ECommerceTimes.com

Witty.A Worm Targets BlackICE Firewall Vulnerability




A computer worm that targets antivirus or firewall protection is nothing new, but the most recent case of a direct attack against computer defenses unfolded with alarming speed, less than two days after vulnerabilities in BlackICE and RealSecure software -- made by Internet Security Systems (Nasdaq: ISSX) -- were disclosed.

As a result, the Witty.A worm -- a network-attack worm that targets host systems running BlackICE and RealSecure software -- reportedly managed to infect about 10,000 computers worldwide using UDP port 4,000. The worm attempts to send itself to 20,000 randomized IP addresses and interacts with the local hard drive, possibly causing a crash.

However, thanks to a limited number of target machines and apparent programming mistakes that stifled its spread, Witty did not go much further than the initial round of infections.

"It turns out it's not so witty after all," iDefense director of malicious code Ken Dunham told TechNewsWorld. "It had a problem with the code that ended up killing itself off in the wild. It looks like it had errors in the programming that didn't allow it to become widespread."

Quick and Easy

Dunham said that because Witty exploited a buffer-overflow condition reported only two days prior to its release, many computers were likely unpatched against the worm.

With the rapid exploitation of new vulnerabilities on the rise, buffer overflows -- a commonly targeted software glitch -- are increasingly the basis of attacks that are relatively easy to create, according to Dunham.

"Anyone using BlackICE software should be concerned about this worm," Dunham advised. "Disable such software until patched and protected -- and block UDP port 4,000 traffic where feasible to block Witty.A exploitation packets."

ISS said product updates to address the vulnerability have been available since March 9th -- even before the vulnerability was disclosed -- from its download center. The company recommended blocking UDP packets with a source port of 4,000 to prevent inbound worm propagation.

Problems Slow Pace

While it may have sputtered out as it truncated itself, the Witty worm's quick release does highlight the increasingly short turnaround time for attackers taking advantage of the latest software holes.

"It's the same thing we saw last year," Dunham said. "There are more attackers able to come up with buffer overflows very quickly. That's a dangerous trend."

The rapid development of Witty, which was launched onto the Internet within two days of disclosure of the vulnerabilities by eEye Digital Security and ISS, also might be the reason the worm's spread was hindered, Dunham added.

Limited Impact

McAfee Avert vice president Vincent Gullotto told TechNewsWorld that Witty was not considered too much of a threat because it targets only the ISS security software.

"It's not attacking a piece of software to be found on almost every machine like Nimda or Code Red," Gullotto said.

He said while it is certainly troubling for the company that has its products under fire, Witty is not expected to go too far and appears to be a "proof-of-concept [worm] more than anything else."

Growing Army

However, Gullotto did indicate the rapid development and release of a worm so soon after the vulnerability's disclosure might be more troubling.

"What it does point out is that the hacker and virus-writer communities are constantly looking for opportunities and ways in which they can prove something is vulnerable," he said. "You never know where they are going to find an opportunity or a vulnerability that they will attack."

Dunham said the increase in worms makes it difficult to predict which ones are most dangerous, but he added that security professionals and system administrators also are responding to the threats with more proactive information-gathering and action.




More by Jay Lyman
