Ads by TechWords

See your link here
Receive the latest technology news and information.
Networking
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

The Witty worm: A new chapter in malware

June 2, 2004 12:00 PM ET

Computerworld - If press coverage is any guide, then the Witty worm wasn't all that successful. Blaster, SQL Slammer, Nimda, even Sasser made bigger headlines. Witty infected only about 12,000 machines, almost none of them home users. It didn't seem like a big deal.
But Witty was a big deal (see story). It represented some scary malware firsts and is likely a harbinger of worms to come. IT professionals need to understand Witty and what it did.
Witty was the first worm to target a particular set of security products -- in this case Internet Security System's BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running.
A few things we learned from this worm:
Witty was wildly successful. Twelve thousand machines was the entire vulnerable and exposed population, and Witty infected them all -- worldwide -- in 45 minutes. It's the first worm that quickly corrupted a small population. Previous worms targeting small populations such as Scalper and Slapper were glacially slow.
Witty was speedily written. Security company eEye Digital Security discovered the vulnerability in ISS's BlackICE/RealSecure products on March 8, and ISS released a patched version on March 9. EEye published a high-level description of the vulnerability on March 18. On the evening of March 19, about 36 hours after eEye's public disclosure, the Witty worm was released into the wild.
Witty was very well written. It was less than 700 bytes long. It used a random-number generator to spread itself, avoiding many of the problems that plagued previous worms. It spread by sending itself to random IP addresses with random destination ports, a trick that made it easier to sneak through firewalls. It was -- and this is a very big deal -- bug-free. This strongly implies that the worm was tested before release.
Witty was released cleverly, through a bot network of about 100 infected machines. This technique has been talked about before, but Witty marks the first time we've seen a worm do it in the wild. This, along with the clever way it spread, helped Witty infect every available host in 45 minutes.

Witty was exceptionally nasty. It was the first widespread worm that destroyed the hosts it infected. And it did so cleverly. Its malicious payload, erasing data on random accessible drives in random 64KB chunks, caused immediate damage without significantly slowing the worm's spread.
What do we make of all this? Clearly the worm writer is an intelligent and experienced programmer; Witty is the first worm to



Jump to comments

Viruses

Additional Resources

Xerox
By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!
Microsoft
Save time and mitigate security risk. Deploy it now.
Sybase
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

White Papers & Webcasts

How to Secure and Accelerate Your Oracle Applications
Learn about the escalating application performance and security challenges facing corporations, today!  

Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.

Optimize Performance of Datacenter to Datacenter Traffic
To get the backups and database synchronizations completed on time, enterprises rely on WAN optimization from Blue Coat.  

Mitigate Risk, Lower Costs and Improve Network Efficiency
Create a stable IP network that not only meets today's challenges, but is flexible enough to also meet future demands.

Enterprise Application Delivery: No User Left Behind
Gain the ability to deliver applications to all users, using any device, across any network.  

Preparing Your Business Services for the Future
Would you trust your network monitoring tools enough to know when something is truly halting a business service?

Practical Strategies to Accelerate Business Applications Across the WAN
Discover how Blue Coat SG appliances, uses five essential techniques to speed delivery of internal and externally hosted business applications  

IPAM: Slashing Network Costs
Slashing Network Costs by Consolidating and Automating Core Network Services

Infonetics: WAN Optimization Appliance Market Highlights 1 Q09
Vendor market share positions shuffled once again in 1Q09, learn more now!  

Horror stories: Managing IT Across Multiple Locations
How one extra sharp IT manager eliminates daily agony, hassle and repetition.