Last Updated: 3/23/2004 11:17:41 AM
PC Worm's Attack on Security Software Sparks Extra
The first Internet worm to target flawed computer-security software struck over the weekend, fanning worries among experts that the very products computer users rely on for defense against attack will increasingly come under attack themselves.
Experts also were alarmed at the rapid emergence and unusually destructive payload of the worm, dubbed "Witty," apparently for a line in its code reading "insert.witty.message.here." The worm struck computers running flawed versions of software from Internet Security Systems Inc. (ISSX) on Saturday morning, just two days after the existence of the flaws was revealed by closely held eEye Digital Security.
The flaws affect certain versions of Internet Security Systems' RealSecure, Proventia and BlackICE products, but Witty only exploits certain RealSecure and BlackICE versions.
The time between the disclosure of software flaws and attacks by damaging network worms has been shrinking. Until Witty, the shortest such gap for a widespread worm belonged to August 2003's "Blaster," which exploited a flaw in the Windows operating system disclosed about a month earlier.
Flaws, "especially buffer overflows, are so rapidly exploitable that attackers are getting the upper hand" and attacking before computer users have time to patch their systems, said Ken Dunham, director of malicious codes at iDefense Inc. "We're seeing increased interest in worms, and buffer-overflow attacks in particular, and those two go together to create a nasty brew."
Buffer-overflow attacks, like the one Witty uses, involve sending more data into a memory area, or buffer, than it was designed to hold. If the program never checks the length of incoming data against the size of the buffer, the excess overwrites whatever sits next to it in memory. When that neighbouring memory holds control data such as a saved return address or a function pointer, the attacker can steer the program into running code of the attacker's choosing.
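To make that mechanism concrete, the following is an added C example, not code from the article, from ISS or from the Witty worm. It simulates a stack frame as one flat byte array: a fixed 16-byte buffer followed by a 64-bit "saved return address". The handler names, the buffer size, the message format and the two addresses are assumptions chosen for illustration. The unchecked handler trusts an attacker-supplied length and copies right through the buffer into the saved return; the hardened handler performs the same copy behind a length check and rejects the oversized message.

```c
/* Simulated stack smash: an unchecked copy into a fixed buffer clobbers the
 * "saved return address" stored right after it; a bounds check prevents it.
 * The frame is a single byte array so every write stays inside it and the
 * demonstration is well-defined C rather than real memory corruption.
 * All names, sizes and addresses below are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16                            /* the fixed-size buffer */
#define FRAME_LEN (BUF_LEN + sizeof(uint64_t))  /* buffer + saved return */

/* Hypothetical addresses, chosen for the demo only. */
#define ORIG_RET   0x0000000000401000ULL        /* legitimate return address */
#define ATTACK_RET 0x00000000deadbeefULL        /* where the attacker wants control */

/* Lay out the frame: zeroed buffer followed by the saved return address. */
static void init_frame(unsigned char *frame, uint64_t ret)
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &ret, sizeof ret);
}

/* Read back the 64-bit value stored immediately after the buffer. */
static uint64_t saved_ret(const unsigned char *frame)
{
    uint64_t v;
    memcpy(&v, frame + BUF_LEN, sizeof v);
    return v;
}

/* Vulnerable handler: trusts the attacker-supplied length field.
 * With len > BUF_LEN the copy runs past the buffer into the saved return. */
int handle_unchecked(unsigned char *frame, const unsigned char *msg, size_t len)
{
    memcpy(frame, msg, len);
    return 0;
}

/* Hardened handler: the same copy, guarded by a length check. */
int handle_checked(unsigned char *frame, const unsigned char *msg, size_t len)
{
    if (len > BUF_LEN)
        return -1;                              /* reject oversized input */
    memcpy(frame, msg, len);
    return 0;
}

/* Constructed malicious message: BUF_LEN bytes of filler, then a fake
 * return address positioned exactly where the saved return lives. */
static void build_attack(unsigned char *msg)
{
    uint64_t fake = ATTACK_RET;
    memset(msg, 'A', BUF_LEN);
    memcpy(msg + BUF_LEN, &fake, sizeof fake);
}

/* Saved return address after the vulnerable handler processes the attack. */
uint64_t ret_after_unchecked(void)
{
    unsigned char frame[FRAME_LEN], msg[FRAME_LEN];
    init_frame(frame, ORIG_RET);
    build_attack(msg);
    handle_unchecked(frame, msg, FRAME_LEN);    /* overflow: saved return replaced */
    return saved_ret(frame);
}

/* Saved return address after the hardened handler sees the same attack. */
uint64_t ret_after_checked(void)
{
    unsigned char frame[FRAME_LEN], msg[FRAME_LEN];
    init_frame(frame, ORIG_RET);
    build_attack(msg);
    handle_checked(frame, msg, FRAME_LEN);      /* rejected: frame untouched */
    return saved_ret(frame);
}

/* Return code of the hardened handler for a message of the given length. */
int checked_result(size_t len)
{
    unsigned char frame[FRAME_LEN], msg[FRAME_LEN];
    init_frame(frame, ORIG_RET);
    build_attack(msg);
    return handle_checked(frame, msg, len);
}

int main(void)
{
    printf("unchecked: saved return = 0x%016llx\n",
           (unsigned long long)ret_after_unchecked());
    printf("checked:   saved return = 0x%016llx\n",
           (unsigned long long)ret_after_checked());
    return 0;
}
```

In a real program the overflowed return address is consumed when the function returns, which is what hands control to the attacker; here it is only read back so the effect can be observed safely. The fix is the single comparison in `handle_checked`: the length carried in the message is attacker-controlled and must be validated against the buffer before any copy.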
Vulnerabilities in security software aren't new, although the increasing complexity of anti-hacking tools like those made by Internet Security Systems creates more opportunity for error. Still, up to now, security-software flaws have only been exploited by one-off targeted hacker attacks, not automated attacks, according to Johannes B. Ullrich, chief technology officer of the independent SANS Internet Storm Center.
While it's new to see security software targeted by a network worm -- an automated program that moves directly through Internet connections to attack computers running flawed software -- security products have been getting attention from e-mail virus authors, who now regularly include commands to delete or disable various antivirus and firewall programs if they're found on victim PCs. The emergence of a worm may reflect the increased use of security software, since widespread use is required for a worm to spread successfully, Ullrich said.
And successful Witty was, albeit for a brief time. A highly aggressive spreader, it quickly hit a peak on Saturday morning and likely managed to infiltrate most computers using vulnerable software. Its spread then dropped precipitously, and by Monday the outbreak was essentially over. A total of about 30,000 computers were infected, Ullrich estimates.
"This one generated traffic as fast as it could. It saturated local networks" that contained infected machines, he said. "If you had a vulnerable host connected to the Internet over the weekend it probably got exploited."
Built For Destruction
Witty was designed to send out 20,000 copies of itself in rapid-fire fashion and then overwrite part of the computer's hard disk. It repeated this pattern until the hard-disk damage was severe enough that the computer crashed. Few viruses and worms cause this sort of damage to the machines they infect, mainly because destroying the host can mean killing the virus or worm before it has a chance to spread.
"It managed to spread while it was causing damage," said Dan Ingevaldson, director of X-Force, the research and development arm of Internet Security Systems, or ISS. Modern worms "have been purpose-built to propagate. They have not been purpose-built to be destructive. This one was purpose-built to be destructive."
He said only 1% to 2% of ISS' customers were vulnerable to Witty and that a maximum of 11,000 to 12,000 machines were infected. That's because the flaws weren't present in the most recent versions of its software and because many customers patched their systems.
Ingevaldson said ISS began making patches available soon after eEye notified it of the flaws on March 8. ISS software, like other security programs, is designed for frequent updates, which makes patching them less onerous than other types of software, he added. ISS also believes a large number of infected computers were using pirated versions of its software because it saw a lot of worm traffic from Malaysia, where it has few customers.
Source:
Shot4u Studios