by liquidsin · · Score: 1

      nevermind servers and workstations, I think it'd make a hell of a lot more sense to run this thing on a router. I have no intention of leaving anything other than that fully exposed to the public internet, but I wouldn't think it would be too hard to rig up snort to work similar to this worm detector and report back to the server with anything suspicious. And since my firewall (ipcop) is already running snort...

      --
      do not read this line twice.
    9. Re:Other platforms by Anonymous Coward · · Score: 0

      Windows _is_ a honey pot...no additional software needed....

    10. Re:Other platforms by Anonymous Coward · · Score: 0

      Is this a joke?

      Is the WormRadar client really a 16-bit Windows application running in vm86 mode?

      I'm a little skeptical that WINE is so broken that it'll go into vm86 mode for a non-thunking win32 app. On the other hand, the stack dump strongly implies that WINE is fucking up.

  2. so go by jacquesm · · Score: 4, Interesting

    and sign up ! these people are doing good things.

    distributed attacks against hackers doing distributed attacks :)

    1. Re:so go by Rosco+P.+Coltrane · · Score: 2, Insightful

      Do you really want to fight Microsoft's war for them for free? They won't give you any money to plug their security holes, you know...

      Besides, the way I see it, the more viruses and worms floating around the better: it helps people realize how shitty Windows is as a platform, and how Microsoft just treats their customers like crap by selling them mediocre products at outrageous prices. I certainly don't want to help Microsoft look better.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:so go by Anonymous Coward · · Score: 0

      Go sign up yourself, French fry. If you're dumb enough to run software that might do who-knows-what on your windows box and do other people's work for zilch...

  3. he looks a little too creepy... by Anonymous Coward · · Score: 0, Troll

    by the looks of him, do you want to run his software? http://www.wormradar.com/sitebuildercontent/sitebu ilderpictures/thompson.jpg

    1. Re:he looks a little too creepy... by Anonymous Coward · · Score: 0

      your previous link had a space in it.. the new link should work...

      AHHHH!!!!!!!!!!!!! =)

      http://www.wormradar.com/sitebuildercontent/site bu ilderpictures/thompson.jpg

    2. Re:he looks a little too creepy... by Anonymous Coward · · Score: 0

      OK.. for some reason, the space came back..

      this should work.. ignore my previous post

      http://tinyurl.com/35cju

      AH!!!!!!!!!!!!!!!!!! =)

    3. Re:he looks a little too creepy... by Anonymous Coward · · Score: 0
      Esh, learn HTML. It's not too hard. Here's a link for those who don't want to copy and paste.

    4. Re:he looks a little too creepy... by Anonymous Coward · · Score: 0

      Man, he looks like the father of the hot terrorist chick from 24 series two.

  4. only a windows client? by Anonymous Coward · · Score: 0

    imagine that...

  5. Obvious joke by Chris_Jefferson · · Score: 4, Insightful

    Let me be the first to get the obvious joke out of the way.

    Why is there only a windows client? Because all the worms only affect windows machines, what would be the point of a client on anything else? :)

    Although of course, the more serious answer is "A client on something other than windows would be sensible, because if a new worm comes out and hits a 0-day windows hole then your machine could be infected and dead before it gets the chance to report that it is being attacked." (Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there. It's almost a shame, because one good formatting worm might finally make people take them more seriously.. it's only a matter of time)

    --
    Combination - fun iPhone puzzling
    1. Re:Obvious joke by Ironica · · Score: 3, Insightful

      Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there.

      Why is smallpox darn near extinct, but the common cold thrives?

      If a worm formats your hard disk, it can't keep scanning for and infecting new machines. For one thing, now you know something is wrong, and are more inclined to fix it.

      It's almost a shame, because one good formatting worm might finally make people take them more seriously.

      And there, you answer your own query. If worms did "real" damage (i.e. obviously interfered with the working of the computer), people would be much more cautious about contracting and spreading them. But how many of you freak out and quarantine yourself if you come in contact with a carrier of the common cold? Same thing...

      --
      Don't you wish your girlfriend was a geek like me?
    2. Re:Obvious joke by tunabomber · · Score: 2, Insightful

      Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there.

      It's evolution. A pathogen that kills its host too fast is a failure unless it can spread extremely fast to compensate. While the old viruses and worms were the equivalent of ebola, wreaking as much havoc to the host as possible, the new ones are more the software equivalent of lampreys or tapeworms- slowly but surely stealing a host's resources.
      Virus writers just discovered that it was far more logical, efficient (and not to mention profitable) to install a spam proxy that would run silently in the background for as long as possible than to torch the contents of the victim's hard drive and display a splash that says "j00 R 50 0w|\|3d!". ...And they know that the less noise their worms make, the more complacent users will grow, which will increase the amount of potential future hosts.

      --

      pi = 3.141592653589793helpimtrappedinauniversefactory71 ...
    3. Re:Obvious joke by demaria · · Score: 1

      Morris would disagree with that.

    4. Re:Obvious joke by DoraLives · · Score: 2, Informative
      Why is smallpox darn near extinct, but the common cold thrives?

      'Cause we KILLED smallpox! (well...excepting what's so far noncontagiously tucked away in cryo storage here and there)

      It has nothing to do with the virulence of smallpox as opposed to the common cold. Hell, as far as that goes, the great sweaty mass of humanity is a fat ripe target just waiting for something that will sweep through and slay the many, but I drift OT.

      Worms that can do "real" damage may well yet spring up from out of the ground and simply wipe out half the computing power on this planet.

      There's nothing at all preventing this from happening. They whistled as the o-rings showed evidence of blow by and burn. They whistled as TPS material that was never designed for foam strikes took hit after hit. But all the whistling in the world didn't prevent what came next, BOTH TIMES. Ditto your (and mine, and everybody else's) computer.

      That which is not prohibited is MANDATORY.

      --
      Is it fascism yet?
    5. Re:Obvious joke by autopr0n · · Score: 1

      Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there.

      So they can use the infected machines as spam zombies. Or at least as DDoS networks in their IRC wars...

      --
      autopr0n is like, down and stuff.
    6. Re:Obvious joke by drinkypoo · · Score: 1
      It was a point, son, you missed it.

      Smallpox was more dangerous, so we killed it.

      The common cold does kill people, but mostly just old people.

      Admittedly it doesn't seem possible to cure the common cold because you'd have to cure it everywhere all at once which is presumably impossible, and we don't even really necessarily know where they come from in the first place.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Obvious joke by Ironica · · Score: 1

      It was a point, son, you missed it.

      Good catch. Thank you. ;-) [signed: original poster]

      Admittedly it doesn't seem possible to cure the common cold because you'd have to cure it everywhere all at once which is presumably impossible, and we don't even really necessarily know where they come from in the first place.

      Well, if the common cold were thought to be a major threat, the first thing we'd do is start being less casual about spreading it around. We'd quarantine people who come down with the sniffles, and burn their bedsheets afterward. That would be a good start at getting it under control.

      But we're getting closer to knowing where it comes from, so look out viruses!

      --
      Don't you wish your girlfriend was a geek like me?
    8. Re:Obvious joke by Anonymous Coward · · Score: 0

      "If a worm formats your hard disk, it can't keep scanning for and infecting new machines."

      Bullshit. If a worm plays russian roulette (1 in 6 is an alright random chance) with your hard drive (triple overwriting with random numbers on My Documents files that aren't open, and then the rest) every 5 minutes it won't slow down the spread much. Put a counter in your first 5 initiating hosts to count down from 5 - every infection of a computer that next infects another counts it down. When it gets to 0, the revolver play starts. An hour after the first infection the first hosts kill themselves automagically.

      As for a proper bootsector worm that wipes on startup, causing a major PITA, even to those forewarned...

    9. Re:Obvious joke by CmdrGravy · · Score: 1

      Do you think we will ever reach the stage where worms are actually good for the host computer?

      After all, if they are using that machine's resources it would make sense for the worm to make any modifications to the set up to enable it to run more efficiently and defend itself against other worms taking over its host and kicking it out.

  6. Open Source or Trojan Horse? by Comatose51 · · Score: 4, Insightful

    Is this thing open source? It doesn't seem like it. For all we know we could be downloading the world's next biggest trojan horse/worm. Considering the only people who would download this would be techies with big pipes, this could get interesting. Just a theory and a reminder to the author that people usually feel safer downloading something they can examine.

    --
    EvilCON - Made Famous by /.
    1. Re:Open Source or Trojan Horse? by Anonymous Coward · · Score: 0

      Same question as this

    2. Re:Open Source or Trojan Horse? by jacquesm · · Score: 4, Informative

      Looks genuine enough though, unless this is false information:

      Roger Thompson
      Roger Thompson
      1650 Emerald Ridge
      Marietta, GA 30062
      US
      Phone: 6785608027
      Fax..: 6785609109
      Email: rogert@mindspring.com

      If not that would be the first time that a trojan writer puts his real world address out for all to see.

      In the windows world people don't even expect to be able to see the source code.

    3. Re:Open Source or Trojan Horse? by tunabomber · · Score: 2, Insightful

      Is this thing open source? It doesn't seem like it. For all we know we could be downloading the world's next biggest trojan horse/worm.

      This could be said about any small, proprietary software utility that you see on download.com or tucows. Only time will tell if it's a trojan or not, but if it is, the techies who make up its target audience will find out fast. And they'll spread the word fast. And after receiving the word, they will take it seriously. Techies have other traits besides access to lots of bandwidth.
      Also, it's not likely that this program will be installed on anything more mission-critical than an average office workstation, which could just as easily be infected with Kazaa or some other crapware by its PHB or marketroid user.
      If you want to spread a trojan, might as well write a porn-based video game or MP3 player to use as the vector. Since your target market will be Joe Luser, you'll go much longer before being caught.

      --

      pi = 3.141592653589793helpimtrappedinauniversefactory71 ...
    4. Re:Open Source or Trojan Horse? by minus_273 · · Score: 2, Insightful

      What gives you the impression that name is the name of the author?

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
    5. Re:Open Source or Trojan Horse? by Anonymous Coward · · Score: 0

      Want to know who the guy is?
      Cybersecurity & Consumer Data: What's at Risk for the Consumer?
      Oh.. and the lameness filter is annoying...

  7. Lol. Understatement. by SatanicPuppy · · Score: 5, Funny

    Why would you need a worm activity detecting program on a Windows box? If there's a lot of worm activity that is close enough that the windows box could monitor it, you'll know.

    It's like the canary in the mineshaft...Works fine for detecting hazards, but a little rough on the bird.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Lol. Understatement. by laugau · · Score: 5, Funny

      The REASON there is only a windows client is because the windows client does this:

      while (not_infected) {
          send ("Woo Hoo! I'm alive still") ;
      }

      And the server does this:

      listen (client_port) {
          while (get_alive_messages) {
              writeGraph (noWorm);
          }
          ohShit(clientMachineGotWorm);
      }

      Not a very good solution if the clients never die now, is it?

    2. Re:Lol. Understatement. by Anonymous Coward · · Score: 0, Funny

      Wow, you're so funny. But I'd laugh harder if an onion fell on your head at an awkward moment...

    3. Re:Lol. Understatement. by deathazre · · Score: 1

      need to post something relevant to make up for my offtopic further down the page.

      If the sole purpose of the bird is to get the crap kicked out of it anyways, why not take it into the mine anyways? I'm looking for a suitable piece of junk hardware that I can throw questionable programs on and try to make them phone home... might as well toss this on while I'm at it.

      --
      Karma: Negative (Mostly affected by dorm trolling)
    4. Re:Lol. Understatement. by SatanicPuppy · · Score: 0, Flamebait

      Hehe. Anyone else find the Windows Nazis more strident and foaming than the Linux Zealots?

      They remind me of Southern Baptists.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  8. "Download WormRadar.exe now" by eddy · · Score: 4, Funny

    Yeah, that's going to happen.

    Someone run it through IDA? :-P

    --
    Belief is the currency of delusion.
    1. Re:"Download WormRadar.exe now" by Anonymous Coward · · Score: 1, Informative

      It's Aspacked. Looks like they have something to hide.
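The check behind a remark like the one above, as an added example that is not WormRadar's code and not anything the poster ran: parse the PE section table and look at section names, raw versus virtual sizes, and per-section entropy. The packer section names are my assumptions from commonly seen packer output (ASPack writes `.aspack`/`.adata`, UPX writes `UPX0`/`UPX1`); the sample image is constructed below and is a header skeleton that exercises the parser, not a loadable executable.

```python
"""Heuristic check for a packed PE: section names, sizes and per-section entropy.

Added example, not code from WormRadar or its author.  PACKER_SECTION_NAMES is
an assumption from commonly observed packer output; SAMPLE_PACKED/SAMPLE_PLAIN
are constructed header skeletons, not real executables.
"""
import hashlib
import math
import struct
from collections import Counter

PACKER_SECTION_NAMES = {b".aspack", b".adata", b"upx0", b"upx1", b".upx"}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\x00"), "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(data)})
    return sections


def packer_indicators(sections) -> list:
    """Human-readable reasons the image looks packed; an empty list means no signal."""
    reasons = []
    for s in sections:
        x = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        w = bool(s["characteristics"] & IMAGE_SCN_MEM_WRITE)
        if s["name"].lower() in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']!r}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and x:
            reasons.append(f"{s['name']!r}: executable section with no file data (unpack target)")
        if s["entropy"] > 7.0 and s["raw_size"] >= 1024:
            reasons.append(f"{s['name']!r}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if x and w:
            reasons.append(f"{s['name']!r}: writable and executable")
    return reasons


def build_pe(sections) -> bytes:
    """Constructed skeleton: DOS header, PE signature, COFF header, zeroed PE32 optional header, sections."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222                # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    rawptr = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    table, blob = b"", b""
    for name, vsize, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, 0x1000,
                             len(data), rawptr if data else 0, 0, 0, 0, 0, chars)
        blob += data
        rawptr += len(data)
    return dos + b"PE\x00\x00" + coff + opt + table + blob


# Deterministic high-entropy bytes standing in for a compressed code section.
_COMPRESSED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PACKED = build_pe([
    (b".text", 0x8000, b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    (b".aspack", 0x1000, _COMPRESSED, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    (b".adata", 0x200, b"\x00" * 512, IMAGE_SCN_MEM_WRITE),
])
SAMPLE_PLAIN = build_pe([
    (b".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 170, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x1000, b"\x00" * 1024, IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, packer_indicators(parse_sections(image)) or ["no indicators"])
```

To check a real download, `parse_sections(open("WormRadar.exe", "rb").read())`; a packed image is not proof of anything malicious, but it does mean the strings and imports you see with a quick look are not the program's real ones, which is the point the comment is making.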

    2. Re:"Download WormRadar.exe now" by equex · · Score: 1

      i tested it and i have a few complaints:
      it connects to some time sync server and sets the system clock very accurately to some foreign local time :D

      the GUI for the app really sucks and is severely broken in its behaviour. (buttons disappear, etc)

      dont bother using this software, the underlying worm detection code is probably as broken as the rest.

      --
      Can I light a sig ?
  9. Seems like a good idea implemented poorly by Anonymous Coward · · Score: 5, Informative

    The website is scarce on details, but from the looks of it, it would appear to not be very sophisticated. It detects very few actual worms and exploits, and would seem to be just like http://isc.incidents.org/ (Internet Storm Centre), except without nearly so much data.

    Leusent _AT_ Link-net.org

    1. Re:Seems like a good idea implemented poorly by Gadi+Evron · · Score: 1

      Wrong, this is a honeypot, easy to use in your system tray and without the hassle. You can use it in the DMZ, in VMware or in any other way. You can also choose not to use it.

      It's great software, and it proved itself.

      The distributed option of sharing data is a plus.

  10. IINAL by z0ink · · Score: 3, Interesting

    I thought honeypotting is being considered as not-so-legal. Hopefully this could be something positive in the case for using honeypots effectively.

    --
    Steal This Sig
    1. Re:IINAL by Anonymous Coward · · Score: 5, Interesting

      I thought honeypotting is being considered as not-so-legal.

      Why would you say that? It certainly isn't entrapment. If you leave your house windows open, it doesn't give thieves permission to steal.

      And a burglar can't complain that you have video cameras all over the house recording them while you call the cops.

      In Texas & many other states, you could blow them away with a shotgun and get cheers in the local paper.

    2. Re:IINAL by tomstdenis · · Score: 3, Insightful

      Um whoever modded that as interesting is a fucking moron.

      A honeypot is just a pseudo-server meant to trap, delay and/or observe a client. Useful for wasting spammers time/bandwidth, looking for spiders or in this case looking for active worm traffic.

      You have to connect to the honeypot for it to be active so in absolutely no way can this be "illegal".

      Tom

      --
      Someday, I'll have a real sig.
    3. Re:IINAL by chadjg · · Score: 4, Interesting

      Think unlawful interception of communications, not entrapment. I know, it's stupid, but that's the legal theory. IANAL and all that...

      --
      Why do I have this? I don't smoke.
    4. Re:IINAL by Anonymous Coward · · Score: 0

      Why did they connect to me?

      They connected to my machine, not the other way around; just because they expected the conversation to be different doesn't mean I initiated the illegal act.

      Therefore it's legal for me to record it.

      And obviously it's not entrapment, I'm not a law enforcement officer.

    5. Re:IINAL by Anonymous Coward · · Score: 0
      Um whoever modded that as interesting is a fucking moron.

      So I guess the creators of both honeyd and labrea besides creating Open Source honeypot software, are "fucking morons", too.
      honeyd: http://www.citi.umich.edu/u/provos/honeyd/
      Due to a new Michigan law (Super DMCA), the legality of my research or these web pages is currently unclear. Felten provides additional information about the resulting restrictions on technology and research. Potentially offending web content has been moved to the Netherlands. Please, support the EFF.
      labrea: http://www.hackbusters.net/#software
      Why software is no longer available from this site... LaBrea both disrupts communication and conceals the true origin of communication in an attempt to protect a network from attack. If you are currently running LaBrea, I would suggest that you look into the legality of having an operating network tarpit in your state.
      It's the Super-DMCAs that states are passing and the un-tested legal phrasing that the RIAA/MPAA are having the states use.

      Now everyone can be fucking morons...

      If I was cool, I would say that the Illinois legislature has already passed their Super-DMCA.
    6. Re:IINAL by Anonymous Coward · · Score: 0

      Mods: So that would mean grandparent - not so insightful, just wrong...
      So I guess whoever modded that as insightful was duped into thinking he was insightful by his forceful conviction that he was right and by his know-it-all style of demeaning the poster who was questioning the legality of honeypots.

    7. Re:IINAL by 0racle · · Score: 1

      It's not interception, the worm was randomly scanning for vulnerable systems, one was provided.

      If this thing used a man-in-the-middle approach, that would be interception, but a writer of a worm is going to have a hard time defending it.

      --
      "I use a Mac because I'm just better than you are."
    8. Re:IINAL by Anonymous Coward · · Score: 0

      Funny, I typed "honeypots legal" into the Oracle and all I got was this lousy set of search results with many questions about the legality of honeypots and not many clear, legally binding answers.
      Care to retract, backpedal, change your story or maybe be a fucking man and apologize to the OP?

      Fucking moron is right...

    9. Re:IINAL by mark-t · · Score: 1
      While it doesn't give thieves permission to steal, your homeowner's theft insurance can be rendered void if you do not take adequate measures to secure your home when you are not there.

      Of course, you'd have to be mad to admit that you left the windows wide open when the insurance guy asks if you secured your home before leaving as part of their claim handling process.

    10. Re:IINAL by Anonymous Coward · · Score: 0

      Aren't you the arrogant prick who posts on sci.crypt?

    11. Re:IINAL by cheekyboy · · Score: 1

      I know some 'goody two shoes' might see it as bad and as unfortunate, but why can't it be legal to blow away a burglar to bits and drag his body down the street and parade him around like the Taliban used to? It's a win-win situation, the crud of society get 'rm -rf'ed and the good people get to enjoy life.

      If you're so 'twisted' as to steal and be a bad ass, then bad luck, you're out of the loop, and into the bin; if you had any brains you would seek proper help from churches and charities and really be a better person.

      If the poor sods want to claim 'oh my childhood was bad' then look at all the good people that had bad childhoods who now are rich. If you are a truly nice and good person, you won't be in the ditch eating rats for long, you'll find a trade or skill that's worth something, and if you want, well why are you here for? Go blow some gays in a gloryhole and earn your $5/hr there.

      We can't be too sympathetic to total scum and crud. If you won't help yourself, why should anyone else. Would anyone miss you? no. So bugger off, and disappear, or if you want help, put some effort into it.

      I am all for helping people that 'need' help, but if you're gonna beat up old ladies and grandmas for $20 for some crack, then no one's gonna miss you if you're 6ft under.

      --
      Liberty freedom are no1, not dicks in suits.
    12. Re:IINAL by tomstdenis · · Score: 1

      Um, whatever. I don't see how DMCA applies... let's see...

      I setup a fake SMTP server to trap spammers by wasting gobs of time and gathering information about them.

      How is that a copyright violation?

      How is that a crime at all?

      Methinks the "honeyd" people are either doing something outside of that scope or the developers are just overreacting as many people do. Mostly to get attention to themselves...

      Oh, sorry guys, I would provide you with that for loop but they may lock me up and throw away the key... LOOK AT ME!

      Bah. Honeypots are not illegal and really can't ever be [without being seriously challenged and overturned].

      Tom

      --
      Someday, I'll have a real sig.
  11. Worm Watching Clients for Windows Only? by PetoskeyGuy · · Score: 4, Funny

    Pass, Too Easy.

  12. Graph shows u137unk exploit by Dark+Lord+Seth · · Score: 5, Interesting

    And, as it says in the article, u137unk is aimed at port 137 using UDP. NetBIOS request en masse. Over the internet? Why does this not make sense? Maybe all those exploits are Messenger spams? However, iirc, Messenger spam uses a different port and TCP. So if this is not Messenger spam... Then what?
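What a port-137 UDP probe actually carries, and how a sensor would tell a scanner's wildcard node-status request from an ordinary name lookup, as an added example (not WormRadar's code, and not an explanation of what its "u137unk" label covers). The encoding follows RFC 1002: a 12-byte DNS-style header, then one question whose 32-character name is the 16-byte NetBIOS name with each nibble mapped to a letter in A..P. The sample datagrams are constructed by the builder in the block, not captured traffic.

```python
"""Decode NetBIOS Name Service (UDP/137) datagrams and label probes.

Added example, not WormRadar code.  Wire format per RFC 1002; the sample
packets at the bottom are constructed with build_query().
"""
import socket
import struct

QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 bytes, append the suffix byte, split every byte into two nibble letters."""
    pad = b"\x00" if name == "*" else b" "          # the wildcard name is '*' + 15 NULs
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def decode_name(encoded: bytes):
    """Inverse of encode_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("bad NetBIOS name encoding")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """One-question NBNS query with no answers, which is what a scanner or worm sends."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name) + b"\x00" + struct.pack(">HH", qtype, 1)
    return header + question


def parse_query(pkt: bytes) -> dict:
    """Parse the header and first question; ValueError on anything malformed or truncated."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("truncated NBNS packet")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from(">HHHHHH", pkt, 0)
    if pkt[12] != 0x20:
        raise ValueError("unexpected name label length")
    name, suffix = decode_name(pkt[13:45])
    if pkt[45] != 0x00:
        raise ValueError("name not terminated")
    qtype, qclass = struct.unpack_from(">HH", pkt, 46)
    return {"txid": txid, "flags": flags, "is_response": bool(flags & 0x8000),
            "qdcount": qdcount, "ancount": ancount, "name": name, "suffix": suffix,
            "qtype": {QTYPE_NB: "NB", QTYPE_NBSTAT: "NBSTAT"}.get(qtype, hex(qtype)),
            "qclass": qclass}


def classify_nbns(pkt: bytes) -> str:
    """Label one port-137 datagram; '*' + NBSTAT is the host-enumeration pattern scanners use."""
    try:
        q = parse_query(pkt)
    except ValueError:
        return "malformed"
    if q["is_response"]:
        return "response"
    if q["qtype"] == "NBSTAT" and q["name"] == "*":
        return "nbstat-wildcard-probe"
    if q["qtype"] == "NBSTAT":
        return "nbstat-query"
    return "name-query"


def run_sensor(host="0.0.0.0", port=137, on_event=print):
    """Listen on UDP/137 and label every datagram.  It never replies, so it cannot be used as an amplifier."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while True:
            pkt, peer = s.recvfrom(576)
            on_event({"src": peer[0], "label": classify_nbns(pkt), "bytes": len(pkt)})


# Constructed samples: a wildcard node-status probe and an ordinary name lookup.
SAMPLE_NBSTAT_PROBE = build_query("*", QTYPE_NBSTAT)
SAMPLE_NAME_QUERY = build_query("WORKGROUP", QTYPE_NB, txid=0x0001)

if __name__ == "__main__":
    for pkt in (SAMPLE_NBSTAT_PROBE, SAMPLE_NAME_QUERY):
        print(classify_nbns(pkt), parse_query(pkt))
```

The wildcard node-status request is exactly what `nbtstat -A` sends, so a high count of "nbstat-wildcard-probe" from many different sources is host enumeration, whether by a worm or by a person; a Messenger-service pop-up spam, by contrast, would not parse as an NBNS question at all.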

    1. Re:Graph shows u137unk exploit by Anonymous Coward · · Score: 0

      Err.... perhaps a buffer overflow in the messenger service? I dunno...

    2. Re:Graph shows u137unk exploit by Anonymous Coward · · Score: 0

      For what it's worth, I have seen very similar results on my firewall logs - the vast majority of attempts are on netbios (port 137). I always assumed that it was some worm, and just left it at that.

  13. A little creepy ... calling home? by digitalgimpus · · Score: 5, Informative

    Each time I launched the app, norton fires up because an email is being sent.

    no mention of what anywhere.

    Sorry, perhaps I'm paranoid... but that's not very cool with me.

    1. Re:A little creepy ... calling home? by Gadi+Evron · · Score: 3, Insightful

      As explained by Roger, the author of WR, WormRadar calls home using SMTP and UDP for real-time, so that the data-sharing between all the nodes can exist.

      This data-sharing/graphing of Internet attacks, etc., comes second to the actual use for the program - a good and decent honey pot.

      The program doesn't hide the fact that it "calls home" and it is all explained in another comment.

    2. Re:A little creepy ... calling home? by Ancient+Devices+King · · Score: 4, Informative

      They say explicitly that it communicates with them via email and UDP.

      "Events are reported by both email and udp... email because it makes it convenient to attach a capture if it is something new, and udp because while unreliable, it is fast."

      Exactly how do you expect it to function if it doesn't talk to the people who are using it to track things?

      --
      -"It seems like you're trying to exploit a security hole. Would you like help?"
    3. Re:A little creepy ... calling home? by MavEtJu · · Score: 1

      and udp because while unreliable

      It's not more or less unreliable than the IP layer on which it is transported.

      --
      bash$ :(){ :|:&};:
    4. Re:A little creepy ... calling home? by Ancient+Devices+King · · Score: 1

      I'm just quoting his letter. No comment on the technical veracity one way or another.

      --
      -"It seems like you're trying to exploit a security hole. Would you like help?"
  14. What a headline by alefbet · · Score: 4, Funny
    Wow, I think this is a serious contender for hardest headline ever to parse.

    WormRadar Node Volunteers Help Graph Attacks

    Did a node spontaneously provide some "help graph" attacks? Did node volunteers assist in attacking a graph or several graphs? Did the help given by volunteers end up graphing an attack? Or did it perform a little known "graph attack" on something?

    --

    A hack is just an idiom waiting for wider use.
    1. Re:What a headline by BuishMeister · · Score: 1

      No, it is poor WormRadar node volunteers, who need some help. Because the insidious Graph is attacking them. We were attacked by the graph a couple of months ago, it was horrible....

    2. Re:What a headline by back_pages · · Score: 1

      I second that. Took me a good 10 seconds to derive any meaning out of that grammatical traffic accident. Of the six words in the headline, 4 of them could be verbs in a different context. If there's anything I hate more than dry, subtle humor, it's got to be repetitive use of certain types of words. I'm infuriated! It's time to get on up out of here.

    3. Re:What a headline by Anonymous Coward · · Score: 0

      Graph Attack: An often-fatal attack on a computer's user whereby a series of complicated graphs is displayed on a computer's monitor at a rate great enough to drive any math student insane. An alternate version of this attack displays a 4D graph, splits the fabric of space and time, and sucks the user into an alternate universe.

  15. You can always use VMware or Virtual Machine by Anonymous Coward · · Score: 4, Informative

    Works great, and the author promised to try and port the software to Linux, although he said it may take some time as he is very busy with his real job, as well as working on developing WR and solving all the small bugs.

    The program is under constant development, surprising us with new features. The author is also very quick on responding to bug reports.

    WR allows for emulation of IIS, sub7 and other useful applications/Trojan horses, as well as specifying your own ports to listen on.

    It's a great program and a project worth supporting.

    Important note: the .CAP (capture) files are encrypted using a simple XOR, the .UNX files are the actual captures.

    There is some way yet to go until this program hits 'legacy', but as I said it is under constant development, really useful .. and it *is* free.

  16. What's Truly Sad... by ashitaka · · Score: 4, Insightful

    Is the number of SQL-Slammer-infected systems still out there:

    Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
    Priority: 3 Type: Misc activity
    IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
    References: none found SID: 483

    Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 152.66.211.244:3280 -> x.x.x.x:1434
    References: none found SID: 2003

    Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 210.13.22.79:1171 -> x.x.x.x:1434
    References: none found SID: 2003

    Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4380 -> x.x.x.x:3128
    References: none found SID: 618

    Date: 04/23 02:32:49 Name: SCAN Squid Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4380 -> x.x.x.x:3128
    References: none found SID: 618

    Date: 04/23 02:32:54 Name: SCAN SOCKS Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4514 -> x.x.x.x:1080
    References: none found SID: 615

    Date: 04/23 02:32:57 Name: SCAN SOCKS Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4514 -> x.x.x.x:1080
    References: none found SID: 615

    Date: 04/23 02:59:50 Name: ICMP PING CyberKit 2.2 Windows
    Priority: 3 Type: Misc activity
    IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
    References: none found SID: 483

    Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 67.163.239.113:1209 -> x.x.x.x:1434
    References: none found SID: 2003

    --
    If you don't want to repeat the past, stop living in it.
    1. Re:What's Truly Sad... by bot24 · · Score: 1
      That's not the only problem... (opens web server log and searches for .dll):

      [Mon Mar 08 22:31:14 2004] [error] [client x.x.x.x] File does not exist: /var/www/localhost/htdocs/scripts/nsiislog.dll

      (11 more of the same)

      This log goes from the third (of March 04) to today (4-25-04).

      Also have a POST to /_vti_bin/_vti_aut/fp30reg.dll, a very long GET for default.ida, a SEARCH command with a bunch of appended garbage, requests for Yahoo.com and others, a CONNECT command, multiple servers all attacking me with Nimda, and an OPTIONS. There are loads of errors from that bot24 guy. I should ban his IP...
  17. Windows has free built-in worm watching by Anonymous Coward · · Score: 2, Funny

    Just plug and play baby. You can do more than watch worms as well, you can experience the worm. Take that, Linux.

  18. So I need to run it without a firewall? by Anonymous Coward · · Score: 1, Interesting

    Oh, joy. That sounds like a swell idea. I'd rather have something that works with my firewall to report the hits.

    1. Re:So I need to run it without a firewall? by Anonymous Coward · · Score: 1, Insightful

      I am sure that as a good geek you can come up with a solution to run it with a firewall, unless that is what you want.

      DMZ? NAT? personal firewall allowing this program only?

      All allowing you to log, so what's the problem?

    2. Re:So I need to run it without a firewall? by Anonymous Coward · · Score: 0

      Uh, so I just have to allow access to numerous ports (with various vulnerabilities) on my machine? No thanks. DMZ or NAT really aren't any help, they're just ways of getting around the firewall. Your machine will be open on whatever ports you give this program access to.

  19. Excellent! by dj245 · · Score: 4, Funny
    "NTBugtraq has a post looking for volunteers to run WormRadar nodes."

    I volunteer enthusiastically. Wormradar will complement nicely my Gaydar, Chickdar, and of course, flamedar.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  20. For Those of you worried WR might be a Trojan by Gadi+Evron · · Score: 5, Informative

    The author of WR is Roger Thompson, a well respected AV professional since the very first days in the late 80's/early 90's.

    He is also a CARO member, which is a very respectable organization for old-timer AV researchers.

    I know him personally and vouch for him, much like pretty much any other AV researcher in the world. Everybody knows Roger.

    1. Re:For Those of you worried WR might be a Trojan by Anonymous Coward · · Score: 0

      He's got great timing; hope everyone's keeping an eye out for port 443/tcp now we've seen MS04-011 exploit code.

      Anyone running a sweepstake on the first appearance of the next worm? (offer is void for families and friends^W^W of worm writers.)

    2. Re:For Those of you worried WR might be a Trojan by liquidsin · · Score: 1

      Oh, well if YOU'RE willing to vouch for him, then sign me up! You're much less of a faceless, anonymous being at the other end of a keyboard somewhere in the world, since you have a /. UID ;)

      --
      do not read this line twice.
  21. reporting for ISPs by SuperBanana · · Score: 2, Insightful

    How about reporting for ISPs? Say, daily reports grouped by netblock owner in an easily parsed format? Set it up so ISPs can sign up for them. ISP doesn't sign up? Shucks, they must be supporting viruses and whatnot.

    While backbone providers love 'em because they get paid for every byte...worms are the scourge of DSL/cablemodem companies, because they don't get paid by the byte, and worms eat into their margins. So you'd think they would have a vested interest in taking care of the problem.

    Of course, if they were competent, they'd be running IDS systems that would examine a portion of traffic looking for worm activity, automatically shutting off any systems...

  22. Re:Infect, Effect and Affect by value_added · · Score: 3, Interesting

    "worms only effect windows machines"

    "Infect" refers to passing along a nasty.
    "Effect" means "make happen" or "bring about" as in "Make it so."
    "Affect" can be understood in terms of a combination the above.

    I think you meant to say "worms only affect windows machines".

    Affectionately speaking, of course.

  23. PNG for gawds sake! by eddy · · Score: 3, Insightful

    And oh, "they" use JPEG for the graph! Look at it -- it's horrible!

    Okay, you DON'T download and run executables from people who can't even pick the right image format for an image like that one (hint: it's PNG). What are the odds of these people knowing anything about researching worms if they can't even get a fscking image right? Close to zero.

    I honestly don't understand how come so many have a problem with this. Just look at that "JPEG patents"-story. Scary. I thought this was a place for nerds?

    Here's a heuristic for those of you still confused: "If it's lines, blocks, text (that you want readable) and areas of repetitive pattern(s), then use PNG. Else try JPEG (photographs, noisy images)."

    --
    Belief is the currency of delusion.
    1. Re:PNG for gawds sake! by modecx · · Score: 3, Informative

      Actually, the image looks okay.

      They used the size variables in HTML to resize it (which of course makes it look terrible). Image size is 446x668; they resize it to 560x839. Makes no sense.

      Still makes their operation look pretty bad.

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
  24. everything is explained in the NTBUGTRAQ post, by Gadi+Evron · · Score: 5, Informative

    Hi Russ,

    I am looking for some more folks who would be interested in running
    WormRadar. (http://wormradar.com). The web site is still rudimentary, but
    the graph is generated every 30 minutes, and is interesting to watch, and
    WormRadar.exe is available for download from there.

    It is essentially a distributed Windows honeypot that listens on known
    wormy ports (or ports that are likely to become wormy), and crcs, or scans,
    anything that comes along. Its purpose is to both measure the frequency of
    known, current worms and to alert us all when something new becomes active.
    It is free provided you allow it to report to the central site.

    If you allow it, WormRadar will synchronize your pc to network time, and
    all events are recorded to the millisecond utc. Events are reported by both
    email and udp... email because it makes it convenient to attach a capture
    if it is something new, and udp because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the
    website, and is refreshed every 15 minutes on the WorldView tab within
    WorldRadar itself. The WorldView tab also has notification options which
    allow you to be alerted by a variety of means if something new appears,
    such as email to a pager or by playing a wav file. In the fullness of time,
    I'll add more views and graphs. The summary graph is interpreted like this...

    (1) Green bars are recognized things
    (2) Red bars are new (and should be watched)
    (3) If I didn't get any data, I generate a name based on whether it was tcp
    or udp, plus the port number, plus '0 bytes'. E.g. "t17300 0 bytes" means it
    was TCP port 17300 and was 0 bytes long.
    (4) If I got some data, but couldn't recognize it, I generate a similar
    filename, but the suffix is 'unk', for unknown.
    (5) I call it a 'summary', because if a single sourceip hits a single
    targetip 200 times on the same port (such as a sql dictionary attack on
    1433), it is really only one incident, and that is how I summarize it.

    It emulates some common servers, such as web and ftp, and some common
    backdoors, such as sub7 and kuang, and there are a bunch of tcp and udp
    ports that can be set to whatever you like.

    To install it, simply make a directory, copy it in, run it, configure it a
    bit if you want, and tell it to listen. You can set it to cc yourself, and
    you will receive a copy of the email sent to wormradar.com. The UDP
    messages are content-identical to the email, although without email-y
    things like headers, and I don't UDP the attachment if there is one.

    It runs on about any Windows platform but runs best on Win ME, W2k or
    WinXP. Win ME is a good platform, because there are fewer services to turn
    off to allow WormRadar to listen on those ports. It runs nicely behind
    firewalls like ZoneAlarm, and runs nicely in Virtual PC or VMWare. It
    doesn't need much hardware... 200 or 300 mhz is fine. In the unlikely event
    that you want to install it on more than one computer, please don't install
    them on side by side IP addresses... this just skews the data. What we
    really want is a nice, random, widespread distribution.

    Thanks

    Roger

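    The naming and summarising rules from Roger's letter (rules 3, 4 and 5 plus the green/red split), worked through as an added example. This is not WormRadar's own code: the signature table, payloads and addresses are constructed stand-ins, and matching by CRC32 is an assumption based on the letter's "crcs, or scans" remark.

```python
import zlib
from collections import Counter
from dataclasses import dataclass

# Constructed signature table: CRC32 of a captured payload -> worm name.
# The entries are hypothetical stand-ins; WormRadar's real database is not
# published in the letter.
KNOWN_SIGNATURES: dict[int, str] = {}


def register_known(name: str, payload: bytes) -> None:
    """Record a known payload so later captures of it are 'recognized' (green)."""
    KNOWN_SIGNATURES[zlib.crc32(payload) & 0xFFFFFFFF] = name


register_known("slammer-like", b"\x04\x01\x01\x01\x01" + b"\x01" * 20)  # constructed
register_known("sub7-probe", b"PWD")                                     # constructed


@dataclass(frozen=True)
class Event:
    proto: str      # "tcp" or "udp"
    port: int       # port the honeypot was listening on
    src: str        # source IP (constructed in the sample below)
    dst: str        # honeypot IP
    payload: bytes  # whatever arrived; empty if the peer sent nothing


def classify(ev: Event) -> str:
    """Apply the letter's naming rules to a single event."""
    prefix = ev.proto[0]                       # 't' or 'u'
    if not ev.payload:
        return f"{prefix}{ev.port} 0 bytes"    # rule (3): no data at all
    crc = zlib.crc32(ev.payload) & 0xFFFFFFFF
    name = KNOWN_SIGNATURES.get(crc)
    if name is None:
        return f"{prefix}{ev.port}unk"         # rule (4): data, but unrecognized
    return name                                # rule (1): a recognized thing


def bar_colour(name: str) -> str:
    """Green for recognized signatures, red for anything new (rules 1 and 2)."""
    return "green" if name in KNOWN_SIGNATURES.values() else "red"


def summarize(events: list[Event]) -> dict[str, int]:
    """Rule (5): one source hitting one target on one port is ONE incident,
    no matter how many packets it sent.  Returns {name: incident_count}."""
    incidents = {(ev.src, ev.dst, ev.proto, ev.port, classify(ev)) for ev in events}
    return dict(Counter(name for (_, _, _, _, name) in incidents))


def render_summary(events: list[Event]) -> list[str]:
    """Text rendering of the summary graph, one bar per line, busiest first."""
    counts = summarize(events)
    return [f"[{bar_colour(n)}] {n}: {c}"
            for n, c in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def build_sample_events() -> list[Event]:
    """Constructed traffic: a 200-try SQL dictionary attack from one source,
    two empty TCP 17300 connects from different sources, and a known payload
    on UDP 1434 from two sources."""
    honeypot = "192.0.2.10"
    events = []
    guess = b"\x12\x01\x00\x2f\x00\x00\x01\x00login=sa"     # not in the table
    for _ in range(200):
        events.append(Event("tcp", 1433, "10.0.0.5", honeypot, guess))
    for src in ("198.51.100.7", "198.51.100.8"):
        events.append(Event("tcp", 17300, src, honeypot, b""))
    slammer = b"\x04\x01\x01\x01\x01" + b"\x01" * 20
    for src in ("203.0.113.9", "203.0.113.44"):
        events.append(Event("udp", 1434, src, honeypot, slammer))
    return events


if __name__ == "__main__":
    for line in render_summary(build_sample_events()):
        print(line)
```

    The 200 dictionary attempts collapse to a single red "t1433unk" bar, exactly the behaviour the letter describes for the 1433 case.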
  25. What WR connects out to.. SMTP and UDP, explained by Gadi+Evron · · Score: 4, Interesting

    As Roger wrote on NTBUGTRAQ:

    If you allow it, WormRadar will synchronize your pc to network time, and
    all events are recorded to the millisecond utc. Events are reported by both
    email and udp... email because it makes it convenient to attach a capture
    if it is something new, and udp because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the
    website, and is refreshed every 15 minutes on the WorldView tab within
    WorldRadar itself. The WorldView tab also has notification options which
    allow you to be alerted by a variety of means if something new appears,
    such as email to a pager or by playing a wav file. In the fullness of time,
    I'll add more views and graphs. The summary graph is interpreted like this...

  26. Excellent! An AC Recommending Suspect Software! by Anonymous Coward · · Score: 1, Insightful

    Watch me break a leg in my rush to d/l and install on 2,000 clients because he says it's cool.

  27. Recruit these guys for a good data sample by G4from128k · · Score: 4, Interesting

    Back when we discussed the Witty worm the article & discussion noted that UCSD Network Telescope mentioned here has 1/256 of the entire IPv4 address space. They seem well suited to track anomalous behavior.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Recruit these guys for a good data sample by Anonymous Coward · · Score: 0

      that UCSD Network Telescope mentioned here has 1/256 of the entire IPv4 address space

      The network telescope only works because UCSD isn't using the vast majority of their IP addresses. Maybe some of the old Class A networks should be broken up.

    2. Re:Recruit these guys for a good data sample by onet · · Score: 1

      Can someone please explain to me why *one* project needs 1/256 of all available IPV4 addresses?

      --
      Onet
  28. As much as this is a good cause and all... by Anonymous Coward · · Score: 1, Informative

    ...I think I'll keep my tinfoil hat on. If we all would just start declining the honor of installing and running everything we can't be certain of being 100% safe, worms might just cease to be a problem.

    1. Re:As much as this is a good cause and all... by Anonymous Coward · · Score: 0

      You might as well just unplug your computer..because that's the only thing that's 100% safe.

      Or not, someone might just drive a semi through your wall and run it over.

  29. He said... what?! by Anonymous Coward · · Score: 1, Funny

    Win ME is a good platform, [...]

    I never thought I'd hear that.

    Guys, this is all a big hoax. Where's the hidden camera?

  30. Re:Infect, Effect and Affect by deathazre · · Score: 1

    Parent is correct... sort of.

    Effect is a noun. Affect is a verb.

    --
    Karma: Negative (Mostly affected by dorm trolling)
  31. Ya gotta wonder. by Anonymous Coward · · Score: 3, Funny

    I suspect there'll be a report next week about the number of people willing to blindly download and install unknown software.

  32. new open source project idea? by jasonbrown · · Score: 1

    OK so this guy has a good idea but he is a busy programmer and this is not open source software so we can't trust it.

    I'm all for a new open source project where we could take all our old AT computers running linux (you know you've got a bunch of them) and put a new and improved open source honeypot/worm tracking and graphing distributed network software on them. It will be open source so we can trust it. We might have more volunteers to help write and test this if it is open source too so it will get done faster. And finally a linux box is less susceptible to these worms than Windows anyway and will have more of a chance of surviving these worms when they hit (i think).

    OK I'm not a programmer, just a wishful network guy but hey I'll set one up on my network if you guys out there who care will make it.
    just my 2 cents for what it's worth

    --

    "Congress shall make no law... abridging the freedom of speech, or of the press"
    1. Re:new open source project idea? by Gadi+Evron · · Score: 4, Insightful

      I thought the idea of open source was to work together and help out? Not double and compete when there is no real need to?

      Email the author and offer your help, he is a great guy and I am sure he will take any help he can get.

      I trust him, the question is if he can trust everyone who offers to help with a project such as this? Ask him and you'll find out.

      Constructive vs....

    2. Re:new open source project idea? by jasonbrown · · Score: 1

      Yes fair enough. You are right. This is a good idea that he has I think. Working together is the way for sure.... I think I will email him.

      So.... question,
      In the best possible universe, do you believe that a project like this should be closed source or open source?

      --

      "Congress shall make no law... abridging the freedom of speech, or of the press"
    3. Re:new open source project idea? by Gadi+Evron · · Score: 1

      In answer to your questions.. I believe the author has the right to decide if his software is open source or not.

      You as a user have the right to decide whether or not you'd use it.

      The author is respectable and a very old timer in the AV and security field. He chose to make it freeware, that's something I am going to thank him for (already did, actually).

    4. Re:new open source project idea? by crisco · · Score: 1
      I think security is the best argument for open sourcing the client or at least making it available for peer review. It is intended to be used on the open internet and it will become a target for the writers of various malware, any buffer overflows or other subtle errors that can be exploited probably will be.

      Even if the author has a great reputation, we all make mistakes at times.

      --

      Bleh!

    5. Re:new open source project idea? by Anonymous Coward · · Score: 0

      You didn't actually answer his question.

  33. You mean absolutely everybody who runs Windoze? by Anonymous Coward · · Score: 2, Funny

    That's a pretty big number. ;-)

  34. "Everybody Knows Roger"? I Don't. by Anonymous Coward · · Score: 1, Insightful

    Hands up all those here who know him. What about those who've heard of him. OK. I'm sold. He must be trustworthy.

    BTW, who are you? Oh, wait...I'm sure everybody knows you too.

  35. The problem is... by Anonymous Coward · · Score: 0

    ...that we're being strongly encouraged by unknown people to install and run software that has yet to be proven safe, created by a person most of us have never heard of before. That's the problem.

  36. Dshield and myNetwatchman by JustinXB · · Score: 2, Informative

    DShield and myNetwatchman do pretty much the same thing, only for all ports instead of just worms. Gives a much better lay-of-the-land for administrators.

    1. Re:Dshield and myNetwatchman by NTBugtraq · · Score: 1

      Actually, no, they don't do the same thing at all. They report activity, and if you provide complete network dumps someone may, at some time, get around to trying to figure out what you saw.

      WormRadar specifically looks for attacks, not just plain old traffic. When something known comes along, it logs it...that part is the same as DShield or myNetwatchman. But when something entirely new comes along, it packages it up and sends it off to Rog. He correlates reports of new things from the instant any one WormRadar node sees it. So, if 10 minutes later another node in a different region sees the same new thing, it gets logged and isn't reported as a new thing.

      With a copy of the worm in his hands, Rog is capable (more than capable) of dissecting it and figuring out what it does, how it works, what we might expect from it, etc...

      Finally, because of his AV contacts, he's able to get anything new into all of the right hands so everyone can get definitions to detect it.

      --

      Cheers,
      Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    2. Re:Dshield and myNetwatchman by Anonymous Coward · · Score: 0

      So it's snooping in on all of my network traffic, looking for something new? Oh great, spyware.

  37. who is Roger Thompson, you ask? by Gadi+Evron · · Score: 1

    Try Google:
    http://energycommerce.house.gov/108/Hearings/11192003hearing1133/Thompson1799.htm

    1. Re:who is Roger Thompson, you ask? by serutan · · Score: 1
  38. Because by autopr0n · · Score: 2, Insightful

    A lot of the worms don't cause the machines to go down. Obviously, a lot of users are oblivious to the fact that their machines are not only spreading viruses around the 'net, but are infested with Spyware and probably being used as Spam zombies.

    It seems like windows was implemented with the "everyone is mostly nice" idea that the original internet, and certainly the original email system was. No one at MS anticipated that people would run programs that actively harmed them, and that their computers would turn against them.

    What we really need is an OS that doesn't just protect one user from another, but also protects users from programs and vice versa. Yeah, things like this can be done in Linux, probably MacOS, and even, in theory Windows (run the program as a service with a user logon, but most programs aren't services). But I don't think it's at all a general, easy to use feature.

    Honestly, the only ones who seem to have thought ahead were the java people with their sandbox, and the ability to give permissions based on code signatures.

    And then, of course, we get MS trying to shoehorn the whole thing into their "trusted computing" framework which also tries to protect the content from the user which I think is Bullshit. An entire system to protect users could be built simply by using memory protection and standard user-level controls.

    --
    autopr0n is like, down and stuff.
  39. Well of course! by pavera · · Score: 3, Funny

    Currently it looks like only a Windows client is available, though. Why would you need to monitor worm activity on a Linux box?

  40. You all must remember under what "license" this is by Gadi+Evron · · Score: 1

    The guy asked for volunteers, people who are willing to help - on NTBUGTRAQ.

    The program is still being developed and there isn't much of a web page, it is an as-is service, and the program does a great job.

    The guy runs a new project, which is still very much under development. I suppose you don't have to download and/or run the software if you don't want to.

    It is good software, and it worked great, but I don't see any reason to shoot the guy for admitting to needing help with running nodes, while he further develops a currently IN-DEVELOPMENT stage project.

    The program was obviously not ready for prime-time (slashdot), by what the guy said, but I believe it can take it. Use it if you like, it is freeware.

    Otherwise, make your own, or be quiet about it.

  41. Sloppy graph by Anonymous Coward · · Score: 0

    Shouldn't they label the friggin x-axis? Excel happy freaks.

  42. It works! by Anonymous Coward · · Score: 1, Funny

    Wormsign to the northwest! Usul has called a big one. SUMMON THE FREMEN!

  43. Port 2000 by toupsie · · Score: 2, Interesting

    I have my Linksys cable/dsl router pointing the DMZ to an old notebook running redhat 8 and portsentry. One thing I have noticed is that a majority of the hits I record are for port 2000. These are coming from all over the world and I have no clue what is hitting it. Does anyone know what would be probing port 2000? I was disappointed that it didn't show up on the graph at the WormRadar site. I figured if I was being probed for the port it would be universal.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Port 2000 by krray · · Score: 1

      ?

      I monitor port probing as well -- and see a wide range of known and "unknown" port attempts also coming from all over the world. In the last week not one (!1) probe on port 2000...

      It's just you. :)

    2. Re:Port 2000 by Professor+Cool+Linux · · Score: 1

      well get a capture & send to SANS

  44. Ebola by CatGrep · · Score: 1

    Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there.

    Well, a virus/worm that kills its host too easily won't spread too far, will it? It's the same in the biological world. Ebola is very effective at killing its host quickly, and that's what limits its spread.

    And generally these newer viruses/worms aren't just sitting there, they're figuring out how to spread to all the email addresses in your mailbox.

  45. You are dumb by Anonymous Coward · · Score: 0
  46. Was it just me? by bpiltz · · Score: 1

    Did anyone else read the headline as:

    WormRadar Nude Volunteers Help Graph Attacks

    --
    Goals for 2011: 1. Stop plate tectonics. 2. Prevent animal predation. 3. End supernovae now. 4. Rid the world of evil.
    1. Re: Was it just me? by Black+Parrot · · Score: 1


      > Did anyone else read the headline as: WormRadar Nude Volunteers Help Graph Attacks

      At first I read it as "That hot babe you saw at the store this afternoon is trying to track you down for a weekend of hot sex", but I rubbed my eyes and it went away.

      --
      Sheesh, evil *and* a jerk. -- Jade
  47. Your sig by Anonymous Coward · · Score: 0
    What is karma?:
    ...
    Note that being moderated Funny doesn't help your karma. You have to be smart, not just a smart-ass.

    Answered by: CmdrTaco
    Last Modified: 6/03/03



    Hardly broken. Most "Funny" comments aren't. For once I agree with the taco, even if the rest of the time he's an idiot.
  48. The problem is by Sycraft-fu · · Score: 1

    That you CAN'T protect the user from programs, short of trusted computing architecture, because what you are REALLY saying is you want to protect the user from themselves. You want to make sure that the OS intervenes when they try and run software they shouldn't. Fair enough and yes, Linux does that. As a normal user, there is limited damage a person can do to a system.

    Problem: You can't not give people root/admin/whatever access to their own systems. They need the ability to install new programs, updates, etc. Well if they have it, they can use it and if they can use it they can abuse it. Linux is actually worse in this respect since root is more powerful than a Windows administrator. Administrators have limits, not many, but they do have them. Root, being the system, has no limits. You can rm -rf / and it'll not stop you as you destroy your drive.

    Your model for protection works only in an environment where there is a separate, trusted, administrator. You can lock users out of doing things that might be harmful (like modifying system files) only so long as there is a person with access to the system that can.

  49. It's directed at your computer by Sycraft-fu · · Score: 1

    Quite hard to claim it is unlawful to intercept something directed at you. That's like saying I unlawfully intercepted the letter you addressed and mailed to me. No I didn't, you SENT it to me, there was no interception.

    There's also nothing saying that what runs on a port needs to be what conventionally runs on that port. Yes, 21 is conventionally FTP, but that's convention not a legal mandate. You can run other services (like this) on 21, or run FTP on a different port.

  50. Well said. by Anonymous Coward · · Score: 0

    Well said sir.

  51. This guy should have done it in java by mark-t · · Score: 1
    And released the source code.

    Then anyone with a java compiler could participate, no matter what hardware they have.

    (Also, the chance of this being a trojan would be rendered nonexistent)

    Say what you will about java performance, but when it comes to writing networking software, java's pretty damn sweet!

  52. The headline had me all excited.. by taxevader · · Score: 1

    ..until I realised it said node volunteers. Node with an 'o', not a 'u'.

    Damn.

    --
    -Copyright law #69:Whenever Mickey Mouse is about to enter the public domain,copyrights get extended by 25 years.
  53. dshield by sir_cello · · Score: 2, Informative

    Try dshield, I've had my OpenBSD pf firewall generate and submit logs on a daily basis for near a year now. There are numerous dshield clients and adapter scripts. You will also get daily reports from dshield, there's a tonne of online statistics, and they use your data to submit reports to abuse owners at domain names.

    Here's the current statistics:
    Records Added:
    Last Month - 286,455,729
    Last Week - 112,352,882
    Today - 591,719

  54. WINE by JThundley · · Score: 1

    Doesn't run under WINE :(

  55. It's obvious why - by Anonymous Coward · · Score: 0

    They write the worm, they test the worm, and it erases the machine and itself, killing patient 0.

  56. Yes, you can by autopr0n · · Score: 2, Insightful

    If someone types "rm -rf /" at a terminal, you can be pretty sure they want it to be done.

    The problem is that programs these days do things that the user doesn't know about, doesn't want, can't control, and ultimately can't even stop when they find out. That's ridiculous.

    If I'm root, and I don't trust a program I'm running, I can su it, and run it as a regular user and lock it down to a single folder on the file system with no network access. You have to do it manually, and on windows you can only do it with services.

    What I'm talking about doing is automating the process using certs, things like that, and running them in a java-like sandbox. It's not hard and in the case of java, it's already been done.

    --
    autopr0n is like, down and stuff.
  57. Windows only and who would connect it by Anonymous Coward · · Score: 0

    directly to the internet without some firewall/packet filter in between. Of course there is a large base of Windows machines connected to the internet, but I really hope that the ones who would take interest in a project like this know better than to have it directly on the net.
    also: "Win ME is a good platform"
    Ok maybe for this project but that's about it, I guess if you place it in a virtual machine with VMware and route all incoming requests to it, this would work.

  58. their radar site blows, crap image resize by cheekyboy · · Score: 0, Flamebait

    http://wormradar.com/

    the gif looks like crap

    either

    A) Mozilla's image resize is still utter crap made by loser programmers that have NO CLUE on image processing and proper resize algorithms, or the website designers have no clue how to make a proper image size spec.

    ie

    Now, can they get a damn clue, and not force a width, unless they have proper image resize server algos (like zoom.sourceforge.net)

    GRRRRR

    UTTER MADNESS and incompetence.

    I also put equal blame on IE/moz teams for being stupid, I mean I'd mod moz myself, though if I would I'd leave in some nasty comments in the code for 'em, I have no mercy, I will call 'em screwball 1987 wannabe coders.

    Ever since 1997 I thought, "damn what utter crap, are these so-called MBA uni grads that stupid?". Proper image resizing using interpolation is trivial, especially if the OS now can do it for you, and even then it's utterly painfully basic to code it yourself, even after 12 beers, and 4 hrs sleep in a week with 3 hrs coding.

    Seems like the old days Amiga coders could whip up 10x more effort in 1991.

    -old time greetz to alcatraz, mohaney and cactus, team17.

    --
    Liberty freedom are no1, not dicks in suits.
  59. The Graph by FrostedWheat · · Score: 1

    If you're using Mozilla, right click on that image and 'View Image'. For some bizarre reason they rescale the image in the HTML and it really kills the fonts.

    Unless your browser has smooth scaling! Wasn't Mozilla supposed to have added that a while back?

  60. False reporting ? by StealthNet · · Score: 1

    Maybe I'm completely wrong, I didn't install the app, nor will I for now (let's say I'll wait a bit to see where it goes).

    But since this app seems to simulate actual servers running on those ports, I would think that (obviously) you need those ports open and free to bind. That means that you can't install it on a NAT perimeter machine (you need, for example, port 80/tcp bound to portmap it to the server inside the DMZ).

    If you install it on a machine inside your network, behind a firewall, of course, it will be masked out by your default filtering at the border. I don't think most of our security aware network administrators will portforward lots of "warm exploitable ports" to the internal network to make it work correctly.

    So, in summary, it will report activity on commonly open ports, or even misconfigured ports. Worse, those ports reported may indicate only internal network activity and not real world internet worm activity due to the default perimeter filtering.

    It's completely different from other projects like dshield that are actually based on firewall logs, or ids logs that usually take the network and a layer 2 perspective.

    Please tell me I'm wrong, otherwise I can't see the usefulness of this app.
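
The two checks the concern above implies, as an added example in Python (not WormRadar's code and not from the commenter): before installing a port-emulating honeypot, find out which of its ports are actually free to bind on this host, and after it runs, look at whether the reported sources are RFC 1918/loopback/link-local addresses, in which case the sensor is seeing LAN traffic rather than the internet. The port list and the list of reported sources are constructed for the example; the real WormRadar port set is not documented on this page. The bind check deliberately separates "already in use" from "needs privilege", since a non-root run would otherwise make every port below 1024 look taken.

```python
import errno
import ipaddress
import socket
from collections import Counter

# Ports a worm honeypot of this era would plausibly emulate.  Constructed for
# the example; the real WormRadar port set is not documented here.
HONEYPOT_PORTS = (21, 80, 135, 139, 445, 1434)

# Address space that can only be reached from inside your own network:
# RFC 1918, loopback and link-local.  ipaddress.is_private is deliberately not
# used because it also flags the RFC 5737 documentation ranges, which the
# constructed sample below uses to stand in for real internet sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def port_status(port, host="0.0.0.0"):
    """Return 'free', 'in use' or 'privileged' for a TCP port on this host.

    A honeypot can only play a server on ports it can actually bind, so run
    this before installing one on a box that also forwards ports to real
    services.  EADDRINUSE means something already listens there (a port
    forward, sshd, ...); EACCES/EPERM means the port is below 1024 and this
    process lacks the privilege to bind it, which is not the same as 'taken'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in use"
            if e.errno in (errno.EACCES, errno.EPERM):
                return "privileged"
            raise
    return "free"


def bindable_ports(ports=HONEYPOT_PORTS, host="0.0.0.0"):
    """Map each honeypot port to its status, so it is visible which emulated
    services would never actually start."""
    return {p: port_status(p, host) for p in ports}


def open_loopback_listener():
    """Open a listening socket on an ephemeral loopback port and return
    (socket, port); used to demonstrate the 'in use' case without root."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def source_scope(ip):
    """'internal' if the source is RFC 1918/loopback/link-local, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "internet"


def activity_breakdown(source_ips):
    """Count reported hits by source scope.  A sensor behind NAT or a border
    filter whose report is all 'internal' is measuring LAN chatter, not the
    worm population on the internet."""
    return Counter(source_scope(ip) for ip in source_ips)


# Constructed list of reported sources, as a sensor behind a NAT might see them.
SAMPLE_SOURCES = ["10.0.0.5", "10.0.0.5", "192.168.1.20",
                  "192.0.2.10", "198.51.100.7", "169.254.3.9"]

if __name__ == "__main__":
    for port, status in bindable_ports().items():
        print(f"port {port:5d}: {status}")
    print(dict(activity_breakdown(SAMPLE_SOURCES)))
```

Without `SO_REUSEADDR` a port still in TIME_WAIT also reports as in use, which is the conservative answer for a honeypot that wants to listen persistently. An internal-only breakdown does not prove the sensor is useless, but it is the first thing to look at before counting its hits as internet worm activity.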

  61. Fixed by Animaether · · Score: 1

    Though still a JPEG, the sizing issue is now fixed.

  62. Re:Infect, Effect and Affect by SiChemist · · Score: 1
    Effect is a noun. Affect is a verb.

    That's not strictly true. It's also a transitive verb.

    See also the usage note at affect.

  63. Witty Worm by phsolide · · Score: 1
    Well, a virus/worm that kills its host too easily won't spread too far, will it?

    What about the Witty worm? To quote from that link, Witty was the first widely propagated Internet worm to carry a destructive payload. The authors of the referenced study think that the Witty worm infected the entire vulnerable population before it self-destructed by scragging hard disks.

    If you invoke the "too" in "kills its host too easily", then I'll just wave you off as tautological: there's no way to disprove what you've said, in that case.

    --
    Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  64. Now it all makes sense. . . by bplipschitz · · Score: 1

    "Currently it looks like only a Windows client is necessary, though."

    *Now* I get it!