Witty Worm Kick-Start Methods Revealed
voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
Based on how quickly the code was put together, some experts, including Weaver himself, have theorized that an insider -- either someone who works for or has contacts within ISS or the company that found the vulnerability used by the worm, eEye Digital Security -- is the most likely creator of the worm. Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP, Weaver said.
This part is both very interesting and very scary. There has been speculation recently that many of the 'security' firms are sitting on vulnerabilities for unusually long periods of time. In my experience, eEye and ISS seemed relatively reputable (eEye in particular), so this statement is somewhat shocking.
I suppose it just takes one jackass employee to start speculation. Hopefully, if it really was an inside matter, the companies find and report the person responsible.
Video Phone Blogs send video messages straight to the web.
There's nothing worse than a witless worm.
Have you read my blog lately?
So, the witty worm was not complete. Would that make this worm a half-wit?
Statesmen serve to better the country and help the people.
Politicians serve to better themselves and help friends.
What does it mean by waxed? Like delete all the data
They leave out the number 7 or something?
I don't think I ever came across a worm I couldn't humor to death with my witty sense of writing that I share for free with all you slashdotters. I guess that's how the worm turns...
I always do that! I always seem to miss some mundane detail!
Hmmm.
[...]
The vulnerability was discovered by eEye on March 8, 2004 and announced by both eEye and ISS on March 18, 2004. ISS released an alert warning users of a possibly exploitable security hole and provided updated software versions that were not vulnerable to the buffer overflow attack.
I think there's a lesson in this: the only way to keep ahead of exploits is to demand software companies automatically patch your software against security flaws via the Internet when exploits are discovered -- before details are released.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The FA was actually a decent read. It brings to mind that science class in middle school where we dissected worms to find out that they had five 'hearts.' Has anyone created a worm (of the malicious network variety) that can survive having pieces hacked off? I'm imagining the anti-virus/security companies issuing a new definition file and the worm, realizing it has lost its tail, continues with the other four hearts intact. Hrmm.
Just because I run two separate software based firewalls that have no relationship to each other on my XP machine (and I'm NOT talking about the lame-o one that comes with the system, so there)...
The NSA: The only part of the US government that actually listens.
"...And then I said 'No I'm not, I'm a worm" Oh that witty worm.
OMG! If this analysis was done by *THE* Al CAIDA group, then you know it has to be right. err, I mean, those guys know lots about viruses and terrorism and worms and dirt floors and stuff...
Support NYCountryLawyer RIAA vs People
I think they should have called it the wacky wax worm. That would seem to be a more fitting name for a worm that waxes a hard drive, and isn't quite all there.
oh well, can't win 'em all.
It's also interesting to see a return to data-destructive worms. I can't remember the last time I had to worry about a virus that would actually screw up my machine.
That reminds me, did anybody else ever get the millennium virus in the early 90's? Supposedly the virus would cause your hard drive to get wiped out or something on January 1, 2000.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
With an intro this boring, why would anyone be inspired to RTFA?
Fantasy Football
No, but the really interesting thing is that they used the flaw to determine the IP address from which the worm originated. In a nutshell (assuming I'm interpreting this correctly), it seems that they had a list of machines that theoretically should have been hit, but weren't, due to the flaw. They then traced the algorithm to determine what the starting point had to have been to miss that specific block of addresses. Turns out they found exactly one IP address that could have produced the hit-and-miss profile of the flaw on the same IP addresses, and were thus able to identify the initial point of insertion. Cool!
Bruce Schneier wrote a great summary of what made this worm special here. It's true that Witty didn't get as much press coverage as some; it really deserved to get more. The whole thing fit inside one UDP packet (like SQL Slammer) and it ramped up very quickly given that it only targeted a small fraction of Internet hosts (those running a couple of ISS products). And it was destructive to the host without harming its ability to spread. Rather breathtaking.
Brent J. Nordquist N0BJN
"The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order." Was it download, install, reboot or install, reboot, download? I can't remember!
That reminds me, did anybody else ever get the millennium virus in the early 90's? Supposedly the virus would cause your hard drive to get wiped out or something on January 1, 2000.
Thankfully, many systems worked around this virus by skipping right from 1999 to 19100.
Random and weird software I've written.
Because we are uniquely situated to receive traffic. That's why it is not slashdotted yet. BTW these are the links to the large maps
a tions/world_big-witty_2h.gif
a tions/usa_big-witty_2h.gif
http://www.caida.org/analysis/security/witty/anim
> A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
And non-MS OSes protected another 10%...
Sheesh, evil *and* a jerk. -- Jade
The worm known to Symantec as W32.Witty.Worm actually exploited a defect in commercial firewall products.
This worm caused quite a stir in the security consulting community as a result. Professionals for years were recommending PC firewall products as part of a defense in depth strategy. The risk with these modern fancy host based firewalls is that they let the packet on the box and inspect it before deciding what to do.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
I don't think it's as cut and dry as you make it out to be.
More likely I think there's a defect in the random number generator (RNG) it used. And the initial spread JUST HAPPENED to come from an address the RNG would never have generated, making it patient zero logically
I am disrespectful to dirt! Can you see that I am serious?!
Not exactly actually.
They used the Network Telescope data to find out who was sending Witty packets and found ONE address that was outside of the range of IP addresses that were covered by the (flawed) algorithm.
The set of IP addresses that are covered by the algorithm is what is called an "orbit" in the article (see it as if you had a base address, and go around this base address, trying all possibilities starting from that address).
One IP could not possibly belong to this set of possible IP addresses (it was outside the "orbit") and they deduced it was patient zero since the worm could have generated that particular one.
It seems strange to me that the worm writer missed that one, so patient zero is probably a victim computer and probably not the worm writer's one or anything near him.
I don't understand why the researchers were so concerned about the "hitlist" aspect of this worm. I am sure the author just used some sort of "witty" google search for DNS info or something to find the initial seeds.
I didn't even hear about this worm until now, so to say that only 10% of the internet was saved is hyperbole. Let's try to keep the news reporting a bit more real, aight?
Yes, this claim was made the same day the worm came out. The thing that apparently even professional antivirus types don't always remember is that just because a worm is *released* the same day that a vulnerability was announced doesn't mean it was *coded* quickly.
In the case of the Witty worm, with its pre-determined hit list, it seems likely that reconnaissance was performed before the vulnerability was announced. In fact, the bulk of the worm code might have been sitting around, waiting for the next buffer overflow exploit to come around.
Likewise, the author of the worm might have known about the product defect for months or years before it was announced. They may have exploited it quietly for other purposes, and launched the worm once the defect was announced. Kids sometimes do this out of spite -- if another kid wants to play with their toy, they will sometimes break it.
It's not necessary that the cracker be inside the security company that found and announced the defect, nor be inside the company that made the product.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives.
...
Last time I waxed my hard drive was back in the day when 300 baud was FAST. You know, when you hand-cranked the rheostats
What is this, a time-warp worm?
.
-- Tigger warning: This post may contain tiggers! --
It is the hitlist which is the biggest suggestion that it was done by an insider. Whoever wrote the worm had to know in advance about the military base and others in the hitlist. This also suggests that an ISS insider would be more likely than an eEye insider.
Not being an insider it would still have been possible to write the worm (36 hours only, but it is doable considering how small the worm is), although the interesting part would be how the outsider knew who to hit.
Test your net with Netalyzr
A flaw in Windows condemned 90% of the internet.
Looking for a job?
Want your resume written professionally?
DON'T USE TUNAREZ!!!
I agree that it was prob. a victim machine. For instance, that could have been a machine whose IP address changed because it was dynamic DSL, cable maybe? Or multihomed?
One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver and Dan Ellis (of MITRE), published in the June 2004 issue of ;login, the Usenix magazine.
Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.
Some insights about the worm author that Weaver and Ellis proposed:
The authors' conclusion is somewhat alarming, they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.
The LCG gives a 32 bit number, but only the lower 16 really look good for "random". So, following the Knuth recommendation, LCG was called twice, to create the upper and lower halves of the address.
This is the bug: For a worm you don't want random, you want random COVERAGE. By doing the concatenation, about 10% of the 32 bit address space is never generated.
The flaw for patient 0 was different: It was simply running different code, so it produced different random numbers.
Test your net with Netalyzr
References? Some reason we should believe you? (Sapphire is another name for SQL Slammer, for those who don't know. Both were 1-packet UDP "flash worms".)
Unlike most other vulnerabilities, you really couldn't scan for the ISS vulnerability WITHOUT actually exploiting it. Thus the hitlist had to be based on a-priori knowledge rather than reconnaissance.
Test your net with Netalyzr
I betcha it was specifically created to AVOID the creator's systems. It would be trivial to engineer the target generator to skip any IP that gets too close to your home system. Make it overly-paranoid, and you end up with 10%.
Poor means hoping the toothache goes away.
At the time, Dan and I did not know it was a Hitlist, we thought it was a botnet.
Knowing that it WAS a hitlist (that the author couldn't have scanned for in advance), makes it seem more likely that the author was an insider, someone with a relationship to ISS, rather than an outsider who worked fast, as the attacker had to know, in advance, the vulnerable systems needed to create the hitlist.
Test your net with Netalyzr
They mean 10% of all IPs were safe from attack automatically, as the worm's RNG had a bug that kept those IPs from ever being attacked.
They never said that all 90% of the remaining IPs were successfully compromised.
HSJ$$*&#^!#+++ATH0
NO CARRIER
The pRNG bug was really subtle:
, which is what you want in a worm (but not necessarily in a random number). But concatenating the two 16 bit values together doesn't cover the whole space. So it's a very subtle bug, caused by the attacker being a bit TOO sophisticated.
The attacker could have just as easily protected himself by patching or removing ISS, so he didn't need self protection.
And the flaw was the case of the attacker being too subtle and proper. If you read Knuth, it says to use only the lower 16 bits of a 32 bit linear congruential pRNG, as only the lower 16 bits are reasonably random.
So the attacker called the pRNG twice, concatenating together the lower 16 bits of each try to create the target address.
The problem is, the linear congruential generator is a 32 bit permutation: if you just take the value it will cover the whole address space
And some of the 10% still got infected: eg, if they were snooping the wire to protect other systems.
Test your net with Netalyzr
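The coverage bug described in the two comments above (the LCG being called twice and slices of consecutive outputs concatenated) and the "orbit" reasoning used a few comments earlier to single out patient zero, as an added, constructed Python analog. This is not code from the thread, from CAIDA's analysis, or from the worm: the generator is scaled down to a 16-bit modulus with made-up constants (A = 26125, C = 62303, chosen only to satisfy the full-period conditions), and "addresses" are 16 bits wide so the whole space can be enumerated. The coverage fractions it prints are therefore the analog's, not Witty's 10%; which bits are sliced changes the result a lot, and for a power-of-two modulus the low bits of an LCG repeat with a short period, so slicing them is the worst case. The `sources_outside_orbit` check and the observed-source list are likewise constructed for illustration.

```python
from typing import Iterable, Set

# Constructed, scaled-down analog (not the worm's real constants): a
# full-period LCG modulo 2^16 plays the role of the 32-bit generator, and a
# target "address" is 16 bits wide, so every state can be enumerated quickly.
MOD_BITS = 16
MOD = 1 << MOD_BITS
A, C = 26125, 62303  # A % 4 == 1 and C odd (Hull-Dobell), so the period is exactly MOD


def lcg_next(state: int) -> int:
    """One step of the linear congruential generator modulo 2^16."""
    return (A * state + C) % MOD


def addresses_from_full_output() -> Set[int]:
    """Address := the whole generator output. A full-period LCG is a
    permutation of its state space, so this scheme reaches every address."""
    return {lcg_next(s) for s in range(MOD)}


def addresses_from_sliced_pair(shift: int, width: int) -> Set[int]:
    """Address := `width` bits (starting at bit `shift`) of two consecutive
    outputs, concatenated. The set it can ever reach is the generator's
    "orbit" for that address scheme. Because the generator is full-period,
    iterating over every state enumerates every (output, next output) pair."""
    mask = (1 << width) - 1
    orbit = set()
    for s in range(MOD):
        first = (s >> shift) & mask
        second = (lcg_next(s) >> shift) & mask
        orbit.add((first << width) | second)
    return orbit


def coverage_report() -> dict:
    """Fraction of the 16-bit address space each scheme can ever hit."""
    full = addresses_from_full_output()
    low = addresses_from_sliced_pair(shift=0, width=8)   # low 8 bits of each output
    high = addresses_from_sliced_pair(shift=8, width=8)  # high 8 bits of each output
    return {
        "full_output": len(full) / MOD,
        "low_bits_pair": len(low) / MOD,
        "high_bits_pair": len(high) / MOD,
    }


def sources_outside_orbit(observed: Iterable[int], orbit: Set[int]) -> list:
    """Forensic check from the thread: a host seen sending worm traffic whose
    address the generator can never produce cannot have been picked by the
    generator, so it was seeded some other way (the "patient zero" reasoning)."""
    return [addr for addr in observed if addr not in orbit]


if __name__ == "__main__":
    for name, frac in coverage_report().items():
        print(f"{name:15s} covers {frac:7.2%} of the address space")
    orbit = addresses_from_sliced_pair(shift=0, width=8)
    # Constructed "observed sources" for the demonstration, not telescope data.
    observed = [0x005F, 0x016C, 0x0000]
    print("outside orbit:", [hex(a) for a in sources_outside_orbit(observed, orbit)])
```

Running it shows the full-output scheme covering 100% of the space while both concatenation schemes fall short; the low-bit variant collapses to 256 addresses because the low 8 bits of this generator are themselves an 8-bit LCG whose next value is fixed by the current one. The practical point for a defender is the one the researchers exploited: any deterministic state-to-address mapping that is not a bijection leaves a checkable set of addresses the generator can never emit, and a source observed outside that set did not get there through the generator.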
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
You must be new here.... Who needs something like proof?
Paranoia is +5 "insightful," and FUD like "the anti-virus companies make viruses" is ok if it comes from us. The only time proof is needed is when it goes against or fits our agenda.
Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP,
You say:
Whoever wrote the worm had to know in advance about the military base and others in the hitlist.
I'm not sure about either. How rare is an exploit that grew to 12,000 hosts in 75 hours? How much inside knowledge do you have to have to know what services any military base is running? Don't they all run the same stuff? Can't you get the IPs from a ping? Couldn't anyone do the same thing for any number of big dumb organizations or companies? As everyone concludes, there's no real proof here.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
You can't really scan for this vulnerability. Any scanner for the vulnerability has to be scan & exploit, as it is only when the personal firewall receives and interprets the packet that you know if it is vulnerable. There is no response sent back which tells you that it is vulnerable, UNLESS you actually send an exploit packet.
In which case, why hitlist? You just write the whole worm.
Thus in order to create the hitlist, specialized knowledge (the customers in the hitlist) would be needed.
Test your net with Netalyzr
No, he's got a point. It only infected machines running specific applications. A less grand and sweeping statement, but entirely accurate, would be to say, "if the technique had been paired with a more common Windows vulnerability, only a bug in the worm's RNG would have prevented it from infecting all Internet-connected hosts with that vulnerability."
Fred
"A fool and his freedom are soon parted"
-RMS
...then again, there's always the idea of the worm proving a point. After all, it was a "Witty Worm"
Just google for:
witty "ci host"
or
witty "c i host"
Lots of angry customers over a company that had 36 hours to patch their servers for, perhaps, thousands of customers.
Actually, there was one written like that not too long ago.
I forget its name, but it worked something like this:
The virus infects the computer and acts as a key logger.
If it sees a pattern that looks like a credit card number it stores it.
The stored number is sent to 5 servers in its memory. Each server is in a different country.
After uploading the information, it then downloads instructions from the servers, such as which servers to start to ignore, and any new ones to start listening to.
When the virus reproduces, it includes the new information to its "children".
So, pay for some servers with stolen credit cards. Only access them from public wifi points. When one server is shut down, open a new one and inform all the viruses. Rinse, lather, repeat.
With the servers in different countries, it's almost impossible to shut them all down at the same time.
"That's so plausible, I can't believe it!" - Leela
Shocking... you mean security through obscurity doesn't work?
Say it ain't so!
90% of all potential victims were destroyed.
Attempting to avoid detection would not get that high a kill ratio, it would just give more victims time to upgrade.
If the vulnerability had been in, say, Windows, the next morning there would not be a lot of surviving always on Windows machines connected to the Internet.
that seems very unlikely, wouldn't the chances of that happening be (255^255^255^255)^(255^255^255^255)?
Bypass Compulsory Web Registration -- http://bugmenot.com/
Wouldn't it be 10%?
Well the article stated that 10% of the IP space would never be hit by the RNG... so if you consider IP addresses to be distributed to computers uniformly across the entire range (they're not, but it's close enough) then the chance of any one particular IP address not getting covered by the RNG is 10%.
If there was exactly ONE IP address that the RNG didn't cover, the chance of that one being the source would be 2^32... or about 1 in 4 billion.
I am disrespectful to dirt! Can you see that I am serious?!
Prior identification of hosts vulnerable to witty infection was certainly possible. The author of the witty worm had created a tool that could reliably exploit the vulnerable code and reliably generate network traffic. All that would have been required to scan for vulnerable hosts would have been a variant of the exploit that sends out a "gotcha" packet upon successful exploitation to a machine or network under the attacker's control.
nah, it was coded in binary but the characterset wasn't unicoded and left out all the '1's on anything but US keymaps. ;-)
Oh come on, mods, that's funny!