It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
SCI/TECH: 'Witty' Worm Attacks Firewalls
page: 10
share:
A new internet worm dubbed "W32.Witty" attacks and infects computers running Microsoft Windows and firewall/intrusion detection software produced
by Internet Security Systems (ISS)
The U.S. Department of Homeland Security saw fit to release a �cyber alert� about a piece of malicious software that exploits a nine month old Windows vulnerability (Phatbot), but has not yet issued a statement about a new worm that attacks two widely used programs used to safeguard home and business computers and is not caught by antivirus software. I found out about the problem when it began to appear in various online articles. It is unlikely that it would have been immediately obvious to our intrusion detection mechanisms because the worm spreads using a port commonly used by the Internet messaging service �ICQ.�
The Register � �Witty�
The 'Witty' worm's name comes from a message buried within its code that says: "insert witty message here."
Using flaws in the code of BlackIce and RealSecure programs the worm loads into memory of the target machine and begin to propagate to other computers. Unlike many other self-replicating worms this one has a destructive payload and can overwrite computer data and even render a hard drive un-bootable.
A new worm that, ironically, makes sport of Win-32 systems defended by BlackIce and RealSecure firewall products from Internet Security Systems (ISS) began circulating Saturday.
The worm, dubbed 'witty,' is memory-resident only and propagates via UDP port 4000, and possibly others. While occupied with reproducing itself, it overwrites data on the local hard disk(s), and can render a machine un-bootable if it corrupts the master boot record or partition table, or file allocation tables.
The worm is exceptionally vicious by current standards and implies the presence of a highly motivated spoil-sport, such as a disgruntled former employee, an envious competitor, or a monumentally dissatisfied customer. Or it could just be a cool bit of retro coding.
ISS has released updates for the affected software packages on Mar 19th, 2004 to address the ICQ parsing flaw. If you have either BlackIce or RealSecure it is very important to apply the updates immediately. Blocking UDP port 4000 at the network perimeter would also be prudent.
Removal of the worm is simple. Since it is never written to the hard disk a re-boot will unload it, but unless the vulnerable software is patched or the worm traffic is blocked, there is every chance that the computer will be re-infected. Recovering data from a damaged hard disk is much more problematic.
Since implementing a rule to block UDP port 4000 at 16:00 hours (GMT -5) there have been 286 scans for that port and there are no users running ICQ on the network.
NOTE: As an experiment, I set up a Windows XP machine with an old version of the BlackIce PC software and exposed its IP address to the Internet. Within 3 hours the computer had locked up and when re-booted the hard disk was corrupted and the OS would not load.
More Information:
Symantec
ISS Download Center
SecurityFocus
[Edited on 21-3-2004 by Banshee]
The U.S. Department of Homeland Security saw fit to release a �cyber alert� about a piece of malicious software that exploits a nine month old Windows vulnerability (Phatbot), but has not yet issued a statement about a new worm that attacks two widely used programs used to safeguard home and business computers and is not caught by antivirus software. I found out about the problem when it began to appear in various online articles. It is unlikely that it would have been immediately obvious to our intrusion detection mechanisms because the worm spreads using a port commonly used by the Internet messaging service �ICQ.�
The Register � �Witty�
The 'Witty' worm's name comes from a message buried within its code that says: "insert witty message here."
Using flaws in the code of BlackIce and RealSecure programs the worm loads into memory of the target machine and begin to propagate to other computers. Unlike many other self-replicating worms this one has a destructive payload and can overwrite computer data and even render a hard drive un-bootable.
A new worm that, ironically, makes sport of Win-32 systems defended by BlackIce and RealSecure firewall products from Internet Security Systems (ISS) began circulating Saturday.
The worm, dubbed 'witty,' is memory-resident only and propagates via UDP port 4000, and possibly others. While occupied with reproducing itself, it overwrites data on the local hard disk(s), and can render a machine un-bootable if it corrupts the master boot record or partition table, or file allocation tables.
The worm is exceptionally vicious by current standards and implies the presence of a highly motivated spoil-sport, such as a disgruntled former employee, an envious competitor, or a monumentally dissatisfied customer. Or it could just be a cool bit of retro coding.
ISS has released updates for the affected software packages on Mar 19th, 2004 to address the ICQ parsing flaw. If you have either BlackIce or RealSecure it is very important to apply the updates immediately. Blocking UDP port 4000 at the network perimeter would also be prudent.
Removal of the worm is simple. Since it is never written to the hard disk a re-boot will unload it, but unless the vulnerable software is patched or the worm traffic is blocked, there is every chance that the computer will be re-infected. Recovering data from a damaged hard disk is much more problematic.
Since implementing a rule to block UDP port 4000 at 16:00 hours (GMT -5) there have been 286 scans for that port and there are no users running ICQ on the network.
NOTE: As an experiment, I set up a Windows XP machine with an old version of the BlackIce PC software and exposed its IP address to the Internet. Within 3 hours the computer had locked up and when re-booted the hard disk was corrupted and the OS would not load.
More Information:
Symantec
ISS Download Center
SecurityFocus
[Edited on 21-3-2004 by Banshee]
why people make such devastating hacks is beyond me, besides the fact that they are just trouble makers.
Unless it spawned from a cirrupted file, I dunno. Any other articles about this?
Unless it spawned from a cirrupted file, I dunno. Any other articles about this?
Google News has picked up the story, so it will be making it into the mainstream media soon. This worm contains a taunting message from the writer
and specifically attacks two different products from the same vendor. Also, it is written in the "assembly" programming language.
Initial analysis by LURHQ indicates the following:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
LURHQ
Initial analysis by LURHQ indicates the following:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
LURHQ
This one sound like a nasty worm. I'm not really concerned, as all my computers are always up to date, but I've read that this biatch also scan for
personnal info, such as credit card number, and have a online server where it can report and post sensitive information.
You can have more info on El Reg.
More Info
You can have more info on El Reg.
More Info
Originally posted by m0rbid
This one sound like a nasty worm. I'm not really concerned, as all my computers are always up to date, but I've read that this biatch also scan for personnal info, such as credit card number, and have a online server where it can report and post sensitive information.
You can have more info on El Reg.
More Info
The "Phatbot" that your link refers to is a different animal and while not destructive is quite nasty in its ability to open up computers to tampering and steal personal information.
ATSNN article on "Phatbot"
Yeah, just noticed I wasn't talking about the same worm than the original post of this thread.
My mistake, but it's still related, as I think the second one was based on Phatbot, or exploited the same Windows flaw.
My mistake, but it's still related, as I think the second one was based on Phatbot, or exploited the same Windows flaw.
Forgive me for being blunt, m0rbid, but the two are completely unrelated. As pointed out in the article, 'witty' does NOT exploit a flaw in
Microsoft Windows, but takes advantage of an error in two security products produced by ISS.
'Phatbot' is a variant of a successful older bot, 'Agobot' both of which spread by exploiting well documented vulnerabilities in the MS Windows operating systems.
I make this distinction to illustrate that the actions required to protect a computer from each threat differ greatly and are covered in their respective articles.
'Phatbot' is a variant of a successful older bot, 'Agobot' both of which spread by exploiting well documented vulnerabilities in the MS Windows operating systems.
I make this distinction to illustrate that the actions required to protect a computer from each threat differ greatly and are covered in their respective articles.
Spectre
Sorry, was misleaded by your first post on this thread.
BTW, you weren't blunt.
Sorry, was misleaded by your first post on this thread.
A new internet worm dubbed "W32.Witty" attacks and infects computers running Microsoft Windows and firewall/intrusion detection software produced by Internet Security Systems (ISS)
The U.S. Department of Homeland Security saw fit to release a �cyber alert� about a piece of malicious software that exploits a nine month old Windows vulnerability (Phatbot),
BTW, you weren't blunt.
It could have been worse, but fortunately, I read about it here first, the day it was posted. Otherwise I would have suspected some file corruption,
and would have spent more time trying to
recover a disk, that really needed to be reformatted.
Even with an up-to-date Virus scanner I was hit. Once
I read about it here, I downloaded the patch from ISS.
and am back in Biz...I was lucky, in that the corrupted
files were mostly OS files, replaceable. some of my personal data was corrupted, but I have backups (highly recommended!!)
Thanks SPECTRE
recover a disk, that really needed to be reformatted.
Even with an up-to-date Virus scanner I was hit. Once
I read about it here, I downloaded the patch from ISS.
and am back in Biz...I was lucky, in that the corrupted
files were mostly OS files, replaceable. some of my personal data was corrupted, but I have backups (highly recommended!!)
Thanks SPECTRE
new topics
-
God's Righteousness is Greater than Our Wrath
Religion, Faith, And Theology: 1 hours ago -
Electrical tricks for saving money
Education and Media: 4 hours ago -
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News: 5 hours ago -
Sunak spinning the sickness figures
Other Current Events: 6 hours ago -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues: 6 hours ago -
Late Night with the Devil - a really good unusual modern horror film.
Movies: 8 hours ago -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest: 9 hours ago -
The Good News According to Jesus - Episode 1
Religion, Faith, And Theology: 11 hours ago
top topics
-
Florida man's trip overseas ends in shock over $143,000 T-Mobile phone bill
Social Issues and Civil Unrest: 16 hours ago, 8 flags -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest: 9 hours ago, 8 flags -
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News: 5 hours ago, 8 flags -
Bobiverse
Fantasy & Science Fiction: 16 hours ago, 3 flags -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three: 13 hours ago, 3 flags -
Electrical tricks for saving money
Education and Media: 4 hours ago, 3 flags -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues: 6 hours ago, 3 flags -
Sunak spinning the sickness figures
Other Current Events: 6 hours ago, 3 flags -
Late Night with the Devil - a really good unusual modern horror film.
Movies: 8 hours ago, 2 flags -
The Good News According to Jesus - Episode 1
Religion, Faith, And Theology: 11 hours ago, 1 flags
active topics
-
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News • 35 • : SchrodingersRat -
The Acronym Game .. Pt.3
General Chit Chat • 7744 • : bally001 -
Truth Social goes public, be careful not to lose your money
Mainstream News • 128 • : Astyanax -
New whistleblower Jason Sands speaks on Twitter Spaces last night.
Aliens and UFOs • 53 • : pianopraze -
Sunak spinning the sickness figures
Other Current Events • 5 • : glen200376 -
SETI chief says US has no evidence for alien technology. 'And we never have'
Aliens and UFOs • 44 • : MikeDeGrasseTyson -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three • 31 • : budzprime69 -
How ageing is" immune deficiency"
Medical Issues & Conspiracies • 33 • : rickymouse -
The Reality of the Laser
Military Projects • 46 • : Zaphod58 -
God's Righteousness is Greater than Our Wrath
Religion, Faith, And Theology • 0 • : randomuser2034
0