Witty (computer worm)
The Witty worm is a computer worm that attacks the firewall and other computer security products written by a particular company, Internet Security Systems (ISS), now IBM Internet Security Systems. It was the first worm to take advantage of vulnerabilities in the very pieces of software designed to enhance network security, and carried a destructive payload, unlike previous worms. It is so named because the phrase "(^.^) insert witty message here (^.^)" appears in the worm's payload.

The Witty worm incident was unique in that the worm spread very rapidly after announcement of the ISS vulnerability (a day later), and infected a much smaller and presumably harder-to-infect (because the administrators had taken security measures) host population than previous worms.

Propagation

On March 19, 2004, the 'Witty' worm began infecting hosts connected to the Internet (and running the vulnerable ISS software) from a "seed" population, probably of previously compromised computers. Within a half-hour it infected 12,000 computers and was generating 90 Gb/s (gigabits per second) of UDP traffic.

Effect of worm

Once Witty infects a computer by exploiting a vulnerability in the ISS software packages (RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE), it attempts to infect other computers using the same vulnerability.

Witty launches these attacks as fast as possible, attacking a pseudo-random subset of IP addresses as quickly as allowed by the computer's Internet connection. It repeats these attacks in groups of 20,000, alternately launching attacks and overwriting sections of the computer's hard disk(s).

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 