Slashdot Mirror


Witty Worm Kick-Start Methods Revealed

voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

2 of 150 comments (clear)

  1. Schneier Analysis by Brent+Nordquist · · Score: 5, Interesting

    Bruce Schneier wrote a great summary of what made this worm special here. It's true that Witty didn't get as much press coverage as some; it really deserved to get more. The whole thing fit inside one UDP packet (like SQL Slammer) and it ramped up very quickly given that it only targeted a small fraction of Internet hosts (those running a couple of ISS products). And it was destructive to the host without harming its ability to spread. Rather breathtaking.

    --
    Brent J. Nordquist N0BJN
  2. Coded quickly? (was: Source) by voixderaison · · Score: 5, Interesting

    Yes, this claim was made the same day the worm came out. The thing that apparently even professional antivirus types don't always remember is that just because a worm is *released* the same day that a vulnerability was announced doesn't mean it was *coded* quickly.

    In the case of the Witty worm, with it's pre-determined hit list, it seems likely that reconnaissance was performed before the vulnerability was announced. In fact, the bulk of the worm code might have been sitting around, waiting for the next buffer overflow exploit to come around.

    Likewise, the author of the worm might have known about the product defect for months or years before it was announced. They may have exploited it quietly for other purposes, and launched the worm once the defect was announced. Kids sometimes do this out of spite -- if another kid wants to play with their toy, they will sometimes break it.

    It's not necessary that the cracker be inside the security company that found and announced the defect, nor be inside the company that made the product.

    --
    Things should be made as simple as possible, but not any simpler. -- Albert Einstein