The Spread of the Witty Worm

Abstract for the article "The Spread of the Witty Worm" authored by David Moore and Colleen Shannon. The Cisco Systems University Research Program, the US National Science Foundation, DARPA, the US Department of Homeland Security, and CAIDA members provided support for this work.

Article published in IEEE Security and Privacy

David Moore and Colleen Shannon
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center
University of California, San Diego

On Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST), an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including its RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm took advantage of a security flaw in these firewall applications that eEye Digital Security discovered earlier in March. Once the Witty worm--so called because its payload contained the phrase, "(^.^) insert witty message here (^,^)"--infects a computer, it deletes a randomly chosen section of the hard drive, which, over time, renders the machine unusable.

While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:

  • It was the first widely propagated Internet worm to carry a destructive payload.
  • It started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
  • It represents the shortest known interval between vulnerability disclosure and worm release--it began spreading the day after the ISS vulnerability was publicized.
  • It spread through a host population in which every compromised host was proactive in securing its computers and networks.
  • It spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating worms' viability as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

In this article, we share a global view of the worm's spread, with particular attention to these worrisome features.


Cooperative Association for Internet Data Analysis (CAIDA)
  Last Modified: Wed Feb-14-2007 9:3:36 PDT
  Maintained by: Alex Ma
  Page URL: http://www.caida.org/publications/papers/2004/witty/index.xml