Slashdot Mirror


Witty Worm Kick-Start Methods Revealed

voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

6 of 150 comments

  1. Re:Timeframe... by jchawk · Score: 4, Insightful

    I seriously hope you are joking.

    That's the last thing in the world I want happening in a production environment. Random companies patching random servers with 0 testing...

    For example, look at the service packs from Microsoft: many larger companies have yet to, and are unable to, roll out Service Pack 1 for Windows 2003 because they are still putting it through testing to make sure it doesn't break their existing setup. (This isn't to say they haven't patched, as Microsoft makes hotfixes and patches available for people in these situations that can be applied as needed.)

  2. Be paranoid (was: I'm not paranoid) by voixderaison · Score: 3, Insightful

    The worm known to Symantec as W32.Witty.Worm actually exploited a defect in commercial firewall products.

    This worm caused quite a stir in the security consulting community as a result. Professionals had for years been recommending PC firewall products as part of a defense-in-depth strategy. The risk with these modern, fancy host-based firewalls is that they let the packet onto the box and inspect it before deciding what to do.

    --
    Things should be made as simple as possible, but not any simpler. -- Albert Einstein

  3. Re:So what was the flaw? by merlin_jim · Score: 3, Insightful

    I don't think it's as cut and dry as you make it out to be.

    More likely, I think there's a defect in the random number generator (RNG) it used. And the initial spread JUST HAPPENED to come from an address the RNG would never have generated, making it patient zero logically.

    --
    I am disrespectful to dirt! Can you see that I am serious?!
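An added example (mine, not from the story, the CAIDA analysis or any commenter) of the reasoning in the comment above: a generator that permutes all of its 2^32 states can still never produce some target addresses, and an analyst can test a candidate patient-zero address against it. It assumes the worm used the Microsoft C runtime LCG with each target built from the top 16 bits of two consecutive states; those constants are an assumption of this example, not something this page states.

```python
# Added example, not from the story or the comments: why a flawed linear
# congruential generator (LCG) can leave addresses it never targets, and how
# an analyst tests an observed source address against that generator.
# ASSUMPTION (not stated on this page): the worm used the Microsoft C runtime
# LCG (multiplier 214013, increment 2531011, modulo 2**32) and built each
# target address from the top 16 bits of two consecutive generator states.

MULT = 214013
INC = 2531011
MASK32 = 0xFFFFFFFF


def lcg_next(state: int) -> int:
    """One step of the assumed generator (a permutation of all 2**32 states)."""
    return (MULT * state + INC) & MASK32


def target_from_state(state: int) -> int:
    """Target address the worm would build from this state and its successor."""
    return ((state >> 16) << 16) | (lcg_next(state) >> 16)


def reachable_low_halves(high16: int) -> set:
    """Every low 16-bit half the generator can pair with a given high half.
    Only states whose top 16 bits equal high16 can yield that prefix, so
    2**16 states must be checked rather than 2**32."""
    base = high16 << 16
    return {lcg_next(base | k) >> 16 for k in range(1 << 16)}


def generator_can_produce(addr: int) -> bool:
    """Forensic test: could the generator ever have emitted this target?
    A host seen infected before the generator could have chosen it points
    to a seeded hit list rather than random scanning."""
    return (addr & 0xFFFF) in reachable_low_halves(addr >> 16)


def coverage_fraction(high16: int) -> float:
    """Fraction of the /16 block high16 that the generator can ever hit;
    the shortfall is the 'protected' share of that block."""
    return len(reachable_low_halves(high16)) / float(1 << 16)


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


if __name__ == "__main__":
    # Constructed sample inputs: one /16 block and one generated target.
    print("coverage of 10.1.0.0/16: %.3f" % coverage_fraction(ip_to_int("10.1.0.0") >> 16))
    t = target_from_state(0x12345678)
    print("0x%08x reachable: %s" % (t, generator_can_produce(t)))
```

Run over a block, coverage_fraction shows the share of that /16 the assumed generator can reach at all; generator_can_produce is the check an analyst applies to an early-infected source to decide whether random scanning could explain it.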
  4. Only 10% of the internet? I didn't even feel it... by Anonymous Coward · Score: 1, Insightful

    I didn't even hear about this worm until now, so to say that only 10% of the internet was saved is hyperbole. Let's try to keep the news reporting a bit more real, aight?

  5. It's the HITLIST which is the biggest suggestion... by nweaver · Score: 3, Insightful

    It is the hitlist which is the biggest suggestion that it was done by an insider. Whoever wrote the worm had to know in advance about the military base and the others in the hitlist. This also suggests that an ISS insider would be more likely than an eEye insider.

    Not being an insider, it would still have been possible to write the worm (36 hours only, but it is doable considering how small the worm is), although the interesting part would be how the outsider knew whom to hit.

    --
    Test your net with Netalyzr

  6. Re:Waxed? by Doctor O · Score: 3, Insightful

    OTOH it was a quite brilliant and subtle move of the author to make it so destructive.

    1) It naturally limits its growth by taking its hosts offline.
    2) It makes sure it's going to be a blast, not a neverending wave like Code Red (of which we still get some infection attempts every week).
    3) This makes it ultimately *less* dangerous than most current worms.
    4) It has written WATCH DIS, YOU ARE SO OWNED WHEN I DECIDE TO RELEASE THE REAL ONE all over it. Most people don't seem to get this. Believe me, the people making a living from IT security are getting it. Those who don't won't be there after the next one, which will *not* limit its growth but instead adopts a more biological approach. Most security flaws aren't patched for weeks or months, so you have a reasonable timeframe in which you can slowly grow a starting population if you're being a good boy and just sending some queries for new victims with the normal bursts of internet traffic on your host.

    I personally find this a *very* elegant approach.

    As we're talking about it, to me all of this stuff still is amateur crap. I mean hey, look at it. They immediately catch everyone's attention. They saturate pipes, they hog resources. They're too loud. They spread fast enough to be detected. They can be easily grepped off the network. (When I wrote assembler back in the early 80s, there were several illegal opcodes which did essentially the same and were just not documented, so you can obfuscate anything by randomly exchanging the illegal opcodes of every instruction before passing it on to the next host, so if you also have the option to mask as legitimate traffic... you can write the payload ahead of time and just wait for some holes that are likely not patched for a while, put them in and off you go.) I could go on and on, but the point is, today's worms and virii are just amateur crap, like the first attempts of mankind to build airplanes.

    Then again, I'm quite sure there are at least some 'skilled' people out there who just calmly develop their high-end worms and work at cross-platform compatibility for building multi-million-machine bot nets just because. Maybe something like this is out already, behaving like a good boy and waiting to wake up. I find this a very interesting thing to watch, as it *will* eventually happen.

    I just hope that I won't be hit too hard when it comes. Until then, remember that if your data is valuable to you, always back up, and also to removable media (and yes, copy that stuff to new media once a year or so). Yes, I'm talking about your more than 10000 pictures of the family and kids, and all that email you love to keep around from 1990.

    --
    Who is General Failure and why is he reading my hard disk?