The Spread of the Witty Worm
David Moore and Colleen Shannon
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center
University of California, San Diego

On Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time
(PST), an Internet worm began to spread, targeting a buffer overflow
vulnerability in several Internet Security Systems (ISS) products,
including its RealSecure Network,
RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm took
advantage of a security flaw in these firewall applications that eEye
Digital Security discovered earlier in March. Once the Witty worm--so
called because its payload contained the phrase, "(^.^) insert witty
message here (^,^)"--infects a computer, it deletes a randomly chosen
section of the hard drive, which, over time, renders the machine unusable.

While the Witty worm is only the latest in a string of self-propagating
remote exploits, it distinguishes itself through several interesting
features:
- It was the first widely propagated Internet worm to carry a
destructive payload.
- It started in an organized manner with an order of magnitude more
ground-zero hosts than any previous worm.
- It represents the shortest known interval between vulnerability
disclosure and worm release--it began spreading the day after the ISS
vulnerability was publicized.
- It spread through a host population in which every compromised host
belonged to a user who had been proactive in securing their computers and
networks.
- It spread through a population almost an order of magnitude smaller
than that of previous worms, demonstrating worms' viability as an automated
mechanism to rapidly compromise machines on the Internet, even in niches
without a software monopoly.

In this article, we share a global view of the worm's spread, with
particular attention to these worrisome features.