Witty worm
Reflections on Witty by Nicholas Weaver and Dan Ellis. Very good.
On March 20th, 2004, an attacker released a single-packet UDP worm, Witty, into the wild. Although only infecting roughly 12,000 machines, and less than 700 bytes long, this worm represents a dangerous trend in malicious code. The attack is well understood: there have been several analyses [lurhq, disassembly] of the worm itself, and an excellent analysis by Moore and Shannon on the network propagation [caida_witty], including the presence of seeding or hitlisting (starting the worm on a group of systems to speed the initial propagation). But what can we learn about the attacker?
Examining the timeline of events, the worm itself, its malicious payload, and the skills required all point to a sophisticated attacker. Witty was written by an author who was motivated, sophisticated, skilled, and malicious. Although there have been previous well-engineered worms (notably the Morris worm and Nimda), Witty represents a dangerous new trend, combining both skill and malice.
It's actually unfortunate that Witty hasn't gotten the attention lavished on previous worms, as it was a very significant attack. This worm contained a payload malicious to the host computer and was released with almost no time to patch systems. The worm contained no significant bugs, and was written by a malicious author deeply familiar with the theoretical and practical state of the art in worm construction and computer security.
Analysis of Witty worm spread by CAIDA.
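The quoted passage mentions seeding or hitlisting as a way to speed a worm's initial propagation. The following is an added illustration, not code from the post, from Weaver and Ellis, or from CAIDA's analysis: a mean-field (expected-value) model of a random-scanning worm that shows how much of the propagation window a hitlist removes, which is the defender's reason the "almost no time to patch" observation matters. The vulnerable population is the roughly 12,000 hosts the post cites; the address-space size, the per-host scan rate and the hitlist sizes are assumptions, and the model is generic rather than a reconstruction of Witty's actual behaviour.

```python
"""Mean-field model of a random-scanning worm, with and without a hitlist.

Constructed illustration (not the Witty worm's code and not the CAIDA or
Weaver/Ellis model).  The population size is the ~12,000 hosts the post
mentions; address-space size, scan rate and hitlist sizes are assumptions.
"""

ADDRESS_SPACE = 2 ** 32       # addresses scanned uniformly at random (assumption)
VULNERABLE_HOSTS = 12_000     # roughly the Witty population cited in the post
SCANS_PER_TICK = 1_000        # single packets each infected host emits per tick (assumption)


def expected_new_infections(infected, vulnerable, address_space, scans_per_tick):
    """Expected number of hosts newly infected during one tick.

    Each of the `infected` hosts sends `scans_per_tick` packets to addresses
    chosen uniformly from `address_space`.  A still-vulnerable host is hit at
    least once with probability 1 - (1 - 1/A)^(s * I), and every hit infects.
    """
    total_scans = scans_per_tick * infected
    p_hit = 1.0 - (1.0 - 1.0 / address_space) ** total_scans
    return (vulnerable - infected) * p_hit


def ticks_to_fraction(seed, target_fraction=0.9, vulnerable=VULNERABLE_HOSTS,
                      address_space=ADDRESS_SPACE, scans_per_tick=SCANS_PER_TICK,
                      max_ticks=1_000_000):
    """Ticks until `target_fraction` of the vulnerable population is infected.

    `seed` is the number of hosts infected at t = 0: 1 for a single release
    point, larger for a hitlist-seeded release.
    """
    if not 1 <= seed <= vulnerable:
        raise ValueError("seed must be between 1 and the vulnerable population")
    infected = float(seed)
    goal = target_fraction * vulnerable
    ticks = 0
    while infected < goal:
        infected += expected_new_infections(infected, vulnerable,
                                            address_space, scans_per_tick)
        ticks += 1
        if ticks >= max_ticks:
            raise RuntimeError("model did not reach the target within max_ticks")
    return ticks


def hitlist_speedup(hitlist_size, **kwargs):
    """Ticks saved by seeding `hitlist_size` hosts instead of a single host."""
    return ticks_to_fraction(1, **kwargs) - ticks_to_fraction(hitlist_size, **kwargs)


if __name__ == "__main__":
    # Assumed hitlist sizes; each tick is one unit of scanning time.
    for seed in (1, 10, 100, 1_000):
        print(f"seed={seed:>5}: {ticks_to_fraction(seed)} ticks to 90% infected")
    print(f"a 100-host hitlist saves {hitlist_speedup(100)} ticks")
```

With these assumptions the exponential phase dominates: the per-tick growth rate is about s*N/A, so a hitlist of k hosts saves roughly ln(k)/(s*N/A) ticks, which is why even a modest seed set cuts the window in which a defender could still patch ahead of the worm.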
posted Mon 7 Jun 2004 in /software/security | link
Copyright (C) 1999-2007 Martin Pool.