The "Witty" worm appeared on 19 March, and within a few short days it completed its mission and effectively disappeared. It received minimal coverage by the major news media outlets and for many people it has already been largely forgotten, a mere blip on the radar among so many blips of new viruses and virus variants that appear each week. If the Witty worm didn't affect you, as is the case for most people, you probably don't care. But you should. The Witty worm set a dangerous precedent on the Internet because it introduced a number of evil new "firsts" in the ever-changing world of modern worms and viruses.
CAIDA, the Cooperative Association for Internet Data Analysis, recently released an analysis of the Witty worm by Colleen Shannon and David Moore, that should be an eye-opener for many people. It shows new techniques used by the malicious creators of this worm, a new level of sophistication and helps disprove some basic assumptions that many people have made about malicious code.
The evil goes beyond what many people believed was a basic tenet of modern malicious worms: don't destroy the hosts you compromise, or else you'll lose the ability to propagate. At 637 bytes, Witty's payload was larger than the 376 byte Slammer worm but it's still very small as compared to, say, the 12KB virus bombs. Instead of immediately destroying the host, Witty sent out 20,000 packets of its payload (plus some random padding) as fast as possible, and then it started to eat away at its host. Mission accomplished.
For the first time ever, we saw the appearance of a widely spread Internet worm that ultimately destroyed the hosts it infected, writing data to the hard drive until the machine was either rebooted or rendered unusable. Thousands of people no doubt woke up on that Saturday morning to find that their server or workstation, protected by security vendor ISS, had been effectively destroyed. It's also the first time a security product was targeted by a worm.
Slammer was smaller and faster than Witty, sure - but it did not destroy its host, did not target such a small population, and did not come out a mere a day after the vulnerability it exploited was first announced. Slammer didn't target a security product, either. By analyzing packets received across an entire Class-A segment of the Internet, the CAIDA report on Witty is hard to dispute. It is interesting to note that threat analysts at Symantec have also analyzed the worm's propagation and have so far come up with the same conclusion as CAIDA. There are likely others that have analyzed this in-depth as well.
A limited audience, destroyed
According to CAIDA, it took only about 45 minutes for the Witty worm to reach saturation across the entire Internet - about three times as long as the now-famous Slammer worm, but let's put things in perspective. It is believed that there were only about 12,000 installs of vulnerable products from ISS, and thus a fraction of the roughly 75,000 vulnerable hosts Slammer used to propagate once infected. Witty also didn't bring the Internet to a halt, either: it simply stopped propagating and destroyed its host once its mission was completed. Apparently, that's not especially news-worthy.
Some people were able to recover their inoperable systems, of course, but no doubt countless home users without those skills were not. Say goodbye to your taxes, Aunt Tillie's casserole recipes, and anything else you had on your firewall-protected home computer.
Updated definition files were created for Witty by all the major anti-virus vendors in their usual speedy fashion. But however fast these updates were released, it was far too late. By then the Witty worm had long since destroyed the machines it had targeted, leaving little choice for administrators and users but to start over. So much for protection from the major AV companies.
The fact that Witty came out only one short day after the exploit vulnerability was announced, and that it went after a specific set of products designed to provide adequate security to hosts means that the concept of defense in depth, or layered security, is becoming ever-more important. It should already be a given for most organizations: a multi-vendor, multi-layered security architecture to protect a network even when a single component fails. But it would be ridiculous to expect the same thing from the average home user, even the ones who proactively went out and purchased a personal firewall, already have up-to-date AV software, and are current with their patches -- and still woke up to a dead machine.
Launched from a bot network
Several groups now suspect that Witty was released through a bot network of compromised machine, giving it a "kickstart" or "jumpstart" to start infecting as many machines at the same time as possible. This is quite different from just one malicious individual releasing one copy of a worm into the wild. Using a bot network is a relatively new way to release a worm, and it allows malevolent individuals to greatly speed the initial infection times of a new worm. However, I have to wonder if a saturation time of, say, an hour or even two, instead of 45 minutes would have made any difference anyway.
All those hundreds of thousands of compromised machines out there, loosely held together in bot networks to be used for anything from DDOS attacks to spam relays for the low-life spammers, can apparently also be used to provide some anonymity and speed the release of new worms - as if Slammer and its ilk weren't effective enough.
One suggestion I've heard on a possible solution is to make security vendors accountable for the damage caused by vulnerabilities in their products, which by nature were designed to improve security of a given system, rather than make them more vulnerable. This is a noble goal but one that is unlikely to happen anytime soon, unless large corporate customers begin to demand it. Having worked for several large software companies myself, I suspect that this is clearly not a liability vendors will take lightly, if at all.
There have always been security vulnerabilities in software written by humans, and there always will be. Much of the focus on malicious code so far has looked at some of the most popular software products on the Internet and how these might be compromised en-masse by a new worm. Reports have even been written for and against "software monoculture," or the extinction of an entire class of systems on the Internet in the face of a new, and as-yet unknown threat - but Witty clearly shows that even products without very large install bases can be wiped out of existence, a mere day after an exploit is announced.
We're fortunate that the most widely-spread worms thus far have appeared months, sometimes many months, after the vulnerability they exploit was first announced. Let's hope that the Witty worm was just an anomaly, an exception. Under the current model of constant, frequent patching (yes, of all operating systems and applications, across the board), that lag is pretty much the only thing we as security professionals can hang onto to give us time to do our jobs.
Copyright © 2004,