'Witty' worm infects, dies quickly
The worm, dubbed Witty, exploits a flaw found last Wednesday in software and devices created by network protection firm
The worm breached systems through a security hole in ISS's firewall products, such as its BlackICE and RealSecure software. While the flaw affects the company's Proventia network devices, the manner in which the worm is constructed prevents it from infecting the devices.
ISS estimated that the worm could only affect about 2 percent of its customer base. Subscribers to the company's maintenance service had already received the update a week prior to the release of the worm, ISS stated on its Web site.
"We have been doing our own research (into the worm's spread), and we came up with 12,000 Internet addresses (that seem to be infected) at last check," said Dan Ingevaldson, director of ISS's vulnerability research and development group. "It is impossible to know how widespread it is. Whenever you count IP addresses you may be double counting or triple counting machines."
An unknown author created the worm about two days after news of the flaw became public, in what may be the fastest turnaround of malicious code writing to date. Like Slammer, the Witty worm spread through single packets of data sent on the Internet using a protocol known as the User Datagram Protocol, or UDP.
"It is the only time that I can think of that this had happened so quickly," Ingevaldson said. "This was surprising. We didn't think we would see something that could come up this big and fast."
ISS posted an update to patch the hole on its Web site Wednesday after network security firm eEye Digital Security found the flaw. ISS knew about the weakness for about 10 days, Ingevaldson said.
Witty had infected an estimated 30,000 computers by early Saturday morning, according to Internet Storm Center's Ullrich. By Monday, the worm wasn't actively spreading, he said, and the center's measure of the threat had been reduced from yellow to green.
"It killed off itself," he said. "It survives around half an hour on average."
The worm could spell trouble for ISS, as customers not only were infected by the program but also likely lost data.
"A lot of people lost data on their hard drives," said Joe Stewart, senior researcher for Internet security firm Lurhq. The worm attempts to infect 20,000 random addresses and then writes 65 kilobytes of data to a random location on the hard drive, slowly corrupting the infected computer's files.
Witty was designed to target a flaw in the code that ISS software uses to examine traffic from the Internet messaging application ICQ. Once it has infected a new machine, it runs alongside the ISS software and continues the infection cycle. Security experts are advising ISS firewall customers to patch their software immediately or use it to block UDP port 4000 to close the door on the worm.
The worm picked up its name from what appears to be a signature left in its source code by the programmer: "insert.witty.message.here."
ZDNet Australia staff contributed to this report.