Slashdot Mirror


Witty Worm Kick-Start Methods Revealed

voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

10 of 150 comments

  1. Source by ProfaneBaby · Score: 4, Interesting

    Based on how quickly the code was put together, some experts, including Weaver himself, have theorized that an insider -- either someone who works for or has contacts within ISS or the company that found the vulnerability used by the worm, eEye Digital Security -- is the most likely creator of the worm. Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP, Weaver said.

    This part is both very interesting and very scary. There has been speculation recently that many of the 'security' firms are sitting on vulnerabilities for unusually long periods of time. In my experience, eEye and ISS seemed relatively reputable (eEye in particular), so this statement is somewhat shocking.

    I suppose it just takes one jackass employee to start speculation. Hopefully, if it really was an inside matter, the companies find and report the person responsible.

    --
    Video Phone Blogs send video messages straight to the web.
  2. Flawed worm by Vertdang · Score: 4, Funny

    "A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

    So, the witty worm was not complete. Would that make this worm a half-wit?

    --
    Statesmen serve to better the country and help the people.
    Politicians serve to better themselves and help friends.
  3. Re:Waxed? by nizo · Score: 5, Funny

    Most viruses and commercial products just clean your hard drive, but this one put a final coat of wax on too. If only some commercial disk cleaner could get that kind of a beautiful shiny finish added to its products...

  4. Re:Waxed? by daviddennis · Score: 4, Informative

    It wrote random junk to random sectors of the drive until the machine died.

    So essentially, yes.

    It was a really nasty character. In fact, I don't know if there have ever been nastier ones. Most of the worms feel more like social engineering proofs of concept than anything else. This one was actually intentionally destructive, which is pretty rare.

    D

  5. Re:Timeframe... by jchawk · Score: 4, Insightful

    I seriously hope you are joking.

    That's the last thing in the world I want happening in a production environment. Random companies patching random servers with 0 testing...

    For example, look at the service packs from Microsoft: many larger companies have yet to, and are unable to, roll out Service Pack 1 for Windows 2003 because they are still putting it through testing to make sure it doesn't break their existing setup. (This isn't to say they haven't patched, as Microsoft makes hotfixes and patches available for people in these situations that can be applied as needed.)

  6. Schneier Analysis by Brent Nordquist · Score: 5, Interesting

    Bruce Schneier wrote a great summary of what made this worm special here. It's true that Witty didn't get as much press coverage as some; it really deserved to get more. The whole thing fit inside one UDP packet (like SQL Slammer) and it ramped up very quickly given that it only targeted a small fraction of Internet hosts (those running a couple of ISS products). And it was destructive to the host without harming its ability to spread. Rather breathtaking.

    --
    Brent J. Nordquist N0BJN
  7. Coded quickly? (was: Source) by voixderaison · Score: 5, Interesting

    Yes, this claim was made the same day the worm came out. The thing that apparently even professional antivirus types don't always remember is that just because a worm is *released* the same day that a vulnerability was announced doesn't mean it was *coded* quickly.

    In the case of the Witty worm, with its pre-determined hit list, it seems likely that reconnaissance was performed before the vulnerability was announced. In fact, the bulk of the worm code might have been sitting around, waiting for the next buffer overflow exploit to come around.

    Likewise, the author of the worm might have known about the product defect for months or years before it was announced. They may have exploited it quietly for other purposes, and launched the worm once the defect was announced. Kids sometimes do this out of spite -- if another kid wants to play with their toy, they will sometimes break it.

    It's not necessary that the cracker be inside the security company that found and announced the defect, nor be inside the company that made the product.

    --
    Things should be made as simple as possible, but not any simpler. -- Albert Einstein
  8. regarding the author of Witty by nthomas · Score: 5, Informative

    One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver and Dan Ellis (of MITRE), published in the June 2004 issue of ;login, the Usenix magazine.

    Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.

    Some insights about the worm author that Weaver and Ellis proposed:

    • he was a fairly proficient programmer - there were no significant bugs in the code of the worm, he knew how to program x86 assembly and access the Windows API, he implemented a stack-overflow attack, and most importantly, he constructed a payload that was malicious to the host, but didn't significantly slow the worm's spread.
    • he was quite clever at what he did - randomly padded packet sizes, randomized the destinations and port numbers, and he seeded the worm (rather than start at a single location, the worm started out from 110 different victims) -- prior to this no one had significantly seeded their worms
    • he wrote compact code; Witty consists of 177 x86 instructions in 474 bytes (the rest is the buffer overflow and padding); with 177 instructions, he was able to construct routines to clean up from the overflow attack, seed the RNG, propagate the worm, and execute the malicious payload (Witty slowly overwrites disks on the infected hosts until the machine crashes)
    • he worked quite fast; the stack overflow in the ISS BlackIce products was published on March 18, 2004. Witty was released on March 19, 2004, less than 48 hours after the security advisory was published by eEye; it is possible that he knew of the vulnerability when eEye notified ISS on March 8, 2004, but the paper goes into why this is unlikely
    • he probably tested the worm before he released it (cf. the lack of major bugs); this combined with the fact that he seeded on 110 hosts, means that he had access to a wide array of compromised machines -- it probably means he has access to the "hacker underground", to gain access to these machines in such a short time frame

    The authors' conclusion is somewhat alarming; they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.

    Thomas
  9. The flaw... by nweaver · Score: 4, Informative

    LCG gives a 32-bit number, but only the lower 16 really look good for "random". So, following the Knuth recommendation, LCG was called twice, to create the upper and lower halves of the address.

    This is the bug: For a worm you don't want random, you want random COVERAGE. By doing the concatenation, about 10% of the 32-bit address space is never generated.

    The flaw for patient 0 was different: It was simply running different code, so it produced different random numbers.

    --
    Test your net with Netalyzr
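The coverage gap nweaver describes, reproduced at reduced scale as an added example (this is not code from the thread, from ISS, or from the CAIDA analysis): one full period of an LCG is enumerated twice, once using the raw state as the address and once building each address from the high half of two consecutive outputs, and the fraction of the address space ever generated is counted for each. Assumptions: the multiplier 214013 and increment 2531011 are the MSVC rand()-style constants that the CAIDA reconstruction attributes to Witty, and a 16-bit state with 8-bit halves stands in for the worm's 32-bit state with 16-bit halves so the whole period fits in a quick run (the resulting fraction therefore differs from the 10% figure for the real generator; only the mechanism is the same).

```python
# Added example (not from the thread or the CAIDA/ISS analyses): a
# full-period LCG visits every state once per cycle, so the raw state
# covers the whole address space, but an address built from the high
# half of two *consecutive* outputs is not a bijection on the state, so
# some addresses are never produced.  Assumed here: the MSVC rand()-style
# constants below are Witty's (per the CAIDA reconstruction), and 16-bit
# state / 8-bit halves stand in for 32-bit / 16-bit so the period is small.

A = 214013
C = 2531011


def lcg_step(x, bits):
    """One LCG step: x_{i+1} = (A * x_i + C) mod 2**bits."""
    return (A * x + C) % (1 << bits)


def coverage_concat(bits=16):
    """Fraction of the 2**bits address space that is ever generated when
    address_i = high half of x_i || high half of x_{i+1}."""
    half = bits // 2
    size = 1 << bits
    seen = bytearray(size)
    x = 0
    for _ in range(size):                 # one full period of the LCG
        nxt = lcg_step(x, bits)
        addr = ((x >> half) << half) | (nxt >> half)
        seen[addr] = 1
        x = nxt
    return sum(seen) / size


def coverage_raw_state(bits=16):
    """Fraction generated when the raw LCG state is used as the address;
    with a full-period generator this is exactly 1.0."""
    size = 1 << bits
    seen = bytearray(size)
    x = 0
    for _ in range(size):
        seen[x] = 1
        x = lcg_step(x, bits)
    return sum(seen) / size


if __name__ == "__main__":
    # At this scale the concatenation misses 44/256 of the space (0.828125
    # reachable); Witty's 32-bit version missed roughly 10% per the thread.
    print("concatenated halves :", coverage_concat())
    print("raw full-period state:", coverage_raw_state())
```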
  10. One correction... by nweaver · Score: 5, Informative

    At the time, Dan and I did not know it was a Hitlist, we thought it was a botnet.

    Knowing that it WAS a hitlist (that the author couldn't have scanned for in advance), makes it seem more likely that the author was an insider, someone with a relationship to ISS, rather than an outsider who worked fast, as the attacker had to know, in advance, the vulnerable systems needed to create the hitlist.

    --
    Test your net with Netalyzr