Why Wasn't the Witty Worm Widely Worrisome?
Ten months ago, the nastiest, most effective computer attack ever took place. Why doesn't anyone care?
By Scott Berinato
January 14, 2005 — CSO —
I came across plenty of excellent writing last year, but two pieces stood out as superior. One was a book called Krakatoa, about the eruption of a volcano in Southeast Asia, which triggered an epic tsunami and in turn, author Simon Winchester argues, spurred a fundamentalist Islamic movement. All this took place in 1883, but for obvious reasons, Krakatoa is suddenly and sadly apposite.
The other piece that I found exceptional was an academic research paper.
It's called The Spread of the Witty Worm. It was written by Colleen Shannon and David Moore, researchers at the Cooperative Association for Internet Data Analysis, also known by its unfortunate acronym, CAIDA. In just nine pages, "Spread" manages a dispassionate and concise dissection of Witty's anatomy, a biography of its short, effective life and a broad analysis of its ramifications. The paper also includes excellent supporting visuals, including beautiful animated maps online that tell the whole story themselves.
If you know even just a little about worms and viruses, the paper is gripping. If you know more than a little, it can (and should) scare the bleep out of you.
When it hit on March 19 last year, Witty was downplayed by many, including the press, as a pedestrian nuisance. It's true, for example, that Witty attacked only 12,000 computers.
But read the CAIDA paper and you'll quickly realize why Witty is actually a dark harbinger in the evolution of worms.
True, it attacked only a few machines, but Witty was 100 percent effective, taking down every vulnerable machine on the Internet, most within 45 minutes of its launch. Buffer overflows are indeed common, but this one was found in security products, meaning the worm attacked (successfully) those with superior security. Witty did come after a patch was issued, but just 36 hours after, and the worm was well-written, professional-grade code. That means the bad guys either started writing the worm before the good guys even knew about the vulnerability, or they were quicker. Either way, we're fast approaching the true zero-day exploit.
Witty also infected 110 hosts in its first 10 seconds. The chances of a worm doing that using random IP address generation are, as the paper notes, "vanishingly small," meaning Witty was premeditated. It may have used an IP-address "hit list" to attack machines known to be exposed, or it might have used a set of previously compromised machines to ensure its success.