ISS products targeted by Witty worm

ISS is warning users to patch their systems against the Witty worm, which writes junk data onto physical hard drives

Network security company ISS is likely to face embarrassing questions from its customers following the discovery of new worm on Saturday that was exploiting flaws in its software.

The worm, dubbed Witty.A, was designed to breach a security hole in the company's widely used firewall product line-ups such as its BlackICE and RealSecure software series.

Reports from Internet monitoring firms suggest the worm is similar to Blaster, which appeared last August and left a multi-million dollar damage trail for companies to clean up.

Security experts say the worm could cause system crashes as it tampers with local hard drives.

ISS posted an update to patch the hole on its Web site late last week but gave no indication of how long they'd known about the weakness. Witty had infected an estimated 10,000 computers by early Saturday, EDT, and recent reports suggest that number may have increased to around 50,000 in the last 24 to 48 hours.

Unlike recent viruses that have relied on email to spread, Witty requires no human intervention in order to propagate.

Like Blaster, Witty spreads autonomously using its host PC as staging point to snoop around for other vulnerable PCs. However, Witty was designed to target a flaw in software used in ISS software products to examine ICQ traffic. Once it has infected a new machine it runs alongside ISS software and continues the infection cycle.

Security experts are advising ISS firewall customers to patch their software immediately or use it to block UDP port 4000 to close the door on the worm.

The worm picked up its name from what appears to be a signature marking left in it source code by the programmer.