
Witty Worm Kick-Start Methods Revealed

voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."
  • Source (Score:5, Interesting)

    by ProfaneBaby ( 821276 ) on Wednesday May 25, 2005 @04:21PM (#12638167)
    Based on how quickly the code was put together, some experts, including Weaver himself, have theorized that an insider -- either someone who works for or has contacts within ISS or the company that found the vulnerability used by the worm, eEye Digital Security -- is the most likely creator of the worm. Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP, Weaver said.

    This part is both very interesting and very scary. There has been speculation recently that many of the 'security' firms are sitting on vulnerabilities for unusually long periods of time. In my experience, eEye and ISS seemed relatively reputable (eEye in particular), so this statement is somewhat shocking.

    I suppose it just takes one jackass employee to start speculation. Hopefully, if it really was an inside matter, the companies find and report the person responsible.
    • Re:Source (Score:2, Interesting)

      by Qzukk ( 229616 )
      I suppose it just takes one jackass employee to start speculation.

      Only if you make the same assumption these "experts" did: that ONLY people who worked with eEye could have POSSIBLY figured out that there was an exploitable hole, and that nobody else out there in the world had any idea how to go about looking for them.
      • The worm was unleashed on the 19th.
        The day after they went public with the hole.

        Whos to say this virus wasn't ready to run and just waiting for an exploitable hole to complete the project?

        This is nothing but 0 (1) day expl0its.
        • I'm guessing someone already had this one figured out and was already using it (viz. the number of initial infected hosts). Then, when "their" hole was uncovered, they knew they'd be patched out within a few days and turned this thing loose.
    • That logic doesn't work very well for me. Anyone who knew about the vulnerability would have known to create a hit list. Yes, it could have been an inside contact that acquired information about the vulnerability in the first place, but this is not two points of data, as implied by above quote.

      Coulda been someone inside, or coulda been someone else who figured out the bug in ISS's software. They write security software, ferchrissakes, it seems like crackers around the world would have their sights trained
    • Re:Source (Score:3, Interesting)

      by zerocool^ ( 112121 )

      It's been speculated for years that the best way to create a worm that does maximum damage in minimum time would be to first find a vulnerability, then search the internet for a long list of vulnerable computers. Program this list into the worm, and then set it free. Every time it infects a new computer, it spreads to additional computers, but all of the 2nd generation computers have only half the original list, and so on, until for example the 5th generation has 1/16th of the original list. Maximum in
    • by nweaver ( 113078 ) on Wednesday May 25, 2005 @05:00PM (#12638496) Homepage
      It is the hitlist which is the biggest suggestion that it was done by an insider. Whoever wrote the worm had to know in advance about the military base and others in the hitlist. This also suggests that an ISS insider would be more likely than an eEye insider.

      Not being an insider it would still have been possible to write the worm (36 hours only, but it is doable considering how small the worm is), although the interesting part would be how the outsider knew who to hit.
      • Also... (Score:4, Interesting)

        by nweaver ( 113078 ) on Wednesday May 25, 2005 @05:08PM (#12638575) Homepage
        Unlike most other vulnerabilities, you really couldn't scan for the ISS vulnerability WITHOUT actually exploiting it. Thus the hitlist had to be based on a-priori knowledge rather than reconnaissance.
        • The article doesn't go into enough detail, but wouldn't it be possible to fire up nmap to find a list of potential candidates (in this case, ISS boxes)?

          Of course, scanning large swathes of IP space may not be a great idea if you want to cover your tracks, but run these scans from compromised machines....
        • I don't think that necessarily follows. Exploit it, get a shell, then just exit it. How many admins are going to watch the logs that closely?
      • The article says:

        Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP,

        You say:

        Whoever wrote the worm had to know in advance about the military base and others in the hitlist.

        I'm not sure about either. How rare is an exploit that grew to 12,000 hosts in 75 hours? How much inside knowledge do you have to have to know what services any military base is running? Don't they all run the same

        • You can't really scan for this vulnerability. Any scanner for the vulnerability has to be scan & exploit, as it is only when the personal firewall receives and interprets the packet that you know if it is vulnerable. There is no response sent back which tells you that it is vulnerable, UNLESS you actually send an exploit packet.

          In which case, why hitlist? You just write the whole worm.

          Thus in order to create the hitlist, specialized knowledge (the customers in the hitlist) would be needed.
    • I assumed it worked in this order:

      - blackhat uses the exploit for general cracking
      - exploit gets published
      - blackhat thinks "Darn, gotta cover my tracks and generate some confusion", and starts the worm

      No insider information necessary in this scenario to explain the quickness
    • What if eEye didn't discover the thing but took it from some obscure 0day place (irc chan?). They wouldn't be able to tell, as that would make all their discoveries suspicious of the same thing.
      (just conjecturing)
  • There's nothing worse than a witless worm.
    • There's nothing worse than a witless worm.

      Ah, but did it have an American sense of humor, a Canadian sense of humour, a British sense of humour, a French sense of geste, or a German sense of gutlich?

      A joke in C frequently won't translate into Java. But it will spill the beans.

    • It certainly wasn't very funny when we got hit by it last year. Thank god we have an amazing team that all pulled together, even though they were painting our building the same weekend, and brought all of our production back online before Monday morning. We were still cleaning up systems a month later, though. :(

      I've been through several virus scrapes, Slammer, Melissa, Blaster, etc, and I have never seen one hit so fast, and so hard, as this one did. Makes me really miss sneakernet. At least you kne
  • Flawed worm (Score:4, Funny)

    by Vertdang ( 822271 ) on Wednesday May 25, 2005 @04:22PM (#12638178)
    "A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

    So, the witty worm was not complete. Would that make this worm a half-wit?

  • What does it mean by waxed? Like delete all the data
    • What does it mean by waxed? Like delete all the data

      It would periodically delete random sections of the disk.

    • Re:Waxed? (Score:5, Funny)

      by nizo ( 81281 ) * on Wednesday May 25, 2005 @04:24PM (#12638207) Homepage Journal
      Most viruses and commercial products just clean your harddrive, but this one put a final coat of wax on too. If only some commercial disk cleaner could get that kind of a beautiful shiny finish added to its products....
    • Re:Waxed? (Score:5, Informative)

      by daviddennis ( 10926 ) <david@amazing.com> on Wednesday May 25, 2005 @04:26PM (#12638220) Homepage
      It wrote random junk to random sectors of the drive until the machine died.

      So essentially, yes.

      It was a really nasty character. In fact, I don't know if there have ever been nastier ones. Most of the worms feel more like social engineering proofs of concept than anything else. This one was actually intentionally destructive, which is pretty rare.

      D
      • This one was actually intentionally destructive, which is pretty rare.

        These days -- yeah... but there was a time when viruses were designed primarily for intentional destruction. Anyone remember the Monkey virus?

      • Sorry for the double-post, just wanted to clear up that I'm not suggesting that worms and viruses are the same thing, only that intentional destruction isn't a new idea, just one that hasn't been practiced much lately.

        • Re:Waxed? (Score:2, Informative)

          That confusion is natural. Modern worms have borrowed techniques from all types of malware, and it's really not easy to tell them apart any longer. In the old days, trojans, viruses, and worms were different. Nowadays the worms:
          • come into your network as spyware by crawling down a browser,
          • open up a trojan backdoor port,
          • log your keystrokes,
          • fetch instructions and installable components from remote servers via IRC, tftp, http, and other means,
          • upload email addresses, passwords, data, and,
          • probe your net
      • Re:Waxed? (Score:4, Interesting)

        by Rei ( 128717 ) on Wednesday May 25, 2005 @04:48PM (#12638416) Homepage
        I don't know if there have ever been nastier ones

        Depends on what you mean by "nastier".

        * In terms of total damages, Blaster [wikipedia.org] and Sobig [wikipedia.org] are the record holders.

        * Compared to the number of machines on the internet at the time, the Robert Morris Internet Worm [mit.edu] would take the record - it took out about 1 in 10 machines on the internet (ironic for a worm that was intended to spread slow enough that it wouldn't be noticed - whoops!).

        Personally, I was really annoyed by Code Red's spamming of my apache logs ;)
        • Most modern worms, whilst they may have high damages in aggregate, are not nasty enough to the infected individuals to really cause people trouble.

          I define a virus/worm as being really nasty if it actually destroys or manipulates user data; pretty much anything else is annoying but not a major loss.
        • >> Personally, I was really annoyed by Code Red's spamming of my apache logs ;)

          Personally, I wanted to hurt the little bitch who wrote it, after it hosed my IIS box.

          The difference between apache boxes and IIS seems to be "continual amused annoyance" vs. "continual fear of sudden, unexpected Pwnag3"...

        • I agree with Peter (someone who also responded to your message). Really serious consequences are the destruction of data on your system.

          Anything else is relatively easy to recover from. Loss of data lasts a lifetime.

          Being annoyed is very different from having your life's work potentially lost. And how many people have really good backups?

          How do you back up a 1tb disk, anyway?

          D
      • Re:Waxed? (Score:4, Insightful)

        by Doctor O ( 549663 ) on Wednesday May 25, 2005 @05:40PM (#12638853) Homepage Journal
        OTOH it was a quite brilliant and subtle move of the author to make it so destructive.

        1) It naturally limits its growth by taking its hosts offline.
        2) It makes sure it's going to be a blast, not a neverending wave like Code Red (of which we still get some infection attempts every week).
        3) This makes it ultimately *less* dangerous than most current worms.
        4) It has written WATCH DIS, YOU ARE SO OWNED WHEN I DECIDE TO RELEASE THE REAL ONE all over it. Most people don't seem to get this. Believe me, the people making a living from IT security are getting it. Those who don't won't be there after the next one which will *not* limit its growth, but instead adapts a more biological approach. Most security flaws aren't patched for weeks or months, so you have a reasonable timeframe in which you can slowly grow a starting population if you're being a good boy and just sending some queries for new victims with the normal boosts of internet traffic on your host.

        I personally find this a *very* elegant approach.

        As we're talking about it, to me all of this stuff still is amateur crap. I mean hey, look at it. They immediately catch everyone's attention. They saturate pipes, they hog resources. They're too loud. They spread fast enough to be detected. They can be easily grepped off the network. (When I wrote assembler back in the early 80s, there were several illegal opcodes which did essentially the same and were just not documented, so you can obfuscate anything by randomly exchanging the illegal opcodes of every instruction before passing it on to the next host, so if you also have the option to mask as legitimate traffic... you can write the payload ahead of time and just wait for some holes that are likely not patched for a while, put them in and off you go.) I could go on and on, but the point is, today's worms and virii are just amateur crap, like the first attempts of mankind to build airplanes.

        Then again, I'm quite sure there are at least some 'skilled' people out there who just calmly develop their high-end worms and work at cross-platform compatibility for building multi-million-machine bot nets just because. Maybe something like this is out already, behaving like a good boy and waiting to wake up. I find this a very interesting thing to watch, as it *will* eventually happen.

        I just hope that I won't be hit too hard when it comes. Until then, remember that if your data is valuable to you, always backup, and also on removable media (and yes, copy that stuff to new media every once in a year). Yes, I'm talking of your more than 10000 pictures of the family and kids, and all that email you love to keep around from 1990.
        • This worm also had its growth limited by the number of machines running the software it was exploiting. As did SQL Slammer. Is there still any SQL Slammer traffic? It is kind of obvious when your DB server becomes unresponsive and you would expect it to be brought down.
  • They leave out the number 7 or something?
    • No, but the really interesting thing is that they used the flaw to determine the IP address from which the worm originated. In a nutshell (assuming I'm interpreting this correctly), it seems that they had a list of machines that theoretically should have been hit, but weren't, due to the flaw. They then traced the algorithm to determine what the starting point had to have been to miss that specific block of addresses. Turns out they found exactly one IP address that could have produced the hit-and-miss p
      • by merlin_jim ( 302773 ) <{James.McCracken} {at} {stratapult.com}> on Wednesday May 25, 2005 @04:47PM (#12638410)
        I don't think it's as cut and dry as you make it out to be.

        More likely I think there's a defect in the random number generator (RNG) it used. And the initial spread JUST HAPPENED to come from an address the RNG would never have generated, making it patient zero logically
      • Not exactly actually.

        They used the Network Telescope data to find out who was sending Witty packets and found ONE address that was outside of the range of IP addresses that were covered by the (flawed) algorithm.

        The set of IP addresses that are covered by the algorithm is what is called an "orbit" in the article (see it as if you had a base address, and go around this base address, trying all possibilities starting from that address).

        One IP could not possibly belong to this set of possible IP ad

    • The flaw... (Score:5, Informative)

      by nweaver ( 113078 ) on Wednesday May 25, 2005 @05:03PM (#12638527) Homepage
      LCG gives a 32 bit number, but only the lower 16 really look good for "random". So, following the Knuth recommendation, LCG was called twice, to create the upper and lower halves of the address.

      This is the bug: For a worm you don't want random, you want random COVERAGE. By doing the concatenation, about 10% of the 32 bit address space is never generated.

      The flaw for patient 0 was different: It was simply running different code, so it produced different random numbers.
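The coverage defect nweaver describes above, together with the "orbit" check from the earlier Network Telescope comment, as an added example that is not part of this thread or of the CAIDA analysis. It is a Python model scaled down to a 16-bit state with 8-bit halves so the whole space can be enumerated; the multiplier and increment are the common MSVC-style LCG constants (an assumption), and because the real worm's 32-bit state is far too large to enumerate this way, the uncovered fraction printed here is a property of the scaled model, not the worm's 10% figure.

```python
"""Scaled-down model of the Witty address-generator defect.

Constructed example: a full-period LCG over a small state space and two
ways of turning its output into addresses.  The modulus (2**16) and the
half-width (8 bits) are assumptions chosen so every state can be visited.
"""

# Multiplier and increment of the classic MSVC-style LCG.  Assumption:
# used here only for illustration; the small modulus is ours, not the worm's.
A = 214013
C = 2531011


def lcg_next(state: int, bits: int) -> int:
    """Advance the LCG one step modulo 2**bits (full period: C odd, A-1 % 4 == 0)."""
    return (A * state + C) % (1 << bits)


def addr_single(state: int, bits: int) -> int:
    """Scheme 1: one LCG output used whole as the address.

    Because the step function is a permutation of the state space, every
    address is reachable from some state: coverage is complete.
    """
    return lcg_next(state, bits)


def addr_concat(state: int, bits: int) -> int:
    """Scheme 2: top half of two successive outputs glued together.

    Mirrors the concatenation described in the thread.  The second output is
    fully determined by the first, so the pair carries only one state's worth
    of entropy and the map from states to addresses is no longer a bijection.
    """
    half = bits // 2
    s1 = lcg_next(state, bits)
    s2 = lcg_next(s1, bits)
    return ((s1 >> half) << half) | (s2 >> half)


def orbit(addr_fn, bits: int) -> set:
    """Every address the scheme can ever emit, over all 2**bits states."""
    return {addr_fn(s, bits) for s in range(1 << bits)}


def coverage(addr_fn, bits: int) -> float:
    """Fraction of the address space that the scheme can reach."""
    return len(orbit(addr_fn, bits)) / (1 << bits)


def outside_orbit(observed, addr_fn, bits: int) -> list:
    """Observed sender addresses the generator could never have produced.

    This is the telescope-style reasoning from the thread: a sender whose
    address lies outside the orbit cannot have been picked by the generator,
    so it was not an ordinary infectee.
    """
    reach = orbit(addr_fn, bits)
    return sorted(a for a in observed if a not in reach)


if __name__ == "__main__":
    BITS = 16
    print("single-output coverage:", coverage(addr_single, BITS))
    print("concatenated coverage :", coverage(addr_concat, BITS))
    # Constructed sample: a few senders seen by a hypothetical telescope.
    unreachable = next(a for a in range(1 << BITS) if a not in orbit(addr_concat, BITS))
    seen = [addr_concat(0x1234, BITS), addr_concat(0xBEEF, BITS), unreachable]
    print("senders outside the orbit:", outside_orbit(seen, addr_concat, BITS))
```

The single-output scheme reaches every address because an LCG with odd increment and a multiplier congruent to 1 mod 4 has full period modulo a power of two; the concatenated scheme leaves a measurable hole, and any address in that hole that nonetheless shows up as a sender is, by construction, not something the generator chose.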
  • I don't think I ever came across a worm I couldn't humor to death with my witty sense of writing that I share for free with all you slashdotters. I guess that's how the worm turns...
  • Dang it! (Score:3, Funny)

    by Mz6 ( 741941 ) * on Wednesday May 25, 2005 @04:24PM (#12638209) Journal
    "A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

    I always do that! I always seem to miss some mundane detail!

    • I know how you feel.

      This one time, me and my buds wrote a worm like they did in Superman 3 that rounded off a fraction of a cent and put it in an account we owned. Unfortunately, I misplaced the decimal point and it ended up taking a lot more than a fraction of a cent. My buddy Peter got totally pissed off, especially because this threatened his relationship with Jennifer Aniston. Anyways, we decided to just give all the money back and say "our bad" and hopefully just go to white collar resort prison.

      L
  • Timeframe... (Score:3, Interesting)

    by Sheetrock ( 152993 ) on Wednesday May 25, 2005 @04:25PM (#12638217) Homepage Journal
    On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability

    [...]

    The vulnerability was discovered by eEye on March 8, 2004 and announced by both eEye and ISS on March 18, 2004. ISS released an alert warning users of a possibly exploitable security hole and provided updated software versions that were not vulnerable to the buffer overflow attack.

    I think there's a lesson in this: the only way to keep ahead of exploits is to demand software companies automatically patch your software against security flaws via the Internet when exploits are discovered -- before details are released.

    • Re:Timeframe... (Score:5, Insightful)

      by jchawk ( 127686 ) on Wednesday May 25, 2005 @04:33PM (#12638291) Homepage Journal
      I seriously hope you are joking.

      That's the last thing in the world I want happening in a production environment. Random companies patching random servers with 0 testing. . .

      For example look at the service packs from microsoft, many larger companies have yet to, and are unable to roll out service pack one for windows 2003 because they are still putting it through testing to make sure it doesn't break their existing setup. (this isn't to say they haven't patched as microsoft makes hotfixes and patches available for people in these situations that can be applied as needed).
    • I'm conflicted, I agree and I don't agree.

      As a developer myself, I know that getting a patch right 1st time isn't always possible. We are after all only human.
      I hate performing updates of my own code, let alone somebody elses.

      Users' home systems are in dire need of cleaning up, and in the most part should/can be updated automatically.

      Business machines are an entirely different ballgame.

      Do you want to be the one who causes the stock market to crash, or even worse?

      I agree that patches should be made ava
  • Anatomy of a worm (Score:3, Interesting)

    by Mille Mots ( 865955 ) on Wednesday May 25, 2005 @04:26PM (#12638225)
    The FA was actually a decent read. It brings to mind that science class in middle school where we dissected worms to find out that they had five 'hearts.' Has anyone created a worm (of the malicious network variety) that can survive having pieces hacked off? I'm imagining the anti-virus/security companies issuing a new definition file and the worm, realizing it has lost its tail, continues with the other four hearts intact. Hrmm.
    • What do you mean "pieces of it hacked off"? While I've never designed a worm or really analyzed the source code, I'm sure that somebody has designed a modular component worm which can take the form of multiple attack vectors. Weren't there some cross-platform viruses a while back? In the previous /. article about honeypotting (look back a few days) there was talk about how phishers are utilizing more advanced systems to avoid detection. With encryption, archiving, polymorphism and a modular design with plugg
    • The poor metaphor, you seem to have stretched it so far, that it has ripped.
  • Just because I run two separate software based firewalls that have no relationship to each other on my XP machine (and I'm NOT talking about the lame-o one that comes with the system, so there)...
    • ...on my XP machine

      obviously. Because if you were paranoid you would have deleted windows.

    • The worm known to Symantec as W32.Witty.Worm [symantec.com] actually exploited a defect in commercial firewall products.

      This worm caused quite a stir in the security consulting community as a result. Professionals for years were recommending PC firewall products as part of a defense in depth strategy. The risk with these modern fancy host based firewalls is that they let the packet on the box and inspect it before deciding what to do.
    • Re:I'm not paranoid (Score:4, Informative)

      by merlin_jim ( 302773 ) <{James.McCracken} {at} {stratapult.com}> on Wednesday May 25, 2005 @04:44PM (#12638390)
      Multiple firewalls don't help. Try one properly configured software firewall.

      Or if it's that important to you I trust a NAT firewall a lot more than I trust a software firewall.

      I specifically asked some Microsoft guys about the Windows Firewall. To paraphrase their answer "Don't you dare try to protect a sensitive system with it but for consumers and especially laptop users who just need a security layer between them and the big bad world it works pretty good"

      My translation: Windows Firewall on the gaming machine on DMZ. Everything else hides behind the NATting firewall (or a real ISS)
      • The best part about the windows firewall is its small size and almost unnoticeable performance drop when using it.

        It's most effective as you say as a second line of defense, but I still recommend running it inside the lan.

        Let the hardware wall protect you from the outside world, but your machines need protection from themselves.

        There's nothing worse than a worm bouncing around your internal machines.
      • Multiple firewalls don't help. Try one properly configured software firewall.
        Another option is a firewall in hardware - you can get firewalls on a network card now configurable by a web page. They run embedded linux on an ARM processor, which is plenty of power to run a stateful firewall.
      • Multiple properly configured firewalls do help. When one has a major compromise (as was the case in this article) the other still does the job. Keep in mind they are working in serial fashion, not in parallel.
  • by ThomS ( 866280 )
    "...And then I said 'No I'm not, I'm a worm" Oh that witty worm.
  • CAIDA ?? (Score:3, Funny)

    by zappepcs ( 820751 ) on Wednesday May 25, 2005 @04:29PM (#12638249) Journal
    OMG! If this analysis was done by *THE* Al CAIDA group, then you know it has to be right. err, I mean, those guys know lots about viruses and terrorism and worms and dirt floors and stuff...
  • The rumbling under the surface about holding individuals financially responsible for damages caused by their compromised machines is disturbing. They have a point, though, in that user-level mitigation/prevention isn't always sufficient, and as virus writers become more clever, user-level activity may become increasingly insufficient.

    It's also interesting to see a return to data-destructive worms. I can't remember the last time I had to worry about a virus that would actually screw up my machine.

    That

    • That reminds me, did anybody else ever get the millennium virus in the early 90's? Supposedly the virus would cause your hard drive to get wiped out or something on January 1, 2000.

      Thankfully, many systems worked around this virus by skipping right from 1999 to 19100.
    • It's also interesting to see a return to data-destructive worms. I can't remember the last time I had to worry about a virus that would actually screw up my machine.

      Some variants of the popular email borne viruses in the last couple years have swept through not only local disk drives but also through connected "mapped drives", replacing many types of files including image files, html files, and so forth with copies of the virus. Much simpler than a worm, but very, very nasty.

  • With an intro this boring, why would anyone be inspired to RTFA?
  • Schneier Analysis (Score:5, Interesting)

    by Brent Nordquist ( 11533 ) <bjnord@gmai l . c om> on Wednesday May 25, 2005 @04:35PM (#12638311) Homepage
    Bruce Schneier wrote a great summary of what made this worm special here [computerworld.com]. It's true that Witty didn't get as much press coverage as some; it really deserved to get more. The whole thing fit inside one UDP packet (like SQL Slammer) and it ramped up very quickly given that it only targeted a small fraction of Internet hosts (those running a couple of ISS products). And it was destructive to the host without harming its ability to spread. Rather breathtaking.
  • Uhh (Score:2, Funny)

    "The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order." Was it download, install, reboot or install, reboot, download? I can't remember!
    • It's more like:
      • Download
      • Install in test environment
      • Confirm it doesn't break anything. (This in itself may take days or even weeks)
        • If it doesn't, schedule downtime to install on live. In many organisations, this may involve formal change control procedures.
        • If it does, either find out how you can fix the resulting breakage or mitigate the effect of not applying the patch at all.
      • Sit back and wait for the next vulnerability which has potential to affect you to be announced.
  • Slashdotted (Score:1, Flamebait)

    by anandpur ( 303114 )
    Because we are uniquely situated to receive traffic. That's why it is not slashdotted yet. BTW these are the links to the large maps

    http://www.caida.org/analysis/security/witty/animations/world_big-witty_2h.gif [caida.org]

    http://www.caida.org/analysis/security/witty/animations/usa_big-witty_2h.gif [caida.org]

  • > A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

    And non-MS OSes protected another 10%...


    • side 1, cylinder 0, sector 3 -Anyone know why DOS would have its boot sector there?
      or why 4k of memory is missing and CHKDSK only reports 651,264 free?
      Ruining a disk is not new under the Sun....
    • I think it had more to do with two firewall applications that happened to run on MS operating systems than with Windows itself. But hey, I didn't pay that much attention to it because I don't run those products, and my firewalls are all iptables-based.
    • Don't forget intersections ;)
  • by Anonymous Coward
    I didn't even hear about this worm until now, so to say that only 10% of the internet was saved is hyperbole. Let's try to keep the news reporting a bit more real, aight?
    • They mean 10% of all IPs were safe from attack automatically, as the worm's RNG had a bug that kept those IPs from ever being attacked.

      They never said that all 90% of the remaining IPs were successfully compromised.

      • No, he's got a point. It only infected machines running specific applications. A less grand and sweeping statement, but entirely accurate, would be to say, "if the technique had been paired with a more common Windows vulnerability, only a bug in the worm's RNG would have prevented it from infecting all Internet-connected hosts with that vulnerability."
  • this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives.

    Last time I waxed my hard drive was back in the day when 300 baud was FAST. You know, when you hand-cranked the rheostats ...

    What is this, a time-warp worm?

    .
  • by nthomas ( 10354 ) on Wednesday May 25, 2005 @05:03PM (#12638522)

    One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver [berkeley.edu] and Dan Ellis (of MITRE [mitre.org]), published in the June 2004 issue of ;login, [usenix.org] the Usenix [usenix.org] magazine.

    Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.

    Some insights about the worm author that Weaver and Ellis proposed:

    • he was a fairly proficient programmer - there were no significant bugs in the code of the worm, he knew how to program x86 assembly and access the Windows API, he implemented a stack-overflow attack, and most importantly, he constructed a payload that was malicious to the host, but didn't significantly slow the worm's spread.
    • he was quite clever at what he did - randomly padded packet sizes, randomized the destinations and port numbers, and he seeded the worm (rather than start at a single location, the worm started out from 110 different victims) -- prior to this no one had significantly seeded their worms
    • he wrote compact code, Witty consists of 177 x86 instructions in 474 bytes (the rest is the buffer overflow and padding); with 177 instructions, he was able to construct routines to cleanup from the overflow attack, seed the RNG, propagate the worm, and execute the malicious payload (Witty slowly overwrites disks on the infected hosts until the machine crashes)
    • he worked quite fast; the stack overflow in the ISS [iss.net] BlackIce products was published on March 18, 2004. Witty was released on March 19, 2004, less than 48 hours after the security advisory was published by eEye [eeye.com]; it is possible that he knew of the vulnerability when eEye notified ISS on March 8, 2004, but the paper goes into why this is unlikely
    • he probably tested the worm before he released it (cf. the lack of major bugs); this combined with the fact that he seeded on 110 hosts, means that he had access to a wide array of compromised machines -- it probably means he has access to the "hacker underground", to gain access to these machines in such a short time frame

    The authors' conclusion is somewhat alarming, they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.

    Thomas
    • One correction... (Score:5, Informative)

      by nweaver ( 113078 ) on Wednesday May 25, 2005 @05:11PM (#12638606) Homepage
      At the time, Dan and I did not know it was a Hitlist, we thought it was a botnet.

      Knowing that it WAS a hitlist (that the author couldn't have scanned for in advance), makes it seem more likely that the author was an insider, someone with a relationship to ISS, rather than an outsider who worked fast, as the attacker had to know, in advance, the vulnerable systems needed to create the hitlist.
      • Why couldn't he have scanned for it in advance?

        Even presuming that the author learned of the vulnerability at its public release, what would prevent him from scanning networks and compiling a list of installed (but uncompromised) software?

        Everything short of the actual exploit could be ready to go, and a database of products and installation locations. Once an exploit is announced for a scanned product, the author needs to only code the exploit, load that product's list of installations, and fire.

        -Zipw
        • Re:One correction... (Score:3, Informative)

          by nweaver ( 113078 )
          This vulnerability, in order to discover that it exists, requires exploitation. A system will NOT reply with any information about it being vulnerable unless the scan contains an exploit code which generates a response.

          Thus, because of this restriction (you need to exploit to scan, and you need to know the exploit to create a scanner), you wouldn't scan to create a hitlist, you would either know the hitlist in advance through some other means (an insider?) or just release the worm without a hitlist.
          • I think you've missed my point.

            The author didn't scan for vulnerabilities, the author scanned for installed software. The system didn't reply with information about its vulnerability, it simply replied with information about itself (which, in these cases, is the firewall info only). The system may not have intended even to reply with this, but as with some simple webserver identification programs, behavior itself can be used to identify the software in lieu of an actual "ISS v3.5" string.

            The author may
    • by Anonymous Coward
      Of course HE could have been a SHE.
    • Ah, it sure feels great to read such glowing praise. I am teh r33tn3ss! I sure showed that CS professor who gave me a D! See, I knew the SlashDot community would fully appreciate the Machiavellian subtlety of my devious, malicious code.

      Wait... oops!
  • by GuruBuckaroo ( 833982 ) on Wednesday May 25, 2005 @05:10PM (#12638601) Homepage
    I betcha it was specifically created to AVOID the creator's systems. It would be trivial to engineer the target generator to skip any IP that gets too close to your home system. Make it overly-paranoid, and you end up with 10%.
    • by nweaver ( 113078 ) on Wednesday May 25, 2005 @05:18PM (#12638676) Homepage
      The pRNG bug was really subtle:

      The attacker could have just as easily protected himself by patching or removing ISS, so he didn't need self protection.

      And the flaw was the case of the attacker being too subtle and proper. If you read Knuth, it says to use only the lower 16 bits of a 32 bit linear congruential pRNG, as only the lower 16 bits are reasonably random.

      So the attacker called the pRNG twice, concatenating the lower 16 bits of each try to create the target address.

      The problem is, the linear congruential generator is a 32 bit permutation: if you just take the value it will cover the whole address space, which is what you want in a worm (but not necessarily in a random number). But concatenating the two 16 bit values together doesn't cover the whole space. So it's a very subtle bug, caused by the attacker being a bit TOO sophisticated.

      And some of the 10% still got infected: e.g., if they were snooping the wire to protect other systems.
      • by Qrlx ( 258924 ) on Wednesday May 25, 2005 @06:19PM (#12639183) Homepage Journal
        From the article:

        The analysis of the pseudo-random number generator found that the worm would not generate addresses for about 10 percent of the Internet and would generate the same address twice for another 10 percent of possible Internet addresses. The researchers used their analysis of the generator to plot the orbits -- the sequences of numbers each worm would create -- and found a single address from which copies of the worm propagated but which did not fall on any orbit.

        This makes it sound like the originating IP was one of those ten percent.

        Maybe it was a very subtle way to attempt to mask the originating IP? Sure it will block a few others, but you'll still hit 90%. It might block enough so that it seems like a programming flaw, but it's actually a deliberate flaw to hide the point of origin?

        Though, this hypothesis is definitely getting into the realm of Spy vs. Spy if you ask me.
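The permutation-versus-concatenation point made above, and the "orbits" the article refers to, can be checked directly. The following is an added example, not code from the page, from the worm or from the CAIDA analysis. It scales the generator down to a 16-bit state (so the whole cycle runs in about a second) and builds each "address" from two half-width slices of consecutive outputs, the same construction described in the comment. The multiplier and increment are the Microsoft C runtime rand() constants, chosen because they satisfy the full-period conditions for a power-of-two modulus; the page does not state which constants Witty used, so treat them as an assumption. The raw output of a full-period LCG visits every state exactly once; stitching two slices together does not, and the script reports how many addresses are never generated and how many are generated more than once. It measures both the upper-bit slice and the lower-bit slice, since in a power-of-two-modulus LCG the low bits form a generator of their own with a much shorter period, which is why Knuth warns against relying on them:

```python
"""Coverage of a 'concatenate two slices' address generator versus the raw
LCG output, on a scaled-down 16-bit model.  Added example; the constants
are the Microsoft C runtime rand() LCG constants (an assumption, see the
lead-in), not values taken from this page."""

from collections import Counter

A = 214013       # LCG multiplier (assumed MS C runtime constant)
C = 2531011      # LCG increment  (assumed MS C runtime constant)
BITS = 16        # scaled-down state width: 2**16 states instead of 2**32
M = 1 << BITS
MASK = M - 1
SLICE = BITS // 2   # each address is two half-width slices (8 bits each here)


def lcg_step(x: int) -> int:
    """One step of x_{i+1} = (a*x_i + c) mod 2**BITS.  With c odd and a-1 a
    multiple of 4 (Hull-Dobell conditions) this is a full-period permutation
    of all 2**BITS states, i.e. the raw output covers the whole space."""
    return (A * x + C) & MASK


def full_cycle(seed: int = 0) -> list:
    """Every state visited in one full period, starting after `seed`.
    The last element is `seed` again, so consecutive pairs may wrap."""
    out, x = [], seed
    for _ in range(M):
        x = lcg_step(x)
        out.append(x)
    return out


def hi_slice(x: int) -> int:
    """Upper SLICE bits of a state (the slice Knuth recommends)."""
    return x >> (BITS - SLICE)


def lo_slice(x: int) -> int:
    """Lower SLICE bits of a state (the slice Knuth warns against)."""
    return x & ((1 << SLICE) - 1)


def concat_addresses(states, pick) -> Counter:
    """Address = pick(x_i) << SLICE | pick(x_{i+1}) for every consecutive
    pair over the cycle.  Using *every* consecutive pair is a superset of
    what a worm drawing two fresh outputs per address could ever produce,
    so the real coverage can only be worse than what this reports."""
    hits = Counter()
    n = len(states)
    for i in range(n):
        a, b = states[i], states[(i + 1) % n]
        hits[(pick(a) << SLICE) | pick(b)] += 1
    return hits


def coverage_report(hits: Counter) -> dict:
    """Summarise which addresses the generator reaches and how often."""
    never = M - len(hits)
    repeated = sum(1 for v in hits.values() if v >= 2)
    return {
        "distinct": len(hits),
        "never_generated": never,
        "generated_more_than_once": repeated,
        "never_fraction": never / M,
    }


if __name__ == "__main__":
    states = full_cycle()
    print("raw output is a permutation:", sorted(states) == list(range(M)))
    print("upper-slice concat:", coverage_report(concat_addresses(states, hi_slice)))
    print("lower-slice concat:", coverage_report(concat_addresses(states, lo_slice)))
```

The raw cycle is a permutation regardless of seed, so a worm using the whole 32-bit value would eventually reach every address. The upper-slice construction leaves a fraction of the 16-bit space unreachable and hits other addresses twice, the same shape of defect the article describes at 32 bits; the lower-slice construction is far worse, because the low 8 bits of x_{i+1} depend only on the low 8 bits of x_i, so the pair collapses to just 256 distinct addresses. Scaling BITS back up to 32 reproduces the real problem but needs a set of 2**32 counters, which is why the model is kept small here.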
