"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
Back in my day... (Score:5, Interesting)
Worms and Viruses caused DATA LOSS!
It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.
Re:Liability? (Score:5, Interesting)
Then I got to thinking, what about Microsoft, whose OSes and products have cost millions and millions of dollars.... While some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of time.. remember the SQL one?
two striking things... (Score:5, Interesting)
First, the speed at which the exploit was translated from advisory to a malicious worm. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass-mailing attachment exploit variety of viruses... Not a welcome change for the people who got hit by it, of course :(
By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not [bugmenot.com] to find a login. Click here [bugmenot.com]
how do you lose the data? (Score:5, Interesting)
Sivaram Velauthapillai
How does this thing spread? (Score:3, Interesting)
Re:One question (Score:2, Interesting)
For crying out loud - it's supposed to _protect_ your computer - not be a target for an attack... And an ISS product, of all things... yikes.
I think I'm going to stick to my Debian / iptables. Never had a problem (3 years, same install and still counting), and it does not thrash my HD.
Worthless govt agency (Score:5, Interesting)
"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
Re:where are all the virus's that do real damage? (Score:5, Interesting)
Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.
Snort Detection (Score:4, Interesting)
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";
content:"|29202020202020696e7365727420
Found via http://isc.incidents.org/diary.html?date=2004-03-
After running it for about 10 minutes and seeing 1,000s of matches, I decided it was better to delete the rule, since it was logging to a MySQL database, for fear of overloading the disk, and go back to bed.
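The rule above is only two conditions: a UDP source port in 4000:5000 and a fixed byte string in the payload. The following is an added example, not code from the original comment, the ISC diary or Snort: it applies those two conditions to constructed UDP records in Python and, instead of writing one row per packet (the problem the commenter hit with the MySQL log), aggregates hits per source IP. The record layout, the sample datagrams and the aggregation are assumptions made here; only the port range and the content bytes come from the posted rule.

```python
"""Witty-signature matcher over constructed UDP records.

Added example; not code from the original page, the ISC diary, or Snort.
It reuses only what the posted rule states: UDP source port range 4000:5000
and the content bytes |29 20 20 20 20 20 20 69 6e 73 65 72 74 20|. The
record layout, the sample packets and the per-source aggregation are
assumptions made here for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Content bytes as given (truncated) in the posted Snort rule; they decode to
# b')      insert '.
WITTY_CONTENT_HEX = "29202020202020696e7365727420"
WITTY_PREFIX = bytes.fromhex(WITTY_CONTENT_HEX)
# Snort's 4000:5000 port range is inclusive at both ends.
SRC_PORT_LOW, SRC_PORT_HIGH = 4000, 5000


@dataclass(frozen=True)
class UdpRecord:
    """One decoded UDP datagram (assumed layout for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def matches_witty(rec: UdpRecord) -> bool:
    """Apply the rule's two conditions: source port window and content match."""
    in_window = SRC_PORT_LOW <= rec.src_port <= SRC_PORT_HIGH
    return in_window and WITTY_PREFIX in rec.payload


def scan(records: Iterable[UdpRecord]) -> Tuple[List[UdpRecord], Counter]:
    """Return the matching records and a per-source-IP hit count.

    Counting per infected source, rather than writing one row per packet,
    keeps a worm that fires thousands of matches in minutes from swamping
    a database-backed log.
    """
    hits = [r for r in records if matches_witty(r)]
    return hits, Counter(r.src_ip for r in hits)


def top_sources(records: Iterable[UdpRecord], limit: int = 5):
    """Most active matching sources, as (ip, count) pairs."""
    _, counts = scan(records)
    return counts.most_common(limit)


# Constructed sample traffic: two "infected" hosts plus benign chatter.
# Payload bytes other than the rule's prefix are filler, not the real worm.
SAMPLE_TRAFFIC = [
    UdpRecord("192.0.2.10", 4000, "198.51.100.5", 31337, b"\x05\x01" + WITTY_PREFIX + b"A" * 16),
    UdpRecord("192.0.2.10", 4000, "198.51.100.6", 21515, b"\x05\x01" + WITTY_PREFIX + b"B" * 16),
    UdpRecord("192.0.2.11", 4000, "198.51.100.7", 80, WITTY_PREFIX + b"C" * 8),
    # Same content but source port outside 4000:5000 -> rule does not fire.
    UdpRecord("192.0.2.12", 53, "198.51.100.8", 53, WITTY_PREFIX),
    # Source port inside the window but an ordinary DNS-looking payload.
    UdpRecord("192.0.2.13", 4500, "198.51.100.9", 53, b"\x12\x34\x01\x00\x00\x01example"),
]


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_TRAFFIC)
    print(f"{len(hits)} matching datagrams from {len(counts)} sources")
    for ip, n in top_sources(SAMPLE_TRAFFIC):
        print(f"  {ip}: {n}")
```

The per-source counter is the point: on a live network a worm like this produces a flood of identical alerts, and a count per infected host is what you actually need to clean up, while a row per packet is what filled the commenter's disk.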
Call me a troll if you will... (Score:4, Interesting)
A firewall is best a physical device between your network and the "great big intarweb". That way if your firewall IS compromised, you aren't immediately toast.
IT WAS YOU!!! (Score:5, Interesting)
Re:Stick to hardware routers and firewalls... (Score:1, Interesting)
Yet it is still not worth my time to monitor both white and blackhat security sites daily.
talked with an ISS guy (Score:4, Interesting)
I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.
This is just priceless though, I wish that guy a hearty Nelson "har har".
Knoppix (Score:5, Interesting)
Surely you could still access the data and copy it onto another hard disk, burn it to CD or copy it to a USB pen by running Knoppix [knoppix.net].
Re:This is crazy (Score:3, Interesting)
Viruses for Linux are not likely to be very damaging. To do such things (i.e. overwrite the first blocks of a hard disk), the virus would have to be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have an ssh account on the computer.
It's easier in a Windows environment to do big remote damage because many programs and servers run with administrator rights, which is the case for this firewall software. In Linux, all the firewalling stuff is based on netfilter/iptables: netfilter in kernel space, and iptables as the super-user interface. The benefit of having firewalling facilities in kernel space, integrated with the TCP/IP code, is that the size of the potentially insecure code is quite small, whereas in Windows all the security stuff is a user-space developer's responsibility.
I know this may look like a troll. But Windows security design is a disaster, and I don't think this will really change soon.
Re:Stick to hardware routers and firewalls... (Score:2, Interesting)
Like this [slashdot.org]?
Re:One question, and one answer. (Score:5, Interesting)
If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.
My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.
In Windows you can't even tell what's running, let alone shut it off. There are many ports that get attached to every interface and no way to fix it.
The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something.
Re:Software offers other features too... (Score:3, Interesting)
If you're so cheap you can't see spending $200-250 or so for a hardware firewall/router product to protect your development web/database server, then the product you're developing must not be of much value to you?
Honestly, if money is really too tight and $200 is too much to spend on security, I'd look at Linux-based solutions running on an older, dedicated PC. I've seen several really nice firewall products you can download free ISO images of and burn to a CD-R install disc, for non-commercial use. I'd feel much safer having my firewall on a separate, dedicated box than running as a service on my desktop (where it's impacting my CPU and RAM usage, too).
first few sectors? (Score:3, Interesting)
I'd hardly call 2GiB a few sectors...
Re:One question (Score:3, Interesting)
Re:where are all the virus's that do real damage? (Score:4, Interesting)
Re:Stick to hardware routers and firewalls... (Score:2, Interesting)
Why do I know this??? Because my roommate's Win XP laptop got infected, while he was updating to prevent infection, off of my network. We started noticing massive slowdowns of the network. When I started BlackICE back up I noticed it had been running the entire time and had logged every attempt his machine made to infect my Windows desktop.
Of course the Linux box never gave a shit; she just kept humming along. (Read that any way you want.)
Erm... remote root indicates a vulnerable service. (Score:3, Interesting)
And _that_ I've never heard of (except in the case of BlackICE and ZoneAlarm)
Re:Stick to hardware routers and firewalls... (Score:5, Interesting)
Re:Thats what you get (Score:3, Interesting)
Re:where are all the virus's that do real damage? (Score:4, Interesting)
Doesn't seem to help. In theory you are correct: a person who runs a virus scanner with automatic updates and autoscan should be pretty damn secure. This only works in environments where the end user either keeps their PC on 24/7, or doesn't shut off the damn scanner every time they turn on their PC to use it.
From what I've observed, the people who are not familiar with PCs who own them see a scanner popup and just close it down, as it slows down their computer when they want to use it... and never take the time to reschedule the scan. Worse, they yell at you if they catch a virus / worm / spyware, without taking into account that they are the ones who told their computer to stop scanning for viruses.
Re:points for speed and damage (Score:2, Interesting)
You mean virus? (Score:1, Interesting)
Worms flood, use up resources, crash computer systems, etc. They don't overwrite files. So I believe "Witty" is just another script-kiddie virus. After all... it doesn't take that much knowledge to make Windows unbootable. Just Deltree it with a batch file... =/
Re:Recovery Tool (Score:5, Interesting)
Wow. How is this 'offtopic'?
Am I the only one who, nearly every week, recovers a client's "valuable data" using Knoppix when something has eaten Windows alive? (And sometimes Windows eats itself alive, unfortunately.)
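Before pulling data off with a live CD it helps to know whether the partition table survived, because that decides whether you can mount partitions normally or have to carve the filesystem out of the raw disk. The following is an added example, not code from the original comment or from Knoppix: it reads the first sector of a device or image and classifies it as intact, wiped (all zeros) or damaged (signature missing or no usable entries). The classic MBR layout it parses is the standard one; the sample MBR and its partition geometry are constructed here for illustration.

```python
"""Check whether a disk's first sector still holds a usable partition table.

Added example; not code from the original page or from Knoppix. The classic
MBR layout it parses (partition table at byte 446, four 16-byte entries,
0x55AA signature at byte 510) is the standard one; the sample MBR below is
constructed here and its partition geometry is made up for illustration.
"""
import struct
from typing import Dict, List

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte MBR partition entry (the CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes) -> Dict[str, object]:
    """Classify the first sector as 'intact', 'wiped', or 'damaged'.

    'wiped' means every byte is zero. 'damaged' covers the other failure
    modes: boot signature gone or no usable partition entries, which is
    what an overwrite with arbitrary data looks like.
    """
    if len(sector) < MBR_SIZE:
        raise ValueError(f"need at least {MBR_SIZE} bytes, got {len(sector)}")
    sector = sector[:MBR_SIZE]
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions: List[Dict[str, int]] = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = parse_partition_entry(sector[off:off + PART_ENTRY_SIZE])
        if entry["type"] != 0 and entry["sectors"] != 0:
            partitions.append(entry)
    if not any(sector):
        verdict = "wiped"
    elif signature_ok and partitions:
        verdict = "intact"
    else:
        verdict = "damaged"
    return {"signature_ok": signature_ok, "partitions": partitions,
            "verdict": verdict}


def inspect_device(path: str) -> Dict[str, object]:
    """Read the first sector of a block device or image file and inspect it.

    Under a live CD this is e.g. inspect_device('/dev/sda'), run as root.
    """
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(MBR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed MBR: one bootable NTFS-type (0x07) partition at LBA 63."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"          # stand-in for boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 4_194_241)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


SAMPLE_MBR = build_sample_mbr()
ZEROED_MBR = bytes(MBR_SIZE)


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_MBR), ("zeroed", ZEROED_MBR)):
        result = inspect_mbr(data)
        print(name, result["verdict"], result["partitions"])
```

If the verdict is "intact", the partition offsets it returns are what you would hand to a loop mount; if it is "wiped" or "damaged", mount attempts will fail and the recovery has to go through filesystem-signature carving instead, which is a different job than the quick Knoppix copy the comment describes.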
Re:where are all the virus's that do real damage? (Score:3, Interesting)
CTOs, CIOs and IT management need to have their asses bitten really fricking hard so they will tell accounting to screw themselves and actually start running corporate IT like it is supposed to be. The last 2 that ran rampant in the company were because the morons have everyone set as administrator in the domain security policies; they also refuse to block yahoo.com, hotmail.com and other web email sites at the proxy or use any common sense or other real solutions to keep us running securely and smoothly.
On the other hand, it will take only one guy who just finished the Cure For MS or Cancer to lose all his research because of it for me to feel really sick for even thinking or suggesting it.
Damned two-edged swords... can't we just get a good mace and start smashing?
Re:for the virus experts... (Score:2, Interesting)
You could write an x86 asm routine that did not make an OS call. So it would not care what OS it is running on. I used to write my own string copy routines that would work on any OS.
But if you take out all access to OS-related functions you don't have much you can do. No reading or writing files, unless you want to try and write a file system into it that would interface with the hardware to read any file system. No access to network interfaces, unless you wrote and added drivers for any hardware the machine might have. And so on.
So basically you can write an OS that does not talk to a host OS; that is what Linux, Windows, BeOS, and all of those do. But it would not be a very small thing if you wanted to read the user's files and send them somewhere.
Re:Hardware FireWalls (Score:3, Interesting)
Well, this site [batbox.org] seems to disagree that your old pentium II box is more flexible than at least some linksys routers.
Re:for the virus experts... (Score:2, Interesting)
The only gotcha I see in the answer would be that the original question was asking if you could write a virus that would run on any (or multiple) OSes. That takes the requirement of an executable file out of it.
If somehow you could get a buffer overflow or something that jumped to your code (which would be OS-specific I guess) you could then execute any "pure" x86 code you wanted. I just don't see it being able to do a whole lot. Best/worst case would be to directly talk to an IDE interface and corrupt drive 0. That would probably require the original exploit to be in the kernel of the infected OS; otherwise I think pretty much all OSes block user code from that low-level access.
But you are right, there is probably going to have to be some OS-dependent code in there somewhere to get it started. And it would be some pretty nasty code.
Windows == Unix in 1988 (Score:3, Interesting)
I'm sure those who were around will remember the whole darned internet grinding to a halt when the Morris worm came out in 1988.
Can someone tell me why open systems basically learned their collective lesson on one big event and it never happened again, while Microsoft products get the beatdown at least once every ninety days and nothing changes?
The picture someone else makes to represent what they think is the best method to communicate to someone else what the computer is doing is a pretty sad thing when compared to the results that come from having your very own picture in your head.
You point and click types can whine, but vi
Re:Stick to hardware routers and firewalls... (Score:2, Interesting)
Jaysyn
Re:Stick to hardware routers and firewalls... (Score:3, Interesting)
Even if your firewall gets rooted, you can just click "revert" and it'll be back to normal. Or you can pause it and make a copy for forensic analysis, and switch to a different firewall VM.
Of course you'd need to buy more RAM, and make sure you have enough HDD space. Still, a firewall VM doesn't need very much RAM or disk; 32-64MB RAM and 1GB of space should be more than enough if you stick to text configs and basic stuff.
Re:Stick to hardware routers and firewalls... (Score:2, Interesting)
It's probably loading as a hidden kernel driver. I'm running Norton Personal Firewall, and it loads several kernel drivers. Download sc (Service Controller) [microsoft.com] from Microsoft to see which services are loading at boot time. Use this command to find BlackIce's:
Disable any you find with this command: Believe it or not, MS's GUI service tools don't show all of the services. Take a look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi
Re:How to firewall dialup? (Score:2, Interesting)
I'm not a kernel hacker but I would like to try and keep things straight in my head. In PCI ethernet networks, the ethernet card gets attached to kernel mem locations and a firewall attaches itself between kernel mem locations and the userspace programs that they serve. PPP, from my limited knowledge, gets attached to completely different kernel mem locations and dialup networking userspace programs are allowed to pass PPP mem locations to IP mem locations such that most userspace programs have no trouble getting the info they need from the TCP/IP environment.
So this brings up the interesting question: are there bugs in the PPP components of modern kernels which can be exploited before any commonly available firewalls can filter the packets from the IP stack?
I don't know. Feel free to correct me on the diagram.
Re:where are all the virus's that do real damage? (Score:2, Interesting)
Re:talked with an ISS guy (Score:2, Interesting)
Our HQ is in Dunwoody on Barfield Rd.. It is a truly impressive campus and a really nice place to work.
I very frequently hear the people refer to the location of that sign as our HQ. It's almost worth it to take that thing down.