Witty Worm Kick-Start Methods Revealed
voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
Based on how quickly the code was put together, some experts, including Weaver himself, have theorized that an insider -- either someone who works for or has contacts within ISS or the company that found the vulnerability used by the worm, eEye Digital Security -- is the most likely creator of the worm. Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP, Weaver said.
This part is both very interesting and very scary. There has been speculation recently that many of the 'security' firms are sitting on vulnerabilities for unusually long periods of time. In my experience, eEye and ISS seemed relatively reputable (eEye in particular), so this statement is somewhat shocking.
I suppose it just takes one jackass employee to start speculation. Hopefully, if it really was an inside matter, the companies find and report the person responsible.
[...]
The vulnerability was discovered by eEye on March 8, 2004 and announced by both eEye and ISS on March 18, 2004. ISS released an alert warning users of a possibly exploitable security hole and provided updated software versions that were not vulnerable to the buffer overflow attack.
I think there's a lesson in this: the only way to keep ahead of exploits is to demand software companies automatically patch your software against security flaws via the Internet when exploits are discovered -- before details are released.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The FA was actually a decent read. It brings to mind that science class in middle school where we dissected worms to find out that they had five 'hearts.' Has anyone created a worm (of the malicious network variety) that can survive having pieces hacked off? I'm imagining the anti-virus/security companies issuing a new definition file and the worm, realizing it has lost its tail, continues with the other four hearts intact. Hrmm.
Bruce Schneier wrote a great summary of what made this worm special here. It's true that Witty didn't get as much press coverage as some; it really deserved to get more. The whole thing fit inside one UDP packet (like SQL Slammer) and it ramped up very quickly given that it only targeted a small fraction of Internet hosts (those running a couple of ISS products). And it was destructive to the host without harming its ability to spread. Rather breathtaking.
Brent J. Nordquist N0BJN
I don't know if there have ever been nastier ones
;)
Depends on what you mean by "nastier".
* In terms of total damages, Blaster and Sobig are the record holders.
* Compared to the number of machines on the internet at the time, the Robert Morris Internet Worm would take the record - it took out about 1 in 10 machines on the internet (ironic for a worm that was intended to spread slowly enough that it wouldn't be noticed - whoops!).
Personally, I was really annoyed by Code Red's spamming of my Apache logs.
All we want to do is eat your brains.
Yes, this claim was made the same day the worm came out. The thing that apparently even professional antivirus types don't always remember is that just because a worm is *released* the same day that a vulnerability was announced doesn't mean it was *coded* quickly.
In the case of the Witty worm, with its pre-determined hit list, it seems likely that reconnaissance was performed before the vulnerability was announced. In fact, the bulk of the worm code might have been sitting around, waiting for the next buffer overflow exploit to come around.
Likewise, the author of the worm might have known about the product defect for months or years before it was announced. They may have exploited it quietly for other purposes, and launched the worm once the defect was announced. Kids sometimes do this out of spite -- if another kid wants to play with their toy, they will sometimes break it.
It's not necessary that the cracker be inside the security company that found and announced the defect, nor be inside the company that made the product.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
Unlike most other vulnerabilities, you really couldn't scan for the ISS vulnerability WITHOUT actually exploiting it. Thus the hitlist had to be based on a priori knowledge rather than reconnaissance.
Test your net with Netalyzr
I betcha it was specifically created to AVOID the creator's systems. It would be trivial to engineer the target generator to skip any IP that gets too close to your home system. Make it overly-paranoid, and you end up with 10%.
Poor means hoping the toothache goes away.
Of course HE could have been a SHE.
From the article:
The analysis of the pseudo-random number generator found that the worm would not generate addresses for about 10 percent of the Internet and would generate the same address twice for another 10 percent of possible Internet addresses. The researchers used their analysis of the generator to plot the orbits -- the sequences of numbers each worm would create -- and found a single address from which copies of the worm propagated but which did not fall on any orbit.
This makes it sound like the originating IP was one of those ten percent.
Maybe it was a very subtle way to attempt to mask the originating IP? Sure it will block a few others, but you'll still hit 90%. It might block enough so that it seems like a programming flaw, but it's actually a deliberate flaw to hide the point of origin?
Though, this hypothesis is definitely getting into the realm of Spy vs. Spy if you ask me.
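The quoted passage describes the core of the CAIDA analysis: enumerate the orbits of the worm's pseudo-random generator, map each output to an address, and see which addresses are never produced (about 10 percent) and which are produced twice (another 10 percent); a sender whose address lies on no orbit cannot be an ordinary infected host. The toy below, an added example that is not code from the article, from CAIDA, or from any worm, reproduces that kind of analysis on a constructed 16-bit linear congruential generator. The constants, the 16-bit space, and the two address mappings are assumptions chosen for illustration; the `addr_top_bytes` mapping (top byte of two consecutive outputs) is deliberately non-bijective so that gaps and duplicates appear, while `addr_full_state` is bijective and serves as the control.

```python
"""Toy PRNG-coverage analysis: find every orbit of a small generator, map
consecutive outputs to 'addresses', and measure which addresses are never
produced and which are produced more than once.

All constants are constructed for a 16-bit toy space (added example); they
are not the constants of any real worm.
"""
from collections import Counter

STATE_BITS = 16
MOD = 1 << STATE_BITS          # 65536 states / 65536 possible addresses


def lcg_step(x, a=25173, c=13849):
    """One step of a constructed LCG.  c is odd and a-1 is divisible by 4,
    so by the Hull-Dobell conditions the walk over Z/2^16 is one full cycle."""
    return (a * x + c) % MOD


def enumerate_orbits(step, n=MOD):
    """Return all cycles ('orbits') of the map `step` on states 0..n-1.

    For a bijective map every state lies on exactly one cycle.  For a
    non-bijective map some states are transient and belong to no orbit;
    they are visited during the walk but never returned as part of a cycle."""
    seen = [False] * n
    orbits = []
    for start in range(n):
        if seen[start]:
            continue
        path, pos = [], {}
        x = start
        while not seen[x]:
            if x in pos:                  # walked back onto this path: new cycle
                orbits.append(path[pos[x]:])
                break
            pos[x] = len(path)
            path.append(x)
            x = step(x)
        for s in path:                    # mark cycle and transient states alike
            seen[s] = True
    return orbits


def addr_top_bytes(orbit, i):
    """Address built from the top byte of two consecutive outputs.
    This discards state bits, so it is not one-to-one: some addresses are
    hit twice and some never (the flaw the article's analysis describes)."""
    s1, s2 = orbit[i], orbit[(i + 1) % len(orbit)]
    return ((s1 >> 8) << 8) | (s2 >> 8)


def addr_full_state(orbit, i):
    """Control mapping: the raw state is the address (bijective, no gaps)."""
    return orbit[i]


def coverage(orbits, addr_fn, addr_space=MOD):
    """Count how often each address is produced across all orbits and
    summarise the gaps and duplicates."""
    counts = Counter()
    for orbit in orbits:
        for i in range(len(orbit)):
            counts[addr_fn(orbit, i)] += 1
    missed = addr_space - len(counts)
    duplicated = sum(1 for c in counts.values() if c > 1)
    return {
        "samples": sum(counts.values()),
        "missed": missed,
        "duplicated": duplicated,
        "missed_frac": missed / addr_space,
        "duplicated_frac": duplicated / addr_space,
    }


def never_generated(orbits, addr_fn, addr_space=MOD):
    """Addresses that fall on no orbit.  A packet source in this set cannot
    have been chosen by the generator, which is the reasoning used to single
    out a seeding host."""
    produced = {addr_fn(o, i) for o in orbits for i in range(len(o))}
    return sorted(set(range(addr_space)) - produced)


if __name__ == "__main__":
    orbits = enumerate_orbits(lcg_step)
    print("orbits:", len(orbits), "length of first:", len(orbits[0]))
    print("full-state mapping:", coverage(orbits, addr_full_state))
    print("top-bytes mapping: ", coverage(orbits, addr_top_bytes))
    gaps = never_generated(orbits, addr_top_bytes)
    print("addresses on no orbit:", len(gaps), "e.g.", gaps[:5])
```

Because the number of samples equals the size of the address space, every address that is missed is balanced by an extra hit somewhere else, which is why a gap fraction and a duplicate fraction of similar size, as the article reports, is the expected signature of a non-bijective output mapping rather than a coincidence.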