The Spread of the Witty Worm
David Moore and Colleen Shannon
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center
University of California, San Diego
On Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST), an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including its RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm took advantage of a security flaw in these firewall applications that eEye Digital Security had discovered earlier in March. Once the Witty worm--so-called because its payload contained the phrase "(^.^) insert witty message here (^,^)"--infects a computer, it deletes a randomly chosen section of the hard drive, which, over time, renders the machine unusable.
While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:
- It was the first widely propagated Internet worm to carry a destructive payload.
- It started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
- It represents the shortest known interval between vulnerability disclosure and worm release--it began spreading the day after the ISS vulnerability was publicized.
- It spread through a host population whose owners were proactive in securing their computers and networks: every compromised host was running a security product.
- It spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating worms' viability as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.
In this article, we share a global view of the worm's spread, with particular attention to these worrisome features.