Witty (computer worm)

from Wikipedia, the free encyclopedia
Witty
Name: Witty
Aliases: Blackworm
Known since: 2004
Origin: Europe
Type: Network worm
Spreads via: exploit of Internet Security Systems (ISS) software
Affected systems: Windows with ISS software

The Witty worm is a computer worm that began spreading on the Internet on March 19, 2004, but which no longer appears to be in the wild. The worm is also known as Blackworm. In malware databases it is usually cataloged under the name W32.Witty.Worm.


Attack vector

ISS (Internet Security Systems) is a manufacturer of security software, including the personal firewalls BlackICE PC Protection and RealSecure Desktop. The products focus on detecting and repelling intrusions; in technical terminology they are intrusion detection systems, or IDS for short.

To detect possible attacks, incoming data packets are examined for attack patterns by the so-called Protocol Analysis Module (PAM), which is included in all ISS products. For example, UDP packets with source port 4000 are treated as ICQ server responses and inspected for possible exploits against ICQ clients.

On March 8, 2004, the company eEye Digital Security discovered a string-handling error in the program routine that analyzes packets of the ICQ protocol. This bug can be exploited: with specially crafted packets, the software that is supposed to protect against intrusions can itself become the target. eEye notified ISS of the vulnerability and announced that it would publish it on its website shortly.

On March 18, eEye and ISS published details of the vulnerability, and ISS provided security updates for the affected products.

The next day, on March 19, 2004 at 05:46 CET, the Witty worm appeared, exploiting this hole. At the time this was the shortest interval yet observed between the publication of a vulnerability and the appearance of an automated attack exploiting it.

How the worm works

The worm attacked computers on which Internet Security Systems (ISS) security software was installed. A vulnerability in this software allowed the worm to place its code in the vulnerable system's memory and have it executed. The Witty worm carries a damage routine, a so-called payload, which destroys parts of the hard disk on infected systems. The worm's code contains the text:

(^.^)    insert witty message here    (^.^)

"Insert witty message here" (Engl. witty = clever, humorous); hence the worm's name.

Once the worm has infected a computer, it seeds a pseudo-random number generator with the system time. It then sends 20,000 copies of itself, each in a single UDP packet, to randomly selected IP addresses with a random destination port; the source port is always UDP port 4000. Next it opens a randomly chosen one of the first eight hard disks and overwrites a randomly selected cluster on it. It then generates new pseudo-random numbers and sends out another 20,000 copies.
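The traffic pattern just described (UDP, fixed source port 4000, random destination address and random destination port, thousands of packets per burst) is what a network defender can look for in flow records. The following Python is an added example, not part of the Wikipedia article, that runs a simple fan-out heuristic over constructed flow records; the addresses, record format and thresholds are assumptions made for illustration.

```python
import random
from collections import defaultdict


def make_sample_flows():
    """Constructed flow records in the form (src_ip, src_port, dst_ip, dst_port, proto).

    The data is made up for this example: 192.0.2.10 behaves like a Witty-infected
    host spraying UDP from source port 4000 to random addresses and ports, while
    192.0.2.20 behaves like a legitimate ICQ server that also answers from port 4000
    but only to a handful of clients.
    """
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    flows = []
    for _ in range(500):
        dst = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        flows.append(("192.0.2.10", 4000, dst, rng.randrange(1024, 65536), "udp"))
    for i, dst in enumerate(("198.51.100.5", "198.51.100.6", "198.51.100.7")):
        for _ in range(40):
            flows.append(("192.0.2.20", 4000, dst, 50000 + i, "udp"))
    flows.append(("192.0.2.30", 443, "203.0.113.9", 51234, "tcp"))  # unrelated traffic
    rng.shuffle(flows)
    return flows


def find_udp4000_sprayers(flows, min_destinations=100, min_ports=50):
    """Return sources sending UDP from port 4000 to many distinct hosts and ports.

    A single ICQ server also answers from port 4000, but to a bounded set of
    clients, so the heuristic requires both a large number of distinct destination
    addresses and a large number of distinct destination ports before alerting.
    """
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        if proto == "udp" and sport == 4000:
            dsts[src].add(dst)
            ports[src].add(dport)
    return sorted(
        src for src in dsts
        if len(dsts[src]) >= min_destinations and len(ports[src]) >= min_ports
    )


if __name__ == "__main__":
    print("suspected Witty-style sprayers:", find_udp4000_sprayers(make_sample_flows()))
```

The same fan-out logic applies to any scanning worm; what ties it to Witty is the fixed source port combined with randomized destination ports, which ordinary client or server traffic does not produce.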

The speed at which the worm spreads is limited by the bandwidth of the network connection. The traffic generated by infected hosts can overload the local network.

The worm is fileless and memory-resident: it exists only in system memory. Unlike a computer virus, it does not infect other program files. The worm continues its work until the computer is restarted or crashes because of the data the worm has destroyed.

Chronology and extent of distribution

The University of California holds a large registered range of IP addresses on which no services are offered. The Cooperative Association for Internet Data Analysis (CAIDA) records the data packets arriving in this address range with so-called network telescopes. The data is evaluated statistically to draw conclusions about how far Internet worms have spread.

By reverse-engineering the Witty worm's pseudo-random number generator and analyzing the network telescope data, Abhishek Kumar of the Georgia Institute of Technology and Vern Paxson and Nicholas Weaver of the International Computer Science Institute were able to narrow down the IP address from which the worm was launched. It belongs to the address range of a European Internet provider.
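The idea behind that analysis is that a deterministic generator seeded with the system time leaves a fingerprint: the telescope sees only the packets that happen to land in its own address range, but because the target sequence is fixed by the seed, that visible subsequence identifies the seed, and the source address on those packets ties it to one infected host. The following Python is an added example that illustrates the principle on a toy scale; it is not the authors' code, the generator constants, telescope size (a /4), burst length and seed are assumptions made for illustration and are not claimed to be Witty's.

```python
MOD = 2 ** 32
MUL = 1103515245      # textbook LCG constants, assumed for this example
INC = 12345
TELESCOPE_BITS = 4    # assume the telescope owns 0.0.0.0/4, i.e. 1/16 of the space
PACKETS_PER_BURST = 200   # constructed burst length (the real worm sent 20,000)
TRUE_SEED = 1079675160    # constructed "system time" seed (a 2004-era timestamp)


def lcg(state):
    """One step of the toy linear congruential generator."""
    return (MUL * state + INC) % MOD


def burst_targets(seed, n=PACKETS_PER_BURST):
    """Destination addresses (32-bit ints) an infected host would draw from seed."""
    out, state = [], seed
    for _ in range(n):
        state = lcg(state)
        out.append(state)
    return out


def seen_by_telescope(addr):
    """True if the address falls inside the telescope's (assumed) prefix."""
    return (addr >> (32 - TELESCOPE_BITS)) == 0


def telescope_view(seed):
    """The in-order subsequence of a burst that the telescope would record."""
    return [a for a in burst_targets(seed) if seen_by_telescope(a)]


def matches(seed, observed):
    """Check a candidate seed against the observed subsequence, failing fast."""
    state, i = seed, 0
    for _ in range(PACKETS_PER_BURST):
        state = lcg(state)
        if seen_by_telescope(state):
            if i >= len(observed) or observed[i] != state:
                return False
            i += 1
    return i == len(observed)


def recover_seed(observed, t_low, t_high):
    """Brute-force the seed over a window of plausible system-time values."""
    for seed in range(t_low, t_high):
        if matches(seed, observed):
            return seed
    return None


def dotted(addr):
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


if __name__ == "__main__":
    observed = telescope_view(TRUE_SEED)
    print("telescope saw", len(observed), "of", PACKETS_PER_BURST, "packets:",
          [dotted(a) for a in observed[:4]], "...")
    print("recovered seed:", recover_seed(observed, TRUE_SEED - 2000, TRUE_SEED + 2000))
```

The search window stands in for the analyst's prior knowledge of roughly when the host was infected; recovering the seed also recovers that infection time, which is what lets bursts from many hosts be ordered and traced back to the first one.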

From this address, 110 computers at a US military base were deliberately targeted and infected. Starting from these computers, the worm then showed the exponential growth typical of Internet worms: more than 12,000 systems were infected within just 75 minutes. The Witty worm proved that worms can spread quickly even among systems that hold only a relatively small share of the network.

Because of its destructive payload, half of the infected computers were no longer active twelve hours after the worm began to spread. The worm thus limits its own propagation, and the wave of infections ended after a short time.
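The two effects described above, exponential growth from a seeded population and self-limitation as the payload knocks hosts out, can be put into a simple discrete-time model. The following Python is an added example, not from the article; the per-host packet rate and the modelling of hosts dying with a fixed half-life are constructed assumptions, while the 110 seed hosts, the roughly 12,000 vulnerable systems and the twelve-hour figure are taken from the text.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses the worm picks targets from


def simulate_outbreak(vulnerable=12000, seeded=110, packets_per_minute=35000,
                      half_life_minutes=720, minutes=1440):
    """Model a random-scanning worm whose payload gradually destroys its hosts.

    Each minute every active host sends packets_per_minute probes to uniformly
    random addresses, so a given susceptible host is reached with probability
    1 - exp(-active * packets_per_minute / ADDRESS_SPACE).  Active hosts are then
    removed at a rate chosen so that half of them are gone after half_life_minutes.
    Returns rows of (minute, active_infected, ever_infected).
    """
    susceptible = float(vulnerable - seeded)
    active = float(seeded)
    ever = float(seeded)
    death_p = 1.0 - 2.0 ** (-1.0 / half_life_minutes)
    rows = [(0, round(active), round(ever))]
    for minute in range(1, minutes + 1):
        probes = active * packets_per_minute
        newly = susceptible * (1.0 - math.exp(-probes / ADDRESS_SPACE))
        susceptible -= newly
        active += newly
        ever += newly
        active -= active * death_p   # hosts wrecked by the disk-overwriting payload
        rows.append((minute, round(active), round(ever)))
    return rows


def peak(rows):
    """The (minute, active, ever) row with the most active infected hosts."""
    return max(rows, key=lambda r: r[1])


if __name__ == "__main__":
    rows = simulate_outbreak()
    for minute in (0, 30, 60, 75, 120, 240, 720, 1440):
        print("minute %4d: active %5d, ever infected %5d" % rows[minute])
    print("peak:", peak(rows))
```

With these constructed parameters the infected population saturates within the first two hours and then decays, which is the qualitative shape the article describes: the worm runs out of both targets and scanners, so the wave ends quickly regardless of how fast it started.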

Summary

With around 12,000 infected computers, Witty reached only about a sixth of the spread of the SQL Slammer worm (75,000 infected hosts) and only about a thirtieth of that of Code Red (359,000 infected computers). Accordingly, the economic damage was comparatively small.

However, Witty is notable for the following reasons:

  • An ironic aspect is that security software, of all things, served as the worm's entry point.
  • The Witty worm proved that niche products are also at risk from worms.
  • The short time between the publication of the vulnerability and the appearance of the worm made a worm acting as a zero-day exploit or zero-day attack (zero-day = 0 days) seem realistic: an automated attack on a vulnerability that is not yet publicly known.
  • For the first time, the IP address of a worm's original sender was located through technical analysis.

In the following years, zero-day exploits were indeed used, as Witty had foreshadowed.
