@ Nicholas Weaver, who wrote:
"It was launched from a single host, and the attacker KNEW IN ADVANCE a set of victims, including a US Military base."
Although I agree that it's interesting that the worm was pre-populated with a seed target list, and also interesting that some of those hosts were on a military base, I'm not convinced of the conclusions that others have drawn from these facts, namely that the attacker had to be an insider -- either from the product vendor, or from the company who reported the defect. Likewise, the implication that the attack was directed at the US Military doesn't make sense.
A few minutes of scanning could have produced a list of 100 vulnerable hosts. The scanning algorithm might have been something like this:
- google to find likely customers of the company whose product will be exploited,
- find address blocks likely to be associated with those clients using various DNS tools,
- scan randomly until you find a vulnerable host,
- then walk up and down from that IP address to find others which are likely to be nearby.
The worm could have been sitting around waiting for the seed list and the egg. Vulnerability announced, write the egg, test the worm, scan for some infect-able hosts, and fire away.
No insider knowledge required.
It's possible that the attack was directed at the military base, but it seems just as likely that it wasn't. The attack was global, and could certainly have been restricted to the IP address ranges assigned to the US Military, or even to major US corporations, but it wasn't.
Finally, analysts seem to universally assume that writing the egg to exploit a defect like this would be hard and take a long time. Perhaps the Witty Cracker started months in advance, developing their worm against a previously well documented Windows/x86 UDP exploit, say SQL Slammer or something. When a new vulnerability showed up that was similar enough to allow a single-packet UDP exploit, perhaps it only took them a few hours to write and test their code.
Has anybody narrowed down how many hours elapsed between the public announcement of the vulnerability and the start of the worm propagation? It was clearly less than 48 hours.
I hope you and your colleagues are funded for further research on the Witty Worm. I'd like to see you analyze the worm to determine if it would have been possible to develop in a few hours, given the starting position of a previous "prototype" worm. Other worms are clearly developed this way from existing toolkits that are publicly available. Perhaps this worm was developed from a private toolkit.