Skip to main content

Witty Worm Insider? Perhaps not.

In several discussions around the net it has been suggested that the author of the Witty Worm must be an insider. I'm not so sure. Although I agree that it's interesting that the worm was pre-populated with a seed target list, and also interesting that some of those hosts were on a military base, I'm not convinced of the conclusions that others have drawn from these facts, namely that the attacker had to be an insider -- either from the product vendor, or from the company who reported the defect. Likewise, the implication that the attack was directed at the US Military doesn't make sense. A few minutes of scanning could have produced a list of 100 vulnerable hosts. The scanning algorithm might have been something like this:
  • google to find likely customers of the company whose product will be exploited,
  • find address blocks likely to be associated with those clients using various DNS tools,
  • scan randomly until you find a vulnerable host,
  • then walk up and down from that IP address to find others which are likely to be nearby.
The worm could have been sitting around waiting for the seed list and the egg. Vulnerability announced, write the egg, test the worm, scan for some infect-able hosts, and fire away. No insider knowledge required. It's possible that the attack was directed at the military base, but it seems just as likely that it wasn't. The attack was global, and could certainly have been restricted to the IP address ranges assigned to the US Military, or even to major US corporations, but it wasn't. Finally, analysts seem to universally assume that writing the egg to exploit a defect like this would be hard and take a long time. Perhaps the Witty Cracker started months in advance, developing their worm against a previously well documented Windows/x86 UDP exploit, say SQL Slammer or something. When a new vulnerability showed up that was similar enough to allow a single-packet UDP exploit, perhaps it only took them a few hours to write and test their code. Has anybody narrowed down how many hours elapsed between the public announcement of the vulnerability and the start of the worm propagation? It was clearly less than 48 hours. I hope Nicholas Weaver and his colleagues are funded for further research on the Witty Worm. I'd like to see them analyze the worm to determine if it would have been possible to develop in a few hours, given the starting position of a previous "prototype" worm. Other worms are clearly developed this way from existing toolkits that are publicly available. Perhaps this worm was developed from a private toolkit.

Technorati Tags: , , , , , , , , ,

-- NOTE: A few days ago I saw a reference to some that Bruce Schneier had posted to his blog. Last night I surfed it up, and was inspired to post to his comments. This entry is an edited version of my observations, which I post here as our clients browsing the Intrinsic Security blog may be interested. This was quite a worm, still provoking so much thought and discussion all these months later. /gary

Comments

Post a Comment

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom
20 comments
Read more

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber
Post a Comment
Read more

Jailbreaking iOS is a Dead Man Walking

Rumor has it that Apple will include a new security feature (possibly known to the developers in Apple as "Rootless") in the upcoming releases iOS 9 and OS X 10.11. Although details are sparse, it looks like Apple may have implemented what other UNIX systems call "namespaces" (See this nice discussion of namespaces on Linux ). Most of the public speculation about the rumor concerns a possible end to jailbreaking , a sport which has fallen on hard times with successful jailbreaks coming fewer and farther between. Since the defects which enable jailbreaking are inherently open to malware, Apple's ongoing efforts to find and fix these bugs with the LLVM/Clang compiler's ever-more-diligent static analyzer make it harder for the jailbreak community to find a toehold. However, a namespaces-like security architecture might fix one of the biggest issues that leads people to desire a jailbroken iPhone. When iOS was created, the system extension features were
Post a Comment
Read more