In several discussions around the net it has been suggested that the author of the Witty Worm must be an insider. I'm not so sure. Although I agree that it's interesting that the worm was pre-populated with a seed target list, and also interesting that some of those hosts were on a military base, I'm not convinced of the conclusions that others have drawn from these facts, namely that the attacker had to be an insider -- either from the product vendor, or from the company who reported the defect. Likewise, the implication that the attack was directed at the US Military doesn't make sense. A few minutes of scanning could have produced a list of 100 vulnerable hosts. The scanning algorithm might have been something like this:
- google to find likely customers of the company whose product will be exploited,
- find address blocks likely to be associated with those clients using various DNS tools,
- scan randomly until you find a vulnerable host,
- then walk up and down from that IP address to find others which are likely to be nearby.