Witty worm proves patching 'not viable' - research

Robert Lemos
CNET News.com
March 29, 2004

Companies could not apply patches in time to prevent the Witty worm spreading, according to a report from US academics

The Witty worm first hit computers known to be vulnerable and emerged so quickly that most companies had no time to apply a patch, according a recent report by US-based academics.

The worm started spreading around the Internet last week, less than 48 hours after the first public description of the flaw was released. That's the fastest development to date of a worm from a vulnerability, according to a report published late last week by the Cooperative Association for Internet Data Analysis (CAIDA) and the University of California at San Diego.

"The fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicised indicates that the security model in which end users apply patches to plug security holes is not viable," the report stated.

Witty took advantage of a flaw in Internet Security Systems software security products such as RealSecure and BlackIce. While ISS has said that only 2 percent of its users were vulnerable to the worm, as many as 12,000 computers may have been infected in less than an hour, according to the report.

If other worms can be produced as quickly, companies will likely have to start relying less on plugging holes in the security of their software and more on other methods of reducing the threat of vulnerabilities, said Colleen Shannon, senior security researcher at CAIDA and one of the report's authors.

"Two days is not enough time to get a large group of people to do anything," she said, adding that "it requires so much skill on the side of the end user" to stay up-to-date on patches that most users don't patch often.

The report also found evidence that the worm was released in a way that would it allow it to speed its attack on vulnerable servers.

The Witty worm started spreading early on Saturday morning. In about 45 minutes, the worm had infected the majority of vulnerable servers -- about 12,000 -- on the Internet, according to the report. Within 10 seconds, 110 compromised hosts appeared, which led CAIDA to believe that those servers were used to actively spread the worm, a tactic known as "preseeding."

"The worm had to have been preseeded," Shannon said. "It is not possible (given the data) for it not to be."

The Witty worm burned out quickly, due to its malicious nature. The worm slowly corrupted the information on a system's hard drive by writing 65 kilobytes of data to a random place on the drive. As a result, nearly half the systems infected by the worm crashed within 12 hours.

Compared with the Microsoft SQL Slammer worm, which infected 70,000 to 100,000 computers, the Witty worm attacked a smaller population, according to CAIDA. The worm also attacked computers that were specifically in place to protect against such threats.

The implications of this evolution should not be ignored, the report said.

"With minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts," it stated.

Back To The Study