Slashdot Mirror


Witty Worm Kick-Start Methods Revealed

voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

10 of 150 comments

  1. Re:Waxed? by daviddennis · Score: 4, Informative

    It wrote random junk to random sectors of the drive until the machine died.

    So essentially, yes.

    It was a really nasty character. In fact, I don't know if there have ever been nastier ones. Most of the worms feel more like social engineering proofs of concept than anything else. This one was actually intentionally destructive, which is pretty rare.

    D

  2. Re:I'm not paranoid by merlin_jim · Score: 3, Informative

    Multiple firewalls don't help. Try one properly configured software firewall.

    Or if it's that important to you I trust a NAT firewall a lot more than I trust a software firewall.

    I specifically asked some Microsoft guys about the Windows Firewall. To paraphrase their answer: "Don't you dare try to protect a sensitive system with it, but for consumers, and especially laptop users who just need a security layer between them and the big bad world, it works pretty good."

    My translation: Windows Firewall on the gaming machine on DMZ. Everything else hides behind the NATting firewall (or a real ISS)

    --
    I am disrespectful to dirt! Can you see that I am serious?!

  3. regarding the author of Witty by nthomas · Score: 5, Informative

    One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver and Dan Ellis (of MITRE), published in the June 2004 issue of ;login, the Usenix magazine.

    Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.

    Some insights about the worm author that Weaver and Ellis proposed:

    • he was a fairly proficient programmer - there were no significant bugs in the code of the worm, he knew how to program x86 assembly and access the Windows API, he implemented a stack-overflow attack, and most importantly, he constructed a payload that was malicious to the host, but didn't significantly slow the worm's spread.
    • he was quite clever at what he did - randomly padded packet sizes, randomized the destinations and port numbers, and he seeded the worm (rather than start at a single location, the worm started out from 110 different victims) -- prior to this no one had significantly seeded their worms
    • he wrote compact code; Witty consists of 177 x86 instructions in 474 bytes (the rest is the buffer overflow and padding); with 177 instructions, he was able to construct routines to clean up from the overflow attack, seed the RNG, propagate the worm, and execute the malicious payload (Witty slowly overwrites disks on the infected hosts until the machine crashes)
    • he worked quite fast; the stack overflow in the ISS BlackIce products was published on March 18, 2004. Witty was released on March 19, 2004, less than 48 hours after the security advisory was published by eEye; it is possible that he knew of the vulnerability when eEye notified ISS on March 8, 2004, but the paper goes into why this is unlikely
    • he probably tested the worm before he released it (cf. the lack of major bugs); this, combined with the fact that he seeded on 110 hosts, means that he had access to a wide array of compromised machines -- it probably means he has access to the "hacker underground", to gain access to these machines in such a short time frame

    The authors' conclusion is somewhat alarming: they reason that Witty represents a new generation of virus/worm authors, motivated, skilled and malicious individuals who are experts at what they do.

    Thomas

  4. The flaw... by nweaver · Score: 4, Informative

    LCG gives a 32 bit number, but only the lower 16 really look good for "random". So, following the Knuth recommendation, LCG was called twice, to create the upper and lower halves of the address.

    This is the bug: For a worm you don't want random, you want random COVERAGE. By doing the concatenation, about 10% of the 32 bit address space is never generated.

    The flaw for patient 0 was different: It was simply running different code, so it produced different random numbers.

    --
    Test your net with Netalyzr

  5. One correction... by nweaver · Score: 5, Informative

    At the time, Dan and I did not know it was a Hitlist, we thought it was a botnet.

    Knowing that it WAS a hitlist (that the author couldn't have scanned for in advance), makes it seem more likely that the author was an insider, someone with a relationship to ISS, rather than an outsider who worked fast, as the attacker had to know, in advance, the vulnerable systems needed to create the hitlist.

    --
    Test your net with Netalyzr

    1. Re:One correction... by nweaver · Score: 2, Informative

      This vulnerability, in order to discover that it exists, requires exploitation. A system will NOT reply with any information about it being vulnerable unless the scan contains an exploit code which generates a response.

      Thus, because of this restriction (you need to exploit to scan, and you need to know the exploit to create a scanner), you wouldn't scan to create a hitlist, you would either know the hitlist in advance through some other means (an insider?) or just release the worm without a hitlist.

      --
      Test your net with Netalyzr

  6. Nope, it was a flaw... by nweaver · Score: 3, Informative

    The pRNG bug was really subtle:

    The attacker could have just as easily protected himself by patching or removing ISS, so he didn't need self protection.

    And the flaw was the case of the attacker being too subtle and proper. If you read Knuth, it says to use only the lower 16 bits of a 32 bit linear congruential pRNG, as only the lower 16 bits are reasonably random.

    So the attacker called the pRNG twice, concatenating together the lower 16 bits of each try to create the target address.

    The problem is, the linear congruential generator is a 32 bit permutation: if you just take the value it will cover the whole address space, which is what you want in a worm (but not necessarily in a random number). But concatenating the two 16 bit values together doesn't cover the whole space. So it's a very subtle bug, caused by the attacker being a bit TOO sophisticated.

    And some of the 10% still got infected: e.g., if they were snooping the wire to protect other systems.

    --
    Test your net with Netalyzr
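The coverage argument in comments 4 and 6 above (a full-period LCG is a permutation of its state space, but an address built from halves of two consecutive outputs is not) can be checked numerically. This is an added, scaled-down illustration, not code from the thread or from the CAIDA analysis: it uses a constructed 16-bit LCG with 8-bit halves so the whole state space can be enumerated in milliseconds. The constants are not Witty's, and taking every consecutive pair of outputs is an upper bound on what any fixed call alignment could cover.

```python
# Constructed 16-bit stand-in for the 32-bit generator discussed above.
# a % 4 == 1 and c odd give the full period mod 2^16 (Hull-Dobell), so the
# raw state visits every 16-bit value exactly once per period.
BITS = 16
MOD = 1 << BITS
A, C = 25173, 13849            # constructed constants, NOT Witty's
HALF = BITS // 2
HALF_MASK = (1 << HALF) - 1


def lcg_sequence(seed: int):
    """Yield one full period (MOD states) of x = (A*x + C) mod 2^BITS."""
    x = seed
    for _ in range(MOD):
        x = (A * x + C) % MOD
        yield x


def coverage_raw(seed: int = 1) -> int:
    """Distinct 'addresses' when the whole LCG state is the address."""
    return len(set(lcg_sequence(seed)))


def coverage_concat(seed: int = 1, use_high_bits: bool = True) -> int:
    """Distinct 'addresses' when two consecutive outputs each supply HALF bits.

    use_high_bits=True concatenates the upper halves, False the lower halves.
    Every consecutive pair over the period is counted, which is the most
    generous accounting possible for this construction.
    """
    if use_high_bits:
        halves = [x >> HALF for x in lcg_sequence(seed)]
    else:
        halves = [x & HALF_MASK for x in lcg_sequence(seed)]
    seen = set()
    for i in range(MOD):
        seen.add((halves[i] << HALF) | halves[(i + 1) % MOD])
    return len(seen)


if __name__ == "__main__":
    print("raw state   :", coverage_raw(), "of", MOD)
    print("concat high :", coverage_concat(use_high_bits=True), "of", MOD)
    print("concat low  :", coverage_concat(use_high_bits=False), "of", MOD)
```

The lower-half case is the degenerate one: the low 8 bits of the next state depend only on the low 8 bits of the current one, so only 256 distinct addresses can ever appear; the upper-half case covers much more but still misses part of the space, which is the shape of the 10% gap described above.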

  7. Re:There's a frightening liability aspect of this. by voixderaison · Score: 2, Informative

    It's also interesting to see a return to data-destructive worms. I can't remember the last time I had to worry about a virus that would actually screw up my machine.

    Some variants of the popular email-borne viruses in the last couple of years have swept through not only local disk drives but also through connected "mapped drives", replacing many types of files including image files, html files, and so forth with copies of the virus. Much simpler than a worm, but very, very nasty.

    --
    Things should be made as simple as possible, but not any simpler. -- Albert Einstein

  8. Re:Waxed? by voixderaison · Score: 2, Informative

    That confusion is natural. Modern worms have borrowed techniques from all types of malware, and it's really not easy to tell them apart any longer. In the old days, trojans, viruses, and worms were different. Nowadays the worms:
    • come into your network as spyware by crawling down a browser,
    • open up a trojan backdoor port,
    • log your keystrokes,
    • fetch instructions and installable components from remote servers via IRC, tftp, http, and other means,
    • upload email addresses, passwords, data, and,
    • probe your network and others on various ports.

    Is that a virus? Yes.
    Is that a trojan? Yes.
    Is that a worm? Yes, it spreads without asking you...

    I send you this tar file to have your advice.

    Sorry. I couldn't resist.

    --
    Things should be made as simple as possible, but not any simpler. -- Albert Einstein

  9. Re:only 10% of the internet? I didn't even feel it by ThisIsFred · Score: 2, Informative

    No, he's got a point. It only infected machines running specific applications. A less grand and sweeping statement, but entirely accurate, would be to say, "if the technique had been paired with a more common Windows vulnerability, only a bug in the worm's RNG would have prevented it from infecting all Internet-connected hosts with that vulnerability."

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS