Security Bug Operating Systems Software Windows

"Witty" Worm Wrecks Computers 587

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
  • by berniecase ( 20853 ) * on Saturday March 20, 2004 @08:58PM (#8623915) Homepage Journal
    Although they ain't perfect, at least they're not running on your computer. Yikes.
    • by U.I.D 754625 ( 754625 ) on Saturday March 20, 2004 @09:03PM (#8623964) Homepage Journal
      Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux's Netfilter or OpenBSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyways (like Cisco).
    • by Frambooz ( 555784 ) on Saturday March 20, 2004 @09:04PM (#8623970) Homepage
      "Although they ain't perfect, at least they're not running on your computer. Yikes."

      People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes.

    • I agree, except in some colo/hosted environments it's not practical or cost effective to have each customer on its own isolated firewall interface. In this environment a local firewall is better than nothing. Security should be applied in layers.
    • They call it security software and have services in listening state? Nobody seems to get it.
    • by hendridm ( 302246 ) on Saturday March 20, 2004 @09:12PM (#8624025) Homepage
      Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.

      luser: "It says someone might be trying to break into my computer! How can I stop them?"
      Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
      luser: "But BlackICE says it might be an attack!"
      Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."

      For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parents' or novice friends' computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.
      • by Nogami_Saeko ( 466595 ) on Saturday March 20, 2004 @09:20PM (#8624093)
        Well, blackice should probably default to logging, but not alerting about the most common scans and such, but it's certainly useful for detecting a large number of attacks coming from specific addresses or blocks.

        I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to :)

        I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and blackice catches server-attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.

        • Well, blackice should probably default to logging, but not alerting about the most common scans and such

          The problem with someone that claims to protect you from something is that they will make a lot of noise about all the things they're supposedly protecting you from, so that you think they're making you safe. Those crappy Windows firewalls do that, as well as AV software. For a non-software example, look at how US prosecutors love to bring cases for "terrorism" and make lots of noise about it, even if those cases all get thrown out of court.

    • Stick to hardware routers and firewalls

      And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then? All of your boxes are potentially vulnerable instead, that's what. Trusting your security to a single product, hardware or software, is a disaster waiting to happen, and for some of ISS's customers it's probably happening right now.

      Pretty much all SOHO routers have a firewall capability these days, and there are free "personal" firewall systems for all major OSs. If

      • And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then?

        I'd rather my hardware firewall be exploited and/or DoS'd because it doesn't have GB upon GB of data on it that could potentially be lost. And yes, I back up my data. A lot of users don't, though.
      • Be realistic (Score:5, Informative)

        by nurb432 ( 527695 ) on Saturday March 20, 2004 @09:37PM (#8624220) Homepage Journal
        The average joe isn't going to be monitoring any lists.. they will just ( hopefully ) plug in whatever box that came with their pc.. or at worst, accept defaults on software, which normally is useless..

        That's the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they should be giving away firewalls too.. they are just as cheap. ( though, yes I realize that they make their money via ink carts.. but you get my point )
      • >And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then?

        The real problem here isn't soft vs. hard (although running a firewall on a different machine is always smarter), it's that firewall vendors are suffering from feature-creep and creating more exploitable situations. Man, have you seen a modern win firewall? It's not just port-blocking, it's everything they can toss in there - spam blocking, remote admin, ad blocking, 'smart' triggering, report generator, gives your
  • by slash-tard ( 689130 ) on Saturday March 20, 2004 @08:58PM (#8623919)
    How can we blame M$ for this?
    • by dicepackage ( 526497 ) <<moc.liamg> <ta> <egakcapecid>> on Saturday March 20, 2004 @09:05PM (#8623977) Homepage
      Or better yet blame SCO.
    • Re:One question (Score:2, Interesting)

      by CodeMaster ( 28069 )
      How about: by generating the need to create a patchwork of protections on your OS...

      For crying out loud - it's supposed to _protect_ your computer - not be a target for an attack... And an ISS product of all... yikes.

      I think I'm going to stick to my debian / iptables. Never had a problem (3 years same install and still counting), and it does not thrash my HD ;-)
    • by iansmith ( 444117 ) on Saturday March 20, 2004 @09:42PM (#8624239) Homepage
      Actually, pretty easy.

      If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.

      My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.

      In Windows you can't even tell what's running let alone shut it off. There are many ports that get attached to every interface and no way to fix it.

      The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something. :-)
      • In Windows you can't even tell what's running let alone shut it off. There are many ports that get attached to every interface and no way to fix it.

        You can't tell what's running? This is very easy, actually. Try this:

        To see what ports are currently listening:
        netstat -an

        To see what services are attached to what process:
        tasklist /svc

        To stop a process (until next boot):
        sc stop _service_name_

        To query a state of a process:
        sc query _service_name_

    • Re:One question (Score:3, Interesting)

      by Epistax ( 544591 )
      They wrote the infectable software... they provide windows as a kill-all solution but don't package a real firewall... How can we not blame them?
  • fp (Score:2, Funny)

    by itallushrt ( 148885 )
    Insert "witty" first post comment
  • by Anonymous Coward on Saturday March 20, 2004 @08:59PM (#8623932)
    glad to see viruses doing some real damage now, I'm tired of these stupid viruses that just send out emails.. how weak, if we had more viruses that would wipe out entire systems then there would be some more pressure on software companies to fix things
    • by aenea ( 34844 ) on Saturday March 20, 2004 @09:10PM (#8624007)
      And more pressure on users to keep their systems patched up. It's a rare virus/worm that comes in through an unknown exploit.

      If someone wrote a destructive netsky/bagle variant the email traffic on the Internet would probably drop in half overnight as infected machines got taken out.
    • by JPriest ( 547211 ) on Saturday March 20, 2004 @09:16PM (#8624063) Homepage
      Why is this modded troll, it is a good point. If they wipe the disk clean they force the USER to police their own system, rather than forcing admins to try and police the mess of traffic caused by users that don't give a shit.

      Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.

    • I feel dirty for agreeing, but I do hope that the next one that spreads like fricking wildfire deletes the hell out of xls,ppt and doc files as well as sends flaming profanity to every email in the outlook global addressbook.

      CTOs, CIOs and IT management need to have their asses bitten really fricking hard so they will tell accounting to screw themselves and actually start running corporate IT like it is supposed to be. the last 2 that ran rampant in the company were because of the morons have everyone s
  • Nasty flaw (Score:5, Insightful)

    by BlueLightning ( 442320 ) on Saturday March 20, 2004 @09:00PM (#8623937) Homepage Journal
    It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(
  • Back in my day... (Score:5, Interesting)

    by Anonymous Coward on Saturday March 20, 2004 @09:01PM (#8623944)

    Worms and Viruses caused DATA LOSS!

    It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.
  • Thats what you get (Score:3, Insightful)

    by MajorDick ( 735308 ) on Saturday March 20, 2004 @09:01PM (#8623946)
    I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an appliance router/firewall that is GOOD for what 29 Bucks , that's what I just paid for my netgear wireless router. I have never understood why you would want to run the firewall on the actual connected system. Guess they can't say it's better than running nothing anymore.
    • by Anonymous Coward on Saturday March 20, 2004 @09:05PM (#8623974)
      I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an appliance router/firewall that is GOOD for what 29 Bucks , that's what I just paid for my netgear wireless router.

      Three words: application access privileges.
      • by jhoger ( 519683 )
        Well the disconnect is that most people think of firewalls as what protects them from the Internet. You are more interested in protecting your network from your users. That is a worthy goal.

        You should still have a separate box to run the firewall on the edge of the network. But if you have stupid users or strict policies for use, you could run local software firewalls.

        They are independent issues...
    • by neoThoth ( 125081 )
      Well to be honest I run blackice on some of my windows laptops *plus* the hw firewall at my perimeter. One can never be too careful. For laptops that travel and connect to random networks (borders wifi, client networks, etc) I like having the extra layer of protection. Plus if someone finds a 0day on my hw firewall I'd rather have at least some form of protection on each of the machines. Granted I'm thinking about finding some other sw fw to run on those machines now.
  • Come on.... (Score:5, Funny)

    by karlm ( 158591 ) on Saturday March 20, 2004 @09:02PM (#8623952) Homepage
    Do you really expect us to believe more than ten people worldwide run Windows on their firewalls? ;-)
  • "All computers", you sure?

    Don'tcha mean "Windows computers"?

    Me and my Quantian box are browsing safely and recklessly.

    On a less triumphant note, I'll eventually get called to fix Windows machines that suffer from that worm. How can you recover someone's data from an unbootable HD?
    • Re:Imprecise! (Score:3, Insightful)

      by djupedal ( 584558 )
      How can you recover someone's data from an unbootable HD?

      Bolt it into a G4 Mac tower and pull files to your heart's delight.
      • Re:Imprecise! (Score:3, Informative)

        by pair-a-noyd ( 594371 )
        Boot Knoppix too and pull anything you desire from ANY M$ formatted drive.
        NTFS, FAT, whatever...

        I NEVER make a service call without a Knoppix CD with me..

    • I'm sorry that you read so poorly. Here, let me help by quoting the relevant sentence for you:

      "all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure,"

      Google tells me Quantian is Knoppix/Debian.

      While there are RealSecure sensor nodes for Linux, the desktop software being referred to here is also a Windows product.

      In other words, BZZZT! Thanks for playing the troll today.
    • Re:Imprecise! (Score:5, Informative)

      by Xugumad ( 39311 ) on Saturday March 20, 2004 @09:57PM (#8624304)

      Try running Testdisk.

      It comes as part of Knoppix I believe, and was a great help last time someone lost their partition table. After that, just fsck as normal.
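
Before running a partition-recovery tool like the one mentioned above, a quick look at sector 0 of an imaged drive shows whether the boot signature and partition table are still sane. This is an added example, not part of the original post; the function names, the 1,000,000-sector disk size and all three sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510-511


def triage_mbr(sector0: bytes, disk_sectors: int):
    """Return (ok, findings, partitions) for the first sector of a disk image.

    partitions lists (type, first_lba, sector_count) for every used entry.
    """
    findings, parts = [], []
    if len(sector0) != SECTOR:
        return False, ["sector 0 is not 512 bytes"], parts
    if sector0[510:512] != SIGNATURE:
        return False, ["boot signature 0x55AA missing"], parts
    for i in range(4):
        raw = sector0[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        if raw == bytes(16):
            continue  # unused slot
        status, _, ptype, _, first, count = struct.unpack("<B3sB3sII", raw)
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: bad status byte 0x{status:02x}")
        if ptype == 0 or first == 0 or count == 0:
            findings.append(f"entry {i}: empty type, start or length")
        elif first + count > disk_sectors:
            findings.append(f"entry {i}: extends past end of disk")
        parts.append((ptype, first, count))
    ordered = sorted(parts, key=lambda p: p[1])
    for (_, a_first, a_count), (_, b_first, _) in zip(ordered, ordered[1:]):
        if a_first + a_count > b_first:
            findings.append("partition entries overlap")
    if not parts:
        findings.append("no partition entries")
    return not findings, findings, parts


def build_mbr(entries):
    """Constructed sector 0: zeroed boot code, the given entries, valid signature."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", first, count)
        for status, ptype, first, count in entries
    ).ljust(64, b"\0")
    return bytes(TABLE_OFFSET) + table + SIGNATURE


# Constructed samples (not taken from any real drive).
DISK_SECTORS = 1_000_000
HEALTHY = build_mbr([(0x80, 0x07, 63, DISK_SECTORS - 63)])   # one type-0x07 partition
OVERWRITTEN = bytes(range(256)) * 2                          # foreign data in sector 0
PARTIAL = HEALTHY[:TABLE_OFFSET + 8] + b"\xff" * 8 + HEALTHY[TABLE_OFFSET + 16:]

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("overwritten", OVERWRITTEN),
                         ("partial", PARTIAL)):
        ok, findings, parts = triage_mbr(sector, DISK_SECTORS)
        print(name, "OK" if ok else "DAMAGED", findings, parts)
```

Run it against a read-only image of the drive rather than the drive itself; a clean result for sector 0 says nothing about damage elsewhere on the disk.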

  • by CGP314 ( 672613 ) <CGP AT ColinGregoryPalmer DOT net> on Saturday March 20, 2004 @09:04PM (#8623969) Homepage
    Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones

    I didn't know worms were so powerful now that they could melt a computer into a pile of toxic sludge. : /

    -Colin
  • by Eudial ( 590661 ) on Saturday March 20, 2004 @09:06PM (#8623980)
    "FGTRGDI" (Feels good to run gnu/linux doesn't it?)

    More cryptic acronyms to the people!
  • by RGautier ( 749908 ) on Saturday March 20, 2004 @09:06PM (#8623985) Homepage
    Now that you've got yourself a computer system at home, you'll want to protect it from the evils of the Internet. Because Operating Systems are chock full of holes just waiting to be exploited, you should, at a minimum, take the following steps... Step 1. Go out and buy a firewall product for your machine. Also pick up some virus protection software. Step 2. Ok, now install the firewall software... Oh......Damn It!
  • by psycho_tinman ( 313601 ) on Saturday March 20, 2004 @09:07PM (#8623987) Journal

    First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses..Not a welcome change for the people who got hit by it of course :(

    By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not to find a login.

  • How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?

    Sivaram Velauthapillai
  • Very sad. (Score:4, Insightful)

    by lazy_arabica ( 750133 ) on Saturday March 20, 2004 @09:07PM (#8623990) Homepage
    Now, every windows user aware of this will believe a firewall is a great danger for his computer.

    Oh... After all, what will it change ?
  • by cmacb ( 547347 ) on Saturday March 20, 2004 @09:09PM (#8624000) Homepage Journal
    If the only thing this does is wipe out the hard drive, how does it spread to other systems? Is there a dormant version of this, or does it postpone doing the damage for a certain number of hours? The articles didn't explain.
  • Infection (Score:2, Offtopic)

    by CGP314 ( 672613 )
    "With all these hard drive problems, the infection rates are going to shrink pretty quickly as all these affected machines grind themselves to a halt," Stewart said.

    Well thanks Stewart. I'm glad to know I won't have to worry about the infection rate of AIDS once most people have AIDS.

    -Colin
  • by myowntrueself ( 607117 ) on Saturday March 20, 2004 @09:11PM (#8624015)
    From LURHQ

    "This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."

    Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.

    It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).

    I think this will be with us for a while, particularly when mutations start showing up.

  • by EvilStein ( 414640 ) <> on Saturday March 20, 2004 @09:12PM (#8624027)
    It's a weekend, why should they care about putting out their timely alerts, eh?

    "Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
  • Hardware FireWalls (Score:3, Insightful)

    by Bruha ( 412869 ) on Saturday March 20, 2004 @09:16PM (#8624062) Homepage Journal
    I'd advise anyone who depends on any kind of software firewall to go out and buy some sort of hardware firewall.

    I recommend Linksys

    Those who depend on Windows Firewalling should beware also.. in fact I'm surprised it wasn't that firewall that was exploited in the first place.
    • It's not necessarily even an issue of buying something. I used an old pentium II box running a customized Linux firewall distro to protect my network.

      Much more customizable than a Linksys box. And you can add edge VPN at no cost.

      With an extra card and some configuration you have a DMZ port.

      You would have to spend >$300 for a low end Cisco router and VPN is probably extra...
      • by rthille ( 8526 )
        ...customized Linux firewall distro...Much more customizable than a Linksys box.

        Well, this site seems to disagree that your old pentium II box is more flexible than at least some linksys routers.
    • by pe1chl ( 90186 ) on Sunday March 21, 2004 @06:05AM (#8626372)
      >buy some sort of hardware firewall.

      >I recommend Linksys

      I hate to disappoint you, but your linksys box is not a hardware firewall.
      It is a dedicated microcomputer that runs a SOFTWARE firewall.

      The potential for an exploit that pierces this firewall or erases all its program memory is not less than with the product currently under attack.

      All firewalls can have bugs. This is determined by the quality of the software, and the fact that it runs in a small plastic box is not automatically going to improve that.
      Calling it "hardware" isn't going to do that either.
  • by ljavelin ( 41345 ) on Saturday March 20, 2004 @09:17PM (#8624068)
    Hey, serves these folks right! I mean who'd be stupid enough to have a Windows machine on the internet without any kind of firewa...

    err, never mind.
  • Snort Detection (Score:4, Interesting)

    by Leme ( 303299 ) <(jboyce) (at) (> on Saturday March 20, 2004 @09:18PM (#8624074)
    Installed a snort rule this morning using:

    alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

    Found via 0 [].

    After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.
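
The rule in the post above tests two things: a UDP source port in 4000:5000 and a fixed byte string in the payload. The same check is sketched below as an added example (not part of the original post) with per-source alert suppression, so that a flood of matches yields counts instead of one stored record per packet. The `Datagram` record, the 60-second window and the sample traffic are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Content bytes from the rule in the post, written as contiguous hex.
WITTY_MARKER = bytes.fromhex(
    "29202020202020696e73657274207769747479206d6573736167652068657265"
)
SPORT_RANGE = range(4000, 5001)   # the rule's source-port range 4000:5000


@dataclass(frozen=True)
class Datagram:
    """Hypothetical record for one captured UDP datagram."""
    ts: float        # capture time in seconds
    src: str         # source address
    sport: int       # UDP source port
    payload: bytes


def matches_rule(d: Datagram) -> bool:
    """Same test as the rule: source port in range, marker anywhere in payload."""
    return d.sport in SPORT_RANGE and WITTY_MARKER in d.payload


def summarize(datagrams, window: float = 60.0):
    """Count every match per source, but raise at most one alert per source
    per `window` seconds. Returns (alerts, totals)."""
    totals = Counter()
    last_alert = {}
    alerts = []
    for d in sorted(datagrams, key=lambda x: x.ts):
        if not matches_rule(d):
            continue
        totals[d.src] += 1
        prev = last_alert.get(d.src)
        if prev is None or d.ts - prev >= window:
            last_alert[d.src] = d.ts
            alerts.append((d.ts, d.src))
    return alerts, totals


def _marked(pad: int) -> bytes:
    # Constructed stand-in payload: zero filler around the marker, no worm code.
    return b"\x00" * pad + WITTY_MARKER + b"\x00" * 8


# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Datagram(0.0, "192.0.2.10", 4000, _marked(100)),
    Datagram(1.0, "192.0.2.10", 4000, _marked(300)),
    Datagram(2.0, "192.0.2.10", 4000, _marked(40)),
    Datagram(5.0, "198.51.100.7", 4000, _marked(200)),
    Datagram(7.0, "203.0.113.5", 53, _marked(10)),       # marker, port out of range
    Datagram(9.0, "192.0.2.10", 4000, b"\x00" * 64),     # port in range, no marker
    Datagram(61.0, "192.0.2.10", 4000, _marked(150)),
]

if __name__ == "__main__":
    alerts, totals = summarize(SAMPLE)
    for ts, src in alerts:
        print(f"{ts:7.1f}s ALERT Witty Initial Traffic from {src}")
    for src, n in totals.items():
        print(f"{src}: {n} matching datagrams")
```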
  • by tuckericj ( 658475 ) on Saturday March 20, 2004 @09:19PM (#8624083)
    This is indeed a particularly nasty worm. Several other divisions of my company are battling infections. The master boot record on an infected host is almost certainly destroyed by this little dandy and any host which might have been rebooted before an infection is detected is inoperable. Thankfully it is only the relatively recent versions of the software packages that are affected. The divine combination of wisdom and laziness has found this systems administrator blessedly behind the times. The decision to stop upgrading our ISS tools in favor of a push towards OSS now seems all the more prescient. For those in the community who expect big businesses to flop over to OSS immediately, don't hold your breath. Nothing happens overnight because big business is slow, no matter how fast the company's advert department declares them to be. We've been actively switching systems over to Linux and OSS for two years now, but the average depreciation cycle means that it takes a minimum of 5 years to switch over an environment, and that only if you put a stake in the ground. Realistically it takes 7 to 10 years to switch over an IT environment in a company which judges IT investment solely on Cost Benefit Analysis.
  • by PacoTaco ( 577292 ) on Saturday March 20, 2004 @09:22PM (#8624110)
    I bet this worm was written by a disgruntled network administrator sick of those "I'm being attacked" emails.
  • by TheRealMindChild ( 743925 ) on Saturday March 20, 2004 @09:23PM (#8624127) Homepage Journal
    but this is inherently why the idea of a firewall LOCAL to the system it is protecting is a ... shall I say "retarded" idea.

    A firewall is best a physical device between your network and the "great big intarweb". That way if your firewall IS compromised, you aren't immediately toast.
  • by jeramybsmith ( 608791 ) on Saturday March 20, 2004 @09:30PM (#8624173)
    I was on a scuba cruise and there was a guy from ISS onboard. He was bragging to me about how ISS had all these 18 year old uber-crackers with fast cars and no college degree making their products.

    I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.

    This is just priceless though, I wish that guy a hardy Nelson "har har".

  • Knoppix (Score:5, Interesting)

    by amembleton ( 411990 ) <aembleton AT bigfoot DOT com> on Saturday March 20, 2004 @09:32PM (#8624181) Homepage
    The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data.

    Surely you could still access the data and copy it onto another Hard disk, burn it to CD or copy it to a USB pen by running Knoppix.

  • This is why... (Score:3, Insightful)

    by .@. ( 21735 ) on Saturday March 20, 2004 @09:40PM (#8624235) Homepage
    This is why having a firewall running on the machine(s) it's supposed to protect is idiotic.

    When will the Windows world (and, to a lesser extent, the *nix world) wake up and realize that putting all services on a single box is just asking for trouble?

    A firewall should be a dedicated, hardened host that is easily rebuilt if compromised. A firewall should not be the only layer of security.
  • first few sectors? (Score:3, Interesting)

    by Anonymous Coward on Saturday March 20, 2004 @09:46PM (#8624255)
    From looking at the disassembly it looks more like it sends 20000 copies of itself to random destinations, then tries to open one of HD0-7, if the open fails it goes back to sending, if it succeeds it overwrites a random 64kB-aligned 64kB chunk of the first 2 GiB with some data, reseeds the prng and goes back to sending, if the open fails it simply loops back to sending another 20k copies.

    I'd hardly call 2GiB a few sectors...
  • Incorrect analysis? (Score:5, Informative)

    by James_G ( 71902 ) <james.globalmegacorp@org> on Saturday March 20, 2004 @10:22PM (#8624494)
    According to this analysis, it does a lot more than corrupt the first few sectors of the drive:

    The worm's functionality is as follows:

    1) Generates a random IP address
    2) Sends the worm payload
    3) Repeats steps 1-2 20,000 times
    4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
    5) Seeks to a random point on the disk
    6) Writes 65K of data from the beginning of the vulnerable DLL to the disk

    7) Closes the disk
    8) Starts the process over from step 1

    (emphasis mine)

  • by neoThoth ( 125081 ) on Saturday March 20, 2004 @10:26PM (#8624530) Homepage
    Well I'm glad this was posted on slashdot even though I had submitted this *hours* before.
    I've also updated my blog with all the relevant links and data. The speed of the worm creation is frightening, less than 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of Russian roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues its routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
    Listed on the above blog are the following links:
    eEye advisory
    ISS advisory
    lurhq analysis
    SANS diary report
    F-Secure writeup
    Symantec writeup
    Witty Worm Capture 1 and 2 (from
    and the text from SANS capture of the worm.

    I've been capturing UDP traffic all day and hope to compile some more interesting information later on.
  • by Animats ( 122034 ) on Saturday March 20, 2004 @10:54PM (#8624705) Homepage
    Every time there's some high-profile attack that exploits a huge hole like this, there are probably other attacks using the same hole. Ones that quietly break in, look for interesting data like credit card numbers, transmit to a remote system, and exit.

    This is a huge hole. It requires no end-user action whatsoever to exploit. The "security" program it attacks is probably running with administrator privileges, even on locked down systems. There's no reason a packet filter should be able to write raw disks. In fact, if it still runs with those privileges, you want to get this "security" product off your system now. This might not be the only hole.

  • by _ph1ux_ ( 216706 ) on Saturday March 20, 2004 @11:06PM (#8624754)
    "Witty" Worm Wrecks Workstations!
  • by Chatmag ( 646500 ) <> on Sunday March 21, 2004 @02:41AM (#8625778) Homepage Journal
    "Witty" Worm did not destroy your system.
  • by puzzled ( 12525 ) on Sunday March 21, 2004 @04:06AM (#8626090) Journal

    I'm sure those who were around will remember the whole darned internet grinding to a halt when the Morris worm came out in 1988.

    Can someone tell me why open systems basically learned their collective lesson on one big event and it never happened again, while Microsoft products get the beatdown at least once every ninety days and nothing changes?

    The picture someone else makes to represent what they think is the best method to communicate to someone else what the computer is doing is a pretty sad thing when compared to the results that come from having your very own picture in your head.

    You point and click types can whine, but vi /etc/ipf.rules ; ipf -Fa -f /etc/ipf.rules hasn't done me wrong yet ...

  • by Axisted ( 581252 ) on Sunday March 21, 2004 @09:06AM (#8626771)
    [accidentally posted this in the hardware router anonymously] After running BlackICE for less than a week, curious to see for myself what it was capable of, I was unlucky enough to get hit with this and lucky enough to kill it after it ran for an hour and half (blackd.exe opened port 4000 locally at 5:17 gmt, Mar.19.) It doesn't appear to have done any damage though, certainly not to my MBR (though if it randomly writes to any sector I don't think there was a chance of this,) but I'm certain it sent more than the 20,000 needed to trigger the junk data being written in the 90 minutes it ran. With no record of the packets it sent, I do have a record of nearly 10,000 angry ICMP responses, the bulk of which are from a single address which first caused me to believe my IP was being spoofed, but I suspect this represents a fraction of the addresses it successfully sent to (locally it attempted to send ~6GB at 10Mb/s.) Up until now I've never felt the need for a hardware router.
