For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
The Witty worm: A new chapter in malware
or
Other Networking and Internet Stories
|
|
|
|
June 02, 2004 (Computerworld) -- If press coverage is any guide, then the Witty worm wasn't all that successful. Blaster, SQL Slammer, Nimda, even Sasser made bigger headlines. Witty infected only about 12,000 machines, almost none of them home users. It didn't seem like a big deal.
But Witty was a big deal (see story). It represented some scary malware firsts and is likely a harbinger of worms to come. IT professionals need to understand Witty and what it did.
Witty was the first worm to target a particular set of security products -- in this case Internet Security System's BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running.
A few things we learned from this worm:
Witty was wildly successful. Twelve thousand machines was the entire vulnerable and exposed population, and Witty infected them all -- worldwide -- in 45 minutes. It's the first worm that quickly corrupted a small population. Previous worms targeting small populations such as Scalper and Slapper were glacially slow.
Witty was speedily written. Security company eEye Digital Security discovered the vulnerability in ISS's BlackICE/RealSecure products on March 8, and ISS released a patched version on March 9. EEye published a high-level description of the vulnerability on March 18. On the evening of March 19, about 36 hours after eEye's public disclosure, the Witty worm was released into the wild.
Witty was very well written. It was less than 700 bytes long. It used a random-number generator to spread itself, avoiding many of the problems that plagued previous worms. It spread by sending itself to random IP addresses with random destination ports, a trick that made it easier to sneak through firewalls. It was -- and this is a very big deal -- bug-free. This strongly implies that the worm was tested before release.
Witty was released cleverly, through a bot network of about 100 infected machines. This technique has been talked about before, but Witty marks the first time we've seen a worm do it in the wild. This, along with the clever way it spread, helped Witty infect every available host in 45 minutes.
Witty was exceptionally nasty. It was the first widespread worm that destroyed the hosts it infected. And it did so cleverly. Its malicious payload, erasing data on random accessible drives in random 64KB chunks, caused immediate damage without significantly slowing the worm's spread.
What do we make of all this? Clearly the worm writer is an intelligent and experienced programmer; Witty is the first worm to combine this level of skill with this level of malice. Either he had inside advance knowledge of the vulnerability -- it is unlikely that he reverse-engineered it from the ISS patch -- or he worked very quickly. Maybe he had the worm written and just dropped the vulnerability in at the last minute. In any case, he seems to have deliberately targeted ISS. If his goal had been maximum spread, he could have waited for a more general vulnerability -- or series of vulnerabilities -- to use. The one he chose was optimized to inflict maximum damage on a specific set of targets. Was the attack against ISS, or against a particular user of ISS products? We don't know.
Witty represents a new chapter in malware. If it had used common Windows vulnerabilities to spread, it would have been the most damaging worm we have seen yet. Worm writers learn from each other, and we have to assume that other worm writers have seen the disassembled code and will reuse it in future worms. Even worse, Witty's author is still unknown and at large -- and we have to assume that he's going to do this kind of thing again.
More information: www.icsi.berkeley.edu/~nweaver/login_witty.txt
Bruce Schneier is chief technology officer of Counterpane Internet Security Inc. and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. He can be reached at www.schneier.com.
Print this Story
Send Us Feedback
E-mail this Story
Digg this Story
Slashdot this Story
"Mozilla's successful attempt to set a world record for downloads of a single program, Firefox 3 was dumb...."
Read more...
"It's the early 1990s when this pilot fish is challenged to find a better way to support telecommuting — and..."
Read more...
Read more Networking posts 
or See all Blogs
All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how.
Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft.
There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss.
With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
Data Center Management Zone
Enterprise-Class Security Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
Business Intelligence and Analytics Zone
See your link here
Advance your BlackBerry(R) solution management know-how this July
BlackBerry Technical Seminar, register today!
Go to the webcast 
Download this white paper, free, compliments of Kodak!
(Source: Kodak) For almost 80 years, Kodak has been helping banks, insurance companies, healthcare providers, government agencies and other businesses produce billions of document images. So Kodak is uniquely positioned to know - and deliver-what customers want: easy-to-use scanners that output the best possible image quality.
Download this white paper
Download this Executive Briefing now (a $195.00 value), compliments of ProCurve Networking by HP.
(Source: Computerworld) This briefing looks at the basics of network management, which tend to get lost in the dizzying array of products and processes. It also examines new tools that are on the way to help IT executives deal with management in the new era of automation.
Download this Executive Briefing now (a $195.00 value), compliments of ProCurve Networking by HP.
Download this executive briefing
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
View more whitepapers
Deploying Virtualized NetWare on Linux Whitepaper
Toward More Flexible, Next-Generation Collaboration Solutions
Driving Business Success Through Workgroup Choice and Flexibility
- Microsoft promises four patches next week
- Google gives away home-cooked Web application security scanner
- Storm botnet stages Fourth of July attacks
- More top stories
| XenServer FREE trial Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration. |
Who needs Mrs. Doubtfire? When it comes to spot-on "advice," we've got Aunt Donna.
|
|
Accelerate your pursuit of perfectionFor almost 80 years, Kodak has been helping banks, insurance companies, healthcare providers, government agencies and other businesses produce billions of document images. So Kodak is uniquely positioned to know and deliver–what customers want: easy-to-use scanners that output the best possible image quality. Download this white paper now!
|
 Networking Know-HowFor tips and best practices on building anything in the network, see Sandra Gittlen's regular column. Click here to read the latest column by Sandra Gittlen |
 |
 |
Troubleshooting Remote Site Networks - Best Practices
Management and remote site employees expect the same level of network service as the headquarters site. However, when IT staff are faced with limited resources to support remote site networks, often the applications, services and performance at those sites is not as robust as the headquarters site. See how to deliver a high level of network service at remote sites using the best practices outlined in this white paper.Read whitepaper now |
Super-size your LAN with fiber
Fiber optic technology frees the Local Area Network (LAN) from the confines of a single building, allowing a LAN to extend across a campus or a metropolitan area. Read how the selection of fiber optic components affects repeaterless transmission distance and how one school district used fiber to build a more reliable and more cost effective high-speed, district-wide network. Also, read how Metropolitan Area Network (MAN) ownership may require self-assessment of network performance.Read whitepaper now |
Determining the cause of poor application performance
Are users constantly complaining that your network is too slow? Or that they canât connect or can't stay connected? Are network applications hanging and slowing productivity? Do you spend way too much time trying to isolate the source of the problem and to prove that often the issue isn't the network at all but the application? In this on demand webcast, learn best practices and common root causes of application problems using case studies and live network traffic.Watch webcast now |
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDG Connect
IDG World Expo
Infoworld
The Industry Standard
ITworld
JavaWorld
LinuxWorld
MacUser
Macworld
Network World
PC World
Playlist
Copyright © 2008 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission of Computerworld Inc. is prohibited.
Computerworld and Computerworld.com and the respective logos are
trademarks of International Data Group Inc.
|
