Analysis of the Witty Worm

Here's a very interesting analysis of the Witty Worm from March 2004. Among other things, the researchers found the initial infection point (patient 0). They also believe that the attack was, at least in part, a deliberate cyber-attack on the U.S. military; an army base was deliberately targeted in the worm's hotlist.

Posted on May 27, 2005 at 8:23 AM • 14 Comments

Comments

Israel TorresMay 27, 2005 8:58 AM

""If the attacker is savvy, discovering Patient Zero can be almost useless for law enforcement purposes," he said. "

One would figure that if the author is savvy enough to write the worm they would be savvy enough to plant P0 instead of running it from their core system. But then of course criminals that get caught are generally stupid overall in not foreseeing their mistakes.

Israel Torres

jayhMay 27, 2005 9:29 AM

>>criminals that get caught are generally stupid overall in not foreseeing their mistakes.

Not necessarily stupid; but at a significant disadvantage. They are limited by only one mind and one perspective, whereas the investigators have the advantage of many minds, many perspectives. If 49 investigators overlook an error and 1 finds it the error is spotted. If the criminal covers 49 possibilities and misses 1 he is still vulnerable.

Nicholas WeaverMay 27, 2005 10:32 AM

Part of the worry is that, in all other ways, the author of Witty was very savvy. He knew the lore. He tested & debugged. He had a real motive. He was malicious.

The one, very subtle, very minor, bug came from knowing TOO much about pRNGs (or at least reading Knuth or another source on the subject).

Chris WalshMay 27, 2005 2:50 PM

Funny how the worm whose author seems smartest is also the one with the traditional #include -like comment.

Coincidence? I'm not so sure.

Davi OttenheimerMay 27, 2005 3:56 PM

"the author of Witty was very savvy"
"the worm whose author seems smartest"

I can't resist. Let's just admit that the author of the witty worm is, well...witty.

The paper says "this represents the first occurence of significant seeding in an
autonomous worm. However, this was almost superfluous. Because
Witty's single-packet nature is naturally fast, an unseeded Witty
would have still spread worldwide in under two hours."

The thing everyone points to is the sophistication of the code and efficiency of witty's propogation. And yet, the botnet appears to have been used primarily to provide some level of obscurity or resiliance to outages (e.g. to source the author and/or stop the spread). Perhaps there was more to the experiment than speed alone.

Nicholas WeaverMay 27, 2005 8:57 PM

It wasn't a botnet. It was launched from a single host, and the attacker KNEW IN ADVANCE a set of victims, including a US Military base. The start set, execpt for patient 0, was running the worm code itself. Only patient 0 wasn't running the worm code.

John PritchardMay 29, 2005 3:15 PM

Yes, the paper is not very good, in particular the layers of "research" into the most obvious Egg (patient zero).

Apparently the Egg code is much smaller than the Worm code, which is an interesting part of the story, being the story of its installation, and not discussed by this paper.

Would be fun to know the story of the Egg.

Curt SampsonMay 29, 2005 11:03 PM

I think it was an excellent paper. Who would have thought that so much information could be deduced from the available evidence?

As for not discussing patient 0, I suspect that's more related to law enforcement's traditional silence in "matters under investigation." We may find out more about it eventually.

Ari HeikkinenMay 30, 2005 8:31 AM

I'd say the stuff in the article don't really matter much as long as the attacker don't get caught. It goes without saying the more information a worm leaks about its propagation the easier it is to analyze and thus harder for an attacker not to get caught.

As for patient zero would anyone be stupid enough not to cover their tracks in case someone discovers it?

Bill HerdleJune 1, 2005 3:14 PM

Misinterpretation of Knuth's advice on linear congruential pseudorandom number generators caused the worm to fail to scan 10% of IP addresses. This is the sort of subtle error that makes it so hard to implement crypto correctly.

Gary W. LongsineJune 8, 2005 7:59 PM

@ Nicholas Weaver, who wrote:
"It was launched from a single host, and the attacker KNEW IN ADVANCE a set of victims, including a US Military base."

Although I agree that it's interesting that the worm was pre-populated with a seed target list, and also interesting that some of those hosts were on a military base, I'm not convinced of the conclusions that others have drawn from these facts, namely that the attacker had to be an insider -- either from the product vendor, or from the company who reported the defect. Likewise, the implication that the attack was directed at the US Military doesn't make sense.

A few minutes of scanning could have produced a list of 100 vulnerable hosts. The scanning algorithm might have been something like this:

- google to find likely customers of the company whose product will be exploited,
- find address blocks likely to be associated with those clients using various DNS tools,
- scan randomly until you find a vulnerable host,
- then walk up and down from that IP address to find others which are likely to be nearby.

The worm could have been sitting around waiting for the seed list and the egg. Vulnerability announced, write the egg, test the worm, scan for some infect-able hosts, and fire away.

No insider knowledge required.

It's possible that the attack was directed at the military base, but it seems just as likely that it wasn't. The attack was global, and could certainly have been restricted to the IP address ranges assigned to the US Military, or even to major US corporations, but it wasn't.

Finally, analysts seem to universally assume that writing the egg to exploit a defect like this would be hard and take a long time. Perhaps the Witty Cracker started months in advance, developing their worm against a previously well documented Windows/x86 UDP exploit, say SQL Slammer or something. When a new vulnerability showed up that was similar enough to allow a single-packet UDP exploit, perhaps it only took them a few hours to write and test their code.

Has anybody narrowed down how many hours elapsed between the public announcement of the vulnerability and the start of the worm propagation? It was clearly less than 48 hours.

I hope you and your colleagues are funded for further research on the Witty Worm. I'd like to see you analyze the worm to determine if it would have been possible to develop in a few hours, given the starting position of a previous "prototype" worm. Other worms are clearly developed this way from existing toolkits that are publicly available. Perhaps this worm was developed from a private toolkit.

/gary

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..