SCI/TECH: 'Witty' Worm Attacks Firewalls

posted on Mar, 21 2004 @ 05:26 PM
A new internet worm dubbed "W32.Witty" attacks and infects computers running Microsoft Windows and firewall/intrusion detection software produced by Internet Security Systems (ISS).
The U.S. Department of Homeland Security saw fit to release a cyber alert about a piece of malicious software that exploits a nine-month-old Windows vulnerability (Phatbot), but has not yet issued a statement about a new worm that attacks two widely used programs used to safeguard home and business computers and is not caught by antivirus software. I found out about the problem when it began to appear in various online articles. It is unlikely that it would have been immediately obvious to our intrusion detection mechanisms because the worm spreads using a port commonly used by the Internet messaging service ICQ.
 

The Register Witty

The 'Witty' worm's name comes from a message buried within its code that says: "insert witty message here."

Using flaws in the code of the BlackIce and RealSecure programs, the worm loads into the memory of the target machine and begins to propagate to other computers. Unlike many other self-replicating worms, this one has a destructive payload and can overwrite computer data and even render a hard drive un-bootable.

A new worm that, ironically, makes sport of Win-32 systems defended by BlackIce and RealSecure firewall products from Internet Security Systems (ISS) began circulating Saturday.

The worm, dubbed 'witty,' is memory-resident only and propagates via UDP port 4000, and possibly others. While occupied with reproducing itself, it overwrites data on the local hard disk(s), and can render a machine un-bootable if it corrupts the master boot record or partition table, or file allocation tables.

The worm is exceptionally vicious by current standards and implies the presence of a highly motivated spoil-sport, such as a disgruntled former employee, an envious competitor, or a monumentally dissatisfied customer. Or it could just be a cool bit of retro coding.

ISS has released updates for the affected software packages on Mar 19th, 2004 to address the ICQ parsing flaw. If you have either BlackIce or RealSecure it is very important to apply the updates immediately. Blocking UDP port 4000 at the network perimeter would also be prudent.

Removal of the worm is simple. Since it is never written to the hard disk, a reboot will unload it, but unless the vulnerable software is patched or the worm traffic is blocked, there is every chance that the computer will be re-infected. Recovering data from a damaged hard disk is much more problematic.

Since implementing a rule to block UDP port 4000 at 16:00 hours (GMT -5), there have been 286 scans for that port, and there are no users running ICQ on the network.

NOTE: As an experiment, I set up a Windows XP machine with an old version of the BlackIce PC software and exposed its IP address to the Internet. Within 3 hours the computer had locked up, and when rebooted the hard disk was corrupted and the OS would not load.

More Information:
Symantec
ISS Download Center
SecurityFocus



[Edited on 21-3-2004 by Banshee]
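The post above reports counting blocked scans for UDP port 4000 after adding a perimeter rule. The following is an added example, not code from the thread or from ISS, showing how a defender could tally such hits from firewall logs and flag sources that probe several internal hosts. The log format, the sample lines and the two-target threshold are assumptions constructed for the example; it treats port 4000 on either side of the UDP packet as a hit, since the post says the worm uses port 4000 "and possibly others".

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread); format is an assumption.
SAMPLE_LOG = """\
2004-03-21 16:02:11 DROP UDP 203.0.113.45:4000 -> 198.51.100.7:31337 len=1104
2004-03-21 16:02:12 DROP UDP 203.0.113.45:4000 -> 198.51.100.7:20412 len=1104
2004-03-21 16:03:40 ACCEPT TCP 198.51.100.7:51234 -> 192.0.2.10:80 len=60
2004-03-21 16:04:02 DROP UDP 203.0.113.45:4000 -> 198.51.100.9:8080 len=1104
2004-03-21 16:05:19 DROP UDP 192.0.2.77:4000 -> 198.51.100.7:443 len=1104
2004-03-21 16:06:00 ACCEPT UDP 198.51.100.7:4000 -> 192.0.2.10:4000 len=92
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

WITTY_PORT = 4000  # the ICQ/BlackIce port named in the thread


def parse_log(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "len"):
                rec[key] = int(rec[key])
            yield rec


def summarize_udp4000(log_text, min_targets=2):
    """Count UDP packets touching port 4000 and flag sources hitting several hosts."""
    hits = 0
    targets_by_src = defaultdict(set)
    for rec in parse_log(log_text.splitlines()):
        if rec["proto"] != "UDP":
            continue
        if WITTY_PORT not in (rec["sport"], rec["dport"]):
            continue
        hits += 1
        targets_by_src[rec["src"]].add(rec["dst"])
    per_source = {src: len(dsts) for src, dsts in targets_by_src.items()}
    # A source sweeping several hosts looks like scanning, not a single ICQ session.
    suspects = sorted(s for s, n in per_source.items() if n >= min_targets)
    return {"hits": hits, "per_source": per_source, "suspects": suspects}


if __name__ == "__main__":
    print(summarize_udp4000(SAMPLE_LOG))
```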




posted on Mar, 21 2004 @ 07:49 PM
Why people make such devastating hacks is beyond me, besides the fact that they are just troublemakers.

Unless it spawned from a corrupted file, I dunno. Any other articles about this?



posted on Mar, 21 2004 @ 08:57 PM
Google News has picked up the story, so it will be making it into the mainstream media soon. This worm contains a taunting message from the writer and specifically attacks two different products from the same vendor. Also, it is written in the "assembly" programming language.

Initial analysis by LURHQ indicates the following:

1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1

LURHQ



posted on Mar, 22 2004 @ 08:52 AM
This one sounds like a nasty worm. I'm not really concerned, as all my computers are always up to date, but I've read that this biatch also scans for personal info, such as credit card numbers, and has an online server where it can report and post sensitive information.

You can find more info on El Reg.
More Info



posted on Mar, 22 2004 @ 09:01 AM

Originally posted by m0rbid
This one sounds like a nasty worm. I'm not really concerned, as all my computers are always up to date, but I've read that this biatch also scans for personal info, such as credit card numbers, and has an online server where it can report and post sensitive information.

You can find more info on El Reg.
More Info

The "Phatbot" that your link refers to is a different animal and while not destructive is quite nasty in its ability to open up computers to tampering and steal personal information.

ATSNN article on "Phatbot"



posted on Mar, 22 2004 @ 09:09 AM
Yeah, just noticed I wasn't talking about the same worm as the original post of this thread.

My mistake, but it's still related, as I think the second one was based on Phatbot, or exploited the same Windows flaw.



posted on Mar, 22 2004 @ 09:30 AM
Forgive me for being blunt, m0rbid, but the two are completely unrelated. As pointed out in the article, 'witty' does NOT exploit a flaw in Microsoft Windows, but takes advantage of an error in two security products produced by ISS.

'Phatbot' is a variant of a successful older bot, 'Agobot', both of which spread by exploiting well-documented vulnerabilities in the MS Windows operating systems.

I make this distinction to illustrate that the actions required to protect a computer from each threat differ greatly and are covered in their respective articles.



posted on Mar, 22 2004 @ 09:43 AM
Spectre

Sorry, I was misled by your first post on this thread.



A new internet worm dubbed "W32.Witty" attacks and infects computers running Microsoft Windows and firewall/intrusion detection software produced by Internet Security Systems (ISS)
The U.S. Department of Homeland Security saw fit to release a cyber alert about a piece of malicious software that exploits a nine month old Windows vulnerability (Phatbot),


BTW, you weren't blunt.



posted on Mar, 29 2004 @ 05:07 PM
It could have been worse, but fortunately I read about it here first, the day it was posted. Otherwise I would have suspected some file corruption, and would have spent more time trying to recover a disk that really needed to be reformatted.

Even with an up-to-date virus scanner I was hit. Once I read about it here, I downloaded the patch from ISS and am back in Biz... I was lucky, in that the corrupted files were mostly OS files, replaceable. Some of my personal data was corrupted, but I have backups (highly recommended!!)

Thanks SPECTRE


