Sign up for the Security newsletter

'Witty worm' burns briefly but brightly

Fastest turnaround ever from 'flaw to infection'?

By Robert Lemos on 23 March 2004 08:30

NEWS A worm exploiting holes in one company's internet security software quickly compromised tens of thousands of servers this past weekend, before crashing the infected computers.

The worm, dubbed Witty, exploits a flaw found last Wednesday in software and devices created by network protection firm Internet Security Systems. Using a manner of infection similar to the fast-spreading Slammer worm, the Witty program compromised more than 20,000 machines in less than an hour. The worm also overwrote data on the infected computer, quickly crashing systems, said Johannes Ullrich, chief technology officer for the Internet Storm Center.

"Because it crashes the machines eventually, it died off really fast," Ullrich said. He estimated almost 30,000 computers had been infected by the worm, and most of them had crashed because of file corruption within 30 minutes of being infected.

The worm breached systems through a security hole in ISS's firewall products, such as its BlackICE and RealSecure software. While the flaw affects the company's Proventia network devices, the manner in which the worm is constructed prevents it from infecting the devices.

ISS estimated that the worm could only affect about two per cent of its customer base. Subscribers to the company's maintenance service had already received the update a week prior to the release of the worm, ISS stated on its website.

Dan Ingevaldson, director of ISS's vulnerability research and development group, said: "We have been doing our own research and we came up with 12,000 internet addresses [that seem to be infected] at last check. It is impossible to know how widespread it is. Whenever you count IP addresses you may be double counting or triple counting machines."

An unknown author created the worm about two days after news of the flaw became public, in what may be the fastest turnaround of malicious code writing to date. Like Slammer, the Witty worm spread through single packets of data sent on the Internet using a protocol known as the user datagram protocol, or UDP.

Robert Lemos writes for News.com

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your silicon.com account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy.

Questions about membership? Find the answers in the Membership FAQ

Get silicon.com's daily newsletter

  • Register on silicon.com

    Enter your email to register

Keep in touch with silicon.com

silicon.com newsletters