March 22, 2004 1:36 PM PST

'Witty' worm infects, dies quickly

A worm exploiting holes in one company's Internet security software quickly compromised tens of thousands of servers this weekend, before crashing the infected computers.

The worm, dubbed Witty, exploits a flaw found last Wednesday in software and devices created by network protection firm Internet Security Systems. Using a manner of infection similar to the fast-spreading Slammer worm, the Witty program compromised more than 20,000 machines in less than an hour. The worm also overwrote data on the infected computer, quickly crashing systems, said Johannes Ullrich, chief technology officer for the Internet Storm Center.




"Because it crashes the machines eventually, (the worm) died off really fast," Ullrich said. He estimated that almost 30,000 computers had been infected by the worm, and most of them had crashed because of file corruption within 30 minutes of being infected.

The worm breached systems through a security hole in ISS's firewall products, such as its BlackICE and RealSecure software. While the flaw affects the company's Proventia network devices, the manner in which the worm is constructed prevents it from infecting the devices.

ISS estimated that the worm could only affect about 2 percent of its customer base. Subscribers to the company's maintenance service had already received the update a week prior to the release of the worm, ISS stated on its Web site.

"We have been doing our own research (into the worm's spread), and we came up with 12,000 Internet addresses (that seem to be infected) at last check," said Dan Ingevaldson, director of ISS's vulnerability research and development group. "It is impossible to know how widespread it is. Whenever you count IP addresses you may be double counting or triple counting machines."

An unknown author created the worm about two days after news of the flaw became public, in what may be the fastest turnaround of malicious code writing to date. Like Slammer, the Witty worm spread through single packets of data sent on the Internet using a protocol known as the user datagram protocol, or UDP.

"It is the only time that I can think of that this had happened so quickly," Ingevaldson said. "This was surprising. We didn't think we would see something that could come up this big and fast."

ISS posted an update to patch the hole on its Web site Wednesday after network security firm eEye Digital Security found the flaw. ISS knew about the weakness for about 10 days, Ingevaldson said.

Witty had infected an estimated 30,000 computers by early Saturday morning, according to Internet Storm Center's Ullrich. By Monday, the worm wasn't actively spreading, he said, and the center's measure of the threat had been reduced from yellow to green.

"It killed off itself," he said. "It survives around half an hour on average."

The worm could spell trouble for ISS, as customers not only were infected by the program but also likely lost data.

"A lot of people lost data on their hard drives," said Joe Stewart, senior researcher for Internet security firm Lurhq. The worm attempts to infect 20,000 random addresses and then writes 65 kilobytes of data to a random location on the hard drive, slowly corrupting the infected computer's files.

Witty was designed to target a flaw in the code that ISS software uses to examine traffic from the Internet messaging application ICQ. Once it has infected a new machine, it runs alongside the ISS software and continues the infection cycle. Security experts are advising ISS firewall customers to patch their software immediately or use it to block UDP port 4000 to close the door on the worm.
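An added example, not part of the original article: a defender-side check over flow records for the pattern described above, a host sending single-packet UDP flows on port 4000 to many distinct addresses in a short time. The record format, function names, thresholds and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WATCH_PORT = 4000  # UDP port the article advises blocking

def parse_flow(line):
    """Parse a constructed record: 'epoch proto src:sport dst:dport packets'."""
    ts, proto, src, dst, packets = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return float(ts), proto.lower(), src_ip, int(sport), dst_ip, int(dport), int(packets)

def fanout_suspects(lines, window=60.0, min_dests=4):
    """Map each source to its peak count of distinct destinations reached by
    single-packet UDP flows on WATCH_PORT within `window` seconds, keeping
    only sources whose peak is at least `min_dests`."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, packets = parse_flow(line)
        # The article does not say which side uses port 4000, so match either.
        if proto == "udp" and packets == 1 and WATCH_PORT in (sport, dport):
            events[src].append((ts, dst))
    suspects = {}
    for src, seen in events.items():
        seen.sort()
        start = peak = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in seen[start:end + 1]}))
        if peak >= min_dests:
            suspects[src] = peak
    return suspects

# Constructed sample flow log (documentation address ranges, not real traffic).
SAMPLE = """\
100.0 udp 192.0.2.10:4000 198.51.100.1:20411 1
100.2 udp 192.0.2.10:4000 203.0.113.77:9155 1
100.4 udp 192.0.2.10:4000 198.51.100.200:61002 1
100.6 udp 192.0.2.10:4000 203.0.113.5:1434 1
102.0 udp 192.0.2.20:51514 198.51.100.50:4000 12
105.0 udp 192.0.2.30:40000 198.51.100.53:53 1
100.0 udp 192.0.2.40:4000 203.0.113.1:7000 1
300.0 udp 192.0.2.40:4000 203.0.113.2:7000 1
500.0 udp 192.0.2.40:4000 203.0.113.3:7000 1
700.0 udp 192.0.2.40:4000 203.0.113.4:7000 1
"""
```

With the default 60-second window only the burst from 192.0.2.10 is reported; the multi-packet conversation, the DNS lookup and the slow sender fall below the threshold.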

The worm picked up its name from what appears to be a signature left in its source code by the programmer: "insert.witty.message.here."

ZDNet Australia staff contributed to this report.

4 comments

Worms and Virus spread
Roger Kay, an analyst at IDC, is quoted: "To increase market share requires 'Devil's bargain.' You have to support inexperienced buyers in order to get their business." This reference is made pursuant to the most recent customer service issues that have been addressed according to new reports that rate the satisfaction.
The best reports indicate customer satisfaction at best is 40%. As a small business owner I can say first hand that since discovering a simple hardware solution it has virtually eliminated any potential infections or meltdown and provides instant save and instant recovery. Absolutely zero down time. Voom Technologies has developed such a product. Absolutely incredible inexpensive solution. While everyone is looking for software, software and more software, I sleep well knowing I am fully protected. WWW.voomtech.com
I dealt directly with the CEO, David Biessener.
I swear, when rivals such as IBM, Dell and HP discover this product, it will be on every PC.

Tom Kane Jr.
651-247-1011
Posted by (7 comments )
Voom makes it sound good but...
I think every IT solution provider will tell you theirs is the best, no matter what type of solution. I'm sure it works well for you, also. But I doubt their product is any better than the norm. The proof will be when some hacker decides he doesn't like Voom. There have been no vendors who have successfully stopped a hacker who wants to make a point. It is just a matter of who gets targeted. The so-called biggest and best vendors out there have crumpled under hack attacks. I doubt Voom's products are so superior that they are immune. It is quite obvious today that solution providers are so arrogant and money hungry that they do not pursue rigorous stress testing of their products. With a name like Cisco or Symantec or Microsoft, how could their product contain any flaws??? Ouch says the consumer. So maybe or maybe not, until Voom is put to the test, I think I'll hold up on the gold stars. It would be refreshing to think a company might still be doing things right, but that would be betting against the odds.
Posted by bjbrock (98 comments )
Glad I use a mac
Must be getting old for PC lemmings.
How many reinstalls/data losses will it take before you wake up?
Posted by 198775425444042216790779840523 (102 comments )
Hmmm.. it's well worth taking the chance...
The cost per effectiveness ratio of PCs versus MAC is far too good to make anyone become a MAC user instead of a PC. For instance, I can always get a GOOD PC for less than 400 USD. An equivalent MAC would cost me somewhere around 1500. Pretty nifty difference, is it not?! Most particularly in a country where average pay is 150 USD per month and some 1000 USD are top notch management pay. So... keep dreaming. Besides... software for macs, drivers, components and so on are always a lag! I prefer backing up often! After all a recordable CD is only a measly 20 cents. So... you may as well keep your mac to yourself... we'll stick to PCs.
Posted by (7 comments )