It’s only going to get worse
27th March 2004
This analysis of the spread of the Witty worm is fascinating for a whole bunch of different reasons.
Firstly, the analysis was made possible by UCSD’s Network Telescope, a network monitoring system on a massive scale which takes advantage of the fact that IP ranges were handed out like candy back when the ’net was in its infancy. UCSD controls a huge chunk of all potential IPv4 addresses, and their network telescope observes the traffic sent to 1/256th of the entire IPv4 address space. Since most worms target random IP addresses, this makes the telescope a unique tool for analysing the spread of hostile code in the wild.
Next, Witty Worm was no ordinary worm. It targeted a vulnerability in ISS firewall products, which include the popular BlackICE product aimed at home users; this means the worm was actively attacking people who had made an effort to secure their machines! It also carried a destructive payload—a rarity for worms in the wild. Additionally, the vulnerability it exploited had only been publicly announced the day before. It’s possible the authors knew of the vulnerability in advance, but it’s far more likely they had already written the payload and were just waiting for a new vulnerability to use as the carrier.
From reading the report, it seems that the worm managed to infect virtually every one of its potential targets that was connected to the internet. This critical point is what makes the worm so interesting, because it destroys the idea that non-Windows users are made more secure by their relatively small numbers. If a worm came out with a similar methodology to Witty Worm but targeted Linux, OS X or even something with a truly tiny statistical footprint like BeOS, it could still achieve almost total infection of its chosen target audience.
The worm also appears to have used a number of techniques that had previously been hypothesized by the security community, such as spreading from a number of pre-infected hosts.
If a worm can spread this fast, with this little notice, and infect almost all of the vulnerable population, we’re in a pretty precarious state.
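As an added illustration (not part of the original post or of the UCSD analysis) of why random scanning saturates a small vulnerable population just as surely as a large one, only more slowly, and of what a 1/256th telescope sees while that happens, here is the classic logistic "random constant spread" model; the population sizes and per-host scan rate are constructed, not Witty's measured values.

```python
"""Random-scanning worm dynamics and what a 1/256th-of-IPv4 telescope observes.
Added illustration; populations and scan rate below are constructed values."""
import math

IPV4_SPACE = 2 ** 32
TELESCOPE_SHARE = 1 / 256  # the telescope receives traffic for 1/256 of IPv4 space


def contact_rate(vulnerable, scan_rate):
    """Per-second rate at which one infected host hits vulnerable hosts when
    every probe goes to a uniformly random IPv4 address."""
    return scan_rate * vulnerable / IPV4_SPACE


def infected_fraction(t, vulnerable, scan_rate, seeds=1):
    """Fraction of the vulnerable population infected t seconds after release.
    Logistic model; seeds = hosts pre-infected at t=0 (the hit-list technique)."""
    k = contact_rate(vulnerable, scan_rate)
    a = (vulnerable - seeds) / seeds
    return 1 / (1 + a * math.exp(-k * t))


def time_to_fraction(target, vulnerable, scan_rate, seeds=1):
    """Seconds until `target` fraction of the vulnerable population is infected
    (closed-form inverse of infected_fraction)."""
    k = contact_rate(vulnerable, scan_rate)
    a = (vulnerable - seeds) / seeds
    return math.log(a * target / (1 - target)) / k


def telescope_probes_per_second(infected, scan_rate):
    """Expected worm probes per second arriving at the telescope."""
    return infected * scan_rate * TELESCOPE_SHARE


def infected_from_telescope(observed_pps, scan_rate):
    """Estimate the infected population from the telescope's observed probe
    rate, assuming the per-host scan rate is known."""
    return observed_pps / (scan_rate * TELESCOPE_SHARE)


if __name__ == "__main__":
    rate = 1000  # constructed: probes per second per infected host
    for population in (12_000, 500):  # constructed: a mid-sized and a tiny target base
        for seeds in (1, 100):
            hours = time_to_fraction(0.99, population, rate, seeds) / 3600
            print(f"{population:>6} hosts, {seeds:>3} seeded: 99% infected after {hours:6.1f} h")
    print(f"one infected host shows up at the telescope as "
          f"{telescope_probes_per_second(1, rate):.2f} probes/s")
```

Shrinking the vulnerable population only stretches the time axis: the curve still goes to 100%, which is the post's point about small platforms.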
Related reading: The Peon’s Guide to Secure System Development, Slashdot’s thread on the Witty Worm analysis (some of the +5 comments are pretty good).