Why Wasn’t the Witty Worm Widely Worrisome?

I came across plenty of excellent writing last year, but two pieces stood out as superior. One was a book called Krakatoa, about the eruption of a volcano in Southeast Asia, which triggered an epic tsunami and in turn, author Simon Winchester argues, spurred a fundamentalist Islamic movement. All this took place in 1883, but for obvious reasons, Krakatoa is suddenly and sadly apposite.

The other piece that I found exceptional was an academic research paper.

It’s called The Spread of the Witty Worm. It was written by Colleen Shannon and David Moore, researchers at the Cooperative Association for Internet Data Analysis, also known by its unfortunate acronym, CAIDA. In just nine pages, “Spread” manages a dispassionate and concise dissection of Witty’s anatomy, a biography of its short, effective life and a broad analysis of its ramifications. The paper also includes excellent supporting visuals, including beautiful animated maps online that tell the whole story themselves.

If you know even just a little about worms and viruses, the paper is gripping. If you know more than a little, it can (and should) scare the bleep out of you.

When it hit on March 19 last year, Witty was downplayed by many, including the press, as a pedestrian nuisance. It’s true, for example, that Witty attacked only 12,000 computersa tenth the number of Slammer victims. It exploited a buffer overflow, the most common vulnerability. It arrived through port 4000, which in most cases you don’t need open. It was launched after a patch was available, and it didn’t really slow down the Internet enough to register with most users. Just another worm, and not a very impressive one at that.

But read the CAIDA paper and you’ll quickly realize why Witty is actually a dark harbinger in the evolution of worms.

True, it attacked only a few machines, but Witty was 100 percent effective, taking down every vulnerable machine on the Internet, most within 45 minutes of its launch. Buffer overflows are indeed common, but this one was found on security products, meaning the worm attacked (successfully) those with superior security. Witty did come after a patch was issued, but just 36 hours after, and the worm was well written, professional grade code. That means the bad guys either started writing the worm before the good guys even knew about the vulnerability, or they were quicker. Either way, we’re fast approaching the true zero-day exploit.

Witty also infected 110 hosts in its first 10 seconds. The chances of a worm doing that using random IP address generation are, as the paper notes, “vanishingly small,” meaning Witty was premeditated. It may have used an IP-address “hit list” to attack machines known to be exposed, or it might have used a set of previously compromised machines to ensure its success.

Finally, Witty carried a destructive payload and destroyed many of the computers it infected.

I asked Shannon if the developer in her could appreciate that Witty was, well, clever. If she was, in a crooked sense, impressed by its sophistication. “Impressed?” she asks, surprised. “Horrified is a better word. It was disappointing. And disturbing.” She adds that as sophisticated as the attack was, the implications of Witty’s attack mode were more frightening. Witty, she says, looked a lot like a test run. A proof-of-concept that one could disable security infrastructure to open up wider access. Destroy the gate and then storm the unprotected castle.

“It didn’t get as much publicity as it should have,” Shannon says. “People need to be concerned.” Yet, here we are, almost a year later, and few seem to know about Witty or its prowess. Fewer still seem to care. Why is that?

I suspect part of this has to do with the fact that, in terms of news, Witty is not a sexy story. Television news won’t devote precious time to a story that seemingly affected only a small, mostly business population. A worm like Slammer, on the other hand, affected far more people, even if it affected them in a far more trivial manner.

Still, news value alone can’t explain away the apathy. Security professionals don’t decide what’s important based on what’s on TV. And still, they seem to have decided this isn’t important. Shannon says, “I know people who work in information security who don’t know what I’m talking about when I bring it up.”

Bruce Schneier thinks it might have to do with the boy-who-cried-wolf or Chicken Little syndromes. “We in the industry are at fault,” he says. “We’ve tried so hard to get people to pay attention, to take it seriously. People are given so many wake up calls that wake up calls don’t affect them anymore. They’re numb to these things.”

Here’s another contributing factor: a leadership void. Washington’s as numb as the private sector. Despite lip service that cybersecurity is a serious part of protecting the homeland, information security has become a sad kind of joke inside the beltway. No one wants to lead. Dick Clarke left. Howard Schmidt left. Amit Yoran resigned. Ridge is gone. Just yesterday, it was announced that Yoran’s former boss, Robert Liscouski, will resign.

It turns out that, as distressfully brilliant as Witty was technically, that’s not what it will be remembered for. It will be remembered as the moment in time when hackers raised the level of the game, and we just dropped out of it.

Did you know about Witty? Does it concern you? Let me know at sberinato@cxo.com