Security Bug Operating Systems Software Windows

"Witty" Worm Wrecks Computers

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.

  • Re:Imprecise! (Score:1, Informative)

    by Anonymous Coward on Saturday March 20, 2004 @09:07PM (#8623988)
    Presumably by sticking it into a machine that has a different boot disk. Or using a boot CD.
  • by slash-tard ( 689130 ) on Saturday March 20, 2004 @09:08PM (#8623991)
    I agree, except in some colo/hosted environments it's not practical or cost effective to have each customer on its own isolated firewall interface. In this environment a local firewall is better than nothing. Security should be applied in layers.
  • by myowntrueself ( 607117 ) on Saturday March 20, 2004 @09:11PM (#8624015)
    From LURHQ [lurhq.com]

    "This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."

    Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.

    It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).

    I think this will be with us for a while, particularly when mutations start showing up.

  • Re:Imprecise! (Score:2, Informative)

    by orkysoft ( 93727 ) <orkysoft@m y r e a l b ox.com> on Saturday March 20, 2004 @09:14PM (#8624037) Journal
    If it destroys just the first sector, and the disk had just one big partition, you can use fdisk to fix the mess.

    If it had more partitions, use gpart to find the partitions. It's not perfect, so watch what you're doing.

    If it destroys more than just the first sector, it'll (on FAT filesystems) destroy the partition boot sector, the directory, and the FATs. Which means you have to recover the data from backups.
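The recovery argument in the comment above (a lost sector 0 versus an intact partition behind it) can be checked rather than guessed at. This is an added example, not code from the thread or from any of the tools named in it: a small MBR parser that reports whether sector 0 still carries a sane partition table, plus a gpart-style sweep that finds NTFS/FAT volume boot records by their signatures even when the table is gone. The disk image is constructed in the script (an 80-sector image with one NTFS partition at LBA 63); `clobber_sector0` is a test fixture that fills sector 0 with junk so the two cases can be compared.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # signature at offset 510 of every MBR and volume boot record


def parse_mbr(sector: bytes) -> dict:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for slot in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({"slot": slot, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": parts}


def mbr_health(sector: bytes) -> str:
    """'intact', 'suspect' (signature present but the table is nonsense) or 'overwritten'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "overwritten"
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    if not parts:
        return "suspect"
    prev_end = 1  # nothing may start at LBA 0, which the MBR itself occupies
    for p in parts:
        if p["status"] not in (0x00, 0x80) or p["sectors"] == 0 or p["lba_start"] < prev_end:
            return "suspect"  # bad flag, empty extent or overlapping partitions
        prev_end = p["lba_start"] + p["sectors"]
    return "intact"


def vbr_kind(sector: bytes):
    """Recognise an NTFS or FAT volume boot record by its OEM/type strings, else None."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[82:87] == b"FAT32":
        return "FAT32"
    if sector[54:59] in (b"FAT12", b"FAT16"):
        return sector[54:59].decode("ascii")
    return None


def scan_for_volumes(image: bytes) -> list:
    """gpart-style sweep: every LBA whose sector looks like a filesystem boot record."""
    found = []
    for lba in range(len(image) // SECTOR):
        kind = vbr_kind(image[lba * SECTOR:(lba + 1) * SECTOR])
        if kind:
            found.append((lba, kind))
    return found


def build_sample_image() -> bytes:
    """Constructed 80-sector disk image: MBR at LBA 0, one NTFS partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 16)
    mbr[510:512] = BOOT_SIG
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"  # jump instruction that opens an NTFS boot sector
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = BOOT_SIG
    image = bytearray(SECTOR * 80)
    image[0:SECTOR] = mbr
    image[63 * SECTOR:64 * SECTOR] = vbr
    return bytes(image)


def clobber_sector0(image: bytes) -> bytes:
    """Test fixture: replace sector 0 with constructed junk so the table is lost."""
    junk = bytes(range(256)) * 2  # 512 bytes with no 0x55AA at offset 510
    return junk + image[SECTOR:]


if __name__ == "__main__":
    img = build_sample_image()
    print("healthy image:", mbr_health(img[:SECTOR]), scan_for_volumes(img))
    bad = clobber_sector0(img)
    print("after sector 0 is lost:", mbr_health(bad[:SECTOR]), scan_for_volumes(bad))
```

Run against a real device you would read the first 512 bytes (or the whole disk) from a read-only handle, as the commenters suggest, from a second machine or a boot CD, and only then decide whether rewriting the table is all that is needed.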
  • Re:Oh no (Score:5, Informative)

    by delta407 ( 518868 ) <slashdot@nosPAm.lerfjhax.com> on Saturday March 20, 2004 @09:14PM (#8624044) Homepage
    Blaster disabled a system, but it was fixable. This one can make a total mess.
    Oh, whatever.

    Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation [sourceforge.net]. After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool [salvagentfs.com] that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.

    If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".
  • Re:This is crazy (Score:2, Informative)

    by blcknight ( 705826 ) on Saturday March 20, 2004 @09:16PM (#8624058)
    HEY SMARTY!

    This virus was because of people running firewall software.

  • by tuckericj ( 658475 ) on Saturday March 20, 2004 @09:19PM (#8624083)
    This is indeed a particularly nasty worm. Several other divisions of my company are battling infections. The master boot record on an infected host is almost certainly destroyed by this little dandy and any host which might have been rebooted before an infection is detected is inoperable. Thankfully it is only the relatively recent versions of the software packages that are affected. The divine combination of wisdom and laziness has found this systems administrator blessedly behind the times. The decision to stop upgrading our ISS tools in favor of a push towards OSS now seems all the more prescient. For those in the community who expect big businesses to flop over to OSS immediately, don't hold your breath. Nothing happens overnight because big business is slow, no matter how fast the company's advert department declares them to be. We've been actively switching systems over to Linux and OSS for two years now, but the average depreciation cycle means that it takes a minimum of 5 years to switch over an environment, and that only if you put a stake in the ground. Realistically it takes 7 to 10 years to switch over an IT environment in a company which judges IT investment solely on Cost Benefit Analysis.
  • by Stinking Pig ( 45860 ) on Saturday March 20, 2004 @09:20PM (#8624089) Homepage
    If it's a FAT16 or FAT32 partition, the primary FAT table will be wiped. While there is a second copy at the end of the partition, finding and restoring it will not be trivial.
  • by Bruha ( 412869 ) on Saturday March 20, 2004 @09:20PM (#8624097) Homepage Journal
    Most if not all user agreements for any software, anti-virii, Windows and its related software usually contain:

    In no way can you hold us responsible for loss of data, damage to your system bla bla bla.. basically use at your own risk.

  • Re:Imprecise! (Score:2, Informative)

    by Ironsides ( 739422 ) on Saturday March 20, 2004 @09:26PM (#8624141) Homepage Journal
    Two ways to recover data from an 'Unbootable Drive'.

    #1 Install it as a secondary drive on a computer that has a bootable drive. Assuming the File Allocation Tables have not been overwritten, you can read the data as usual. Also assuming that the windows permissions let you do this. I have known some NTFS drives that won't let you, but that is fixable with a software program I think.

    #2 Same way you recover information after a hard drive crash. Take it to the people that do the pro recovery.

    Since it has been said that it only overwrites the first few sectors, sounds like only the boot sector is affected. If it is running a FAT file system, the FAT tables may get overwritten, but the data is still recoverable (try using the 'scandisk /F' command I think it is for recovery). From what I understand of NTFS, the FAT table is spread over the drive, so it shouldn't be affected by it as much. Still, everything should be recoverable easily (relatively speaking). It's not as if the data was overwritten.
  • by greenreaper ( 205818 ) on Saturday March 20, 2004 @09:26PM (#8624146) Homepage Journal
    In fact, it's the other way around [iss.net]:

    The worm will attempt to propagate immediately by sending copies of itself out across the wire to random targets. After sending a predefined number of packets, Witty attempts to open a randomly determined physical drive and write 64k of data to a random location. This cycle repeats for every 20,000 packets sent.
  • Re:One question (Score:2, Informative)

    by niittyniemi ( 740307 ) on Saturday March 20, 2004 @09:30PM (#8624172) Homepage
    Easy :)

    "The Witty worm....only infects Win32 systems." [iss.net]

    To be fair (and it pains me to be so), it seems to be a problem with the application rather than system software.

  • by djace ( 641019 ) on Saturday March 20, 2004 @09:34PM (#8624202) Homepage
    According to Symantec's Witty information page [sarc.com], Norton Antivirus can't detect it because it is memory resident only, and never written to disk.

    As the story summary states, it "attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues." Devastating.

    BlackICE patches are available [iss.net].
  • Re:How... (Score:5, Informative)

    by Detritus ( 11846 ) on Saturday March 20, 2004 @09:36PM (#8624206) Homepage
    Code running with Administrator privileges is assumed to be trustworthy and know what it is doing. The problem is that there is way too much code running as Administrator.
  • by tuckericj ( 658475 ) on Saturday March 20, 2004 @09:37PM (#8624218)
    Most of the systems that we have running this tool are those that regularly leave our facility. In this global age it is not unusual for a company of 1300 people to have 200-300 systems outside their network at any given time. A mixture of traveling employees, demonstration products and a variety of rogue systems demands the personal firewall be a part of the concentric rings of security.
  • Be realistic (Score:5, Informative)

    by nurb432 ( 527695 ) on Saturday March 20, 2004 @09:37PM (#8624220) Homepage Journal
    The average joe isn't going to be monitoring any lists.. they will just ( hopefully ) plug in whatever box that came with their pc.. or at worst, accept defaults on software, which normally is useless..

    That's the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they should be giving away firewalls too.. they are just as cheap. ( though, yes i realize that they make their money via ink carts.. but you get my point )
  • by __aafkqj3628 ( 596165 ) on Saturday March 20, 2004 @09:48PM (#8624262)
    It might be "real damage" in some cases, but it seems to be quite stupid. According to Symantec's bulletin [symantec.com] -

    "Attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues."

    Given the amount of sectors on a hard-drive, how long will it take for the worm to randomly choose the boot sectors on the boot disk?
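The question above has a concrete answer once the write is modelled: each disk write covers 128 sectors (64 KiB) at a random location, and one write happens per 20,000 packets, both figures from the Symantec and ISS text quoted in this thread. The script below is an added example, not from the thread or from any vendor; it treats the starting sector of each write as uniform over the disk (an assumption, since the page only says "random") and uses a geometric model to give the expected number of writes and packets before the MBR is hit, the chance it has been hit after a given number of writes, and the expected share of the disk corrupted by then. The 80 GB disk size is a constructed example value.

```python
from fractions import Fraction

SECTORS_PER_WRITE = 128     # one write clobbers 128 sectors = 64 KiB (Symantec/ISS text)
PACKETS_PER_WRITE = 20_000  # one write after every 20,000 packets sent (ISS text)


def p_hit(disk_sectors: int, target_lba: int = 0, target_len: int = 1) -> Fraction:
    """Probability that one write overlaps sectors [target_lba, target_lba + target_len).

    Assumption: the write's first sector is uniform over the whole disk; a write that
    would run past the end is clipped, so its start is still counted once."""
    first = max(0, target_lba - SECTORS_PER_WRITE + 1)   # earliest start that reaches the target
    last = min(disk_sectors - 1, target_lba + target_len - 1)  # latest start inside the target
    return Fraction(last - first + 1, disk_sectors)


def expected_writes(p: Fraction) -> Fraction:
    """Mean number of writes until the first hit (geometric distribution)."""
    return 1 / p


def expected_packets(p: Fraction) -> Fraction:
    """Mean number of packets the host emits before the target is hit."""
    return expected_writes(p) * PACKETS_PER_WRITE


def p_hit_within(p: Fraction, writes: int) -> float:
    """Probability the target has been hit at least once after `writes` writes."""
    return 1 - float(1 - p) ** writes


def expected_fraction_corrupted(disk_sectors: int, writes: int) -> float:
    """Expected share of sectors overwritten at least once after `writes` independent writes."""
    return 1 - (1 - SECTORS_PER_WRITE / disk_sectors) ** writes


if __name__ == "__main__":
    disk = 80_000_000_000 // 512  # constructed: an 80 GB drive, 156,250,000 sectors
    p = p_hit(disk)               # the MBR itself, sector 0
    print("P(MBR hit per write)      =", p)
    print("expected writes to hit it =", expected_writes(p))
    print("expected packets          =", expected_packets(p))
    print("P(MBR hit after 1000 writes) = %.2e" % p_hit_within(p, 1000))
    print("fraction corrupted after 1000 writes = %.2e" % expected_fraction_corrupted(disk, 1000))
```

The numbers make the point several commenters are circling: on a large disk the MBR specifically is unlikely to be hit for a very long time, while every write cycle lands 64 KiB of junk somewhere in live filesystem data, so the damage that matters accumulates long before the machine stops booting.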
  • Re:Imprecise! (Score:5, Informative)

    by Xugumad ( 39311 ) on Saturday March 20, 2004 @09:57PM (#8624304)

    Try running Testdisk: http://www.cgsecurity.org/index.html?testdisk.html [cgsecurity.org]

    It comes as part of Knoppix I believe, and was a great help last time someone lost their partition table. After that, just fsck as normal.

  • by gbrayut ( 715117 ) on Saturday March 20, 2004 @10:03PM (#8624335) Homepage
    From the ISS X-Force alert: [iss.net]
    Description:

    The Witty worm exploits a stack-based overflow in ICQ response parsing in the Protocol Analysis Module (PAM) of ISS products. It is a memory-resident worm only, and contains no file payload. Witty propagates via UDP, sending UDP packets with a random destination and destination port. The source port of Witty traffic is 4000, and the source address is not spoofed.

    The worm will attempt to propagate immediately by sending copies of itself out across the wire to random targets. After sending a predefined number of packets, Witty attempts to open a randomly determined physical drive and write 64k of data to a random location. This cycle repeats for every 20,000 packets sent.
    Ouch....
  • Not so trivial... (Score:4, Informative)

    by Svartalf ( 2997 ) on Saturday March 20, 2004 @10:11PM (#8624401) Homepage
    It doesn't just write to the MBR. It pushes 64k of data to RANDOM locations on a randomly selected hard-disk. At some point it bombs the MBR, but it bombs other portions of the disks on a machine.

    NASTY worm. Definitely old-school in nature- I wondered when someone would get around to making something along these lines.
  • Incorrect analysis? (Score:5, Informative)

    by James_G ( 71902 ) <jamesNO@SPAMglobalmegacorp.org> on Saturday March 20, 2004 @10:22PM (#8624494)
    According to this analysis [lurhq.com], it does a lot more than corrupt the first few sectors of the drive:

    The worm's functionality is as follows:

    1) Generates a random IP address
    2) Sends the worm payload
    3) Repeats steps 1-2 20,000 times
    4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
    5) Seeks to a random point on the disk
    6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
    7) Closes the disk
    8) Starts the process over from step 1

    (emphasis mine)
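The ISS alert and the LURHQ analysis quoted in this thread give a defender everything needed to spot an infected host from network records: the traffic is UDP, the source port is fixed at 4000, the source address is not spoofed, and both the destination address and destination port are random. The script below is an added example (not from the thread, ISS or LURHQ) that runs that rule over flow records: a source is flagged when it sends UDP from port 4000 to many distinct hosts and many distinct ports, which separates it from a normal ICQ-style client that talks to a few servers on one port. The record format, the sample traffic, the 20/20 thresholds and the addresses are all constructed for the example.

```python
import random
from collections import defaultdict

WITTY_SRC_PORT = 4000  # ISS alert: source port fixed at 4000, source address not spoofed


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<epoch> <PROTO> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}


def find_witty_like_senders(lines, min_hosts: int = 20, min_ports: int = 20) -> dict:
    """Flag sources sending UDP from port 4000 to many distinct hosts AND many distinct ports.

    A legitimate talker from port 4000 reaches a handful of servers on a fixed port;
    Witty's destinations are random in both address and port. The thresholds are
    assumptions for the example, not values from the page."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "packets": 0})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "UDP" or f["sport"] != WITTY_SRC_PORT:
            continue
        s = per_src[f["src"]]
        s["hosts"].add(f["dst"])
        s["ports"].add(f["dport"])
        s["packets"] += 1
    return {src: {"distinct_hosts": len(s["hosts"]), "distinct_ports": len(s["ports"]),
                  "packets": s["packets"]}
            for src, s in per_src.items()
            if len(s["hosts"]) >= min_hosts and len(s["ports"]) >= min_ports}


def constructed_sample_lines() -> list:
    """Constructed traffic: one Witty-like host (10.0.0.5), one ICQ-like client (10.0.0.7),
    a DNS lookup and a TCP flow that happens to use local port 4000."""
    rng = random.Random(2004)  # seeded so the sample is reproducible
    t = 1079740000.0
    lines = []
    for i in range(60):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        lines.append(f"{t + i * 0.01:.2f} UDP 10.0.0.5:4000 -> {dst}:{rng.randrange(1024, 65536)}")
    for i in range(30):
        lines.append(f"{t + i:.2f} UDP 10.0.0.7:4000 -> 192.0.2.10:4000")  # constructed server
    lines.append(f"{t:.2f} UDP 10.0.0.9:53124 -> 10.0.0.1:53")
    lines.append(f"{t:.2f} TCP 10.0.0.9:4000 -> 192.0.2.20:80")
    return lines


if __name__ == "__main__":
    for src, info in find_witty_like_senders(constructed_sample_lines()).items():
        print(f"{src}: {info['packets']} packets from UDP/4000 to "
              f"{info['distinct_hosts']} hosts on {info['distinct_ports']} ports")
```

Because the source address is genuine, the flagged address is the infected machine itself, which is what makes this rule actionable: it names the host to isolate and patch rather than a spoofed bystander.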

  • by neoThoth ( 125081 ) on Saturday March 20, 2004 @10:36PM (#8624612) Homepage
    I saw this one too! I have that as a non sequitur in the blog I run. Pretty funny that google didn't update on that one fast enough. I wonder how many extra hits they will get because of the worm's name. Also I think it's ironic it's an "anal device" and the worm pretty much f'sck you there when it writes to disk.
  • Re:Imprecise! (Score:3, Informative)

    by pair-a-noyd ( 594371 ) on Saturday March 20, 2004 @10:38PM (#8624621)
    Boot Knoppix [knopper.net] too and pull anything you desire from ANY M$ formatted drive.
    NTFS, FAT, whatever...

    I NEVER make a service call without a Knoppix CD with me..

  • by Gary Destruction ( 683101 ) * on Saturday March 20, 2004 @11:19PM (#8624812) Journal
    A memory dump is a blue screen. And most memory dumps in an NT/NT based environment are due to hardware or driver problems. Programs run at ring 3 in their own memory spaces. Windows 9x blue screens could also be caused by hardware or drivers but were usually due to bad memory management, direct access to hardware and everything running at ring 0.
  • by Alex_Ionescu ( 199153 ) on Sunday March 21, 2004 @01:16AM (#8625439) Homepage
    Actually you basically can't for a simple reason.

    Yes, you can write x86 *CODE* that will run on any OS, by using BIOS interrupts, or even making different calls/checks to see what OS this is, and then using the appropriate system calls. But how to run this code?

    Windows uses PE files, Linux uses ELF files, MacOS 9 uses data+resource forks...etc. It would take a hell of a lot of hacking the formats to somehow make the PE offsets correspond to the ELF offsets or somehow put both kinds of headers in the executable program so it can run on both OSs.

    So while your code might be multi-platform compatible, the container itself will end up being OS-specific.
  • by sleezly ( 562516 ) on Sunday March 21, 2004 @04:51AM (#8626208)
    In Windows you can't even tell what's running let alone shut it off. There are many ports that get attached to every interface and no way to fix it.

    You can't tell what's running? This is very easy, actually. Try this:

    To see what ports are currently listening:
    netstat -an

    To see what services are attached to what process:
    tasklist /svc

    To stop a process (until next boot):
    sc stop _service_name_

    To query a state of a process:
    sc query _service_name_
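The commands above answer the question in two separate outputs, and the join between them is done by eye. As an added example (not from the thread, and not a Microsoft tool), the script below parses the output of `netstat -ano` (the `-o` switch adds the owning PID column) and `tasklist /svc`, then reports which image and which service names own a given listening port, so the right `_service_name_` can be passed to `sc query` and `sc stop`. The two outputs are constructed samples in the shape those commands print; `blackd.exe` is the process name mentioned elsewhere in this thread, while the service name `ExampleFirewallSvc` and the PIDs are made up.

```python
import re

# Constructed output in the shape `netstat -ano` prints; UDP rows have no State column.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:4000           *:*                                    1234
  UDP    10.0.0.5:137           *:*                                    4
"""

# Constructed output in the shape `tasklist /svc` prints; long service lists wrap
# onto indented continuation lines. The service names are made up for the example.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    900 RpcSs
blackd.exe                    1234 ExampleFirewallSvc
svchost.exe                   1300 Dnscache, LanmanWorkstation,
                                   lmhosts
"""


def parse_netstat(text: str) -> list:
    """Rows of (proto, local_ip, local_port, pid) from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        ip, port = tok[1].rsplit(":", 1)  # rsplit keeps IPv6 literals such as [::]:135 intact
        rows.append((tok[0], ip, int(port), int(tok[-1])))
    return rows


def parse_tasklist(text: str) -> dict:
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)  # image names may contain spaces
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
            names = [] if svcs == "N/A" else [s for s in re.split(r",\s*", svcs) if s]
            procs[pid] = (image, names)
            last_pid = pid
        elif line.startswith(" ") and last_pid is not None:
            # indented continuation of the previous process's service list
            procs[last_pid][1].extend(s for s in re.split(r",\s*", line.strip()) if s)
    return procs


def who_owns_port(netstat_text: str, tasklist_text: str, port: int, proto: str = "UDP") -> list:
    """Join the two outputs: every socket on `port` with its owning image and services."""
    procs = parse_tasklist(tasklist_text)
    owners = []
    for p, ip, lport, pid in parse_netstat(netstat_text):
        if p == proto and lport == port:
            image, services = procs.get(pid, ("<unknown>", []))
            owners.append({"pid": pid, "local": f"{ip}:{lport}", "image": image,
                           "services": services})
    return owners


if __name__ == "__main__":
    for o in who_owns_port(SAMPLE_NETSTAT, SAMPLE_TASKLIST, 4000):
        print(f"UDP {o['local']} is held by PID {o['pid']} ({o['image']}), "
              f"services: {', '.join(o['services']) or 'none'}")
```

On a live machine the two strings would come from running the commands (for example through `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout`); everything else stays the same.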

  • by Axisted ( 581252 ) on Sunday March 21, 2004 @09:06AM (#8626771)
    [accidentally posted this in the hardware router anonymously] After running BlackICE for less than a week, curious to see for myself what it was capable of, I was unlucky enough to get hit with this and lucky enough to kill it after it ran for an hour and half (blackd.exe opened port 4000 locally at 5:17 gmt, Mar.19.) It doesn't appear to have done any damage though, certainly not to my MBR (though if it randomly writes to any sector I don't think there was a chance of this,) but I'm certain it sent more than the 20,000 needed to trigger the junk data being written in the 90 minutes it ran. With no record of the packets it sent, I do have a record of nearly 10,000 angry ICMP responses, the bulk of which are from a single address which first caused me to believe my IP was being spoofed, but I suspect this represents a fraction of the addresses it successfully sent to (locally it attempted to send ~6GB at 10Mb/s.) Up until now I've never felt the need for a hardware router.
  • by labradort ( 220776 ) on Sunday March 21, 2004 @09:17AM (#8626799)
    The list of firewalls vulnerable:
    RealSecure Network 7.0, XPU 22.11 and before
    RealSecure Server Sensor 7.0 XPU 22.11 and before
    RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
    Proventia A Series XPU 22.11 and before
    Proventia G Series XPU 22.11 and before
    Proventia M Series XPU 1.9 and before
    RealSecure Desktop 7.0 ebl and before
    RealSecure Desktop 3.6 ecf and before
    RealSecure Guard 3.6 ecf and before
    RealSecure Sentry 3.6 ecf and before
    BlackICE Agent for Server 3.6 ecf and before
    BlackICE PC Protection 3.6 ccf and before
    BlackICE Server Protection 3.6 ccf and before

    Assuming this is one vulnerability, I'd have to also assume that these products share some common code or at least a common library with the vulnerability.

    I don't see any discussion as to why several different products share the same vulnerability!

    That in itself is a discredit to the value of choosing such products. It looks like they rely on some black box code that these companies do not develop themselves and thus doesn't get the type of code review required in a security product.

    I did briefly run Black ICE on a machine designated for firewall/gateway several years ago when routers were more expensive than reusing an old PC. I'd likely not do that again, and I'd certainly never recommend using a software firewall for protecting the machine running the firewall software.
