Exploit in ISS's BlackICE firewall feeds fast-spreading worm Witty

Posted on Tuesday, Mar 23 2004 @ 00:14 CET by Thomas De Maesschalck
Since Saturday Witty, a fast-spreading worm, has infected between 10,000 and 50,000 computer systems by exploiting a vulnerability in ISS's BlackICE firewall. The worm Witty exploits a stack overflow vulnerability within BlackICE that was disclosed only two days before the worm first appeared.
Unlike most other worms, Witty doesn't need human interaction to spread. Rather than rely on users to open a file attachment--the typical way worms propagate--Witty simply scans for vulnerable systems, then uses UDP port 4000 to infect the machine. This auto-spread strategy was last used to wreak havoc by 2003's MSBlast worm.

Witty is particularly dangerous, said experts, because after it executes, it opens a random drive on the PC and writes 65KB of data to a random location on the disk. It repeats that process until the system is rebooted or the computer crashes.

"This worm is highly malicious, slowly destroying the systems it infects," said security firm Lurhq, in an alert posted on its Web site. "Rather than simply executing a 'format C:' or similar destructive command, the worm slowly corrupts the file system while it continues to spread. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine."

Internet Security Systems said its analysis indicated that only about two percent of its customers could be open to Witty's attack, but other analysts have tagged the number of infected machines at significant levels.

"It's unlikely that many computers will be patched against this vulnerability at this time," said Ken Dunham, the director of malicious code research at iDefense, in an e-mailed statement. "Early data suggests about 10,000 infected computers worldwide." Others have put forward the number of 50,000 infected machines.

Experts such as Dunham urged ISS customers to disable the firewall until it has been patched, and, where feasible, block traffic on UDP port 4000. ISS recommended that infected systems be disconnected from the network to stop the worm's spread.
So if you are using BlackICE please update your firewall as soon as possible at ISS's website

Source: InformationWeek


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.



Loading Comments