For all the malicious code that has attacked computers in recent years, no widespread worm has actually targeted security software--until now. The Witty Worm, which struck in March, targeted a vulnerability in firewall products from Internet Security Systems (ISS).
Like other worms, Witty commandeered infected computers to seek out new targets; and like other worms, once its target population had been saturated, the rate of infections quickly dropped off (Witty peaked in about 45 minutes and ultimately infected far fewer computers than did worms such as SQL Slammer).
But despite its limited spread, Witty was a pioneer in several ways beyond its choice of target. Unlike the many worms that spread by e-mail, Witty needed no user action at all: it arrived as a single UDP packet dressed up to look like ICQ instant-messaging traffic, so that the ISS products' protocol-analysis code would parse it and trigger the flaw. It also carried a destructive payload, overwriting random sections of the hard drive until the machine crashed. Both traits signal alarming trends, according to research by analysts at the University of California at San Diego's Computer Science and Engineering Department and the Cooperative Association for Internet Data Analysis (CAIDA).
It began spreading only a day after the vulnerability it exploited was made public, "the shortest known interval between vulnerability disclosure and worm release" yet seen, according to a CAIDA paper on Witty. That brings it dangerously close to the much-feared "zero-day exploit," an attack on a vulnerability that is not yet publicly known and for which no patch exists. Worm researcher Jose Nazario, author of the book Defense and Detection Strategies against Internet Worms, agrees that the brief interval between disclosure and release shows "that someone had intimate knowledge of the attack required to leverage the vulnerability" even before the vulnerability was disclosed.
The CAIDA paper also credits Witty with a striking feat: it infected 110 hosts in the first ten seconds of its spread. That is far more than random scanning could plausibly achieve (the paper calls the chances of a single worm instance infecting so many machines at random in so short a time "vanishingly small"), which suggests that the worm was seeded with a list of computers already known to be vulnerable.
Not everyone agrees with that assessment, however. Nazario notes that the spread of Internet worms is not typically measured in seconds and says he would like to see "additional measurement points to attempt to discern this phenomenon." But, he adds, "If it's real, then something is really interesting about this."
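To make the "vanishingly small" argument concrete, here is an added worked example (not from the article or from CAIDA) that models the first ten seconds of the outbreak under the two competing hypotheses: random scanning over the IPv4 address space versus a hit list of hosts already known to be vulnerable. The vulnerable population (12,000 hosts) and the per-instance probe rate (10,000 probes per second) are assumed parameters, not figures from the page; change them to test how sensitive the conclusion is.

```python
import math

IPV4_ADDRESSES = 2 ** 32  # Witty picked targets uniformly at random from the IPv4 space

# Assumed parameters (not from the article): roughly 12,000 vulnerable ISS hosts
# and a single infected machine emitting 10,000 probes per second.
ASSUMED_VULNERABLE = 12_000
ASSUMED_PROBES_PER_SECOND = 10_000


def hit_probability(vulnerable_hosts, address_space=IPV4_ADDRESSES):
    """Chance that one uniformly random probe lands on a vulnerable host."""
    return vulnerable_hosts / address_space


def expected_hits(vulnerable_hosts, probes_per_second, seconds):
    """Expected number of vulnerable hosts reached by one random-scanning
    instance in the given time."""
    return probes_per_second * seconds * hit_probability(vulnerable_hosts)


def seconds_to_expect(k_hits, vulnerable_hosts, probes_per_second):
    """Scan time after which a single random scanner expects k_hits hits."""
    return k_hits / (probes_per_second * hit_probability(vulnerable_hosts))


def prob_at_least(k, mean):
    """P[X >= k] for X ~ Poisson(mean), computed in log space so that very
    small tails (the 'vanishingly small' case) do not round to zero."""
    if k <= 0:
        return 1.0
    if mean <= 0:
        return 0.0

    def log_pmf(i):
        return -mean + i * math.log(mean) - math.lgamma(i + 1)

    if k <= mean:
        # The lower tail has only k terms; subtract it from 1.
        return 1.0 - sum(math.exp(log_pmf(i)) for i in range(k))
    # Above the mean the terms shrink monotonically: sum until negligible.
    total = 0.0
    i = k
    while True:
        term = math.exp(log_pmf(i))
        total += term
        i += 1
        if term == 0.0 or term < total * 1e-17:
            break
    return total


def hitlist_vs_random(k_hits=110, seconds=10,
                      vulnerable_hosts=ASSUMED_VULNERABLE,
                      probes_per_second=ASSUMED_PROBES_PER_SECOND):
    """Compare the two hypotheses for the first `seconds` of the outbreak.

    Random scanning: each probe hits with probability vulnerable / 2^32.
    Hit list: each probe goes to an address already known to be vulnerable,
    so (ignoring unreachable hosts) every probe is a hit until the list runs out.
    """
    mean = expected_hits(vulnerable_hosts, probes_per_second, seconds)
    return {
        "random_expected_hits": mean,
        "random_prob_at_least_k": prob_at_least(k_hits, mean),
        "random_seconds_to_expect_k": seconds_to_expect(
            k_hits, vulnerable_hosts, probes_per_second),
        "hitlist_probes_needed": k_hits,  # one probe per listed host
        "hitlist_seconds_needed": k_hits / probes_per_second,
    }


if __name__ == "__main__":
    for key, value in hitlist_vs_random().items():
        print(f"{key}: {value:.3g}")
```

With these assumptions a single random scanner expects fewer than one hit in ten seconds and would need about an hour of scanning to expect 110, while a hit list reaches 110 hosts in a fraction of a second. The tail probability is computed in log space because the naive "1 minus the lower tail" rounds straight to zero in floating point and hides just how small the number is.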
Witty also shows that worms are an effective tool for compromising machines "even in niches without a software monopoly," according to the CAIDA paper. The paper, The Spread of the Witty Worm, along with animations of the worm's spread across the United States and the world, is available through SM Online.