Slashdot Mirror
Witty Worm Kick-Start Methods Revealed
voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
Based on how quickly the code was put together, some experts, including Weaver himself, have theorized that an insider -- either someone who works for or has contacts within ISS or the company that found the vulnerability used by the worm, eEye Digital Security -- is the most likely creator of the worm. Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP, Weaver said.
This part is both very interesting and very scary. There has been speculation recently that many of the 'security' firms are sitting on vulnerabilities for unusually long periods of time. In my experience, eEye and ISS seemed relatively reputable (eEye in particular), so this statement is somewhat shocking.
I suppose it just takes one jackass employee to start speculation. Hopefully, if it really was an inside matter, the companies find and report the person responsible.
Video Phone Blogs send video messages straight to the web.
There's nothing worse than a witless worm.
Have you read my blog lately?
So, the witty worm was not complete. Would that make this worm a half-wit?
Statesmen serve to better the country and help the people.
Politicians serve to better themselves and help friends.
Most viruses and commercial products just clean your harddrive, but this one put a final coat of wax on too. If only some commercial disk cleaner could get that kind of a beautiful shiny finish added to its products....
I Am My Own Worst Enemy
I always do that! I always seem to miss some mundane detail!
Hmmm.
[...]
The vulnerability was discovered by eEye on March 8, 2004 and announced by both eEye and ISS on March 18, 2004. ISS released an alert warning users of a possibly exploitable security hole and provided updated software versions that were not vulnerable to the buffer overflow attack.
I think there's a lesson in this: the only way to keep ahead of exploits is to demand software companies automatically patch your software against security flaws via the Internet when exploits are discovered -- before details are released.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
It wrote random junk to random sectors of the drive until the machine died.
So essentially, yes.
It was a really nasty character. In fact, I don't know if there have ever been nastier ones. Most of the worms feel more like social engineering proofs of concept than anything else. This one was actually intentionally destructive, which is pretty rare.
D
The FA was actually a decent read. It brings to mind that science class in middle school where we dissected worms to find out that they had five 'hearts.' Has anyone created a worm (of the malicious network variety) that can survive having pieces hacked off? I'm imagining the anti-virus/security companies issuing a new definition file and the worm, realzing it has lost it's tail, continues with the other four hearts intact. Hrmm.
"...And then I said 'No I'm not, I'm a worm" Oh that witty worm.
OMG! If this analysis was done by *THE* Al CAIDA group, then you know it has to be right. err, I mean, those guys know lots about viruses and terrorism and worms and dirt floors and stuff...
Support NYCountryLawyer RIAA vs People
Bruce Schneier wrote a great summary of what made this worm special here. It's true that Witty didn't get as much press coverage as some; it really deserved to get more. The whole thing fit inside one UDP packet (like SQL Slammer) and it ramped up very quickly given that it only targeted a small fraction of Internet hosts (those running a couple of ISS products). And it was destructive to the host without harming its ability to spread. Rather breathtaking.
Brent J. Nordquist N0BJN
"The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order." Was it download, install, reboot or install, reboot, download? I can't remember!
The worm known to Symantec as W32.Witty.Worm actually exploited a defect in commercial firewall products.
This worm caused quite a stir in the security consulting community as a result. Professionals for years were recommending PC firewall products as part of a defense in depth strategy. The risk with these modern fancy host based firewalls is that they let the packet on the box and inspect it before deciding what to do.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
Multiple firewalls don't help. Try one properly configured software firewall.
Or if it's that important to you I trust a NAT firewall a lot more than I trust a software firewall.
I specifically asked some Microsoft guys about the Windows Firewall. To paraphrase their answer "Don't you dare try to protect a sensitive system with it but for consumers and especially laptop users who just need a security layer between them and the big bad world it works pretty good"
My translation: Windows Firewall on the gaming machine on DMZ. Everything else hides behind the NATting firewall (or a real ISS)
I am disrespectful to dirt! Can you see that I am serious?!
I don't think it's as cut and dry as you make it out to be.
More likely I think there's a defect in the random number gnerator (RNG) it used. And the inital spread JUST HAPPENED to come from an address the RNG would never have generated, making it patient zero logically
I am disrespectful to dirt! Can you see that I am serious?!
I don't know if there have ever been nastier ones
;)
Depends on what you mean by "nastier".
* In terms of total damages, Blaster and Sobig are the record holders.
* Compared to the number of machines on the internet at the time, the Robert Morris Internet Worm would take the record - it took out about 1 in 10 machines on the internet (ironic for a worm that was intended to spread slow enough that it wouldn't be noticed - whoops!).
Personally, I was really annoyed by Code Red's spamming of my apache logs
All we want to do is eat your brains.
Yes, this claim was made the same day the worm came out. The thing that apparently even professional antivirus types don't always remember is that just because a worm is *released* the same day that a vulnerability was announced doesn't mean it was *coded* quickly.
In the case of the Witty worm, with it's pre-determined hit list, it seems likely that reconnaissance was performed before the vulnerability was announced. In fact, the bulk of the worm code might have been sitting around, waiting for the next buffer overflow exploit to come around.
Likewise, the author of the worm might have known about the product defect for months or years before it was announced. They may have exploited it quietly for other purposes, and launched the worm once the defect was announced. Kids sometimes do this out of spite -- if another kid wants to play with their toy, they will sometimes break it.
It's not necessary that the cracker be inside the security company that found and announced the defect, nor be inside the company that made the product.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
It is the hitlist which is the biggest suggestion that it was done by an insider. Whoever wrote the worm had to know in advance about the military base and others in the hitlist. THis also suggests that an ISS insider would be more likely than an eEye insider.
Not being an insider it would still have been possible to write the worm (36 hours only, but it is doable considering how small the worm is), although the interesting part would be how the outsider knew who to hit.
Test your net with Netalyzr
One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver and Dan Ellis (of MITRE), published in the June 2004 issue of ;login, the
Usenix
magazine.
Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.
Some insights about the worm author that Weaver and Ellis proposed:
The authors' conclusion is somewhat alarming, they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.
ThomasLCG gives a 32 bit number, but only the lower 16 really look good for "random". So, following the Knuth recommendation, LCG was called twice, to create the upper and lower halves of the address.
This is the bug: For a worm you don't want random, you want random COVERAGE. By doing the concatination, about 10% of the 32 bit address space is never generated.
The flaw for patient 0 was different: It was simply running different code, so it produced different random numbers.
Test your net with Netalyzr
Unlike most other vulnerabilities, you really couldn't scan for the ISS vulnerability WITHOUT actually exploiting it. Thus the hitlist had to be based on a-priori knowledge rather than reconnisance.
Test your net with Netalyzr
I betcha it was specifically created to AVOID the creator's systems. It would be trivial to engineer the target generator to skip any IP that gets too close to your home system. Make it overly-paranoid, and you end up with 10%.
Poor means hoping the toothache goes away.
At the time, Dan and I did not know it was a Hitlist, we thought it was a botnet.
Knowing that it WAS a hitlist (that the author couldn't have scanned for in advance), makes it seem more likely that the author was an insider, someone with a relationship to ISS, rather than an outsider who worked fast, as the attacker had to know, in advance, the vulnerable systems needed to create the hitlist.
Test your net with Netalyzr
The pRNG bug was really subtle:
,which is what you want in a worm (but not necessarily in a random number). But concating the two 16 bit values together doesnt' cover the whole space. So its a very subtle bug, caused by the attacker being a bit TOO sophisticated.
The attacker could have just as easily protected himself by patching or removing ISS, so he didn't need self protection.
And the flaw was the case of the attacker being too subtle and proper. If you read Knuth, it says to use only the lower 16 bits of a 32 bit linear congruential pRNG, as only the lower 16 bits are reasonably random.
So the attacker called the pRNG twice, concating together the lower 16 bits of each try to create the target address.
The problem is, the linear congruential generator is a 32 bit permutation: if you just take the value it will cover the whole address space
And some of the 10% still got infected: eg, if they were snooping the wire to protect other systems.
Test your net with Netalyzr
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
- come into your network as spyware by crawling down a browser,
- open up a trojan backdoor port,
- log your keystrokes,
- fetch instructions and installable components from remote servers via IRC, tftp, http, and other means,
- upload email addresses, passwords, data, and,
- probe your network and others on various ports.
Is that a virus? Yes.Is that a trojan? Yes.
Is that a worm? Yes, it spreads without asking you... Sorry. I couldn't resist.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
OTOH it was a quite brilliant and subtle move of the author to make it so destructive.
1) It naturally limits its growth by taking its hosts offline.
2) It makes sure it's going to be a blast, not a neverending wave like Code Red (of which we still get some infection attempts every week).
3) This makes it ultimately *less* dangerous than most current worms.
4) It has written WATCH DIS, YOU ARE SO OWNED WHEN I DECIDE TO RELEASE THE REAL ONE all over it. Most people don't seem to get this. Believe me, the people making a living from IT security are getting it. Those who don't won't be there after the next one which will *not* limit its growth, but instead adapts a more biological approach. Most security flaws aren't patched for weeks or months, so you have a reasonable timeframe in which you can slowly grow a starting population if you're being a good boy and just sending some queries for new victims with the normal boosts of internet traffic on your host.
I personally find this a *very* elegant approach.
As we're talking about it, to me all of this stuff still is amateur crap. I mean hey, look at it. They immediately catch everyone's attention. They saturate pipes, they hog ressources. They're too loud. They spread fast enough to be detected. They can be easily grepped off the network. (When I wrote assembler back in the early 80s, there were several illegal opcodes which did essentially the same and were just not documented, so you can obfuscate anything by randomly exchanging the illegal opcodes of every instruction before passing it on to the next host, so if you also have the option to mask as legitimate traffic... you can write the payload ahead of time and just wait for some holes that are likely not patched for a while, put them in an off you go. I could go on and on, but the point is, today's worms and virii are just amateur crap, like the first attempts of mankind to build airplanes.
Then again, I'm quite sure there at least some 'skilled' people out there just calmly develop their high-end worms and work at cross-platform compatibility for building multi-million-machine bot nets just because. Maybe something like this is out already, behaving like a good boy and waiting to wake up. I find this a very interesting thing to watch, as it *will* eventually happen.
I just hope that I won't be hit too hard when it comes. Until then, remember that if your data is valuable to you, always backup, and also on removable media (and yes, copy that stuff to new media every once in a year). Yes, I'm talking of your more than 10000 pictures of the family and kids, and all that email you love to keep around from 1990.
Who is General Failure and why is he reading my hard disk?
No, he's got a point. It only infected machines running specific applications. A less grand and sweeping statement, but entirely accurate, would be to say, "if the technique had been paired with a more common Windows vulnerability, only a bug in the worm's RNG would have prevented it from infecting all Internet-connected hosts with that vulnerability."
Fred
"A fool and his freedom are soon parted"
-RMS