Witty Extinction


re: http://www.securityfocus.com/printable/columnists/232

"The "Witty" worm appeared on March 19th, and within a few short days it completed its mission and effectively disappeared. ... If the Witty worm didn't affect you, as is the case for most people, you probably don't care. But you should. The Witty worm ... introduced a number of evil new "firsts" in the ever-changing world of modern worms and viruses."

"... Instead of immediately destroying the host, Witty sent out 20,000 packets of its payload (plus some random padding) as fast as possible, and then it started to eat away at its host. Mission accomplished."

"For the first time ever, we saw the appearance of a widely spread Internet worm that ultimately destroyed the hosts it infected, ...  It's also the first time a security product was targeted by a worm."

"... come out a mere day after the vulnerability it exploited was first announced."

"According to CAIDA, it took only about 45 minutes for the Witty worm to reach saturation across the entire Internet ... it simply stopped propagating and destroyed its host once its mission was completed. Apparently, that's not especially news-worthy."

"Updated definition files were created for Witty by all the major anti-virus vendors in their usual speedy fashion. But however fast these updates were released, it was far too late. By then the Witty worm had long since destroyed the machines it had targeted, leaving little choice for administrators and users but to start over. So much for protection from the major AV companies."

"... the average home user, even the ones who proactively went out and purchased a personal firewall, already had up-to-date AV software, and were current with their patches -- and still woke up to a dead machine."

"Several groups now suspect that Witty was released through a bot network of compromised machines, giving it a "kickstart" or "jumpstart" to start infecting as many machines at the same time as possible. ..."

"... Witty clearly shows that even products without very large install bases can be wiped out of existence, a mere day after an exploit is announced."

"We're fortunate that the most widely spread worms thus far have appeared months, sometimes many months after the vulnerability they exploit was first announced. Let's hope that the Witty worm was just an anomaly, an exception. Under the current model of constant, frequent patching (yes, of all operating systems and applications, across the board), that lag is pretty much the only thing we as security professionals can hang onto to give us time to do our jobs."

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************
