Witty extinction

Evil new 'firsts' in the ever-changing world of worms and viruses

  • alert
  • submit to reddit

High performance access to file storage

The "Witty" worm appeared on 19 March, and within a few short days it completed its mission and effectively disappeared. It received minimal coverage by the major news media outlets and for many people it has already been largely forgotten, a mere blip on the radar among so many blips of new viruses and virus variants that appear each week. If the Witty worm didn't affect you, as is the case for most people, you probably don't care. But you should. The Witty worm set a dangerous precedent on the Internet because it introduced a number of evil new "firsts" in the ever-changing world of modern worms and viruses.

CAIDA, the Cooperative Association for Internet Data Analysis, recently released an analysis of the Witty worm by Colleen Shannon and David Moore, that should be an eye-opener for many people. It shows new techniques used by the malicious creators of this worm, a new level of sophistication and helps disprove some basic assumptions that many people have made about malicious code.

The evil goes beyond what many people believed was a basic tenet of modern malicious worms: don't destroy the hosts you compromise, or else you'll lose the ability to propagate. At 637 bytes, Witty's payload was larger than the 376 byte Slammer worm but it's still very small as compared to, say, the 12KB virus bombs. Instead of immediately destroying the host, Witty sent out 20,000 packets of its payload (plus some random padding) as fast as possible, and then it started to eat away at its host. Mission accomplished.

For the first time ever, we saw the appearance of a widely spread Internet worm that ultimately destroyed the hosts it infected, writing data to the hard drive until the machine was either rebooted or rendered unusable. Thousands of people no doubt woke up on that Saturday morning to find that their server or workstation, protected by security vendor ISS, had been effectively destroyed. It's also the first time a security product was targeted by a worm.

Slammer was smaller and faster than Witty, sure - but it did not destroy its host, did not target such a small population, and did not come out a mere a day after the vulnerability it exploited was first announced. Slammer didn't target a security product, either. By analyzing packets received across an entire Class-A segment of the Internet, the CAIDA report on Witty is hard to dispute. It is interesting to note that threat analysts at Symantec have also analyzed the worm's propagation and have so far come up with the same conclusion as CAIDA. There are likely others that have analyzed this in-depth as well.

A limited audience, destroyed

According to CAIDA, it took only about 45 minutes for the Witty worm to reach saturation across the entire Internet - about three times as long as the now-famous Slammer worm, but let's put things in perspective. It is believed that there were only about 12,000 installs of vulnerable products from ISS, and thus a fraction of the roughly 75,000 vulnerable hosts Slammer used to propagate once infected. Witty also didn't bring the Internet to a halt, either: it simply stopped propagating and destroyed its host once its mission was completed. Apparently, that's not especially news-worthy.

Some people were able to recover their inoperable systems, of course, but no doubt countless home users without those skills were not. Say goodbye to your taxes, Aunt Tillie's casserole recipes, and anything else you had on your firewall-protected home computer.


Updated definition files were created for Witty by all the major anti-virus vendors in their usual speedy fashion. But however fast these updates were released, it was far too late. By then the Witty worm had long since destroyed the machines it had targeted, leaving little choice for administrators and users but to start over. So much for protection from the major AV companies.

The fact that Witty came out only one short day after the exploit vulnerability was announced, and that it went after a specific set of products designed to provide adequate security to hosts means that the concept of defense in depth, or layered security, is becoming ever-more important. It should already be a given for most organizations: a multi-vendor, multi-layered security architecture to protect a network even when a single component fails. But it would be ridiculous to expect the same thing from the average home user, even the ones who proactively went out and purchased a personal firewall, already have up-to-date AV software, and are current with their patches -- and still woke up to a dead machine.

Launched from a bot network

Several groups now suspect that Witty was released through a bot network of compromised machine, giving it a "kickstart" or "jumpstart" to start infecting as many machines at the same time as possible. This is quite different from just one malicious individual releasing one copy of a worm into the wild. Using a bot network is a relatively new way to release a worm, and it allows malevolent individuals to greatly speed the initial infection times of a new worm. However, I have to wonder if a saturation time of, say, an hour or even two, instead of 45 minutes would have made any difference anyway.

All those hundreds of thousands of compromised machines out there, loosely held together in bot networks to be used for anything from DDOS attacks to spam relays for the low-life spammers, can apparently also be used to provide some anonymity and speed the release of new worms - as if Slammer and its ilk weren't effective enough.

One suggestion I've heard on a possible solution is to make security vendors accountable for the damage caused by vulnerabilities in their products, which by nature were designed to improve security of a given system, rather than make them more vulnerable. This is a noble goal but one that is unlikely to happen anytime soon, unless large corporate customers begin to demand it. Having worked for several large software companies myself, I suspect that this is clearly not a liability vendors will take lightly, if at all.

There have always been security vulnerabilities in software written by humans, and there always will be. Much of the focus on malicious code so far has looked at some of the most popular software products on the Internet and how these might be compromised en-masse by a new worm. Reports have even been written for and against "software monoculture," or the extinction of an entire class of systems on the Internet in the face of a new, and as-yet unknown threat - but Witty clearly shows that even products without very large install bases can be wiped out of existence, a mere day after an exploit is announced.

We're fortunate that the most widely-spread worms thus far have appeared months, sometimes many months, after the vulnerability they exploit was first announced. Let's hope that the Witty worm was just an anomaly, an exception. Under the current model of constant, frequent patching (yes, of all operating systems and applications, across the board), that lag is pretty much the only thing we as security professionals can hang onto to give us time to do our jobs.
Copyright © 2004, 0

Related stories

Witty attacks your firewall and destroys your data
Security is our biggest ever challenge - Gates
Is it a worm, a virus, or a trojan?
Monoculture or Mass Hysteria?
The trouble with anti-virus

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.