The Witty Worm: A New Chapter in Malware
By Bruce Schneier
June 2, 2004
If press coverage is any guide, then the Witty worm wasn't all that successful. Blaster, SQL Slammer, Nimda, even Sasser made bigger headlines. Witty infected only about 12,000 machines, almost none of them home users. It didn't seem like a big deal.
But Witty was a big deal (see story). It represented some scary malware firsts and is likely a harbinger of worms to come. IT professionals need to understand Witty and what it did.
Witty was the first worm to target a particular set of security products -- in this case Internet Security System's BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running.
A few things we learned from this worm:
Witty was wildly successful. Twelve thousand machines was the entire vulnerable and exposed population, and Witty infected them all -- worldwide -- in 45 minutes. It's the first worm that quickly corrupted a small population. Previous worms targeting small populations such as Scalper and Slapper were glacially slow.
Witty was speedily written. Security company eEye Digital Security discovered the vulnerability in ISS's BlackICE/RealSecure products on March 8, and ISS released a patched version on March 9. EEye published a high-level description of the vulnerability on March 18. On the evening of March 19, about 36 hours after eEye's public disclosure, the Witty worm was released into the wild.
Witty was very well written. It was less than 700 bytes long. It used a random-number generator to spread itself, avoiding many of the problems that plagued previous worms. It spread by sending itself to random IP addresses with random destination ports, a trick that made it easier to sneak through firewalls. It was -- and this is a very big deal -- bug-free. This strongly implies that the worm was tested before release.
Witty was released cleverly, through a bot network of about 100 infected machines. This technique has been talked about before, but Witty marks the first time we've seen a worm do it in the wild. This, along with the clever way it spread, helped Witty infect every available host in 45 minutes.
Witty was exceptionally nasty. It was the first widespread worm that destroyed the hosts it infected. And it did so cleverly. Its malicious payload, erasing data on random accessible drives in random 64KB chunks, caused immediate damage without significantly slowing the worm's spread.
What do we make of all this? Clearly the worm writer is an intelligent and experienced programmer; Witty is the first worm to combine this level of skill with this level of malice. Either he had inside advance knowledge of the vulnerability -- it is unlikely that he reverse-engineered it from the ISS patch -- or he worked very quickly. Maybe he had the worm written and just dropped the vulnerability in at the last minute. In any case, he seems to have deliberately targeted ISS. If his goal had been maximum spread, he could have waited for a more general vulnerability -- or series of vulnerabilities -- to use. The one he chose was optimized to inflict maximum damage on a specific set of targets. Was the attack against ISS, or against a particular user of ISS products? We don't know.
Witty represents a new chapter in malware. If it had used common Windows vulnerabilities to spread, it would have been the most damaging worm we have seen yet. Worm writers learn from each other, and we have to assume that other worm writers have seen the disassembled code and will reuse it in future worms. Even worse, Witty's author is still unknown and at large -- and we have to assume that he's going to do this kind of thing again.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..