Analysis of the Witty Worm

DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."

buggy code

The end of the worm seems to have bytes suggesting a flaw in the original worm code.
I'm still getting data points for the infected by analyzing the worms victims who contact my IP.

Re:buggy code

"The end of the worm seems to have bytes suggesting a flaw in the original worm code."

Would you mind elaborating on that assertion? I'm curious.

Re:buggy code

There's a bug, in the worm, ... in the bottom of the sea....

Destructive

Interesting: one could have had the feeling that it was 'stupid' for these worms to destroy their hosts so rapidly. Why not wait for a few hours or days and then do it in a synchronized manner?

In fact, the overall number of host that could be infested was low (~12,000): there was no need for waiting.

It seems that those who launched it had a very good knowledge of what they where doing.

Definitely interesting.

Re:Destructive

there was no need for waiting.

I'd go a step further and say that immediate damage to the system was mandatory. Waiting in this case would have detracted from the destructiveness of this worm. Since it was attacking firewalled, and, probably anti-virus enabled machines, waiting would mean that the destruction would be nullified.

It seems that those who launched it had a very good knowledge of what they where doing.

Sounds like someone from marketing has decided to write worms. They thought about the market of hosts they were trying to infect. A good reason for infecting this set of hosts would have been to stifle the security software vendors. In order to avoid this situation in the future, a person should invest in a new model of protection. Seems to be a perfect opening for a new market.

Re:Destructive

Hmmm, and what would this new model of protection entail? Something like Cisco proposed?

From the analysis:

When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

Folks, we don't need any more infrastructure to prevent worms. We don't need any more infrastructure to control what you can and can't do on the Internet.

It's not the Internet that causes the problems, it's the in-secure machines that are vunerable.

That is by design

From the article text:

"The worm payload of 637 bytes is padded with data from system memory to fill this random size..."

So you are seeing some random grabage that was in memory on the victim's machine while the worm was being sent out. That helps to avoid detection as it is harder to profile the worm.

Save yourself some reading

Conclusion:

The Witty worm incorporates a number of dangerous characteristics. It is the first widely spreading Internet worm to actively damage infected machines. It was started from a large set of machines simultaneously, indicating the use of a hit list or a large number of compromised machines. Witty demonstrated that any minimally deployed piece of software with a remotely exploitable bug can be a vector for wide-scale compromise of host machines without any action on the part of a victim. The practical implications of this are staggering; with minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts.

While many of these Witty features are novel in a high-profile worm, the same virulence combined with greater potential for host damage has been a feature of bot networks (botnets) for years. Any vulnerability or backdoor that can be exploited by a worm can also be exploited by a vastly stealthier botnet. While all of the worms seen thus far have carried a single payload, bot functionality can be easily changed over time. Thus while worms are a serious threat to Internet users, the capabilities and stealth of botnets make them a more sinister menace. The line separating worms from bot software is already blurry; over time we can expect to see increasing stealth and flexibility in Internet worms.

Witty was the first widespread Internet worm to attack a security product. While technically the use of a buffer overflow exploit is commonplace, the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable.

It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.

The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

Re:Save yourself some reading

The parent is incorrect. It is not a Windows worm and the worm is not the fault of Microsoft. The worm exploits a vulnerability in BlackIce, a "personal firewall" that runs on Windows.

While the vulnerability will not show up on non-Windows machines, it is not because it is a Windows vulnerability.

The parent is very misleading at best.

Re:Save yourself some reading

Neither does Linux. At the moment if you need protection your choices are to use a VM (Java,.NET) or a high level scripting language.

Re:Save yourself some reading

And that relies on the assumption that your VM securely isolates the virtual machine from the real one. This turns out to be false in practice -- there have been several exploits for Sun's Java VM, and there's no reason to think that Microsoft's .NET runtime will be any better. High-level scripting languages help against low-level stack-smashing attacks, but it's far too easy to write a script that doesn't properly prevent exploitation of the dynamic features of the language (improper filtering of commands to Perl's system(), PHP's remote-fetching include(), etc). Features like Perl's taint-checking can help a lot, but don't take the place of careful coding.

As for the issue of the underlying OS providing security features, it's not entirely a moot point. Linux provides some stack/heap protection and other binary runtime security through the grsecurity [grsecurity.net] patches; OpenBSD has W^X and other security features built into the kernel. Still, expecting the OS to protect binaries at runtime is a completely ass-backwards way of approaching security. Ultimately, application developers have to bear most of the burden for writing secure code.

Re:Why are you blaming ZoneAlarm?

It was an honest mistake. I was thinking of BlackIce and put the wrong firewalling program. Blame my lack of sleep for the error. The rest of the argument remains true, however. Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.

Another poster in the thread cited that worms affecting Outlook are Windows worms and Outlook is software that runs on Windows. The difference is that Outlook is bundled with IE, and is integrated into Windows and it is very difficult to seperate it. Surely I don't need to educate Slashbots on this. Since it is so tightly wrapped with Windows, and Microsoft claims it's an integral part of Windows (they told the DOJ that), then it's part of Windows. If the problem involves Windows, a component of Windows (such as a DLL shipped with it), or a program integrated into Windows or installed with Windows, then it's a Windows vulnerability. When BlackIce is installed with Windows by the Windows installer, then a BlackIce vulnerability would be considered a Windows vulnerability.

In terms of Linux, a particular distro would be said to have a vulnerability if it involves the actual operating system or a package that the distro releases along with the OS. If I go install some buggy unsupported software on my Linux box, and then there's a worm for it, should that worm be considered an exploit of that distro since I was running that distro and was infected by the worm? That's absurd.

Re:Save yourself some reading

You are failing to consider the extent to which Windows internal architecture dictates the software running on the platform.

Most of the time Microsoft bashing is valid, but saying that this is Microsoft's fault in any way is about one step away from stupid.

If this was the fault of Windows, a buffer overflow such as this one could not happen under Linux/MacOS/FreeBSD/Netware etc etc etc. However, a quick search on SecurityFocus [securityfocus.com] tells us that it did infact happen on all the platforms listed above.

So, please explain to me how Microsoft can be blamed for this in any way!

...and saying that they should not allow code-execution on the stack or make it more secure so you dont need a firewall are not valid arguments.

More information on the Witty Worm

You can find more information here [lurhq.com].

Re:More information on the Witty Worm

Better info here. [caida.org]

Before it gets slashdotted even.

Re:ground zero hosts?

i believe it's the first host to be infected, the 'master server', but it might just be that the master server just had server 'baby' master servers.

Re:ground zero hosts?

A ground zero host/vector is a host that wasn't infected by another machine, but by an individual who wished the machine to infect other machines. A ground zero host does not necessarily need to have the same exact code as the code it sends out, for example, in this case, it would be unproductive for the ground zero host to have the original code since it erodes the filesystem of the host.

Re:ground zero hosts?

Is anyone else sensing the likelyhood that compromised MyDoom machines were the ground zero hosts?

Re: Windows Security Model Needs Fixing!

In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software.

This makes me feel a bit safer, since we used to run Windows-based boxen directly on the Internet but now they all hide behind a Linksys NAT Router and firewall.

From what I've learned, the general rule is NEVER to put a Windows machine directly on an unsecure network. Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows. I turned on the Internet Connection Firewall...but this kind of worm vulnerability makes me nervous. Today, someone attacks the eEye security software; tomorrow, someone takes out Microsoft's ICF.

Similarly, end users may also be unaware that perceived slowness of their computer or Internet connection is caused by a worm, and they may reboot their computers in the hope that that will fix the problem.

I find this problem with spyware and adware too. I recently cleaned out the computer of a family friend that was very slow and would no longer connect to the Internet. Removed a huge gob of spyware with Ad-Aware and Bazooka, and BAM! we were back online.

Goes to show you. I'm thinking that Microsoft's security model in Windows may need to be revised, considering in XP Home at least, all users run as Administrator (root) and system services have way too many privileges.

Makes me glad I replaced my aging NT file server with Linux/Samba.

Re: Windows Security Model Needs Fixing!

There is no reason on Earth that this worm couldn't have attacked Linux boxen. If this worm had been tailored to attack the the recent openssh vulnerability the day after it came out, many of us would have been owned immediately. How many of us have an open ssh port through our NAT devices and firewalls? The scary thing about this worm is that the authors have demonstrated an ability to attack new vulnerabilities in third-party software very quickly. In the case of the openssh vulnerability (a root exploit) that would have meant that very many of us Linux users would have been affected before we could do anything about it.

Their unsaid conclusion

They state that the most important thing is to force users into a security mindset and this is near impossible. Also, they point out that even security-aware users may be at risk because of the risk of infection before the ability to patch the firewall/AV software is possible.

This leads to the conclusion that firewall/AV software should be included as part of the baseline system, whether with the operating system or as an additional package at system build time. Also it leads to the conclusion that user-assisted updates are useless and only automatic updates can effectively patch fast enough to block worms of this sort.

This is one of the most depressing stories about the state of the Internet that I've read in a while.

not the best solution, maybe rethink the stack?

This leads to the conclusion that firewall/AV software should be included as part of the baseline system

That's a very good suggestion, except that in this case, the firewall software was the vulnerable component. No BlackICE, no Witty worm.

I'm deeply troubled by this; we piss and moan about how the average windoze luser doesn't have a firewall or AV software, and then this pops up.

Much as I would like to, I can't blame this on Microsoft. It's just sloppy programming, the sort of practice that M$ has made prevalent. There, I blamed M$ after all. Still, changing the permission model of Windoze wouldn't have helped this; BlackICE is exactly the sort of software that needs access to the network protocol stacks; it's supposed to be one of the trusted portion of the system, as compared to all those VBScript viruses that run as admin/root, but shouldn't.

If I were designing a new CPU, I would think about including some hard-core stack protection. A no-execute bit in the MMU is a very good start, but still not bullet-proof. I'm thinking something (with OS assistance) to disallow all access beyond the link pointer for the current function call. Every CALL sets a new boundary, and every RET pops back to the last boundary. Try to write past the boundary, and you get a machine exception. Much finer granularity than 4K pages that most 32-bit MMU's provide.

-paul

Interesting conclusion

The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants.

While I agree that the success of most internet worms does indicate that the patching model is no good, come on now - there is no way that that end users would be financially liable for their computers. No matter how good an idea it might sound at first, such a concept just isn't workable.

Re:Interesting conclusion

A driver is responsible for the upkeep of his vehicle if his negligence causes an accident ... a property owner is responsible for its upkeep if someone is injured on his property. I don't think it's a very large leap to be able to consider a computer owner liable for its upkeep if it is used in an attack, and I don't think many in this country would object either.

The concept would be at least as workable, in the courts, as any liability legislation is currently.

Re:Interesting conclusion

Are you willing to bet a large amount of money (or jail time) that your computer will *never* be compromised. What if a worm before a patch is available. If you compare to cars, you'd have to say that you're responsible for what happens to your car even if it's been sabotaged.

Re:Interesting conclusion

A driver is responsible for the upkeep of his car but there is an assumption that the car is safe to drive to begin with when I buy it from the dealership. If it's the case that the car isn't safe there is usually a recall where I can take it in to the dealer for free and get the problem fixed. If there isn't a recall and the car isn't safe and I do have an accident then I can sue the manufacturer for selling me a defective product.

When cars begin to become unsafe there are a variety of noticable warning signs that I need to maintain my vehicle. The oil light will go on, the brakes will grind, sundry odors emit from the hood, the tires begin to look flat... It doesn't even have to get that far. Some dealerships will send you mail reminding you that you might need an oil change. Of course there reason for doing this is to make some cash but it is a reminder to maintain your car and once at the garage things like rotating tires or what-not can also come up.

To make this short [too late], there are a variety of mechanisms in place to let the driver know he needs to maintain his vehicle that simply isn't present or currently applicable when compared to a PC owner. From where I'm sitting there seems to be a great deal of wiggle room when applying the standards you propose.

Re:Interesting conclusion

A driver is responsible for the upkeep of his vehicle if his negligence causes an accident ... a property owner is responsible for its upkeep if someone is injured on his property. I don't think it's a very large leap to be able to consider a computer owner liable for its upkeep if it is used in an attack, and I don't think many in this country would object either.

Your analogy fails on many levels, but I'm too tired to point them all out. Here's a biggie: Automobiles are highly engineered and legally regulated devices; there are safety standards to be met before you can put one on the road, and there are legal limits to how the end user can modify them. PCs and especially software don't have that kind of pre-consumer engineering.

Another one: the roadways are public works. The internet as we use it is a collection of private agreements to communicate between points. Why don't the intermediate points share liability for passing on the attacking packets? Hell, the operators of the intermediate points are generally trained for their equipment and pay people to monitor traffic and health. (This is making a point; actually I don't want my ISP or any of their providers policing my internet connection.)

Re:Interesting conclusion

That was not their conclusion. If you continued the quote, you'd see that they said much the same thing as you.

When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

vulnerability to worm time

the rate of worm creation on this one was almost a little TOO quick. This time to creation would almost suggest that the author of the worm perhaps had inside knowledge. It's not entirely outside the realm of reason that the vulnerability leaked from ISS before the announcement was made.

Re:vulnerability to worm time

It could also be that whoever wrote this worm found the vulnerability independently and had been writing code to exploit it, when he saw the security advisory go up he released it ASAP before people had a chance to patch their boxes. If the vulnerability hadn't been announced the worm may have been released later with a different payload.

Re:vulnerability to worm time

I guess the writer had written the payload in advance and waited for an appropriated vulnerability to show up to use as a vectir. Generating exploits isn't rocket-science... in fact there are automated tools out there that will generate exploits for common holes like buffer/stack overflows.

There is also the chance that the author discovered the bug either himself or through "black hat" groups before the advisory was put out.

Anyone else see this?

On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, Proventia, RealSecure Desktop, and BlackICE. Emphasis mine.

Man, I am so used to seeing IIS in a security vulnerability I had to give it a second glace. I guess people shouldn't use those letters in software abbreviations anymore. It's becoming bad luck!

Seriously, worms like this that damage computers are very un-cool. As a freelancer I got to see this on only a few machines and by gratuitous use of recovery console, fixmbr, and (alas) one format and reinstall later I was able to fix them all.

While doing this onsite at a realty company I asked what they used as a firewall. Seeing blank stares from them all wasn't the highlight of the day. Not having a hardware firewall handy it was quite fun to race against the vermin as I downloaded patches off of the net on a virgin XP install! I actually thought I heard giggling echoing from the DSL modem as the DL percentage ticked higher slowly but surely....

What's It going To Take

Another day, another virulent internet worm utilizing an unaccounted-for "buffer overflow" to propagate itself throughout the internet. Users suffer and system administrators grind their teeth to clean out their networks.

By now I am sure it has been noticed that the "buffer overflow" is a very common "exploit" used by these internet worms to infect machine after machine. One simple way to address this problem would be to replace these vulnerable "buffers" with something that will not overflow, perhaps something spongy and highly absorbent. Isn't anyone working on a solution along these lines? You never seem to hear about any progress being made. Honestly, sometimes it seems like no one in the technology industry has any common sense.

Net Telescope

Network Telescope

The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.

They have 1/256th of all the IPv4 space?!?
Thats alot of IPs that could be freed up for other purposes.

Its great that they are doing this. And it is an interesting project. But I've been hearing about the lack of IPs for the last 5 years, and this one group has 1/256th of them.

------------
www.ComicSmash.com [comicsmash.com]

Time to learn SELinux I think

Cause Linux and BSD sure ain't safe against this. Bufferoverflows ain't nothing new and this analasys shows there is no security in being a small target.

Might be time to make a security model that stops a firewall application from writing to the Harddisk or deleting files. Why should it after all? Or a limiting just how many emails a user can send, how many times do you send thousands in a minute?

Perhaps even a delete mechanism that doesn't allow destruction of data without a password.

Paranoid? 12.000 machines just went Poof in half an hour with this virus if the story tells it right. Doesn't exactly cheer me.

Holy CRAP

Jesus Christ, if you read that and weren't frightened, you're dead inside.

The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!

If you've read nothing else, check out the conclusion:

It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.

The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.

And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.

Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.

Re:Holy CRAP

I don't know. This is scary, in a sense. But there's a lot of risk in the world, and you just have to live with it. If my computer gets wiped off, it's not the end of the world.

I know that everyone isn't in a position to say that -- some people are running banks, or whatever. But most people can say it.

We drive cars, even though cars crash and people die in them. Another person can crash into you even if you're doing everything right, and you'll die. We live and work in buildings, even though we know that there are fires every day in large cities. Sometimes people die in fires. You lock your doors, and you make a good faith effort to keep the bad guys out, but if someone really wanted to get in, they could.

You just have to deal with uncertainty in life.

Your computers are never going to be completely safe. The sun will come up tomorrow anyway.

As a practical matter, people who take reasonable precautions *usually* come off pretty well with computers. They can hold on to their data and keep it out of other people's hands. There's no guarantee that will always be the case, but it's been true until now.

Re:Holy CRAP

>I'm not sure what the ultimate solution is, but I do know one thing. We need to change our naive behavior.

None of my security colleagues that I know of believes in the existence of an ultimate solution (though building a plywood box around the computer and filling it with concrete works pretty well. Just make sure you remove the wireless card first).

We need fault tolerance. Backing up protects against the undiscovered bug you correctly warned about, and also protects against fire, burglary and human error.

Watertight compartments on a ship are an example of fault tolerance. A hull breach will cause damaage but the ship may stay afloat. So are circuit breakers -- they turn a potential fire into a loss of power. We need things like stack canaries. They're not solutions, but they limit damage.