Wednesday, March 24, 2004

Fast-Moving Worm Crashes Computers:
"Witty, a new worm that hit the Internet Saturday, looked late Monday to be running down. It corrupts the hard drives of machines running vulnerable versions of ISS' BlackIce products."

The Witty worm, which took hold of the Internet for a short time during the weekend, appears to have peaked thanks to its habit of destroying the machines it infects.

Witty made a dramatic entrance Saturday morning, quickly infecting more than 6,000 computers, which then began scanning the Internet for other machines to attack. But within 24 hours, the number of Witty-infected PCs scanning the Internet had dropped to around 2,000. That number dropped even further, to around 1,000 machines by Monday morning, according to data compiled by The SANS Institute, based in Bethesda, Md.

Unlike most worms, which exist for the lone purpose of spreading themselves, Witty is capable of corrupting the hard drives of infected machines, preventing normal operation of the PC and eventually causing it to crash. The worm attacks via random UDP ports; however, it always comes from UDP source port 4000, according to various analyses of the code by security experts. Infected machines will begin sending out large amounts of UDP traffic as the worm attempts to infect other machines.

Rebooting an infected machine appears to remove the worm, experts said on the weekend.

The main reason for the drop-off seems to be that Witty gradually corrupts the hard drives of infected machines, eventually causing them to crash and preventing them from scanning any longer. At the peak of the outbreak Saturday, SANS was seeing as many as 300,000 Witty-related packets per hour. Witty exploits a flaw in a component of Internet Security Systems Inc.'s BlackIce protection software. The vulnerable component also is found in several other ISS products, but the Atlanta-based company said they are not susceptible to the worm.

Once it infects a given machine, the worm generates a random IP address and sends its payload to that PC. It repeats this process 20,000 times, then turns its attention back to the local machine it's on. Witty opens a random drive on the PC and writes 65 kb of data to a random location.

http://www.eweek.com/article2/0,1759,1552000,00.asp?kc=EWNWS032204DTX1K0000599
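
One way to detect the traffic pattern the article describes, as an added example that is not from the eWeek article or SANS: it flags hosts whose UDP traffic from source port 4000 fans out to many destination addresses and ports. The flow-record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WITTY_SRC_PORT = 4000  # fixed UDP source port reported in the article

def find_witty_like_sources(flows, min_dst_ips=20, min_dst_ports=20):
    """Return {src_ip: (distinct_dst_ips, distinct_dst_ports)} for hosts whose
    UDP traffic from source port 4000 fans out to many addresses and ports.
    Thresholds are assumptions for this example, not values from the article."""
    dst_ips = defaultdict(set)
    dst_ports = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, proto in flows:
        if proto != "udp" or src_port != WITTY_SRC_PORT:
            continue
        dst_ips[src_ip].add(dst_ip)
        dst_ports[src_ip].add(dst_port)
    return {
        ip: (len(dst_ips[ip]), len(dst_ports[ip]))
        for ip in dst_ips
        if len(dst_ips[ip]) >= min_dst_ips and len(dst_ports[ip]) >= min_dst_ports
    }

def build_sample_flows():
    """Constructed flow records (documentation address ranges), not captured data."""
    flows = []
    # Host behaving as the article describes: source port 4000, scattered targets.
    for i in range(60):
        dst = f"198.51.100.{i + 1}"
        flows.append(("192.0.2.10", 4000, dst, 1024 + (i * 977) % 60000, "udp"))
    # Benign host that happens to use source port 4000 toward a single peer.
    for _ in range(200):
        flows.append(("192.0.2.20", 4000, "203.0.113.5", 4000, "udp"))
    # Ordinary DNS client: many queries, ephemeral source ports, one resolver.
    for i in range(100):
        flows.append(("192.0.2.30", 49152 + i, "203.0.113.53", 53, "udp"))
    # TCP from port 4000 must not match.
    for i in range(40):
        flows.append(("192.0.2.40", 4000, f"198.51.100.{i + 100}", 80 + i, "tcp"))
    return flows

if __name__ == "__main__":
    for ip, (n_ips, n_ports) in find_witty_like_sources(build_sample_flows()).items():
        print(f"{ip}: UDP/4000 -> {n_ips} addresses, {n_ports} ports")
```

Requiring fan-out across both addresses and ports keeps a legitimate application that uses source port 4000 toward a single peer from being flagged.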
