[clug] Witty worm a wake up call

Michael James Michael.James at csiro.au
Mon Jun 7 03:58:44 GMT 2004


An article in Computerworld has some interesting points, 
 that change some of my thinking
 about the damage a Linux worm could do.

The article is at:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,93584,00.html

and says:

> -- A few things we learned from this worm:

> Witty was wildly successful.
> Twelve thousand machines was the entire vulnerable and exposed population,
> and Witty infected them all -- worldwide -- in 45 minutes.
> It's the first worm that quickly corrupted a small population.
> Previous worms targeting small populations such as Scalper and Slapper were glacially slow.     

> Witty was very well written. It was less than 700 bytes long.
> It used a random-number generator to spread itself,
> avoiding many of the problems that plagued previous worms.
> It spread by sending itself to random IP addresses with random destination ports,
> a trick that made it easier to sneak through firewalls.

> Witty was released cleverly, through a bot network of about 100 infected machines.
> This technique has been talked about before,
> but Witty marks the first time we've seen a worm do it in the wild.
> This, along with the clever way it spread,
> helped Witty infect every available host in 45 minutes.

If a worm can spread so quickly among such a sparse population,
 then we could see a damaging worm appear
 even if only 1 flavour of Linux is vulnerable.

Techniques:
Starting with an already compromised seed population of bots
 helps avoid sitting on the flat part of the exponential infection curve.

Then carrying a long hot-list of likely hosts makes a fast second stage.

Then do exhaustive scanning of IP space.

Each stage uses a binary split of the hot-list/search-space.
i.e. each instance of the worm
 devolves half of its search space to each child infection.

The worm could be in orbit before you know it.
michaelj



Michael James                         michael.james at csiro.au
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166
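The "flat part of the exponential infection curve" mentioned above can be put in numbers with the standard logistic (SI) model of a uniformly random-scanning worm, which is the model used in published worm-propagation analyses. The following is an added example, not code from the original post; the scan rate of 1000 probes per second per infected host is an assumed figure, and the population size of 12,000 is the one the quoted article gives. It shows how much of the defender's response window a pre-seeded population of 100 bots removes compared with a single starting host.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniformly random probe can land on


def contact_rate(scan_rate: float, vulnerable: int) -> float:
    """Per-second rate at which one infected host finds a fresh vulnerable host
    while almost everything is still susceptible (beta * N in SI-model terms)."""
    return scan_rate * vulnerable / ADDRESS_SPACE


def infected_at(t: float, vulnerable: int, seed: int, scan_rate: float) -> float:
    """Logistic solution: I(t) = N / (1 + (N/I0 - 1) * exp(-beta*N*t))."""
    k = contact_rate(scan_rate, vulnerable)
    return vulnerable / (1 + (vulnerable / seed - 1) * math.exp(-k * t))


def time_to_fraction(fraction: float, vulnerable: int, seed: int,
                     scan_rate: float) -> float:
    """Seconds until `fraction` (0 < fraction < 1) of the population is infected,
    obtained by inverting infected_at()."""
    k = contact_rate(scan_rate, vulnerable)
    return math.log((vulnerable / seed - 1) * fraction / (1 - fraction)) / k


def seed_advantage_seconds(vulnerable: int, seed: int, scan_rate: float,
                           fraction: float = 0.99) -> float:
    """Response time lost to the defender when the worm starts from `seed`
    bots instead of one host: the slow start of the curve is skipped."""
    return (time_to_fraction(fraction, vulnerable, 1, scan_rate)
            - time_to_fraction(fraction, vulnerable, seed, scan_rate))


if __name__ == "__main__":
    N, RATE = 12_000, 1000.0  # 12,000 hosts from the article; rate is assumed
    for seed in (1, 100):
        mins = time_to_fraction(0.99, N, seed, RATE) / 60
        print(f"seed={seed:>3}: 99% infected after {mins:6.1f} minutes")
    print(f"100 seed bots save {seed_advantage_seconds(N, 100, RATE) / 60:.1f} min")
```

With the assumed scan rate the single-host start needs about 83 minutes to reach 99% while the 100-bot start needs about 56; changing the scan rate scales both times equally, so the relative saving of the seed stays the same.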