Witty worm traced to Europe

Researchers deduce that the worm was set up to target systems at a U.S. military base. They develop a theory about its author, too.

Joris Evers
Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
3 min read
A year after the Witty worm infected over 12,000 servers worldwide in just 75 minutes, researchers say they have discovered where the worm started and that the attack might have been an inside job.

Witty hit the Internet on March 19, 2004, taking advantage of a flaw in products from Internet Security Systems (ISS), including RealSecure and BlackIce. Its payload was malicious, corrupting the information on a system's hard drive. The worm crashed nearly half the systems it infected.

Now, new information on Witty has been compiled by researchers Vern Paxson and Nicholas Weaver, both of the International Computer Science Institute, and by Abhishek Kumar, a student at the Georgia Institute of Technology.

Get our reporters' take
on today's threats,
spam and scams.

The researchers re-created how Witty propagated on the Internet, by combining knowledge of the worm's code and the random number generator it used to pick its targets.

They found that the worm was most likely launched from a server at a European Internet service provider and that it was set up to target systems at a U.S. military base.

"To our knowledge, this represents the first time that a Patient Zero has been identified for a major worm outbreak," the researchers wrote in a report published online this week. "Patient Zero" refers to the system used to initiate the spreading of the worm. The numeric Internet address, or IP address, of the server has been reported to law enforcement, the report said. (Click here for a PDF of the report.)

The researchers suspect that Witty was created by an ISS insider. The worm's rapid sprawl was helped by a "hit list" of 110 vulnerable systems that were infected within 10 seconds of its onset, according to the report. All of these 110 systems were at a single U.S. military installation, the researchers found.

"We might then speculate that the attacker knew about the ISS installation at the site," the researchers wrote. Additionally, the attacker likely knew about the flaws in the ISS products and was able to construct the worm rapidly, which "suggests that the attacker was an ISS insider," according to the report.

An ISS representative declined to comment.

From their analysis, the researchers also deduced that Witty failed to scan about 10 percent of the Internet's address space, meaning that systems with those addresses would not be attacked.

In the course of their work, the researchers said they found ways to improve future investigations of worms. The researchers relied on data that was captured by computers used to monitor Internet attacks, so-called network telescopes. Distortions were found in the data collected by these systems, the researchers wrote.

"The techniques developed in our study, while specific to the Witty worm...provide a template for future analysis of such similar events," the report said.

The telescopes capture traffic sent to unused portions of the Internet's address space. This traffic was likely part of an attack, as there is no reason for legitimate traffic there. Worms and other malicious programs often randomly generate and connect to IP addresses, including ones not in use.

Network telescopes have been a key to investigating the spread of worms since Code Red started spreading in mid-2001. In the Witty investigation, the researchers used one telescope system at the Cooperative Association for Internet Data Analysis and one at the University of Wisconsin.