
Chiba Witty Blues and Blastoff!

A short but interesting pair of papers from Peter Szor and colleagues on Witty and Blaster:
W32/Witty is a UDP-based worm employing a vulnerability in ISS security products, such as the BlackICE firewall, to spread. More specifically, Witty uses a stack buffer overflow in the code that parses ICQ v5 packets.

Witty is very similar to last year’s W32/Slammer (see VB, March 2003, p.6) in a number of ways: it is short (only 647 bytes for the attack buffer, excluding the variable UDP payload padding), its sending rate is limited only by available bandwidth, and it selects random target IP addresses. Unlike Slammer, however, Witty features a very destructive payload: it overwrites random portions of the hard drives of machines it infects.

Source: Chiba Witty Blues, Peter Ferrie, Frédéric Perriot, Péter Ször, Virus Bulletin, May 2004.
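The two properties the paper singles out, a tiny payload sent at whatever rate the link allows and purely random target selection, are what make a Witty/Slammer-style UDP worm saturate its population in minutes rather than days. The following is an added illustration, not code from the paper or from ISS: it turns Witty's 647-byte attack buffer into a per-host probe rate for an assumed uplink, then runs the standard random-scanning "logistic" model (each probe hits a vulnerable host with probability N/2^32, no patching, homogeneous bandwidth). The population size of 12,000 hosts and the 10 Mbit/s uplink are assumed for the worked scenario, not measurements of the real outbreak.

```python
# Added illustration of random-scan worm propagation (not from the Virus
# Bulletin paper). All scenario parameters below are assumptions.
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random scanner draws from
IP_UDP_HEADER_BYTES = 20 + 8     # IPv4 + UDP headers carried with each probe


def probes_per_second(link_bits_per_second, payload_bytes):
    """Probes one infected host can emit when nothing but link bandwidth
    throttles it (Witty's attack buffer is 647 bytes before UDP padding)."""
    datagram_bits = (payload_bytes + IP_UDP_HEADER_BYTES) * 8
    return link_bits_per_second // datagram_bits


def contact_rate(vulnerable, scan_rate, address_space=ADDRESS_SPACE):
    """Expected vulnerable hosts contacted per infected host per second:
    scan_rate probes, each landing on a vulnerable address with probability
    vulnerable/address_space."""
    return scan_rate * vulnerable / address_space


def infected_at(t, vulnerable, scan_rate, initial=1, address_space=ADDRESS_SPACE):
    """Closed-form solution of the mean-field model dI/dt = K*I*(1 - I/N)."""
    k = contact_rate(vulnerable, scan_rate, address_space)
    a = initial / vulnerable
    return vulnerable * a / (a + (1 - a) * math.exp(-k * t))


def seconds_to_fraction(frac, vulnerable, scan_rate, initial=1, address_space=ADDRESS_SPACE):
    """Inverse of infected_at: seconds until frac of the population is infected."""
    k = contact_rate(vulnerable, scan_rate, address_space)
    a = initial / vulnerable
    return math.log(frac * (1 - a) / (a * (1 - frac))) / k


def simulate(vulnerable, scan_rate, seconds, initial=1, address_space=ADDRESS_SPACE):
    """One-second forward-Euler steps of the same model; returns I(0..seconds).
    A sanity check on the closed form, and the place to add effects the closed
    form lacks (patching, blackholing of infected hosts) by editing the loop."""
    k = contact_rate(vulnerable, scan_rate, address_space)
    infected = float(initial)
    curve = [infected]
    for _ in range(seconds):
        infected += k * infected * (1 - infected / vulnerable)
        curve.append(infected)
    return curve


if __name__ == "__main__":
    # Assumed scenario: 12,000 vulnerable hosts, each on a 10 Mbit/s uplink.
    rate = probes_per_second(10_000_000, 647)
    print(f"{rate} probes/s per host at 10 Mbit/s")
    t90 = seconds_to_fraction(0.9, 12_000, rate)
    print(f"90% of 12,000 hosts infected after {t90 / 60:.0f} minutes")
    print(f"{infected_at(t90, 12_000, rate):.0f} infected (closed form)")
    print(f"{simulate(12_000, rate, int(t90))[-1]:.0f} infected (simulation)")
```

The model is deliberately optimistic for the worm (no patching, every host scans at full rate), which is why it is useful defensively: it gives an upper bound on how little reaction time a signature-based response has once such a worm is released. Changing the uplink assumption from 10 Mbit/s to 1 Mbit/s stretches the same 90% mark from roughly 37 minutes to over 6 hours, which is exactly the "limited only by available bandwidth" point the paper makes.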

On 11 August 2003 – the same day it was completed – a 6176-byte-long UPX-compressed bug started to invade the world using a recent vulnerability described in Microsoft’s MS03-26 security bulletin. Even Windows Server 2003 was affected by this vulnerability. Patches were made available by Microsoft, but on this occasion there was only a short delay between the announcement of the vulnerability and the appearance of the worm that exploited it.

Users of Windows XP had a chance to get the patch applied automatically via Windows Automatic Updates. However, the same cannot be said for the Windows 2000 platforms, where users would need to pay closer attention to the update procedures.

Source: Blast Off!, Peter Ferrie, Frédéric Perriot, Péter Ször, Virus Bulletin, September 2003.

June 6, 2005 in Blaster, papers, witty