Witty Worm Kick-Start Methods Revealed 150
voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
Source (Score:5, Interesting)
This part is both very interesting and very scary. There has been speculation recently that many of the 'security' firms are sitting on vulnerabilities for unusually long periods of time. In my experience, eEye and ISS seemed relatively reputable (eEye in particular), so this statement is somewhat shocking.
I suppose it just takes one jackass employee to start speculation. Hopefully, if it really was an inside matter, the companies find and report the person responsible.
Re:Source (Score:2, Interesting)
Only if you make the same assumption these "experts" did: that ONLY people who worked with eEye could have POSSIBLY figured out that there was an exploitable hole, and that nobody else out there in the world had any idea how to go about looking for them.
Re:Source (Score:1)
The day after they went public with the hole.
Whos to say this virus wasn't ready to run and just waiting for an exploitable hole to complete the project?
This is nothing but 0 (1) day expl0its.
Re:Source (Score:2)
Re:Source (Score:2)
Coulda been someone inside, or coulda been someone else who figured out the bug in ISS's software. They write security software, ferchrissakes, it seems like crackers around the world would have their sights trained
Re:Source (Score:3, Interesting)
It's been speculated for years that the best way to create a worm that does maximum damage in minimum time would be to first find a vulnerability, then search the internet for a long list of vulnerable computers. Program this list into the worm, and then set it free. Every time it infects a new computer, it spreads to additional computers, but all of the 2nd generation computers have only half the origional list, and so on, until for example the 5th generation has 1/16th of the origional list. Maximum in
Re:Source (Score:2)
http://www.icir.org/vern/papers/cdc-usenix-sec02/ [icir.org]
Re:Source (Score:2)
Its the HITLIST which is the biggest suggestion... (Score:4, Insightful)
Not being an insider it would still have been possible to write the worm (36 hours only, but it is doable considering how small the worm is), although the interesting part would be how the outsider knew who to hit.
Also... (Score:4, Interesting)
Re:Also... (Score:2)
Of course, scanning large swathes of IP space may not be a great idea if you want to cover your tracks, but run these scans from compromised machines....
Re:Also... (Score:2)
Really? (Score:2)
Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP,
You say:
Whoever wrote the worm had to know in advance about the military base and others in the hitlist.
I'm not sure about either. How rare is an exploit that grew to 12,000 hosts in 75 hours? How much inside knowledge do you have to have to know what services any military base is running? Don't they all run the same
well... (Score:2)
In which case, why hitlist? You just write the whole worm.
Thus in order to create the hitlist, specialized knowledge (the customers in the hitlist) would be needed.
Re:Source (Score:1)
- blackhat uses the exploit for general cracking
- exploit gets published
- blackhat thinks "Darn, gotta cover my tracks and generate some confusion", and starts the worm
No insider information neccessary in this scenario to explain the quickness
Re:Source (Score:2)
(just conjecturing)
Coded quickly? (was: Source) (Score:5, Interesting)
In the case of the Witty worm, with it's pre-determined hit list, it seems likely that reconnaissance was performed before the vulnerability was announced. In fact, the bulk of the worm code might have been sitting around, waiting for the next buffer overflow exploit to come around.
Likewise, the author of the worm might have known about the product defect for months or years before it was announced. They may have exploited it quietly for other purposes, and launched the worm once the defect was announced. Kids sometimes do this out of spite -- if another kid wants to play with their toy, they will sometimes break it.
It's not necessary that the cracker be inside the security company that found and announced the defect, nor be inside the company that made the product.
Re:Coded quickly? (was: Source) (Score:2)
Say it ain't so!
At least it had a sense of humor (Score:4, Funny)
Re:At least it had a sense of humor (Score:1)
Ah, but did it have an American sense of humor, a Canadian sense of humour, a British sense of humour, a French sense of geste, or a German sense of gutlich?
A joke in C frequently won't translate into Java. But it will spill the beans.
Re:At least it had a sense of humor (Score:1)
I've been through several virus scrapes, Slammer, Melissa, Blaster, etc, and I have never seen one hit so fast, and so hard, as this one did. Makes me really miss sneakernet. At least you kne
Re:At least it had a sense of humor (Score:2)
Wow.
Just. Wow.
Flawed worm (Score:4, Funny)
So, the witty worm was not complete. Would that make this worm a half-wit?
Re:Flawed worm (Score:1)
Re:Flawed worm (Score:2)
Re:Flawed worm (Score:1)
Re:Flawed worm (Score:2)
Waxed? (Score:1)
Re:Waxed? (Score:2)
It would periodically delete random sections of the disk.
Re:Waxed? (Score:5, Funny)
Re:Waxed? (Score:1)
Suffice it to say, I've gone through a few drives.
Re:Waxed? (Score:2)
Re:Waxed? (Score:2)
Re:Waxed? (Score:5, Informative)
So essentially, yes.
It was a really nasty character. In fact, I don't know if there have ever been nastier ones. Most of the worms feel more like social engineering proofs of concept than anything else. This one was actually intentionally destructive, which is pretty rare.
D
Re:Waxed? (Score:1)
These days -- yeah... but there was a time when viruses were designed primarly for intentinal destruction. Anyone remember the Monkey virus?
Re:Waxed? (Score:1)
Re:Waxed? (Score:2, Informative)
Re:Waxed? (Score:4, Interesting)
Depends on what you mean by "nastier".
* In terms of total damages, Blaster [wikipedia.org] and Sobig [wikipedia.org] are the record holders.
* Compared to the number of machines on the internet at the time, the Robert Morris Internet Worm [mit.edu] would take the record - it took out about 1 in 10 machines on the internet (ironic for a worm that was intended to spread slow enough that it wouldn't be noticed - whoops!).
Personally, I was really annoyed by Code Red's spamming of my apache logs
Re:Waxed? (Score:2)
i define a virus/worm as being really nasty if it actually destroys or manipulates user data pretty much anything else is annoying but not a major loss.
Re:Waxed? (Score:2)
Personally, I wanted to hurt the little bitch who wrote it, after it hosed my IIS box.
The difference between apache boxes and IIS seems to be "continual amused annoyance" vs. "continual fear of sudden, unexpected Pwnag3"...
Re:Waxed? (Score:2)
Anything else is relatively easy to recover from. Loss of data lasts a lifetime.
Being annoyed is very different from having your life's work potentially lost. And how many people have really good backups?
How do you back up a 1tb disk, anyway?
D
Re:Waxed? (Score:4, Insightful)
1) It naturally limits its growth by taking its hosts offline.
2) It makes sure it's going to be a blast, not a neverending wave like Code Red (of which we still get some infection attempts every week).
3) This makes it ultimately *less* dangerous than most current worms.
4) It has written WATCH DIS, YOU ARE SO OWNED WHEN I DECIDE TO RELEASE THE REAL ONE all over it. Most people don't seem to get this. Believe me, the people making a living from IT security are getting it. Those who don't won't be there after the next one which will *not* limit its growth, but instead adapts a more biological approach. Most security flaws aren't patched for weeks or months, so you have a reasonable timeframe in which you can slowly grow a starting population if you're being a good boy and just sending some queries for new victims with the normal boosts of internet traffic on your host.
I personally find this a *very* elegant approach.
As we're talking about it, to me all of this stuff still is amateur crap. I mean hey, look at it. They immediately catch everyone's attention. They saturate pipes, they hog ressources. They're too loud. They spread fast enough to be detected. They can be easily grepped off the network. (When I wrote assembler back in the early 80s, there were several illegal opcodes which did essentially the same and were just not documented, so you can obfuscate anything by randomly exchanging the illegal opcodes of every instruction before passing it on to the next host, so if you also have the option to mask as legitimate traffic... you can write the payload ahead of time and just wait for some holes that are likely not patched for a while, put them in an off you go. I could go on and on, but the point is, today's worms and virii are just amateur crap, like the first attempts of mankind to build airplanes.
Then again, I'm quite sure there at least some 'skilled' people out there just calmly develop their high-end worms and work at cross-platform compatibility for building multi-million-machine bot nets just because. Maybe something like this is out already, behaving like a good boy and waiting to wake up. I find this a very interesting thing to watch, as it *will* eventually happen.
I just hope that I won't be hit too hard when it comes. Until then, remember that if your data is valuable to you, always backup, and also on removable media (and yes, copy that stuff to new media every once in a year). Yes, I'm talking of your more than 10000 pictures of the family and kids, and all that email you love to keep around from 1990.
Re:Waxed? (Score:2)
So what was the flaw? (Score:1)
Re:So what was the flaw? (Score:2)
Re:So what was the flaw? (Score:4, Insightful)
More likely I think there's a defect in the random number gnerator (RNG) it used. And the inital spread JUST HAPPENED to come from an address the RNG would never have generated, making it patient zero logically
Re:So what was the flaw? (Score:2)
Re:So what was the flaw? (Score:2)
If there was exactly ONE IP address that the RNG didn't cover, the chance of that one being the source would be 2^32... or about 1 in 4 billion.
Re:So what was the flaw? (Score:2)
Not exactly actually.
They used the Network Telescope data to find out who was sending Witty packets and found ONE address that was outside of the range of IP addresses that were covered by the (flawed) algorithm.,/p>
The set of IP addresses that are covered by the algorithm is what is called an "orbit" in the article (see it as if you had a base address, and go around this base address, trying all possibilities starting from that address).
One IP could not possibly belong to this set of possible IP ad
The flaw... (Score:5, Informative)
This is the bug: For a worm you don't want random, you want random COVERAGE. By doing the concatination, about 10% of the 32 bit address space is never generated.
The flaw for patient 0 was different: It was simply running different code, so it produced different random numbers.
Funny... (Score:1)
Re:Funny... (Score:1)
Re:Funny... (Score:2)
Re:Funny... (Score:2)
Thank you, thank you. I always appreciate my adoring fans!
No doubt it's stretching even more with that new enormous BK breakfast combo.
I hate Burger King. I like Panda Express better!
Dang it! (Score:3, Funny)
I always do that! I always seem to miss some mundane detail!
Re:Dang it! (Score:1)
This one time, me and my buds wrote a worm like they did in Superman 3 that rounded off a fraction of a cent and put it in an account we owned. Unfortunately, I misplaced the decimal point and it ended up taking a lot more than a fraction of a cent. My buddy Peter got totally pissed off, especially because this threatened his relationship with Jennifer Aniston. Anyways, we decided to just give all the money back and say "our bad" and hopefully just go to white collar resort prison.
L
Timeframe... (Score:3, Interesting)
[...]
The vulnerability was discovered by eEye on March 8, 2004 and announced by both eEye and ISS on March 18, 2004. ISS released an alert warning users of a possibly exploitable security hole and provided updated software versions that were not vulnerable to the buffer overflow attack.
I think there's a lesson in this: the only way to keep ahead of exploits is to demand software companies automatically patch your software against security flaws via the Internet when exploits are discovered -- before details are released.
Re:Timeframe... (Score:5, Insightful)
That's the last thing in the world I want happening in a production environment. Random companies patching random servers with 0 testing. .
For example look at the service packs from microsoft, many larger companies have yet to, and are unable to roll out service pack one for windows 2003 because they are still putting it through testing to make sure it doesn't break their existing setup. (this isn't to say they haven't patched as microsoft makes hotfixes and patches availble for people in these situations that can be applied as needed).
Re:Timeframe... (Score:2)
Re:Timeframe... (Score:1)
As a developer myself, I know that getting a patch right 1st time isn't always possible. We are after all only human.
I hate performing updates of my own code, let alone somebody elses.
Users' home systems are in dire need of cleaning up, and in the most part should/can be updated automatically.
Business machines are an entirely different ballgame.
Do you want to be the one who causes the stock market to crash, or even worse?
I agree that patches should be made ava
Anatomy of a worm (Score:3, Interesting)
Re:Anatomy of a worm (Score:1)
Re:Anatomy of a worm (Score:1)
I'm not paranoid (Score:1, Offtopic)
Re:I'm not paranoid (Score:2)
obviously. Because if you were paranoid you would have deleted windows.
Be paranoid (was: I'm not paranoid) (Score:3, Insightful)
This worm caused quite a stir in the security consulting community as a result. Professionals for years were recommending PC firewall products as part of a defense in depth strategy. The risk with these modern fancy host based firewalls is that they let the packet on the box and inspect it before deciding what to do.
Re:I'm not paranoid (Score:4, Informative)
Or if it's that important to you I trust a NAT firewall a lot more than I trust a software firewall.
I specifically asked some Microsoft guys about the Windows Firewall. To paraphrase their answer "Don't you dare try to protect a sensitive system with it but for consumers and especially laptop users who just need a security layer between them and the big bad world it works pretty good"
My translation: Windows Firewall on the gaming machine on DMZ. Everything else hides behind the NATting firewall (or a real ISS)
Re:I'm not paranoid (Score:1)
Its most effective as you say as a second line of defense, but I still recommend running it inside the lan.
Let the hardware wall protect you from the outside world, but your machines need protection from themselves.
Theres nothing worse than a worm bouncing around your internal machines.
Re:I'm not paranoid (Score:2)
Re:I'm not paranoid (Score:2)
How we laughed (Score:2, Funny)
CAIDA ?? (Score:3, Funny)
There's a frightening liability aspect of this... (Score:2)
It's also interested to see a return to data-destructive worms. I can't remember the last time I had to worry about a virus that would actually screw up my machine.
That
Re:There's a frightening liability aspect of this. (Score:2)
Thankfully, many systems worked around this virus by skipping right from 1999 to 19100.
Re:There's a frightening liability aspect of this. (Score:2, Informative)
Some variants of the popular email borne viruses in the last couple years have swept through not only local disk drives but also through connected "mapped drives", replacing many types of files including image files, html files, and so forth with copies of the virus. Much simpler than a worm, but very, very nasty.
RTFA? (Score:1)
Schneier Analysis (Score:5, Interesting)
Uhh (Score:2, Funny)
Re:Uhh (Score:2)
Re:Uhh (Score:1)
Slashdoted (Score:1, Flamebait)
http://www.caida.org/analysis/security/witty/anima tions/world_big-witty_2h.gif [caida.org]
http://www.caida.org/analysis/security/witty/anima tions/usa_big-witty_2h.gif [caida.org]
Prophylactics (Score:2)
> A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
And non-MS OSes protected another 10%...
Re:Prophylactics (Score:2)
or why 4k of memory is missing and CHKDSK only reports 651,264 free?
Ruining a disk is not new under the Sun....
Re:Prophylactics (Score:2)
Re:Prophylactics (Score:2)
only 10% of the internet? I didn't even feel it.. (Score:1, Insightful)
Re:only 10% of the internet? I didn't even feel it (Score:2)
They never said that all 90% of the remaining IPs were successfuly compromised.
Re:only 10% of the internet? I didn't even feel it (Score:3, Informative)
Are those wooden hard drives? (Score:1)
Last time I waxed my hard drive was back in the day when 300 baud was FAST. You know, when you hand-cranked the rheostats
What is this, a time-warp worm?
.
regarding the author of Witty (Score:5, Informative)
One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver [berkeley.edu] and Dan Ellis (of MITRE [mitre.org]), published in the June 2004 issue of ;login, [usenix.org] the
Usenix [usenix.org]
magazine.
Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.
Some insights about the worm author that Weaver and Ellis proposed:
The authors' conclusion is somewhat alarming, they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.
ThomasOne correction... (Score:5, Informative)
Knowing that it WAS a hitlist (that the author couldn't have scanned for in advance), makes it seem more likely that the author was an insider, someone with a relationship to ISS, rather than an outsider who worked fast, as the attacker had to know, in advance, the vulnerable systems needed to create the hitlist.
Re:One correction... (Score:2)
Even presuming that the author learned of the vulnerability at its public release, what would prevent him from scanning networks and comprising a list of installed (but uncompromised) software?
Everything short of the actual exploit could be ready to go, and a database of products and installation locations. Once an exploit is announced for a scanned product, the author needs to only code the exploit, load that product's list of installations, and fire.
-Zipw
Re:One correction... (Score:3, Informative)
Thus, because of this restriction (you need to exploit to scan, and you need to know the exploit to create a scanner), you wouldn't scan to create a hitlist, you would either know the hitlist in advance through some other means (an insider?) or just release the worm without a hitlist.
Re:One correction... (Score:2)
The author didn't scan for vulnerabilities, the author scanned for installed software. The system didn't reply with information about its vulnerability, it simply replied with information about itself (which, in these cases, is the firewall info only). The system may not have intended even to reply with this, but as with some simple webserver identification programs, behavior itself can be used to identify the software in lieu of an actual "ISS v3.5" string.
The author may
Re:regarding the author of Witty (Score:1)
Re:regarding the author of Witty (Score:2, Interesting)
Re:regarding the author of Witty (Score:2)
Wait... oops!
It wasn't a flaw in the RNG... (Score:3, Interesting)
Nope, it was a flaw... (Score:4, Informative)
The attacker could have just as easily protected himself by patching or removing ISS, so he didn't need self protection.
And the flaw was the case of the attacker being too subtle and proper. If you read Knuth, it says to use only the lower 16 bits of a 32 bit linear congruential pRNG, as only the lower 16 bits are reasonably random.
So the attacker called the pRNG twice, concating together the lower 16 bits of each try to create the target address.
The problem is, the linear congruential generator is a 32 bit permutation: if you just take the value it will cover the whole address space
And some of the 10% still got infected: eg, if they were snooping the wire to protect other systems.
Re:Nope, it was a flaw... (Score:4, Interesting)
The analysis of the pseudo-random number generator found that the worm would not generate addresses for about 10 percent of the Internet and would generate the same address twice for another 10 percent of possible Internet addresses. The researchers used their analysis of the generator to plot the orbits -- the sequences of numbers each worm would create -- and found a single address from which copies of the worm propagated but which did not fall on any orbit.
This makes it sound like the originating IP was one of those ten percent.
Maybe it was a very subtle way to attempt to mask the originating IP? Sure it will block a few others, but you'll still hit 90%. It might block enough so that it seems like a programming flaw, but it's actually a deliberate flaw to hide the point of origin?
Though, this hypothesis is definitely getting into the realm of Spy vs. Spy if you ask me.