WatchGuard Wire
Improve Your Security IQ
Researchers trace Witty worm to its source
In a discovery that bodes well for our future ability to capture worm authors, a trio of researchers using innovative Internet-wide forensics discovered the source of last year's Witty worm.
In case you tuned in late: On March 19, 2004, Witty appeared out of nowhere, exploited a buffer overflow in the ICQ protocol parser shared by Internet Security Systems' (ISS) RealSecure and BlackICE security products, and spread worldwide. Witty wiped virtually all vulnerable computers from the Internet in 75 minutes. Because its payload also overwrote random sectors of each infected host's hard disk, Witty did not merely take infected computers offline; they had to be rebuilt. Several things about Witty rocked security professionals back on their heels: its speed, its destructiveness, and, most of all, our utter lack of defenses against it. A year after Witty's savage romp, the world still had little idea of where it came from.
But that has changed. Three researchers (Abhishek Kumar of the Georgia Institute of Technology; Vern Paxson of the International Computer Science Institute; and Nicholas Weaver, also of ICSI) performed extensive analysis of data captured by network "telescopes" -- machines that record every packet sent to large blocks of routable but unused Internet address space. Since few or no legitimate hosts live at those addresses, most of the traffic that arrives there is the by-product of some worm's pseudo-random number generator inventing addresses to spread to: a scanning worm sprays probes across the whole address space, and a fixed share of them land in the telescope. To learn how Kumar, Paxson, and Weaver then evaluated captured Witty traffic, read their fascinating paper (PDF). The upshot is, their research yielded strong evidence that Witty was seeded with hosts at a US military base, and enabled them to pinpoint "Patient Zero" -- the IP address of the system the attacker used to release Witty.
"Telescopes" have been used in the past to calculate how rapidly a worm propagated and the probable number of infected systems. The researchers' innovation was to exploit the structure of the worm itself. Witty chose its targets with a simple linear congruential generator, so the handful of packets each infected host happened to send into the telescope was enough to recover that host's generator state, regenerate every address it had scanned, and work out which infected host could have infected which. Backtracing that chain of infections led to a single machine on a European ISP.
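The following simulation is an added example of the reconstruction technique described above; it is not code from Kumar, Paxson, and Weaver's paper or from WatchGuard. It assumes a worm whose scanner is the 32-bit linear congruential generator with the familiar MSVC rand() constants, that each probe draws its destination IP from the top 16 bits of two consecutive generator outputs and its port from a third, and that the telescope owns the dark block 10.0.0.0/8. The worm, the seed, and the telescope block are all constructed for the demo; nothing is sent on the wire.

```python
"""Reconstructing a scanning worm's probes from what a network telescope saw.

Added example, not code from the paper or from WatchGuard. Assumptions, all
constructed for the demo: the worm's PRNG is the 32-bit LCG with the MSVC
rand() constants, each probe uses the top 16 bits of two consecutive outputs
for the IP and a third for the port, and the telescope owns 10.0.0.0/8.
"""
from typing import List, NamedTuple, Optional, Tuple

A, C, M = 214013, 2531011, 1 << 32   # assumed LCG: x' = (A*x + C) mod 2^32
A_INV = pow(A, -1, M)                 # A is odd, so it is invertible mod 2^32
DARK_FIRST_OCTET = 10                 # constructed telescope block 10.0.0.0/8


class Probe(NamedTuple):
    ip: int      # destination IPv4 address as a 32-bit int
    port: int    # destination UDP port
    x1: int      # ground truth for checking; invisible on the wire


def lcg_next(x: int) -> int:
    return (A * x + C) % M


def lcg_prev(x: int) -> int:
    """Step the generator backwards; possible because A is invertible."""
    return (A_INV * (x - C)) % M


def top16(x: int) -> int:
    return x >> 16


def worm_scan(state: int, n: int) -> List[Probe]:
    """Simulated worm: three LCG outputs per probe (IP hi, IP lo, port)."""
    probes = []
    for _ in range(n):
        x1 = lcg_next(state)
        x2 = lcg_next(x1)
        x3 = lcg_next(x2)
        probes.append(Probe((top16(x1) << 16) | top16(x2), top16(x3), x1))
        state = x3
    return probes


def telescope_capture(probes: List[Probe]) -> List[Tuple[int, int]]:
    """The telescope records only packets aimed at its dark /8, and sees
    only what is on the wire: destination IP and port."""
    return [(p.ip, p.port) for p in probes if p.ip >> 24 == DARK_FIRST_OCTET]


def recover_state(ip: int, port: int) -> Optional[int]:
    """Recover the full 32-bit state x1 behind one observed probe.

    The packet leaks the top 16 bits of x1, of x2 = next(x1) and of
    x3 = next(x2). Brute-force the 65536 unknown low bits of x1 and keep
    the candidate whose successors match; 32 bits of check against 16
    bits of freedom makes a spurious match vanishingly unlikely. Returns
    None when no candidate fits (the sender is not running this PRNG,
    which is how a hand-crafted hit list would stand out) or when the
    match is ambiguous.
    """
    hi1, hi2 = ip >> 16, ip & 0xFFFF
    hits = []
    for x in range(hi1 << 16, (hi1 + 1) << 16):
        x2 = lcg_next(x)
        if top16(x2) == hi2 and top16(lcg_next(x2)) == port:
            hits.append(x)
    return hits[0] if len(hits) == 1 else None


def reconstruct_scan(x1: int, before: int, after: int) -> List[Tuple[int, int]]:
    """Regenerate the probes around a recovered state: `before` probes
    earlier and `after` probes later, with the observed probe in between."""
    s = x1
    for _ in range(3 * before):       # three generator states per probe
        s = lcg_prev(s)
    start = lcg_prev(s)               # state just before that earlier probe
    return [(p.ip, p.port) for p in worm_scan(start, before + 1 + after)]


def could_have_infected(seen: Tuple[int, int], victim_ip: int, horizon: int) -> bool:
    """Infection-chain test: does the sender's reconstructed scan, within
    `horizon` probes either side of the probe the telescope saw, include
    the victim? True marks a candidate infector-to-infectee link."""
    x1 = recover_state(*seen)
    if x1 is None:
        return False
    return any(ip == victim_ip for ip, _ in reconstruct_scan(x1, horizon, horizon))


if __name__ == "__main__":
    scan = worm_scan(0xC0FFEE, 4000)          # constructed seed
    seen = telescope_capture(scan)
    print(f"telescope saw {len(seen)} of {len(scan)} probes")
    x1 = recover_state(*seen[0])
    print("recovered generator state:", hex(x1) if x1 is not None else None)
```

The telescope sees roughly one probe in 256, yet a single captured packet is enough to rebuild the sender's entire scan, forwards and backwards, and to ask whether a given victim's address was on it. Running the same check over every infected sender is what turns a pile of telescope packets into an infection tree, and a sender whose packets cannot be explained by the generator at all is the anomaly worth a closer look.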
Kumar, Paxson, and Weaver have pioneered a forensics approach that could make it much tougher for future worm authors to remain anonymous. If researchers can quickly establish which machine launched a worm, attackers will have to work that much harder to cover their tracks. Any research that makes the criminal's task tougher is a significant step toward helping the good guys keep the upper hand on the Internet.
Witty got its name from a phrase in its payload that read, "Insert witty comment here." Kumar, Paxson, and Weaver's 15-page "witty comment" has turned destruction into insight, thus outwitting Witty. Bravo to them. -- Scott Pinzon
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.