Simon Willison’s Weblog

It’s only going to get worse

This analysis of the spread of the witty worm is fascinating for a whole bunch of different reasons.

Firstly, the analysis was made possible by UCSD’s Network Telescope, a network monitoring system on a massive scale which takes advantage of the fact that IP ranges were handed out like candy back when the ’net was in its infancy. UCSD controls a huge chunk of all potential IPv4 addresses, and their network telescope tracks data sent to 1/256th of the entire IPv4 address space. Since most worms target random IP addresses, this makes the telescope a unique tool for analysing the spread of hostile code in the wild.
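To make the telescope argument concrete, here is an added simulation (not code from the post or from UCSD): infected hosts in a constructed scenario probe uniformly random IPv4 addresses, and a block covering 1/256th of the address space records what lands in it. It also goes one step beyond the paragraph, showing how the count of distinct source addresses the telescope sees can be scaled back up to an estimate of the infected population; the host and probe counts are constructed, not Witty’s real figures.

```python
import random

# Fraction of IPv4 space the telescope covers: a /8 block is 2**24 of
# 2**32 addresses, i.e. 1/256 (the figure quoted in the post).
TELESCOPE_FRACTION = 1 / 256

def simulate_telescope(infected_hosts, probes_per_host, seed=0):
    """Constructed model: each infected host sends probes_per_host probes to
    uniformly random IPv4 addresses. Returns what the telescope would record:
    total probes landing in its block and the number of distinct sources seen."""
    rng = random.Random(seed)
    probes_seen = 0
    sources_seen = 0
    for _host in range(infected_hosts):
        # Each random probe lands in the telescope block with probability 1/256.
        hits = sum(1 for _ in range(probes_per_host)
                   if rng.random() < TELESCOPE_FRACTION)
        probes_seen += hits
        if hits:
            sources_seen += 1
    return {"probes_seen": probes_seen, "sources_seen": sources_seen}

def estimate_population(observation, probes_per_host):
    """Scale the telescope's view back up to the whole Internet.

    Total probes: multiply what was seen by 256.  Distinct infected hosts:
    a host sending k random probes is seen at all with probability
    1 - (1 - 1/256)**k, so divide the sources seen by that probability."""
    p_host_seen = 1 - (1 - TELESCOPE_FRACTION) ** probes_per_host
    return {
        "total_probes": observation["probes_seen"] / TELESCOPE_FRACTION,
        "infected_hosts": observation["sources_seen"] / p_host_seen,
        "p_host_seen": p_host_seen,
    }

def run_demo(infected_hosts=2000, probes_per_host=200, seed=1):
    """Constructed scenario (hypothetical numbers): returns the true values
    next to what the telescope alone would let an observer infer."""
    obs = simulate_telescope(infected_hosts, probes_per_host, seed)
    est = estimate_population(obs, probes_per_host)
    return {
        "true_hosts": infected_hosts,
        "true_probes": infected_hosts * probes_per_host,
        **obs, **est,
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
```

With 200 probes per host only about 54% of infected hosts are ever seen by the telescope, which is why the raw source count has to be corrected before it says anything about the size of the outbreak.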

Next, Witty Worm was no ordinary worm. It exploited a vulnerability in ISS firewall products, which include the popular BlackICE product aimed at home users; this means the worm was actively attacking people who had made an effort to secure their machines! It also carried a destructive payload—a rarity for worms in the wild. Additionally, the vulnerability it used had only been publicly announced the day before. It’s possible the authors knew of the vulnerability in advance, but it’s far more likely they had already written the payload and were just waiting for a new vulnerability to use as the carrier.

From reading the report, it seems the worm managed to infect virtually every one of its potential targets that was connected to the internet. This critical point is what makes the worm so interesting, because it destroys the idea that non-Windows users are made more secure by their relatively smaller numbers. If a worm came out with a methodology similar to Witty Worm’s but targeting Linux, OS X or even something with a truly tiny statistical footprint like BeOS, it could still achieve almost total infection of its chosen target audience.

The worm also appears to have used a number of techniques that had previously been hypothesized by the security community, such as spreading from a number of pre-infected hosts.

If a worm can spread this fast, with this little notice, and infect almost all of the vulnerable population, we’re in a pretty precarious state.

Related reading: The Peon’s Guide to Secure System Development, Slashdot’s thread on the Witty Worm analysis (some of the +5 comments are pretty good).

This is It’s only going to get worse by Simon Willison, posted on 27th March 2004.

Previously hosted at http://simon.incutio.com/archive/2004/03/27/notSoWitty