Wisdom of the Witty Worm.

For all the malicious code that has attacked computers in recent years, no widespread worm has actually targeted security software--until now. The Witty Worm, which struck in March, targeted a vulnerability in firewall products from Internet Security Systems (ISS).


Like other worms, Witty commandeered infected computers to seek out new targets; and like other worms, once its target population had been saturated, the rate of infections quickly dropped off (Witty peaked in about 45 minutes and ultimately infected far fewer computers than did worms such as SQL Slammer).

But despite its limited spread, Witty was a pioneer in many ways, even apart from targeting ISS firewalls. Unlike most other worms, Witty spread without relying on e-mail. It masqueraded as an ICQ instant-message packet, and carried a harmful payload that caused it to write data to the hard drive until the machine crashed--two ways in which this worm signals alarming trends, according to research by analysts at the University of California at San Diego's Computer Science and Engineering Department and the Cooperative Association for Internet Data Analysis (CAIDA).

It began its spread only a day after the vulnerability it exploited was made public, "the shortest known interval between vulnerability disclosure and worm release" yet seen, according to a CAIDA paper on Witty. This brings it dangerously close to realizing the much-feared "zero-day exploit," in which an attack will exploit a vulnerability that is not yet known. Worm researcher Jose Nazario, author of the book Defense and Detection Strategies against Internet Worms, agrees that the short interval between disclosure and worm shows "that someone had intimate knowledge of the attack required to leverage the vulnerability" even before the vulnerability was disclosed.

The CAIDA paper also credits Witty with accomplishing an amazing task: It infected 110 hosts in the first ten seconds of its spread, meaning that it likely used a list of computers known to be vulnerable (the paper calls the chances of a single instance of a worm infecting so many machines randomly in so short a time "vanishingly small").

Not everyone agrees with that assessment, however. Nazario notes that the spread of Internet worms is not typically measured in seconds and says he would like to see "additional measurement points to attempt to discern this phenomenon." But, he adds, "If it's real, then something is really interesting about this."

Witty also proves that worms are an effective tool for compromising machines "even in niches without a software monopoly," according to the CAIDA paper.

Link to The Spread of the Witty Worm, along with animations of the spread of the worm across the USA and the world, through SM Online. Go to "Beyond Print," then to "Tech Talk."

COPYRIGHT 2004 American Society for Industrial Security

Article Details
Title Annotation: Tech Talk
Author: Piazza, Peter
Publication: Security Management
Geographic Code: 1USA
Date: Jul 1, 2004