March 26, 2004 3:11 PM PST

Witty worm frays patch-based security

The Witty worm first hit computers known to be vulnerable and emerged so quickly that most companies had no time to apply a patch, according to an analysis of the program.

The worm started spreading around the Internet last week, less than 48 hours after the first public description of the flaw was released. That's the fastest development to date of a worm from a vulnerability, according to a report published Thursday by the Cooperative Association for Internet Data Analysis (CAIDA) and the University of California at San Diego.

"The fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end users apply patches to plug security holes is not viable," the report stated.

Witty took advantage of a flaw in Internet Security Systems software security products such as RealSecure and BlackIce. While ISS has said that only 2 percent of its users were vulnerable to the worm, as many as 12,000 computers may have been infected in less than an hour, according to the report.

If other worms can be produced as quickly, companies will likely have to start relying less on plugging holes in the security of their software and more on other methods of reducing the threat of vulnerabilities, said Colleen Shannon, senior security researcher at CAIDA and one of the report's authors.

"Two days is not enough time to get a large group of people to do anything," she said, adding that "it requires so much skill on the side of the end user" to stay up-to-date on patches that most users don't patch often.

The report also found evidence that the worm was released in a way that would allow it to speed its attack on vulnerable servers.

The Witty worm started spreading early Saturday morning. In about 45 minutes, the worm had infected the majority of vulnerable servers--about 12,000--on the Internet, according to the report. Within 10 seconds, 110 compromised hosts appeared, which led CAIDA to believe that those servers were used to actively spread the worm, a tactic known as "preseeding."

"The worm had to have been preseeded," Shannon said. "It is not possible (given the data) for it not to be."

The Witty worm burned out quickly, due to its malicious nature. The worm slowly corrupted the information on a system's hard drive by writing 65 kilobytes of data to a random place on the drive. As a result, nearly half the systems infected by the worm crashed within 12 hours.

Compared with the Microsoft SQL Slammer worm, which infected 70,000 to 100,000 computers, the Witty worm attacked a smaller population, according to CAIDA. The worm also attacked computers that were specifically in place to protect against such threats.

The implications of this evolution should not be ignored, the report said.

"With minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts," it stated.


ISS and multi function software.
When one piece of software, which can do one thing and do it well, is turned into software that tries to do several things, it no longer does the first job as well and the odds of errors in the code increase dramatically. Either that or programmers have just plain become sloppy. You choose the cause, but results are surfacing daily. Since no one wants to hold these software vendors accountable, don't expect things to get better anytime soon. Software gets more bloated with each new version and flaws in the code are getting more and more numerous. From XP down the line. And every time the vendor is not held accountable, complacency becomes greater. Simple human nature. And it is that way not just with IT. While accountability is exacted in all other consumer/vendor activity, the IT community seems to enjoy the damages caused by software which is obviously lacking in quality control. And developed with less than due diligence applied to the process. How many readers are held accountable in their jobs? I bet all.
Posted by bjbrock (98 comments )
Worms and Virus spread
While companies scramble to solve downtime and patches, technology is already available. It is not software solutions; it is hardware that is very inexpensive. ISIR and outside-the-box appliances provided by Voom Technologies. To ignore these solutions is to feed into the hands of the big software developers. I don't get it! The website does not give the full picture of what they have. Just call them as I did. The CEO David Biessener is a genius. Simple solutions. They just have not gotten exposure.
Posted by (7 comments )