"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
Stick to hardware routers and firewalls... (Score:5, Insightful)
where are all the viruses that do real damage? (Score:5, Insightful)
Nasty flaw (Score:5, Insightful)
That's what you get (Score:3, Insightful)
Re:Stick to hardware routers and firewalls... (Score:5, Insightful)
Re:That's what you get (Score:5, Insightful)
Three words: application access privileges.
Very sad. (Score:4, Insightful)
Oh... After all, what will it change?
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
Re:where are all the viruses that do real damage? (Score:5, Insightful)
If someone wrote a destructive Netsky/Bagle variant, the email traffic on the Internet would probably drop in half overnight as infected machines got taken out.
Re:One question (Score:2, Insightful)
Re:Stick to hardware routers and firewalls... (Score:5, Insightful)
luser: "It says someone might be trying to break into my computer! How can I stop them?"
Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
luser: "But BlackICE says it might be an attack!"
Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."
For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parents' or novice friends' computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.
Re:Imprecise! (Score:3, Insightful)
Bolt it into a G4 Mac tower and pull files to your heart's delight.
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then? All of your boxes are potentially vulnerable instead, that's what. Trusting your security to a single product, hardware or software, is a disaster waiting to happen, and for some of ISS's customers it's probably happening right now.
Pretty much all SOHO routers have a firewall capability these days, and there are free "personal" firewall systems for all major OSs. If you are connected to the net and have a clue about security, you'll be using both and monitoring both white- and black-hat security sites daily. That all patches are applied as soon as prudent goes without saying, of course...
Re:how do you lose the data? (Score:5, Insightful)
Hardware FireWalls (Score:3, Insightful)
I recommend Linksys.
Those who depend on Windows firewalling should beware also. In fact, I'm surprised it wasn't that firewall that was exploited in the first place.
One answer: (Score:0, Insightful)
You could say this was Microsoft's fault for making a crappy, userless don't-manage-memory-well kernel, for having inadequate file systems that lack permission bits, and the list goes on and on. Why else did the poor suckers have to BUY a third party firewall? Because Microsoft is a toy OS that has no place on the internet, that's why. There are many other good reasons this is Microsoft's fault; I'll leave them to others. That would be funny if it were not true.
Recovery Tool (Score:5, Insightful)
Re:Stick to hardware routers and firewalls... (Score:5, Insightful)
I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to
I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and BlackICE catches server attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.
N.
Re:That's what you get (Score:3, Insightful)
You should still have a separate box to run the firewall on the edge of the network. But if you have stupid users or strict policies for use, you could run local software firewalls.
They are independent issues...
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
I'd rather my hardware firewall be exploited and/or DoS'd because it doesn't have GB upon GB of data on it that could potentially be lost. And yes, I back up my data. A lot of users don't, though.
Re:What's the problem (Score:3, Insightful)
Who knows how Windows will interpret a partition table containing random data; it might boot far enough to write to the drive using a mistaken idea of how big the partitions are, reducing the chance of data recovery.
We are just guessing based on these first reports. Someone will analyse the worm properly in a day or two and give a better idea of how to deal with it.
Re:Stick to hardware routers and firewalls... (Score:2, Insightful)
Try relaxing some time; you will get more work done than cruising security sites all day. I used to do security for a living and I managed to ignore them both equally with great success. If you have to feed your paranoia and/or curiosity, check your vendor sites and leave it at that.
Re:how do you lose the data? (Score:2, Insightful)
MS Support article [microsoft.com]
This is why... (Score:3, Insightful)
When will the Windows world (and, to a lesser extent, the *nix world) wake up and realize that putting all services on a single box is just asking for trouble?
A firewall should be a dedicated, hardened host that is easily rebuilt if compromised. A firewall should not be the only layer of security.
Re:Back in my day... (Score:2, Insightful)
When (not if) somebody REALLY wants to destabilize things in the United States, or anywhere in the world for that matter, they will unleash one or several worms that affect systems similarly to this one. I have heard theories from a few people that the root cause of last summer's blackout was the result of something like this. It is easy to dismiss these claims as the whack-job rants of conspiracy theorists, but it certainly IS possible, and if this was the real cause there were a lot of people who had a vested interest in keeping it quiet. Remember there is usually some element of truth in what the "nuts" have to say.
A group with enough talent and financial support (even small-to-mid level drug dealer types can generate millions of dollars every month) would have no trouble performing audits on and locating holes in all kinds of systems, and could write worms that could shut down a very large portion of the computers on the internet, including many military and government installations. Google for "warhol worm" to get an idea of how quickly this could be done.
Our main concern shouldn't be the spammers who write viruses, it should be the first REAL cyberterrorist out there that decides to actually do something.
For the record, I know I am not any safer (well, not much safer anyway) because I run ipfilter for my firewall and apache for my web server, and update my virus patterns every day. IPv6 might help a little; at least in a 128 bit address space, my system won't be found by anybody's random scans.
points for speed and damage (Score:5, Insightful)
I've also updated my blog with all the relevant links and data [blogspot.com]. The speed of the worm creation is frightening: less than 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of Russian roulette: it targets one of the first 8 disks and if the disk doesn't exist it simply continues its routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
Listed on the above blog are the following links:
eEye advisory
ISS advisory
lurhq analysis
SANS diary report
F-Secure writeup
Symantec writeup
Witty Worm Capture 1 and 2 (from dslreports.com)
and the text from SANS capture of the worm.
I've been capturing UDP traffic all day and hope to compile some more interesting information later on.
Re:One question (Score:3, Insightful)
One wonders what else got in this way (Score:4, Insightful)
This is a huge hole. It requires no end-user action whatsoever to exploit. The "security" program it attacks is probably running with administrator privileges, even on locked down systems. There's no reason a packet filter should be able to write raw disks. In fact, if it still runs with those privileges, you want to get this "security" product off your system now. This might not be the only hole.
Re:Stick to hardware routers and firewalls... (Score:4, Insightful)
The problem with someone that claims to protect you from something is that they will make a lot of noise about all the things they're supposedly protecting you from, so that you think they're making you safe. Those crappy Windows firewalls do that, as well as AV software. For a non-software example, look at how US prosecutors love to bring cases for "terrorism" and make lots of noise about it, even if those cases all get thrown out of court.
As a Linux user.. (Score:5, Insightful)
We know Linux needs work before it's ready for prime time, just like we know that there are certain trade-offs between convenience and security.
I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).
So keep using your Windows PC in peace. It's got a lot of useful functionality and, as a Gnome developer once suggested, the most secure operating system is the one you're comfortable with and can keep updated. As Linux gains marketshare you can bet some vulnerabilities will be found, some we'll expect and some we won't. Maybe you'll find it more appealing after it's had more time to mature. Don't let zealots color your opinions too much; they speak for themselves.
Re:where are all the viruses that do real damage? (Score:2, Insightful)
Windows keeps a second copy of the boot sector and/or partition/FAT tables when it creates a drive. This is with FAT32 or NTFS, even when doing it from DOS (NTFS is more or less stored in a file that can be recovered and applied).
Most often, even when the boot sector has been wiped (repartitioned/formatted/destroyed by another program like a boot loader), this copy can be used to recreate it. The Chernobyl virus variants proved this. Even if you cannot find the backup there are several free/commercial utilities that scan the format and can rebuild the drive, saving most if not all the data on it. I'm not sure how well this works with NTFS drives because I have been successful most of the time by using the procedure described previously (fixboot and fixmbr from the recovery console).
Anyway, just don't give up hope because one set of people are short-sighted enough to say it can't be done. The average user won't be able to fix this, as might be the same with some MCSEs or whatever makes you a Windows expert nowadays, but there are remedies available. I'm tempted to try to get infected with it just to play around with it.
good luck
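The post above describes rebuilding a wiped FAT32 boot sector from the second copy Windows keeps. As an added illustration (not code from the post or from any tool it mentions), the following sketches what a recovery tool has to check before trusting that copy: the FAT32 layout puts the backup at volume-relative sector 6 (the BPB_BkBootSec field), so an overwrite that runs past the first six sectors of the volume destroys both copies, and a disk-level MBR has no such backup at all. The volume image, its fields and the overwrite pattern are all constructed here; the script assumes a bare FAT32 volume with no partition table in front of it.

```python
import struct

SECTOR = 512
BACKUP_SECTOR = 6  # FAT32 places the backup boot sector at volume sector 6

def build_fat32_boot_sector() -> bytes:
    """Constructed FAT32 boot sector (not a real dump) carrying the fields the checks below read."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                              # x86 jump to boot code
    bs[3:11] = b"MSWIN4.1"                                 # OEM name
    struct.pack_into("<HBHB", bs, 11, SECTOR, 8, 32, 2)    # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs
    struct.pack_into("<I", bs, 32, 4096)                   # TotSec32: a 2 MiB constructed volume
    struct.pack_into("<I", bs, 36, 16)                     # FATSz32
    struct.pack_into("<I", bs, 44, 2)                      # RootClus
    struct.pack_into("<H", bs, 48, 1)                      # FSInfo sector
    struct.pack_into("<H", bs, 50, BACKUP_SECTOR)          # BkBootSec
    bs[82:90] = b"FAT32   "                                # FilSysType
    bs[510:512] = b"\x55\xAA"                              # boot signature
    return bytes(bs)

def sector(img: bytearray, n: int) -> bytes:
    return bytes(img[n * SECTOR:(n + 1) * SECTOR])

def looks_like_fat32_boot_sector(sec: bytes) -> bool:
    """Plausibility checks a recovery tool applies before copying a candidate sector anywhere."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xAA":
        return False
    bps, spc, rsvd, nfats = struct.unpack_from("<HBHB", sec, 11)
    return (bps in (512, 1024, 2048, 4096) and spc in (1, 2, 4, 8, 16, 32, 64, 128)
            and rsvd > BACKUP_SECTOR and nfats in (1, 2) and sec[82:90] == b"FAT32   ")

def recover_boot_sector(img: bytearray) -> str:
    """Rebuild sector 0 from the sector-6 backup; report when that backup is gone too."""
    if looks_like_fat32_boot_sector(sector(img, 0)):
        return "intact"
    backup = sector(img, BACKUP_SECTOR)
    if not looks_like_fat32_boot_sector(backup):
        return "backup-destroyed"      # the overwrite reached sector 6: a scan-based rebuild is needed
    if struct.unpack_from("<H", backup, 50)[0] != BACKUP_SECTOR:
        return "backup-inconsistent"   # a copy that does not point at itself is not a FAT32 backup
    img[0:SECTOR] = backup
    return "recovered"

def make_volume_image() -> bytearray:
    """64-sector constructed volume with the boot sector at 0 and its backup at 6."""
    bs = build_fat32_boot_sector()
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = bs
    img[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = bs
    return img

def demo(damaged_sectors: int) -> str:
    """Overwrite the first N sectors with constructed filler, then attempt recovery."""
    img = make_volume_image()
    img[0:damaged_sectors * SECTOR] = b"\xA5" * (damaged_sectors * SECTOR)
    return recover_boot_sector(img)
```

Running `demo(1)` or `demo(6)` recovers the volume, while `demo(7)` reports that the backup was overwritten as well, which is the case where the post's scan-based utilities are the remaining option.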
Re:where are all the viruses that do real damage? (Score:3, Insightful)
With that said, there are -plenty- of places on a Windows machine where randomly writing 64KB of data would 'destroy the machine', but even that is recoverable. Data is harder to bring back, especially if you've made backups between getting infected and noticing the infection.
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
The real problem here isn't soft vs. hard (although running a firewall on a different machine is always smarter); it's that firewall vendors are suffering from feature-creep and creating more exploitable situations. Man, have you seen a modern Win firewall? It's not just port-blocking, it's everything they can toss in there - spam blocking, remote admin, ad blocking, 'smart' triggering, report generator, gives your daily horoscope, etc.
The nice thing about plain-Jane hardware firewalls like the commodity stuff you can get at Best Buy is that they don't really do much other than block and forward ports. Less complexity is better when it comes to security.
Re:Sucks to be a Windows user (Score:3, Insightful)
Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)
You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Let's look at your points:
Anyway, your last (unnumbered) point about programs needing refinement is probably the only accurate one. Most do need refinement; however, the beautiful thing about the Linux and Free Software community is that they constantly are being refined. And if there's something you don't like, I suggest you help out, or quit complaining about it.
Why does this worm look familiar? (Score:2, Insightful)
Now where have I seen this before? Let me think. What are the distinctive points about Witty's design?
Now where have I seen this before? Oh yes - SQL Slammer/Sapphire.
Witty roots a firewall, it spreads rapidly, it's extremely small and minimalistic (sort of bootsector size) yet still carries a destructive payload... this is not your average 16-year-old, this is one of the old school. Probably in his 30s, it's very probably the same author who wrote Sapphire, and he's probably a pro by now (white-hat? av company? competing firewall?).
Re:Sucks to be a Windows user (Score:4, Insightful)
>You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Oh god shut up, shut up, shut the FUCK UP.
*cough*
Excuse me, but you can shove that condescending know-it-all attitude straight up your ass.
I use Windows because the overall experience, at least for desktop use, has been better. Stuff actually works the way I expect it to. I plug in a FireWire hard disk, it installs and loads drivers, and the partitions, if any, appear. Instantly. No going to linux1394.org, downloading a shell script, and hoping it works. I click a torrent in Mozilla, or Explorer, or whatever, and it loads my BitTorrent client automatically. More recent distros are better, but you won't win anyone over with that attitude.
Last time I had reliability problems with windows, the hard disk was failing. But since I fixed that problem (which not even Linux is immune to) I've had ZERO problems booting. And to be honest, I haven't had any security problems.
Whoa, you think I'm lying, right?
No, I'm not. In the time I've been running 2K and XP, not once have I had:
A Trojan
A Worm
Spyware
Malware
of any sort have any sort of presence on my machine.
Granted, I run Mozilla and Apache (with a secured user account of its own) instead of the usual Windows implements. Sometimes the open source community does create stuff that truly JUST WORKS. At least they're smart enough to not get arrogant about it.
But for kicks I run without a firewall and as an administrator 100% of the time. Still waiting for all the problems you describe.
So, kindly, pull that stick out of your ass. Thank you.
Microsoft Addons... (Score:1, Insightful)
Linux needs to take a lesson here -- before it is too late. The major open source distros need to get together and back an open source virus detection program, and all distros should provide disk space for the distribution of updates. The open source firewall is already there but it needs to be "dumbed down" and GUI'd.
Re:One question (Score:3, Insightful)
Nearly any vulnerability in ipfw or the Linux ipchains implementation that resulted in execution of arbitrary code would allow the attacker to write to the boot block of the disk, among other nasty things.
Re:how do you lose the data? (Score:3, Insightful)
Re:Hardware FireWalls (Score:5, Insightful)
>I recommend Linksys
I hate to disappoint you, but your Linksys box is not a hardware firewall.
It is a dedicated microcomputer that runs a SOFTWARE firewall.
The potential for an exploit that pierces this firewall or erases all its program memory is not less than with the product currently under attack.
All firewalls can have bugs. This is determined by the quality of the software, and the fact that it runs in a small plastic box is not automatically going to improve that.
Calling it "hardware" isn't going to do that either.