'Witty' worm infects, dies quickly

A worm exploiting holes in one company's Internet security software quickly infected tens of thousands of servers this weekend.

Robert Lemos Staff Writer, CNET News.com
A worm exploiting holes in one company's Internet security software quickly compromised tens of thousands of servers this weekend, before crashing the infected computers.

The worm, dubbed Witty, exploits a flaw found last Wednesday in software and devices created by network protection firm Internet Security Systems. Using an infection method similar to that of the fast-spreading Slammer worm, the Witty program compromised more than 20,000 machines in less than an hour. The worm also overwrote data on the infected computer, quickly crashing systems, said Johannes Ullrich, chief technology officer for the Internet Storm Center.

"Because it crashes the machines eventually, (the worm) died off really fast," Ullrich said. He estimated that almost 30,000 computers had been infected by the worm, and most of them had crashed because of file corruption within 30 minutes of being infected.

The worm breached systems through a security hole in ISS's firewall products, such as its BlackICE and RealSecure software. While the flaw affects the company's Proventia network devices, the manner in which the worm is constructed prevents it from infecting the devices.

ISS estimated that the worm could only affect about 2 percent of its customer base. Subscribers to the company's maintenance service had already received the update a week prior to the release of the worm, ISS stated on its Web site.

"We have been doing our own research (into the worm's spread), and we came up with 12,000 Internet addresses (that seem to be infected) at last check," said Dan Ingevaldson, director of ISS's vulnerability research and development group. "It is impossible to know how widespread it is. Whenever you count IP addresses you may be double counting or triple counting machines."

An unknown author created the worm about two days after news of the flaw became public, in what may be the fastest turnaround of malicious code writing to date. Like Slammer, the Witty worm spread through single packets of data sent on the Internet using a protocol known as the user datagram protocol, or UDP.

"It is the only time that I can think of that this had happened so quickly," Ingevaldson said. "This was surprising. We didn't think we would see something that could come up this big and fast."

ISS posted an update to patch the hole on its Web site Wednesday after network security firm eEye Digital Security found the flaw. ISS had known about the weakness for about 10 days, Ingevaldson said.

Witty had infected an estimated 30,000 computers by early Saturday morning, according to Internet Storm Center's Ullrich. By Monday, the worm wasn't actively spreading, he said, and the center's measure of the threat had been reduced from yellow to green.

"It killed off itself," he said. "It survives around half an hour on average."

The worm could spell trouble for ISS, as customers not only were infected by the program but also likely lost data.

"A lot of people lost data on their hard drives," said Joe Stewart, senior researcher for Internet security firm Lurhq. The worm attempts to infect 20,000 random addresses and then writes 65 kilobytes of data to a random location on the hard drive, slowly corrupting the infected computer's files.

Witty was designed to target a flaw in the component of ISS software that examines traffic from the Internet messaging application ICQ. Once it has infected a new machine, it runs alongside the ISS software and continues the infection cycle. Security experts are advising ISS firewall customers to patch their software immediately or to use it to block UDP port 4000, closing the door on the worm.
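As an added illustration of the traffic pattern described above, from the monitoring side (this is example code, not from the article, ISS or the Internet Storm Center), the following Python flags hosts that send single UDP packets on port 4000 to many distinct addresses within a short window, which is the fan-out a random-address worm produces and ordinary ICQ traffic does not. The log line format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the article). Assumed format:
# "<ISO time> <proto> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2004-03-20T04:45:00 UDP 198.51.100.7:4000 -> 203.0.113.10:21113
2004-03-20T04:45:00 UDP 198.51.100.7:4000 -> 192.0.2.55:8821
2004-03-20T04:45:01 UDP 198.51.100.7:4000 -> 203.0.113.99:1025
2004-03-20T04:45:01 UDP 198.51.100.7:4000 -> 192.0.2.8:40001
2004-03-20T04:45:02 UDP 198.51.100.7:4000 -> 203.0.113.200:2222
2004-03-20T04:45:03 UDP 198.51.100.7:4000 -> 192.0.2.190:31337
2004-03-20T04:45:10 UDP 192.0.2.30:4000 -> 203.0.113.1:4000
2004-03-20T04:45:11 UDP 192.0.2.30:4000 -> 203.0.113.1:4000
2004-03-20T04:45:12 TCP 192.0.2.31:4000 -> 203.0.113.5:80
"""

LINE_RE = re.compile(r"^(\S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse(log_text):
    """Yield (time, proto, src, sport, dst, dport); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, proto, src, sport, dst, dport = m.groups()
        yield datetime.fromisoformat(t), proto, src, int(sport), dst, int(dport)


def find_spraying_sources(log_text, port=4000, window_s=10, min_targets=5):
    """Return {src: distinct targets} for sources that sent UDP involving
    `port` to at least min_targets distinct hosts inside any window_s span."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for t, proto, src, sport, dst, dport in parse(log_text):
        if proto == "UDP" and port in (sport, dport):
            events[src].append((t, dst))
    flagged = {}
    for src, items in events.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            limit = t0 + timedelta(seconds=window_s)
            targets = {d for t, d in items[i:] if t <= limit}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged
```

In the constructed sample only 198.51.100.7 is flagged; the host talking repeatedly to one ICQ peer and the TCP connection on port 4000 are left alone.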

The worm picked up its name from what appears to be a signature left in its source code by the programmer: "insert.witty.message.here."

ZDNet Australia staff contributed to this report.