Witty (computer worm)

The Witty worm is a computer worm that spread on the Internet from March 19, 2004, but now no longer appears to occur in the wild. The worm is also known under the name Blackworm. In malware databases it is usually cataloged as W32.Witty.Worm.

The worm infected computers on which security software from Internet Security Systems (ISS) was installed. A vulnerability in this software allowed the worm to place its code in the memory of the vulnerable system so that it was executed. The Witty worm has a damage routine, a so-called payload, that wipes parts of the hard drive on infected systems. The worm's code contains the text:

"(^.^) insert witty message here (^.^)"

hence the name of the worm.

Entry point

The company ISS is a manufacturer of security software. Its products include, for example, the personal firewalls BlackICE PC Protection and RealSecure Desktop. The focus of the products is on intrusion detection and response; in technical terms these are also referred to as Intrusion Detection Systems, or IDS for short.

To detect possible attacks, incoming data packets are examined for attack patterns by the so-called Protocol Analysis Module (PAM). This module is included in all ISS products. For example, UDP packets with source port 4000 are treated as ICQ server responses and inspected for possible exploits against ICQ clients.

On 8 March 2004, the company eEye Digital Security discovered a string-handling error in the routine that analyzes ICQ protocol packets. The bug is exploitable: with deliberately crafted packets, the very software that is meant to serve as intrusion defense can itself be made the target of an attack. eEye informed ISS of the weakness and announced the upcoming disclosure on its website.

On March 18, eEye and ISS published details of the vulnerability. ISS made security updates available for the affected products.

The very next day, on 19 March 2004 at 05:46 CET, the Witty worm appeared, exploiting this vulnerability. This represented the shortest interval to date between the publication of a vulnerability and the emergence of an automated attack against it.

How the worm works

Once the worm has infected a computer, it generates pseudo-random numbers with a pseudo-random number generator seeded from the system time. It sends 20,000 copies of itself to random IP addresses, each in an individual UDP packet with a random destination port. The source port is always UDP port 4000. The worm then opens one of the first eight hard drives, chosen at random, and overwrites a randomly chosen cluster on it. It then generates new pseudo-random numbers and again sends 20,000 copies.

The rate at which the worm propagates is limited by the bandwidth of the network connection. The traffic triggered by infected hosts can overload the local network.

The worm is fileless and memory-resident, meaning that it stays in the system's memory. Unlike a computer virus, it does not attack program files. The worm continues its work until the computer is restarted or crashes because of data destroyed by the worm.
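The traffic pattern described above (a fixed UDP source port of 4000, random destination addresses and random destination ports) is what a network defender can key on. The following is an added example, not code from the article or from ISS, eEye or CAIDA: it profiles constructed sample flow records per source host and flags sources whose port-4000 traffic fans out to many destination hosts and ports, which legitimate ICQ server responses do not do. It also counts packets that land in a placeholder "dark" prefix (10.0.0.0/8 here, chosen for the example and not the address range actually monitored by any telescope), since no legitimate traffic should reach an unused range at all. The threshold values and the sample flows are assumptions.

```python
"""Flag Witty-like UDP scanning in flow records (added example, constructed data)."""
import ipaddress
import random
from collections import defaultdict

# Source port the article attributes to Witty packets (and to ICQ server responses).
WITTY_SOURCE_PORT = 4000

# Hypothetical unused (dark) prefix standing in for a network telescope range.
DARK_PREFIX = ipaddress.ip_network("10.0.0.0/8")

# ---- constructed sample data (not real captured traffic) -------------------
_rng = random.Random(2004)  # fixed seed so the sample is reproducible


def _random_ip():
    return str(ipaddress.IPv4Address(_rng.getrandbits(32)))


# A plausible ICQ server: source port 4000, a couple of clients, stable client ports.
LEGIT_FLOWS = [
    ("198.51.100.10", 4000, "203.0.113.5", 51234),
    ("198.51.100.10", 4000, "203.0.113.5", 51234),
    ("198.51.100.10", 4000, "203.0.113.9", 40021),
    ("198.51.100.10", 4000, "203.0.113.9", 40021),
]

# A Witty-like source: port 4000 to random hosts on random ports, plus two
# packets that happen to fall into the dark prefix.
SCAN_FLOWS = [("192.0.2.77", 4000, _random_ip(), _rng.randrange(1, 65536))
              for _ in range(40)]
SCAN_FLOWS += [("192.0.2.77", 4000, "10.200.1.1", 9999),
               ("192.0.2.77", 4000, "10.3.4.5", 123)]

SAMPLE_FLOWS = LEGIT_FLOWS + SCAN_FLOWS
# ---------------------------------------------------------------------------


def source_profiles(flows, source_port=WITTY_SOURCE_PORT):
    """Summarise, per source IP, the UDP traffic it sends from source_port.

    Each flow is a (src_ip, src_port, dst_ip, dst_port) tuple.
    """
    profiles = defaultdict(lambda: {"packets": 0, "dst_ips": set(), "dst_ports": set()})
    for src_ip, src_port, dst_ip, dst_port in flows:
        if src_port != source_port:
            continue
        prof = profiles[src_ip]
        prof["packets"] += 1
        prof["dst_ips"].add(dst_ip)
        prof["dst_ports"].add(dst_port)
    return profiles


def witty_candidates(flows, min_dst_ips=10, min_dst_ports=10):
    """Return sources whose port-4000 traffic fans out to many hosts AND many ports.

    A real ICQ server answers a bounded set of clients on the ports those
    clients chose; a scanning worm picks both at random. Thresholds are assumed.
    """
    return {
        src: prof for src, prof in source_profiles(flows).items()
        if len(prof["dst_ips"]) >= min_dst_ips and len(prof["dst_ports"]) >= min_dst_ports
    }


def telescope_hits(flows, prefix=DARK_PREFIX):
    """Return every flow whose destination lies in the unused prefix."""
    return [f for f in flows if ipaddress.ip_address(f[2]) in prefix]


if __name__ == "__main__":
    for src, prof in witty_candidates(SAMPLE_FLOWS).items():
        print(f"{src}: {prof['packets']} packets, "
              f"{len(prof['dst_ips'])} hosts, {len(prof['dst_ports'])} ports")
    print(f"dark-prefix hits: {len(telescope_hits(SAMPLE_FLOWS))}")
```

The fan-out rule is deliberately conservative: a source is reported only when both the destination-host and the destination-port counts are high, so a busy but legitimate server that talks to many clients on their own stable ports is not flagged on host count alone.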

Chronology and extent of the spread

The University of California has a large registered IP address range in which no services are provided. The Cooperative Association for Internet Data Analysis (CAIDA) records the data packets arriving in this address range with so-called network telescopes. These data are analyzed statistically in order to draw conclusions about the prevalence of Internet worms.

By reverse engineering the Witty worm's pseudo-random number generator and analyzing data from network telescopes, Abhishek Kumar of the Georgia Institute of Technology together with Vern Paxson and Nicholas Weaver of the International Computer Science Institute succeeded in locating the IP address from which the worm was started. It belongs to the address space of a European Internet provider.

From this address, 110 hosts at a U.S. military base were infected in a targeted manner. Starting from these machines, the worm showed the exponential growth typical of Internet worms. In just 75 minutes, more than 12,000 systems were affected. The Witty worm proved that worms can spread quickly even on systems that have a relatively small market share on the net.

Because of the payload the worm carries, half of the infected computers were no longer active twelve hours after the start of the spread. This brought the spread of the worm to a swift end.
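The two preceding passages, telescope-based estimation of prevalence and the exponential growth that the destructive payload eventually cut short, can be made concrete with a small epidemic model. The following is an added example, not code from the article or from CAIDA's analysis. It takes the article's 110 initial hosts and roughly 12,000 vulnerable hosts, and a twelve-hour half-life for infected machines, and adds two assumptions of its own: a hypothetical per-host probe rate of 1,000 packets per second (the article gives only the 20,000-packet batch size and says the real rate is bandwidth-limited) and a telescope covering 1/256 of the IPv4 space (the size of a /8, not a statement about the range CAIDA actually monitors). The model is deterministic (expected values), and the inversion shows how an observed packet count at the telescope maps back to a number of active infected hosts.

```python
"""Worm growth, payload-driven die-off and telescope inference (added example)."""
import math

ADDRESS_SPACE = 2 ** 32           # uniformly random IPv4 targets
TELESCOPE_FRACTION = 1 / 256      # assumption: a /8-sized telescope
PROBES_PER_SEC = 1000.0           # assumption: hypothetical per-host probe rate


def simulate(initial=110, vulnerable=12000, probes_per_sec=PROBES_PER_SEC,
             seconds=75 * 60, half_life_sec=12 * 3600):
    """Expected-value SI model with removal, stepped one second at a time.

    Every active infected host sends probes_per_sec packets to random
    addresses; a probe that lands on a still-susceptible vulnerable host
    infects it. Infected hosts are removed (disk wiped by the payload) at a
    constant hazard chosen so that half of them are gone after half_life_sec.
    Returns a list of (t_seconds, infected_total, active) tuples.
    """
    kill_rate = math.log(2) / half_life_sec
    susceptible = float(vulnerable - initial)
    total = float(initial)      # hosts ever infected
    active = float(initial)     # hosts still running and probing
    history = [(0, total, active)]
    for t in range(1, seconds + 1):
        # chance that one probe hits a susceptible host is susceptible/ADDRESS_SPACE
        new = min(susceptible, active * probes_per_sec * susceptible / ADDRESS_SPACE)
        susceptible -= new
        total += new
        active = active + new - active * kill_rate
        history.append((t, total, active))
    return history


def seconds_to_reach(history, target_total):
    """First time at which the cumulative infection count reaches target_total."""
    for t, total, _ in history:
        if total >= target_total:
            return t
    return None


def expected_telescope_packets(active, window_sec, probes_per_sec=PROBES_PER_SEC,
                               fraction=TELESCOPE_FRACTION):
    """Packets a telescope expects to see from `active` hosts in window_sec."""
    return active * probes_per_sec * fraction * window_sec


def infected_from_telescope(packets_seen, window_sec, probes_per_sec=PROBES_PER_SEC,
                            fraction=TELESCOPE_FRACTION):
    """Invert the relation above: active hosts implied by an observed count."""
    return packets_seen / (probes_per_sec * fraction * window_sec)


if __name__ == "__main__":
    hist = simulate()
    half = seconds_to_reach(hist, 6000)
    print(f"half of the vulnerable population infected after {half / 60:.1f} min")
    t, total, active = hist[-1]
    print(f"after {t / 60:.0f} min: {total:.0f} ever infected, {active:.0f} still active")
    seen = expected_telescope_packets(active, 60)
    print(f"telescope sees ~{seen:.0f} packets/min -> "
          f"{infected_from_telescope(seen, 60):.0f} active hosts inferred")
```

The probe rate is the parameter that matters most: the growth rate of the model is the per-host probe rate times the vulnerable-host density in the address space, so halving the assumed rate doubles the doubling time, and the same multiplier enters the telescope inversion. In practice the rate is estimated from the telescope data itself rather than assumed.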

Summary

With around 12,000 infected computers, the Witty worm reached only one-sixth of the spread of the SQL Slammer worm (75,000 infected hosts) and only one-thirtieth of the spread of Code Red (359,000 infected computers). Accordingly, the economic damage was probably relatively low.

Nevertheless, Witty is remarkable for the following reasons:

  • An ironic aspect is that security software, of all things, was the worm's entry point.
  • The Witty worm proved that niche products are vulnerable to worms.
  • The short time between the publication of the vulnerability and the emergence of the worm made a computer worm based on a so-called zero-day exploit or zero-day attack (zero-day = 0 days) appear realistic: the emergence of an automated attack for a vulnerability that is not yet publicly known.
  • For the first time it was possible, through technical analysis of a worm, to identify the IP address of the original sender.

In the following years, zero-day exploits were in fact used, as had been feared after Witty.
