"Witty" Worm Wrecks Computers 587
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
Re:Imprecise! (Score:1, Informative)
Re:Stick to hardware routers and firewalls... (Score:2, Informative)
This is an interesting one, almost biological (Score:5, Informative)
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."
Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.
It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).
I think this will be with us for a while, particularly when mutations start showing up.
Re:Imprecise! (Score:2, Informative)
If it had more partitions, use gpart to find the partitions. It's not perfect, so watch what you're doing.
If it destroys more than just the first sector, it'll (on FAT filesystems) destroy the partition boot sector, the directory, and the FATs. Which means you have to recover the data from backups.
Re:Oh no (Score:5, Informative)
Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation [sourceforge.net]. After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool [salvagentfs.com] that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.
If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".
Re:This is crazy (Score:2, Informative)
This virus was because of people running firewall software.
First Hand Experience (Score:4, Informative)
Re:how do you lose the data? (Score:5, Informative)
Read the User agreement Re:Liability? (Score:3, Informative)
In no way can you hold us responsible for loss of data, damage to your system bla bla bla.. basically use at your own risk.
Re:Imprecise! (Score:2, Informative)
#1 Install it as a secondary drive on a computer that has a bootable drive. Assuming the File Allocation Tables have not been overwritten, you can read the data as usual. Also assuming that the Windows permissions let you do this. I have known some NTFS drives that won't let you, but that is fixable with a software program I think.
#2 Same way you recover information after a hard drive crash. Take it to the people that do the pro recovery.
Since it has been said that it only overwrites the first few sectors, sounds like only the boot sector is affected. If it is running a FAT file system, the FAT tables may get overwritten, but the data is still recoverable (try using the 'scandisk
Re:How does this thing spread? (Score:2, Informative)
The worm will attempt to propagate immediately by sending copies of itself out across the wire to random targets. After sending a predefined number of packets, Witty attempts to open a randomly determined physical drive and write 64k of data to a random location. This cycle repeats for every 20,000 packets sent.
Re:One question (Score:2, Informative)
Easy
"The Witty worm....only infects Win32 systems." [iss.net]
To be fair (and it pains me to be so), it seems to be a problem with the application rather than system softs.
Norton Antivirus / BlackICE patches (Score:2, Informative)
As the story summary states, it "attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues." Devastating.
BlackICE patches are available [iss.net].
Re:How... (Score:5, Informative)
Re:Call me a troll if you will... (Score:2, Informative)
Be realistic (Score:5, Informative)
That's the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they should be giving away firewalls too.. they are just as cheap. (though, yes, I realize that they make their money via ink carts.. but you get my point)
Re:where are all the virus's that do real damage? (Score:2, Informative)
"Attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues."
Given the amount of sectors on a hard-drive, how long will it take for the worm to randomly choose the boot sectors on the boot disk?
Re:Imprecise! (Score:5, Informative)
Try running Testdisk: http://www.cgsecurity.org/index.html?testdisk.html [cgsecurity.org]
It comes as part of Knoppix I believe, and was a great help last time someone lost their partition table. After that, just fsck as normal.
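Several posts in this thread (gpart, SalvageNTFS, TestDisk) make the same point: losing the first few sectors loses the MBR and its partition table, not the filesystems behind it, and a recovery tool rebuilds the table by scanning the disk for the volumes' own boot sectors. The Python below is an added example of that scan, run on a disk image constructed in memory; it is not code from gpart, TestDisk or SalvageNTFS. It assumes 512-byte sectors, an MBR-style table, and the standard NTFS/FAT boot-sector layout (OEM id at offset 3, FAT type strings at offsets 54 and 82, total-sector fields at offsets 19, 32 and 40, 0x55AA signature at offset 510); the image layout (NTFS volume at LBA 63, FAT16 volume after it) is a constructed sample.

```python
"""Rebuild a lost MBR partition table by scanning for filesystem boot sectors.

Added example, not code from gpart, TestDisk or SalvageNTFS. The disk image is
constructed in memory: 4096 sectors of 512 bytes, an NTFS volume at LBA 63 and
a FAT16 volume after it. Only the boot-sector fields the scan needs are filled.
"""
import struct

SECTOR = 512
TYPE_CODES = {"NTFS": 0x07, "FAT16": 0x06, "FAT32": 0x0B}   # MBR partition type ids
ENTRY = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def make_boot_sector(fs, total_sectors):
    """Minimal NTFS / FAT32 / FAT16 boot sector: jump, OEM id, BPB size fields, signature."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                      # jump over the BPB, as real boot code does
    struct.pack_into("<HB", bs, 11, SECTOR, 8)      # bytes per sector, sectors per cluster
    if fs == "NTFS":
        bs[3:11] = b"NTFS    "
        struct.pack_into("<Q", bs, 40, total_sectors)   # NTFS total sectors (u64)
    elif fs == "FAT32":
        bs[3:11] = b"MSWIN4.1"
        struct.pack_into("<I", bs, 32, total_sectors)   # large total sectors (u32)
        bs[82:90] = b"FAT32   "
    else:                                                # FAT12 / FAT16
        bs[3:11] = b"MSWIN4.1"
        struct.pack_into("<H", bs, 19, total_sectors)   # small total sectors (u16)
        bs[54:62] = fs.ljust(8).encode()
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def identify_boot_sector(sec):
    """Return (fs_type, total_sectors) if `sec` is an NTFS or FAT boot sector, else None.
    An MBR also ends in 0x55AA, so the filesystem id strings are what mark a volume."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xAA":
        return None
    if sec[3:11] == b"NTFS    ":
        return "NTFS", struct.unpack_from("<Q", sec, 40)[0]
    if sec[54:62].startswith(b"FAT1"):
        small = struct.unpack_from("<H", sec, 19)[0]
        large = struct.unpack_from("<I", sec, 32)[0]
        return sec[54:59].decode(), small or large
    if sec[82:90] == b"FAT32   ":
        return "FAT32", struct.unpack_from("<I", sec, 32)[0]
    return None


def scan_for_partitions(image):
    """Walk the image sector by sector, as gpart/TestDisk do, and return
    [(start_lba, fs_type, size_in_sectors)]. After a hit the scan skips past the
    volume so nothing inside it (e.g. FAT32's backup boot sector) is reported twice.
    Real NTFS volumes also keep a backup boot sector in their last sector; this
    constructed image has none, so the scan does not have to de-duplicate it."""
    found, lba, n = [], 0, len(image) // SECTOR
    while lba < n:
        hit = identify_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if hit:
            found.append((lba, hit[0], hit[1]))
            lba += max(hit[1], 1)
        else:
            lba += 1
    return found


def build_partition_table(parts):
    """Write up to four scan results into a fresh MBR (table at offset 446, 16 bytes
    per entry). CHS fields are set to 0xFFFFFF, the usual marker for LBA-only entries."""
    mbr = bytearray(SECTOR)
    for i, (start, fs, size) in enumerate(parts[:4]):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, 0x80 if i == 0 else 0x00,
                         b"\xFF\xFF\xFF", TYPE_CODES[fs], b"\xFF\xFF\xFF", start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_partition_table(mbr):
    """Return [(start_lba, type_code, size)] for the non-empty entries of an MBR."""
    if mbr[510:512] != b"\x55\xAA":
        return []
    entries = []
    for i in range(4):
        _, _, ptype, _, start, size = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype:
            entries.append((start, ptype, size))
    return entries


def build_sample_image():
    """Constructed 2 MiB disk with a valid MBR and two volumes."""
    layout = [(63, "NTFS", 2000), (2063, "FAT16", 2033)]
    image = bytearray(4096 * SECTOR)
    image[0:SECTOR] = build_partition_table(layout)
    for start, fs, size in layout:
        image[start * SECTOR:(start + 1) * SECTOR] = make_boot_sector(fs, size)
    return image


def simulate_lost_leading_sectors(image, count):
    """Zero the first `count` sectors of the in-memory image (MBR and table gone)."""
    image[:count * SECTOR] = bytes(count * SECTOR)


if __name__ == "__main__":
    disk = build_sample_image()
    print("before:", parse_partition_table(disk[:SECTOR]))
    simulate_lost_leading_sectors(disk, 8)
    print("after losing sectors 0-7:", parse_partition_table(disk[:SECTOR]))
    recovered = scan_for_partitions(disk)
    print("recovered by scan:", recovered)
    disk[0:SECTOR] = build_partition_table(recovered)
    print("rebuilt table:", parse_partition_table(disk[:SECTOR]))
```

The scan works because each volume's boot sector sits at the start of its own partition, well past the damaged sectors, and records the volume's own size, which is all an MBR entry needs. On a real disk the scan must also cope with backup boot sectors, stale boot sectors from earlier partitioning, and extended partitions, which is where a tool like TestDisk earns its keep.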
Overwrites 64k of data at random location,NOT MBR! (Score:3, Informative)
Not so trivial... (Score:4, Informative)
NASTY worm. Definitely old-school in nature - I wondered when someone would get around to making something along these lines.
Incorrect analysis? (Score:5, Informative)
The worm's functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
(emphasis mine)
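The question raised earlier in the thread (how long until the worm's random writes land on the boot sectors?) can be worked out from the write cycle listed in this post. The Python below is an added example, not code from the thread or from eEye or ISS. It models each cycle as a uniformly random 512-byte sector offset on one of the eight PHYSICALDRIVE slots (the boot disk assumed to be one slot, a non-existent slot being a wasted cycle), with a 128-sector write every 20,000 packets. The 40 GiB disk size, the partition boot sector at LBA 63 and the packet rate are assumed values, and the model also answers the complementary question of how much of the disk gets corrupted in the meantime.

```python
"""Model of Witty-style random disk writes (added example, not from the thread).

Assumptions: 512-byte sectors; each cycle picks one of the 8 PHYSICALDRIVE slots
uniformly (a pick that does not exist is a wasted cycle, as the thread says), so
the boot disk is hit with probability 1/8; within a disk the write start is a
uniformly random sector offset; 64 KiB = 128 sectors are written per cycle.
"""

SECTOR_BYTES = 512
WRITE_SECTORS = 65536 // SECTOR_BYTES      # 128 sectors per cycle (thread: 64k / 128 sectors)
DRIVE_SLOTS = 8                             # PHYSICALDRIVE0..7
PACKETS_PER_CYCLE = 20_000                  # packets sent between writes (thread)


def overlap_start_positions(total_sectors, region_start, region_end):
    """Number of start offsets s in [0, total_sectors) for which the write
    [s, s + WRITE_SECTORS) touches at least one sector of [region_start, region_end)."""
    lo = max(0, region_start - (WRITE_SECTORS - 1))
    hi = min(total_sectors, region_end)
    return max(0, hi - lo)


def hit_probability_per_cycle(total_sectors, region_start, region_end):
    """P(one cycle damages the region): pick the boot disk (1/8) and land on the region."""
    positions = overlap_start_positions(total_sectors, region_start, region_end)
    return positions / (total_sectors * DRIVE_SLOTS)


def expected_cycles_to_hit(total_sectors, region_start, region_end):
    """Mean of the geometric distribution: cycles until the region is first hit."""
    positions = overlap_start_positions(total_sectors, region_start, region_end)
    return float("inf") if positions == 0 else (total_sectors * DRIVE_SLOTS) / positions


def probability_hit_within(cycles, total_sectors, region_start, region_end):
    """P(region hit at least once in `cycles` cycles) = 1 - (1 - p)^cycles."""
    p = hit_probability_per_cycle(total_sectors, region_start, region_end)
    return 1.0 - (1.0 - p) ** cycles


def expected_corrupted_fraction(total_sectors, cycles):
    """Expected fraction of the boot disk's sectors overwritten after `cycles` cycles.
    A given sector is covered by one write with probability WRITE_SECTORS / total_sectors
    once that disk is picked (edge effects at the very start of the disk ignored)."""
    p_sector = WRITE_SECTORS / (total_sectors * DRIVE_SLOTS)
    return 1.0 - (1.0 - p_sector) ** cycles


def cycles_to_seconds(cycles, packets_per_second):
    """Wall-clock time for `cycles` write cycles at an assumed send rate."""
    return cycles * PACKETS_PER_CYCLE / packets_per_second


if __name__ == "__main__":
    disk = 40 * 2**30 // SECTOR_BYTES      # assumed 40 GiB boot disk = 83,886,080 sectors
    pps = 10_000                            # assumed send rate, packets per second
    day_cycles = 86400 * pps / PACKETS_PER_CYCLE
    mbr = expected_cycles_to_hit(disk, 0, 1)
    pbs = expected_cycles_to_hit(disk, 63, 64)   # assumed partition boot sector at LBA 63
    print(f"MBR: ~{mbr:,.0f} cycles, ~{cycles_to_seconds(mbr, pps) / 86400:,.0f} days")
    print(f"partition boot sector: ~{pbs:,.0f} cycles")
    print(f"P(MBR hit within one day) = {probability_hit_within(day_cycles, disk, 0, 1):.2e}")
    print(f"boot disk corrupted after one day: {100 * expected_corrupted_fraction(disk, day_cycles):.2f}%")
```

The two numbers the script prints side by side are the point of the thread's argument: hitting the MBR on a disk of this size is a one-in-hundreds-of-millions-of-cycles event, so the machine is unlikely to become unbootable that way, but every cycle destroys 128 sectors of something, so the filesystem degrades steadily whether or not the boot sectors are ever touched.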
Re:Witty worm not just a computer parasite (Score:3, Informative)
Re:Imprecise! (Score:3, Informative)
NTFS, FAT, whatever...
I NEVER make a service call without a Knoppix CD with me..
Re:Is ZoneAlarm Vulnerable too? (Score:2, Informative)
Re:for the virus experts... (Score:3, Informative)
Yes, you can write x86 *CODE* that will run on any OS, by using BIOS interrupts, or even making different calls/checks to see what OS this is, and then using the appropriate system calls. But how to run this code?
Windows uses PE files, Linux uses ELF files, MacOS 9 uses data+resource forks...etc. It would take a hell of a lot of hacking the formats to somehow make the PE offsets correspond to the ELF offsets or somehow put both kinds of headers in the executable program so it can run on both OSs.
So while your code might be multi-platform compatible, the container itself will end up being OS-specific.
Re:One question, and one answer. (Score:3, Informative)
You can't tell what's running? This is very easy, actually. Try this:
To see what ports are currently listening:
netstat -an
To see what services are attached to what process:
tasklist /svc
To stop a process (until next boot):
sc stop _service_name_
To query a state of a process:
sc query _service_name_
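The commands in this post give the raw listings; the step they leave to the reader is matching a listening port to the process and service behind it, which `netstat -an` alone cannot do because it prints no PID. The Python below is an added example, not code from the post: it parses `netstat -ano` output (the `-o` switch adds the PID column) and `tasklist /svc` output and joins them on PID, then flags listeners owned by images not on an allow-list. Both listings it parses are constructed sample text, and `exampled.exe` / `ExampleFirewall` are placeholder names rather than any real product.

```python
"""Join `netstat -ano` with `tasklist /svc` to name the service behind each listener.

Added example, not code from the post. `netstat -an` prints no PID, so this uses
`-ano` (the -o switch adds the PID column) and joins on PID. Both listings below
are constructed sample text; exampled.exe / ExampleFirewall are placeholder names.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1032      192.168.1.1:80         ESTABLISHED     1520
  UDP    0.0.0.0:3456           *:*                                    1234
  UDP    0.0.0.0:500            *:*                                    740
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    740 PolicyAgent, LmHosts
svchost.exe                    892 RpcSs
exampled.exe                  1234 ExampleFirewall
iexplore.exe                  1520 N/A
"""


def parse_netstat(text):
    """Return [(proto, local_ip, port, pid)] for sockets that accept inbound traffic:
    TCP rows in LISTENING state and every UDP row (UDP rows have no State column)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) != 5 or parts[3] != "LISTENING"):
            continue
        ip, _, port = local.rpartition(":")       # rpartition also copes with [::]:port
        rows.append((proto, ip, int(port), int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Return {pid: (image_name, [service names])} from `tasklist /svc` output.
    Header, separator and wrapped continuation lines carry no PID and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        procs[pid] = (image, [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")])
    return procs


def listening_ports_by_service(netstat_text, tasklist_text):
    """One dict per listening socket: port, owning image and the services it hosts."""
    procs = parse_tasklist(tasklist_text)
    joined = []
    for proto, ip, port, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<pid not in tasklist>", []))
        joined.append({"proto": proto, "ip": ip, "port": port, "pid": pid,
                       "image": image, "services": services})
    return joined


def unexplained_listeners(joined, known_images):
    """Listeners whose owning image is not on the reviewer's allow-list (lower-case
    image names); these are the ones to look up with `sc query <service>` and, if
    unwanted, `sc stop <service>`."""
    return [r for r in joined if r["image"].lower() not in known_images]


if __name__ == "__main__":
    rows = listening_ports_by_service(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in rows:
        print(f"{r['proto']} {r['ip']}:{r['port']:<5} pid={r['pid']:<5} "
              f"{r['image']:<14} {', '.join(r['services']) or '-'}")
    for r in unexplained_listeners(rows, {"system", "svchost.exe"}):
        print(f"review: {r['image']} is listening on {r['proto']} port {r['port']}")
```

Run it against real output by saving `netstat -ano` and `tasklist /svc` to files and passing their contents in place of the sample strings. The allow-list is deliberately short: a listener hosted by a process you did not expect, such as a third-party firewall's own service, is exactly what the `sc query` and `sc stop` commands in the post are for.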
My WinXP box got hit with this (Score:3, Informative)
One vulnerability seen in several firewalls. Why? (Score:2, Informative)
Assuming this is one vulnerability, I'd have to also assume that these products share some common code or at least a common library with the vulnerability.
I don't see any discussion as to why several different products share the same vulnerability!
That in itself is a discredit to the value of choosing such products. It looks like they rely on some black box code that these companies do not develop themselves and thus doesn't get the type of code review required in a security product.
I did briefly run Black ICE on a machine designated for firewall/gateway several years ago when routers were more expensive than reusing an old PC. I'd likely not do that again, and I'd certainly never recommend using software firewall for protecting the machine running the firewall software.