"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
Stick to hardware routers and firewalls... (Score:5, Insightful)
Re:Stick to hardware routers and firewalls... (Score:5, Insightful)
Re:Stick to hardware routers and firewalls... (Score:5, Funny)
People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes.
Re:Stick to hardware routers and firewalls... (Score:2, Funny)
Recovery Tool (Score:5, Insightful)
Re:Recovery Tool (Score:5, Interesting)
Wow. How is this 'offtopic'?
Am I the only one who, nearly every week, recovers a client's "valuable data" using Knoppix when something has eaten Windows alive? (And sometimes Windows eats itself alive, unfortunately.)
Re:Stick to hardware routers and firewalls... (Score:5, Interesting)
Or if you prefer... (Score:4, Funny)
How 1980s. Yikes.
Re:Stick to hardware routers and firewalls... (Score:2, Informative)
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
Re:Stick to hardware routers and firewalls... (Score:5, Insightful)
luser: "It says someone might be trying to break into my computer! How can I stop them?"
Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
luser: "But BlackICE says it might be an attack!"
Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."
For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parents' or novice friends' computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.
Re:Stick to hardware routers and firewalls... (Score:5, Insightful)
I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to
I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and blackice catches server-attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.
N.
Re:Stick to hardware routers and firewalls... (Score:4, Insightful)
The problem with someone that claims to protect you from something is that they will make a lot of noise about all the things they're supposedly protecting you from, so that you think they're making you safe. Those crappy Windows firewalls do that, as well as AV software. For a non-software example, look at how US prosecutors love to bring cases for "terrorism" and make lots of noise about it, even if those cases all get thrown out of court.
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then? All of your boxes are potentially vulnerable instead, that's what. Trusting your security to a single product, hardware or software, is a disaster waiting to happen, and for some of ISS's customers it's probably happening right now.
Pretty much all SOHO routers have a firewall capability these days, and there are free "personal" firewall systems for all major OSs. If
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
I'd rather my hardware firewall be exploited and/or DoS'd because it doesn't have GB upon GB of data on it that could potentially be lost. And yes, I back up my data. A lot of users don't, though.
Be realistic (Score:5, Informative)
That's the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they should be giving away firewalls too.. they are just as cheap. ( though, yes I realize that they make their money via ink carts.. but you get my point )
Re:Stick to hardware routers and firewalls... (Score:3, Insightful)
The real problem here isn't soft vs. hard (although running a firewall on a different machine is always smarter), it's that firewall vendors are suffering from feature-creep and creating more exploitable situations. Man, have you seen a modern win firewall? It's not just port-blocking, it's everything they can toss in there - spam blocking, remote admin, ad blocking, 'smart' triggering, report generator, gives your
Erm... remote root indicates a vulnerable service. (Score:3, Interesting)
And _that_ I've never heard of (except in the case of BlackICE and ZoneAlarm)
Re:Stick to hardware routers and firewalls... (Score:3, Interesting)
Even if your firewall gets rooted, you can just click "revert" and it'll be back to normal. Or you can pause it and make a copy for forensic analysis, and switch to a different firewall vm.
Of course you'd need to buy more RAM, and make sure you have enough HDD space. Still, a firewall VM doesn't need very much RAM or disk; 32-64MB RAM and 1GB space should be more than enough if you stick to text configs and basic stuff.
One question (Score:4, Funny)
Re:One question (Score:4, Funny)
Re:One question (Score:2, Interesting)
For crying out loud - it's supposed to _protect_ your computer - not be a target for an attack... And an ISS product of all... yikes.
I think I'm going to stick to my debian / iptables. Never had a problem (3 years same install and still counting), and it does not thrash my HD
Re:One question, and one answer. (Score:5, Interesting)
If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.
My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.
In Windows you can't even tell what's running, let alone shut it off. There are many ports that get attached to every interface and no way to fix it.
The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something.
Re:One question, and one answer. (Score:3, Informative)
You can't tell what's running? This is very easy, actually. Try this:
To see what ports are currently listening:
netstat -an
To see what services are attached to what process:
tasklist /svc
To stop a process (until next boot):
sc stop _service_name_
To query a state of a process:
sc query _service_name_
Re:One question (Score:3, Interesting)
Re:One question (Score:3, Insightful)
Re:One question (Score:3, Insightful)
Nearly any vulnerability in ipfw or the Linux ipchains implementation that resulted in execution of arbitrary code would allow the attacker to write to the boot block of the disk, among other nasty things.
fp (Score:2, Funny)
IT WAS YOU!!! (Score:5, Interesting)
Re:fp (Score:4, Funny)
Ahhhh~
where are all the virus's that do real damage? (Score:5, Insightful)
Re:where are all the virus's that do real damage? (Score:5, Insightful)
If someone wrote a destructive netsky/bagle variant the email traffic on the Internet would probably drop in half overnight as infected machines got taken out.
Re:where are all the virus's that do real damage? (Score:4, Interesting)
Re:where are all the virus's that do real damage? (Score:5, Interesting)
Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.
Re:where are all the virus's that do real damage? (Score:4, Interesting)
Doesn't seem to help. In theory you are correct, a person who runs a virus scanner with an automatic update autoscan should be pretty damn secure. This only works in environments where the end user either keeps their PC on 24/7, or doesn't shut off the damn scanner every time they turn on their PC to use it.
From what I've observed, the people who are not familiar with PCs who own them see a scanner popup and just close it down as it slows down their computer when they want to use it... and never take the time to reschedule the scan. Worse, they yell at you if they catch a virus / worm / spyware without taking into account that they are the ones who told their computer to stop scanning for viruses.
Re:where are all the virus's that do real damage? (Score:3, Interesting)
CTO's, CIO's and IT management need to have their asses bitten really fricking hard so they will tell accounting to screw themselves and actually start running corporate IT like it is supposed to be. The last 2 that ran rampant in the company were because of the morons have everyone s
Re:where are all the virus's that do real damage? (Score:3, Insightful)
With that said, there are -plenty- of places on a windows machine where randomly writing 64KB of data would 'destroy the machine', but even that is recoverable. Data is harder to bring back, especially if you've made backups between getting infected and noticing the infection.
Nasty flaw (Score:5, Insightful)
Back in my day... (Score:5, Interesting)
Worms and Viruses caused DATA LOSS!
It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.
Thats what you get (Score:3, Insightful)
Re:Thats what you get (Score:5, Insightful)
Three words: application access privileges.
Re:Thats what you get (Score:3, Insightful)
You should still have a separate box to run the firewall on the edge of the network. But if you have stupid users or strict policies for use, you could run local software firewalls.
They are independent issues...
Re:Thats what you get (Score:3, Interesting)
Re:Software offers other features too... (Score:3, Interesting)
If you're so cheap, you can't see spending $200-250 or so for a hardware firewall/router product to protect your developmental web/database server - then the product you're developing must not be of much value to you?
Honestly, if money is really too tight and $200 is too much to spend on security, I'd look at Linux-based sol
Come on.... (Score:5, Funny)
Imprecise! (Score:2, Flamebait)
Don'tcha mean "Windows computers"?
Me and my Quantian box are browsing safely and recklessly.
On a less triumphant note, I'll eventually get called to fix Windows machines that suffer from that worm. How can you recover someone's data from an unbootable HD?
Re:Imprecise! (Score:3, Insightful)
Bolt it into a G4 Mac tower and pull files to your heart's delight.
Re:Imprecise! (Score:3, Informative)
NTFS, FAT, whatever...
I NEVER make a service call without a Knoppix CD with me..
Re:Imprecise! (Score:3, Funny)
"all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure,"
Google tells me Quantian is Knoppix/Debian.
http://www.iss.net/products_services/blackice.php
While there are RealSecure sensor nodes for Linux, the desktop software being referred to here is also a Windows product.
In other words, BZZZT! Thanks for playing the troll today.
Re:Imprecise! (Score:5, Informative)
Try running Testdisk: http://www.cgsecurity.org/index.html?testdisk.html [cgsecurity.org]
It comes as part of Knoppix I believe, and was a great help last time someone lost their partition table. After that, just fsck as normal.
Now that's powerful (Score:4, Funny)
I didn't know worms were so powerful now that they could melt a computer into a pile of toxic sludge. : /
-Colin [colingregorypalmer.net]
This is a perfect time to promote the expression (Score:5, Funny)
More cryptic acronyms to the people!
Re:This is a perfect time to promote the expressio (Score:3, Funny)
> More cryptic acronyms to the people!
That's MCATTP around here, chum.
Avoiding Viruses and Trojans (Score:4, Funny)
two striking things... (Score:5, Interesting)
First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses..Not a welcome change for the people who got hit by it of course :(
By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not [bugmenot.com] to find a login. Click here [bugmenot.com]
how do you lose the data? (Score:5, Interesting)
Sivaram Velauthapillai
Re:how do you lose the data? (Score:5, Insightful)
Re:how do you lose the data? (Score:5, Informative)
Overwrites 64k of data at random location,NOT MBR! (Score:3, Informative)
Re:how do you lose the data? (Score:3, Insightful)
Very sad. (Score:4, Insightful)
Oh... After all, what will it change ?
How does this thing spread? (Score:3, Interesting)
Infection (Score:2, Offtopic)
Well thanks Stewart. I'm glad to know I won't have to worry about the infection rate of AIDS once most people have AIDS.
-Colin [colingregorypalmer.net]
This is an interesting one, almost biological (Score:5, Informative)
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."
Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.
It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).
I think this will be with us for a while, particularly when mutations start showing up.
Re:This is an interesting one, almost biological (Score:4, Funny)
If the virus is active in memory when a program writes to a
There is just one problem. If the virus is detected and removed, the data will be useless because the virus will not be present to "de-garble" it when it is read back.
There is a more harmful side to this virus. If an attempt is made to write to a
Worthless govt agency (Score:5, Interesting)
"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
Hardware FireWalls (Score:3, Insightful)
I recommend Linksys
Those who depend on Windows Firewalling should beware also.. in fact I'm surprised it wasn't that firewall that was exploited in the first place.
Re:Hardware FireWalls (Score:3)
Much more customizable than a Linksys box. And you can add edge VPN at no cost.
With an extra card and some configuration you have a DMZ port.
You would have to spend >$300 for a low end Cisco router and VPN is probably extra...
Re:Hardware FireWalls (Score:3, Interesting)
Well, this site [batbox.org] seems to disagree that your old pentium II box is more flexible than at least some linksys routers.
Re:Hardware FireWalls (Score:5, Insightful)
>I recommend Linksys
I hate to disappoint you, but your linksys box is not a hardware firewall.
It is a dedicated microcomputer that runs a SOFTWARE firewall.
The potential for an exploit that pierces this firewall or erases all its program memory is not less than with the product currently under attack.
All firewalls can have bugs. This is determined by the quality of the software, and the fact that it runs in a small plastic box is not automatically going to improve that.
Calling it "hardware" isn't going to do that either.
Serves 'em right. (Score:4, Funny)
err, never mind.
Snort Detection (Score:4, Interesting)
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";
content:"|29202020202020696e7365727420
Found via http://isc.incidents.org/diary.html?date=2004-03-
After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.
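An added example (not code from the post, ISC or SANS) that re-implements the matching logic of the Snort rule above offline: a source port in 4000:5000 and the rule's hex content somewhere in the UDP payload. It also aggregates matches per source so a noisy worm produces one counter per host instead of thousands of database rows; the closing pipe of the content field, the record layout and the sample traffic are assumptions, and the traffic is constructed, not captured.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is hex (spaces allowed). Raises on an unclosed pipe."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content spec")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


# Content from the posted rule (assumed closing pipe, since the page truncates it).
# Decodes to b')      insert ' - the start of the worm's text marker.
WITTY_CONTENT = parse_snort_content("|29202020202020696e7365727420|")
# Snort's "4000:5000" port range is inclusive at both ends.
SRC_PORT_RANGE = range(4000, 5001)


@dataclass(frozen=True)
class UdpRecord:
    """Minimal UDP datagram view; a hypothetical stand-in for a decoded pcap record."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def matches_witty_rule(rec: UdpRecord) -> bool:
    """Same test the Snort rule performs: source port in range, content present."""
    return rec.src_port in SRC_PORT_RANGE and WITTY_CONTENT in rec.payload


def summarize(records: Iterable[UdpRecord], threshold: int) -> Tuple[Dict[str, int], List[str]]:
    """Count matches per source IP and list the sources at or above threshold.
    One counter per host is what you want instead of one DB row per packet."""
    counts = Counter(r.src_ip for r in records if matches_witty_rule(r))
    noisy = sorted(ip for ip, n in counts.items() if n >= threshold)
    return dict(counts), noisy


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    UdpRecord("198.51.100.7", 4000, "203.0.113.9", 31337,
              b"\x00\x01\x02\x03(^.^" + WITTY_CONTENT + b"..."),
    UdpRecord("198.51.100.7", 4000, "203.0.113.10", 1200, b"(^.^" + WITTY_CONTENT),
    # Content present but source port outside 4000:5000 -> rule does not fire.
    UdpRecord("192.0.2.5", 53, "203.0.113.9", 4000, WITTY_CONTENT),
    # Source port in range but benign payload -> rule does not fire.
    UdpRecord("192.0.2.6", 4500, "203.0.113.9", 5000, b"ordinary game traffic"),
]

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE, threshold=2)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} Witty matches")
    print("hosts over threshold:", noisy)
```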
First Hand Experience (Score:4, Informative)
My personal theory (Score:4, Funny)
Call me a troll if you will... (Score:4, Interesting)
A firewall is best a physical device between your network and the "great big intarweb". That way if your firewall IS compromised, you aren't immediately toast.
talked with an ISS guy (Score:4, Interesting)
I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.
This is just priceless though, I wish that guy a hearty Nelson "har har".
Knoppix (Score:5, Interesting)
Surely you could still access the data and copy it onto another hard disk, burn it to CD or copy it to a USB pen by running Knoppix [knoppix.net].
This is why... (Score:3, Insightful)
When will the Windows world (and, to a lesser extent, the *nix world) wake up and realize that putting all services on a single box is just asking for trouble?
A firewall should be a dedicated, hardened host that is easily rebuilt if compromised. A firewall should not be the only layer of security.
first few sectors? (Score:3, Interesting)
I'd hardly call 2GiB a few sectors...
Incorrect analysis? (Score:5, Informative)
The worm's functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
(emphasis mine)
points for speed and damage (Score:5, Insightful)
I've also updated my blog with all the relevant links and data [blogspot.com]. The speed of the worm creation is frightening, less than 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of Russian roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues its routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
Listed on the above blog are the following links:
eEye advisory
ISS advisory
lurhq analysis
SANS diary report
F-Secure writeup
Symantec writeup
Witty Worm Capture 1 and 2 (from dslreports.com)
and the text from SANS capture of the worm.
I've been capturing UDP traffic all day and hope to compile some more interesting information later on.
One wonders what else got in this way (Score:4, Insightful)
This is a huge hole. It requires no end-user action whatsoever to exploit. The "security" program it attacks is probably running with administrator privileges, even on locked down systems. There's no reason a packet filter should be able to write raw disks. In fact, if it still runs with those privileges, you want to get this "security" product off your system now. This might not be the only hole.
Shouldnt it be: (Score:4, Funny)
If you can read this message (Score:3, Funny)
Windows == Unix in 1988 (Score:3, Interesting)
I'm sure those who were around will remember the whole darned internet grinding to a halt when the Morris worm came out in 1988.
Can someone tell me why open systems basically learned their collective lesson on one big event and it never happened again, while Microsoft products get the beatdown at least once every ninety days and nothing changes?
The picture someone else makes to represent what they think is the best method to communicate to someone else what the computer is doing is a pretty sad thing when compared to the results that come from having your very own picture in your head.
You point and click types can whine, but vi
My WinXP box got hit with this (Score:3, Informative)
Re:Liability? (Score:5, Interesting)
Then I got to thinking, what about Microsoft, whose OSes and products have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of time.. remember the SQL one?
Read the User agreement Re:Liability? (Score:3, Informative)
In no way can you hold us responsible for loss of data, damage to your system bla bla bla.. basically use at your own risk.
Re: (Score:2, Insightful)
Re:What's the problem (Score:3, Insightful)
Who knows how Windows will interpret a partition table containing random data; it might boot far enough to write to the drive using a mistaken idea of how big the partitions are, reducing the chance of
Re:Oh no (Score:5, Informative)
Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation [sourceforge.net]. After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool [salvagentfs.com] that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.
If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".
Re:This is crazy (Score:3, Interesting)
Viruses for Linux are not likely to be very damaging. For doing such kind of things (ie. the first blocks of a hard disk), the virus should be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have a ssh account on this computer.
It's easier in a windows environm
Re:How... (Score:5, Informative)
Not so trivial... (Score:4, Informative)
NASTY worm. Definitely old-school in nature- I wondered when someone would get around to making something along these lines.
Re:Witty worm not just a computer parasite (Score:3, Informative)
Re:Is ZoneAlarm Vulnerable too? (Score:3, Funny)
As a Linux user.. (Score:5, Insightful)
We know Linux needs work before it's ready for prime time, just like we know that there are certain trade-offs between convenience and security.
I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).
So keep using your Windows PC in peace. It's got a lot of useful functionality and as a Gnome developer once suggested, the most secure operating system is the one you're comfortable with and can keep updated. As Linux gains marketshare you can bet some vulnerabilities will be found, some we'll expect and some we won't. Maybe you'll find it more appealing after it's had more time to mature. Don't let zealots color your opinions too much, they speak for themselves.
Re:Sucks to be a Windows user (Score:3, Insightful)
Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)
You should use Linux (or OSX,
Re:Sucks to be a Windows user (Score:4, Insightful)
You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Oh god shut up, shut up, shut the FUCK UP.
*cough*
Excuse me, but you can shove that condescending know-it-all attitude straight up your ass.
I use Windows because the overall experience, at least for Desktop use, has been better. Stuff actually works the way I expect it to. I plug in a firewire hard disk, it installs and loads drivers, and the partitions, if any, appear. Instantly. No going to linux1394.org, downloading a shell script, and hoping it works. I click a torrent in mozilla, or Explorer, or whatever, and it loads my Bittorrent client automatically. More recent distros are better, but you won't win anyone over with that attitude.
Last time I had reliability problems with windows, the hard disk was failing. But since I fixed that problem (which not even Linux is immune to) I've had ZERO problems booting. And to be honest, I haven't had any security problems.
Whoa, you think I'm lying, right?
No, I'm not. In the time I've been running 2K and XP, not once have I had:
A Trojan
A Worm
Spyware
Malware
of any sort have any sort of presence on my machine.
Granted, I run Mozilla, Apache (with a secured user-account of its own,) instead of the usual windows implements. Sometimes the opensource community does create stuff that truly JUST WORKS. At least they're smart enough to not get arrogant about it.
But for kicks I run without a firewall and as an administrator 100% of the time. Still waiting for all the problems you describe.
So, kindly, pull that stick out of your ass. Thank you.
Re:for the virus experts... (Score:3, Informative)
Yes, you can write x86 *CODE* that will run on any OS, by using BIOS interrupts, or even making different calls/checks to see what OS this is, and then using the appropriate system calls. But how to run this code?
Windows uses PE files, Linux uses ELF files, MacOS 9 uses data+resource forks...etc. It would take a hell of a lot of hacking the formats to somehow make the PE offsets correspond to the ELF offsets or somehow put both kinds of headers in the exec