CAIDA: Cooperative Association for Internet Data Analysis
The Spread of the Witty Worm

-----summary of contents-----
Abstract for the article "The Spread of the Witty Worm" authored by David Moore and Colleen Shannon. Published in IEEE Security and Privacy, vol. 2, no. 4, Jul-Aug 2004, pp. 46-50. The Cisco Systems University Research Program, the US National Science Foundation, DARPA, the US Department of Homeland Security, and CAIDA members provided support for this work.

-----end summary of contents-----

David Moore and Colleen Shannon
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center
University of California, San Diego

On Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST), an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including its RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm took advantage of a security flaw in these firewall applications that eEye Digital Security discovered earlier in March. Once the Witty worm--so called because its payload contained the phrase, "(^.^) insert witty message here (^,^)"--infects a computer, it deletes a randomly chosen section of the hard drive, which, over time, renders the machine unusable.

While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:

  • It was the first widely propagated Internet worm to carry a destructive payload.
  • It started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
  • It represents the shortest known interval between vulnerability disclosure and worm release--it began spreading the day after the ISS vulnerability was publicized.
  • It spread through a host population in which every compromised host was proactive in securing its computers and networks.
  • It spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating worms' viability as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

In this article, we share a global view of the worm's spread, with particular attention to these worrisome features.

  Last Modified: Tues May-19-2009 10:38:43 PDT
  Page URL: http://www.caida.org/publications/papers/2004/witty/index.xml