Animations from CAIDA
Via Kamal (and in my inbox for far too long ...): CAIDA has a neat set of animations, over the years, of various important worm events: SQLSlammer, Code Red, and Witty. They use a map tool and (presumably) GeoIP-type information along with their sensors to map the source of infected boxes and animate it over time. You can see things spread geographically.
All of this is in the Animations section of the CAIDA publications page.
August 21, 2006 in Code Red, SQLSlammer, witty | Permalink | Comments (0)
Updated Microsoft Malicious Software Removal Tool (March, 2006)
Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:
Source: Malicious Software Removal Tool, updated March 14, 2006.
March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob | Permalink | Comments (1)
Updated Windows Defender Tool (Nov, 2005)
It's "patch Tuesday", the day when Microsoft releases their monthly patches (in this case, one fixup for November, 2005), and they also release updates to their malware removal tool. It now has a new name, too, Windows Defender, signifying its larger purpose. The new families detected by this latest update to Windows Defender:
You can see the full list of families detected by the tool on the Microsoft website, Families Cleaned by the Malicious Software Removal Tool. Remember, keep your AV policies current, always make sure you have the latest tool for the newest malware, and check on their sites for updates. You won't detect new threats with out-of-date tools.
Update: As noted in comments, the malicious software removal tool has not been renamed. I guess I'll still call it the MSRT in future posts.
November 8, 2005 in Bagle, Blaster, defense, malware , microsoft, SQLSlammer, tools, witty, Zotob | Permalink | Comments (2)
Can a Network be Protected from Single-Packet Warhol Worms?
Given the recent back-and-forth debate over the wormability of a recent Snort bug (single UDP packet, à la Witty), this paper couldn't be more timely.

Can a network be protected from single-packet Warhol worms? This paper generates and simulates random network environments to answer that question. The research assumes a perfect detection algorithm and varies the time required to perform the identification. Perfect detection alone is not sufficient; it must also be swift in recognizing threats, as some cases presented here show that perfect detection offers no noticeable protection. The impact of other network factors on worm propagation and prevention is investigated as well, including: router participation in the prevention scheme, the percentage of routers involved in the traffic passing, and the ability for participating routers to communicate. The results are promising: realistic simulations without communication can protect over 50% of the network. The addition of communication increases that protection to over 80%. The key result is that emerging identification technologies such as LeBrea can be leveraged into viable automated network protection systems against single-packet worms.

Source: Can a Network be Protected from Single-Packet Warhol Worms?, Larry G. Irwin II & Richard J. Enbody.
October 24, 2005 in defense, modeling, papers, SQLSlammer, witty | Permalink | Comments (1)
MS Malware Tool Updated (October, 2005)
Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware entities they detect are:

As always, this is just one tool in a Windows malware remediation toolkit. Also, it does not run in real-time, so it offers no ongoing protection. Instead, look at an AV solution for that. This only looks for the obvious signs of these malware families, but may not catch all future variants.

As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.
October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob | Permalink | Comments (0)
Updated MS Malware Removal Tool (Sept. 2005)
Microsoft has updated their Malware Removal Tool for September, 2005. The new families of malware detected are:
If you're building an incident response kit, this is a worthwhile tool to have on hand. It's not a substitute for a full AV tool, but it's a fast "first pass".
If you've come to this page via a web search, make sure you download the latest update of the tool. Microsoft updates it every month.
September 14, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools, witty, Zotob | Permalink | Comments (0)
Chiba Witty Blues and Blastoff!
A short but interesting pair of papers from Peter Szor and company on Witty and Blaster:

W32/Witty is a UDP-based worm employing a vulnerability in ISS security products, such as the BlackICE firewall, to spread. More specifically, Witty uses a stack buffer overflow in the code that parses ICQ v5 packets.

Source: CHIBA WITTY BLUES, Peter Ferrie, Frédéric Perriot, Péter Ször, Virus Bulletin, May, 2004.

Witty is very similar to last year's W32/Slammer (see VB, March 2003, p.6) in a number of ways: it is short (only 647 bytes for the attack buffer, excluding the variable UDP payload padding), its sending rate is limited only by available bandwidth, and it selects random target IP addresses. Unlike Slammer, however, Witty features a very destructive payload: it overwrites random portions of the hard drives of machines it infects.

On 11 August 2003, the same day it was completed, a 6176-byte-long UPX-compressed bug started to invade the world using a recent vulnerability described in Microsoft's MS03-26 security bulletin. Even Windows Server 2003 was affected by this vulnerability. Patches were made available by Microsoft, but on this occasion there was only a short delay between the announcement of the vulnerability and the appearance of the worm that exploited it.

Source: Blast Off!, Peter Ferrie, Frédéric Perriot, Péter Ször, September, 2003.

Users of Windows XP had a chance to get the patch applied automatically via Windows Automatic Updates. However, the same cannot be said for the Windows 2000 platforms, where users would need to pay closer attention to the update procedures.
June 6, 2005 in Blaster, papers, witty | Permalink | Comments (0)
Outwitting the Witty Worm
An interesting analysis of the Witty worm (March, 2004) data from the CAIDA team and another author. It shows the power of analyzing a raw data set with information about the worm itself. Have a look at a recent paper that was here on Wormblog, too, Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior. What at first appears random isn't, and just when you think you've done a thorough analysis you realize there's more to do, and more that can be done.

Network "telescopes" that record packets sent to unused blocks of Internet address space have emerged as an important tool for observing Internet-scale events such as the spread of worms and the backscatter from flooding attacks that use spoofed source addresses. Current telescope analyses produce detailed tabulations of packet rates, victim population, and evolution over time. While such cataloging is a crucial first step in studying the telescope observations, incorporating an understanding of the underlying processes generating the observations allows us to construct detailed inferences about the broader "universe" in which the Internet-scale activity occurs, greatly enriching and deepening the analysis in the process.

Source: Outwitting the Witty Worm: Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event, by Abhishek Kumar, Vern Paxson, Nicholas Weaver.

In this work we apply such an analysis to the propagation of the Witty worm, a malicious and well-engineered worm that when released in March 2004 infected more than 12,000 hosts worldwide in 75 minutes. We show that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, from limited and imperfect telescope data we can with high fidelity: extract the individual rate at which each infectee injected packets into the network prior to loss; correct distortions in the telescope data due to the worm's volume overwhelming the monitor; reveal the worm's inability to fully reach all of its potential victims; determine the number of disks attached to each infected machine; compute when each infectee was last booted, to sub-second accuracy; explore the "who infected whom" infection tree; uncover that the worm specifically targeted hosts at a US military base; and pinpoint Patient Zero, the initial point of infection, i.e., the IP address of the system the attacker used to unleash Witty.
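To make the first of those inferences concrete, here is a small constructed example added for this archive; it is not code from Kumar, Paxson and Weaver's paper. Infectees pick uniformly random 32-bit targets (Witty's targeting behaviour, as the Virus Bulletin piece above notes), a telescope on a single /8 (an assumed size, first octet 10) records the hits, and each source's sending rate is recovered by scaling its hit count by the inverse of the telescope's coverage fraction. The three per-source rates and the 120-second window are made-up inputs; the paper's corrections for packet loss and monitor saturation are not modelled.

```python
import random
from collections import Counter

ADDRESS_BITS = 32
TELESCOPE_PREFIX_BITS = 8    # assumption: the telescope owns one /8, i.e. 1/256 of IPv4
TELESCOPE_PREFIX = 10        # assumption: that /8 is 10.0.0.0/8


def telescope_sees(dst: int) -> bool:
    """True if a 32-bit destination address falls inside the monitored /8."""
    return dst >> (ADDRESS_BITS - TELESCOPE_PREFIX_BITS) == TELESCOPE_PREFIX


def simulate_telescope_log(rates, duration_s, seed=2004):
    """Constructed traffic: each infectee scans uniformly random addresses at
    its true rate (packets per second). Only packets that land in the
    telescope are returned, as (source_id, destination) pairs; everything
    else is invisible to the observer, just as on a real telescope."""
    rng = random.Random(seed)
    log = []
    for src, rate in rates.items():
        for _ in range(int(rate * duration_s)):
            dst = rng.getrandbits(ADDRESS_BITS)
            if telescope_sees(dst):
                log.append((src, dst))
    return log


def estimate_rates(log, duration_s):
    """Infer each source's sending rate from its telescope hit count.

    A packet aimed at a uniformly random address lands in the /8 with
    probability 2**-TELESCOPE_PREFIX_BITS, so hits * 2**TELESCOPE_PREFIX_BITS
    / duration is an unbiased estimate of the true rate."""
    scale = 2 ** TELESCOPE_PREFIX_BITS
    hits = Counter(src for src, _ in log)
    return {src: hits[src] * scale / duration_s for src in hits}


def relative_error(estimates, true_rates):
    """|estimate - truth| / truth for every source the telescope observed."""
    return {src: abs(estimates[src] - true_rates[src]) / true_rates[src]
            for src in estimates}


if __name__ == "__main__":
    # Constructed ground truth: three infectees with different link speeds.
    truth = {"infectee-a": 2000.0, "infectee-b": 500.0, "infectee-c": 4000.0}
    window = 120
    log = simulate_telescope_log(truth, window)
    est = estimate_rates(log, window)
    for src in truth:
        hits = sum(1 for s, _ in log if s == src)
        print(f"{src}: true {truth[src]:.0f} pps, estimated {est[src]:.0f} pps "
              f"from {hits} telescope hits")
```

The estimate's precision is set by the hit count: a source seen a few hundred times is recovered to within a few percent, which is why a slow infectee over a short window is the hard case, and why the paper has to separately handle periods when the monitor itself was dropping packets.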
May 26, 2005 in papers, witty | Permalink | Comments (1)
Witty growth and decay rate modeled by Zou
Cliff Zou has modeled the Witty worm's propagation using differential equations, accounting for the destructive aspect of the worm. This analysis gives a compelling reason as to the decay rate and accounts for significant portions of the observations. The data used in the analysis comes from the University of Michigan Internet Motion Sensor project's collection.
In our Witty propagation modeling, we have not considered other factors that could possibly affect Witty's propagation. For example, some infected computers could have been patched or filtered out by people before they were crashed by the Witty worm. However, if this factor played a major role, then the I(t) shown in Fig. 2 should have decreased more quickly instead of slower than what our model predicts. Therefore, as the researchers in [2] said, we believe the rapid decay in the number of active infected hosts is primarily caused by Witty's destructive action.
Source: Witty Worm Propagation Modeling, Cliff C. Zou.
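Zou's actual equations aren't reproduced on this page, so the following is a constructed illustration added here, not his model or code: a minimal susceptible / actively infected / crashed population model integrated with Euler steps, in which an active infectee scans random IPv4 addresses at a fixed rate and leaves the active population at a fixed crash rate once the worm's disk writes take the host down. The population size, scan rate and crash rate are assumptions chosen to put the peak in the same ballpark as Witty's 12,000 hosts; the point is the qualitative shape of I(t), a fast rise followed by a decay that the non-destructive variant of the same model never shows.

```python
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses scanned uniformly at random


@dataclass
class Params:
    """All values are assumptions for illustration, not measured Witty figures."""
    n_vulnerable: int = 12000      # hosts running the vulnerable product
    scan_rate: float = 1200.0      # scans per second per active infectee
    crash_rate: float = 1 / 1800   # per-second rate at which an infectee crashes
    i0: int = 1                    # initially infected hosts
    dt: float = 1.0                # Euler step, seconds
    horizon: float = 4 * 3600      # simulated seconds


def simulate(p: Params, destructive: bool = True):
    """Integrate dS/dt = -beta*I*S, dI/dt = beta*I*S - delta*I, dD/dt = delta*I,
    where beta = scan_rate / ADDRESS_SPACE is the per-pair infection rate and
    delta is the crash rate (zero when destructive=False).
    Returns a list of (t, S, I, D) rows."""
    beta = p.scan_rate / ADDRESS_SPACE
    delta = p.crash_rate if destructive else 0.0
    S, I, D = float(p.n_vulnerable - p.i0), float(p.i0), 0.0
    t = 0.0
    traj = [(t, S, I, D)]
    while t < p.horizon:
        new_infections = min(beta * I * S * p.dt, S)   # cannot infect more than remain
        crashes = min(delta * I * p.dt, I)             # cannot crash more than are active
        S -= new_infections
        I += new_infections - crashes
        D += crashes
        t += p.dt
        traj.append((t, S, I, D))
    return traj


def peak(traj):
    """Row (t, S, I, D) at which the active infected population I is largest."""
    return max(traj, key=lambda row: row[2])


if __name__ == "__main__":
    p = Params()
    destructive = simulate(p, destructive=True)
    benign = simulate(p, destructive=False)
    t_peak, _, i_peak, _ = peak(destructive)
    print(f"destructive model: I peaks at {i_peak:.0f} after {t_peak/60:.0f} min, "
          f"ends at {destructive[-1][2]:.0f} active, {destructive[-1][3]:.0f} crashed")
    print(f"non-destructive model: I ends at {benign[-1][2]:.0f} active")
```

With these parameters the active population peaks well short of the whole vulnerable population (hosts are already crashing during the rise) and then decays at roughly the crash rate once few susceptible hosts remain, which is the behaviour Zou's quote attributes to the destructive payload rather than to patching.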
October 2, 2004 in modeling, papers, witty | Permalink | Comments (0) | TrackBack
The Spread of the Witty Worm in IEEE S&P
Witty was the first widespread Internet worm to attack a security product. While technically the use of a buffer overflow exploit is commonplace, the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end users apply patches to plug security holes is not viable.
In one of the most recent IEEE Security & Privacy magazine issues, a piece covered the March, 2004, Witty worm. In The Spread of the Witty Worm, Colleen Shannon and David Moore, both from the Cooperative Association for Internet Data Analysis (CAIDA), cover the data they collected using their dark IP sensor on the Witty worm's spread. This is almost a complete reprint of their original Witty worm analysis, also called The Spread of the Witty Worm.
September 19, 2004 in papers, witty | Permalink | Comments (0) | TrackBack