It’s only going to get worse
27th March 2004
This analysis of the spread of the Witty worm is fascinating for a whole bunch of different reasons.
Firstly, the analysis was made possible by UCSD’s Network Telescope, a network monitoring system on a massive scale which takes advantage of the fact that IP ranges were handed out like candy back when the ’net was in its infancy. UCSD controls a huge chunk of all potential IPv4 addresses, and their network telescope tracks data sent to 1/256th of all IPv4 addresses. Since most worms target random IP addresses this makes the telescope a unique tool in analysing the spread of hostile code in the wild.
Next, Witty Worm was no ordinary worm. It exploited a vulnerability in ISS firewall products, which include the popular BlackICE product targeted at home users; this means the worm was actively attacking people who had made an effort to secure their machines! It also carried a destructive payload—a rarity for worms in the wild. Additionally, the vulnerability it exploited had only been publicly announced the day before. It’s possible the authors knew of the vulnerability in advance, but it’s far more likely they had already written the payload and were just waiting for a new vulnerability to use as the carrier.
From reading the report, it seems that the worm managed to infect virtually every one of its potential targets that were connected to the internet. This critical point is what makes the worm so interesting, because it destroys the idea that non-Windows users are made more secure by their relatively smaller numbers. If a worm came out with a similar methodology to Witty Worm but targeted Linux, OS X or even something with a truly tiny statistical footprint like BeOS, it could still achieve almost total infection of its chosen target audience.
The worm also appears to have used a number of techniques that had previously been hypothesized by the security community, such as spreading from a number of pre-infected hosts.
If a worm can spread this fast, with this little notice, and infect almost all of the vulnerable population, we’re in a pretty precarious state.
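To make the network telescope point above concrete, here is an added sketch (not from the original post or the telescope's operators) of the measurements a 1/256 darknet allows, assuming sources scan uniformly at random. The packet records, addresses and function names are constructed for the example.

```python
from collections import defaultdict

TELESCOPE_FRACTION = 1 / 256  # share of IPv4 space monitored, per the post

# Constructed sample: (seconds since start, source IP) of packets that arrived
# at unused telescope addresses. Sources use documentation-only ranges.
SAMPLE_PACKETS = [
    (0.5, "192.0.2.10"), (1.5, "192.0.2.10"), (2.5, "192.0.2.10"),
    (4.0, "198.51.100.7"), (4.5, "192.0.2.10"), (6.0, "203.0.113.3"),
    (7.0, "198.51.100.7"), (9.0, "203.0.113.9"),
]


def unique_sources_over_time(packets, bin_seconds):
    """Cumulative number of distinct scanning sources seen by the end of each bin."""
    first_seen = {}
    for ts, src in packets:
        first_seen[src] = min(ts, first_seen.get(src, ts))
    if not first_seen:
        return []
    new_per_bin = defaultdict(int)
    for ts in first_seen.values():
        new_per_bin[int(ts // bin_seconds)] += 1
    curve, total = [], 0
    for b in range(max(new_per_bin) + 1):
        total += new_per_bin[b]
        curve.append(total)
    return curve


def estimated_scan_rate(packets, src):
    """Scale one host's observed packet rate up to its Internet-wide probe rate."""
    times = sorted(ts for ts, s in packets if s == src)
    if len(times) < 2 or times[-1] == times[0]:
        return None  # not enough observations to estimate a rate
    observed_rate = (len(times) - 1) / (times[-1] - times[0])
    return observed_rate / TELESCOPE_FRACTION


def detection_probability(probes):
    """Chance that at least one of `probes` uniformly random probes hits the telescope."""
    return 1 - (1 - TELESCOPE_FRACTION) ** probes


if __name__ == "__main__":
    print(unique_sources_over_time(SAMPLE_PACKETS, 5))
    print(estimated_scan_rate(SAMPLE_PACKETS, "192.0.2.10"))
    print(round(detection_probability(256), 3))
```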