
underattack
Join Dshield.Org

join:2003-06-23

1 edit

Blackice "Witty" Worm: source port 4000 UDP

Looks like a worm is hunting for systems running BlackICE.
Only 3 days from vulnerability announcement to worm!

details:

http://isc.sans.org/diary.html
»isc.sans.org/diary.html?date=2004-03-20

[Edited link so it will also point to the right place in the future--SYNACK]
--
----
DShield.org
make the net a safer place.



LostSneeze

@client2.attbi.co

I'm getting a bunch of those this morning. Seems they all are aiming for port 41105 on the target machine.


Fizz753

join:2004-01-03
Berrien Springs, MI

3 edits
reply to underattack

Ahhh HA! I knew I could find what I was looking for on this forum. I just had a bunch of these myself and was wondering what they were..
Although they seem to like my local port 60757...
Edit: I have only seen hits on the DSL line; the cable line hasn't seen any of these... yet..

Blocked Incoming 20/Mar/2004 02:53:03 Catch all UDP 140.134.26.134 4000 localhost 60757
Blocked Incoming 20/Mar/2004 02:52:44 Catch all UDP 80.164.89.69 4000 localhost 60757
Blocked Incoming 20/Mar/2004 02:48:30 Catch all UDP vweye.com [216.237.145.32] 4000 localhost 60757
Blocked Incoming 20/Mar/2004 02:35:33 Catch all UDP 221.170.172.160 4000 localhost 60757
Blocked Incoming 20/Mar/2004 02:28:04 Catch all UDP 216.237.145.32 4000 localhost 60757
Blocked Incoming 20/Mar/2004 02:26:52 Catch all UDP 216.196.212.154 4000 localhost 60757
Blocked Incoming 20/Mar/2004 02:17:10 Catch all UDP 128.143.11.103 4000 localhost 60757



gtdawg
Premium
join:2002-03-17
Los Angeles, CA
reply to underattack

I just had to disconnect 3 servers in our colo that were blasting 96 Mbit of this traffic; in 2 minutes of Ethereal capture I had a 10 MByte log file.

The guy who owned 2 of the servers tried to reboot them, but Windows was totally fsck'ed and has to be reinstalled on both.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

reply to underattack

Attachments: WittyCapture.zip (2,172 bytes) - Source 1 (WittyCapture.txt); Witty2.zip (2,310 bytes) - Another Source (Witty2.txt)
PortPeeker capture of the Witty worm:

NOTE: the worm is different from 0x032D on for each infection source, but the length is always 1082 bytes (which is why I included captures from two different sources).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


DevilFrank

join:2003-07-13
Reviews:
·T-Com

W32.Witty.Worm utilizes a vulnerability in ICQ parsing by ISS products. The worm sends itself out to multiple IP addresses from source port 4000/UDP to a random destination port. The worm is a memory-only based threat and does not create files on the system.

Type: Worm
Infection Length: 660 bytes, may vary

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

»www.symantec.com/avcenter/venc/d···orm.html
--
Regards from Germany. Please excuse my stumbling English


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

I've seen a bunch of these targeting my UDP port 18067. Maybe later I'll honeypot it and see what I grab.


x539

join:2003-08-23
Oklahoma City, OK
reply to Link Logger

quote:
NOTE: the worm is different from 0x032D on for each infection source, but the length is always 1082 bytes (which is why I included captures from two different sources).
I just set up a listener for both of my home IPs, but what I see from my firewall logs doesn't really look like that. I have 2 (sequential) IPs. The destination port of these packets is unique to each of my IPs, but constant to that value regardless of the source. Same for the packet length: packets destined to one IP are consistently 156 bytes longer than packets to the other IP (and none of them are 1082 bytes). So I suspect that both the destination port and packet length are related to the destination IP address.


Jan Janowski
Premium
join:2000-06-18
Skokie, IL
Reviews:
·Comcast

4 edits
reply to underattack

Attachment: blank.zip (155 bytes) (blank.txt)
Disregard this post, contained an error...

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to underattack

Pretty noticeable here, too -- the target port is random across target IPs, but I'm getting the same "packet size" and target port here. The packets I'm getting are all 859 bytes, though the content varies a little.

Since the source port appears to be spoofed, does anyone know if the source IP address is also spoofed?

The only other curious thing I see in my capture logs is that the first packet I received was to the same target port here, but using a different source port of 48805 rather than 4000. That was at 5:00:26 GMT; I started receiving the source port 4000 packets at 5:45:57 GMT.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org



Jan Janowski
Premium
join:2000-06-18
Skokie, IL
Reviews:
·Comcast

2 edits
reply to underattack

Only BID V 3.6ccf and before are affected...
V 3.6ccg is current now...

Edit! I must not have my WallReViewer configured right...
I HAVE been getting UDP port 4000 probes (showing up as local ports 35944 & 54368), but they are not being displayed by the WallReViewer..

--
Looking for 1939 Indian Motocycle


Fizz753

join:2004-01-03
Berrien Springs, MI

4 edits
reply to underattack

I am curious how it picks the destination port. Like I said, the DSL line has been getting these since last night, but ONLY to port 60757. Yet other people have it only hitting ports 18067 and 41105, as well as others. And still the cable line is clueless and has not seen a single one, or for some reason the router / firewall isn't logging them.

I also have a port peeker log of some 20 packets if anyone is interested.

Edit:
Another write up : »www.lurhq.com/witty.html


wattjg
Premium
join:2003-05-24
San Jose, CA

All the "Witty" traffic I've seen since the first sighting last night at 2055 PST has been UDP 4000 to 56643.

I added the Snort signature posted by SANS (»isc.sans.org/diary.html). The traffic matches that pattern and is now being reported to MyNetWatchman.

Jim


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to Fizz753

said by Fizz753:
Edit:
Another write up : »www.lurhq.com/witty.html

Just read the LURHQ analysis -- that's some nasty malware. Apparently the source IP isn't spoofed...as the writeup says, it's somewhat irrelevant since whichever systems are executing the malware are slowly getting their HD data trashed:
quote:
This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to underattack

[Screenshot: Witty Traffic]
This is a very interesting worm for all sorts of reasons. The destination port calculation, the size differences etc. make it rather interesting and unique. Too bad it's so very destructive. We saw our first hit here last night at about 11pm local time, and it hits our UDP port 61163; on another port it hit UDP port 64584.

Mar 20, 2004 10:54:37.350 - (UDP) 63.92.218.51 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 10:23:08.464 - (UDP) 202.99.219.140 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 10:09:56.475 - (UDP) 130.212.14.10 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 10:03:12.064 - (UDP) 164.67.152.57 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 08:56:36.228 - (UDP) 61.153.176.126 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 08:26:15.660 - (UDP) 61.144.43.211 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 08:17:03.226 - (UDP) 129.49.200.200 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 08:14:26.721 - (UDP) 129.49.200.200 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 08:12:09.724 - (UDP) 128.173.185.111 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 07:39:04.980 - (UDP) 141.213.149.133 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 07:34:44.906 - (UDP) 218.66.101.24 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 07:21:50.552 - (UDP) 128.173.92.165 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 07:00:31.734 - (UDP) 61.238.242.33 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 06:52:13.988 - (UDP) 209.10.98.234 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 06:50:18.993 - (UDP) 212.42.13.104 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 06:20:17.031 - (UDP) 195.52.218.114 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 06:14:05.287 - (UDP) 216.133.229.199 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 04:43:48.107 - (UDP) 63.67.137.198 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 04:43:00.709 - (UDP) 141.211.25.21 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 04:39:01.235 - (UDP) 129.128.158.29 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 02:42:56.350 - (UDP) 211.161.86.77 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 02:04:32.517 - (UDP) 64.157.176.253 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 01:54:20.417 - (UDP) 64.70.191.200 : 4000 >>> 192.168.1.36 : 61163
Mar 20, 2004 00:39:50.129 - (UDP) 218.89.0.105 : 4000 >>> 68.144.193.246 : 61163
Mar 20, 2004 00:32:07.854 - (UDP) 35.10.45.185 : 4000 >>> 68.144.193.246 : 61163
Mar 20, 2004 00:20:17.323 - (UDP) 69.133.114.117 : 4000 >>> 68.144.193.246 : 61163
Mar 19, 2004 23:32:30.520 - (UDP) 146.201.174.124 : 4000 >>> 68.144.193.246 : 61163
Mar 19, 2004 22:35:28.920 - (UDP) 61.184.240.117 : 4000 >>> 68.144.193.246 : 61163
Mar 19, 2004 22:30:29.360 - (UDP) 141.211.181.5 : 4000 >>> 68.144.193.246 : 61163
Mar 19, 2004 22:19:04.214 - (UDP) 164.67.152.78 : 4000 >>> 68.144.193.246 : 61163
Mar 19, 2004 22:04:34.313 - (UDP) 128.173.13.105 : 4000 >>> 68.144.193.246 : 61163
Mar 19, 2004 21:47:26.996 - (UDP) 140.153.189.4 : 4000 >>> 68.144.193.246 : 61163

Feel for these guys as they are all hooped.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Glaice
Brutal Video Vault
Premium
join:2002-10-01
North Babylon, NY
reply to underattack

Mar/20/2004 12:11:49 Drop UDP packet from WAN 192.73.213.57:4000 68.195.189.207:4496 Rule: Default deny
Mar/20/2004 10:51:14 Drop UDP packet from WAN 35.10.74.143:4000 68.195.189.207:4496 Rule: Default deny
Mar/20/2004 10:35:40 Drop UDP packet from WAN 159.178.62.81:4000 68.195.189.207:4496 Rule: Default deny
Mar/20/2004 10:13:32 Drop UDP packet from WAN 211.99.203.80:4830 68.195.189.207:1434 Rule: Default deny
Mar/20/2004 10:10:58 Drop UDP packet from WAN 139.102.74.16:4000 68.195.189.207:4496 Rule: Default deny

I'm seeing some of these hitting my router too...
--
Firefox


Fizz753

join:2004-01-03
Berrien Springs, MI
reply to Link Logger

said by Link Logger:

Feel for these guys as they are all hooped.
Blake

Here's my list; looks like we have one or two of the same sources.
147.188.73.139
195.52.218.114 x2
35.8.188.133 x2
211.96.25.109
128.173.92.224
129.49.200.200
159.150.2.175
35.8.128.176
213.206.77.21 x2
211.95.72.209
204.157.0.94
141.236.12.250
218.89.0.105
24.87.77.35
202.99.219.140
212.88.134.40
81.3.150.5
156.35.159.167
68.0.59.5
80.164.89.69
221.170.172.160
216.237.145.32
216.196.212.154
130.212.14.10
And more but the post is long enough already


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
reply to underattack

slashdot.org

»slashdot.org/article.pl?sid=04/0···&tid=201

"A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T: Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.



justin
..needs sleep
Australian
join:1999-05-28
kudos:15

2 recommendations

reply to underattack

Re: Blackice "Witty" Worm: source port 4000 UDP

We just need a few more of these worms, and the net will get a great spring clean of old buggy versions of Windows and related products!



Marilla9
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

I am aware of many of the dynamics that might discourage this, but it *might* actually be helpful if some willing parties were to occasionally jump on vulnerabilities with worms that actually purposefully disable infected systems after a certain period of time.

I remember some speculated that MS Blaster might have had that intent, due to its incessant crashing of infected machines, but the last time I heard, I think it was generally decided that behavior was unintended.

But to have something happen that, after passing itself along in a relatively Internet-Friendly way (thinking here, not doing things like bombing networks the way SQL Slammer did), simply forces the user to address the underlying problem.

By no means am I advocating this directly, or indirectly. I wish we lived in a world where no one would ever develop code that did something the user of said code would not want done, but the fact is, it happens. All I am really stating is that maybe, in some small way, while still causing the attention and disruption that these things usually do, perhaps something like this would force some people to 'wake up'...
--
Windows, Mac, Linux, BSD - just use the right tool for the right job... end the OS Politics!


psloss
Premium
join:2002-02-24
Lebanon, KS

said by Marilla9:
I am aware of many of the dynamics that might discourage this, but it *might* actually be helpful if some willing parties were to occasionally jump on vulnerabilities with worms that actually purposefully disable infected systems after a certain period of time.
I haven't read all the threads on Netsky here, but Netsky looked/looks like another vigilante "thing" to me. It compounds the amount of e-mail there is, but it purported to kill MyDoom and Bagle/Beagle backdoors. (And I still speculate that the intent behind Blaster was at least partially vigilante.)

It's curious to me that this worm (Witty), which is more destructive than most, preys on systems where the owner/operator had actively tried to secure them -- rather than SQL Slammer (for instance) carrying this hard drive trashing payload. I would have thought there was more venom for so-called "stupid users" than Internet Security Systems. Perhaps there is, but not in the hands of people who were willing to do something like this. Unfortunately, I think that this idea of gradually destroying systems will end up being inspirational to other miscreants.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

I'm guessing the "random" destination port is calculated based on the destination IP. I'm making this assumption based on the fact that every single Witty hit I've seen on my IP has had the same destination port, 18067. Not exactly "random"...

That'll make capturing a sample easier. When I find the time.
--
Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.



KF_PM

@192.97.x.x
reply to underattack

Goddamn this sucks. We have close to about 6000 laptop support users that work for our company that need reimaging due to the boot sector loss. And the tickets are in the thousands. I swear, the headaches are getting worse and worse listening to these managers go on and on, on their bridge calls. We're still having problems as of Sunday morning.


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to kpatz

said by kpatz:
I'm guessing the "random" destination port is calculated based on the destination IP. I'm making this assumption based on the fact that every single Witty hit I've seen on my IP has had the same destination port, 18067. Not exactly "random"...
There's a Bugtraq post with an attempted disassembly, but the author doesn't seem totally confident in the interpretation. Still, you might be interested:
»www.securityfocus.com/archive/1/···-03-24/0

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


pcdebb
RIP lil hurricane
Premium
join:2000-12-03
Brandon, FL
kudos:5
Reviews:
·Bright House

1 edit
reply to underattack

[Screenshot: fyi]


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet
reply to KF_PM

said by KF_PM:
Goddamn this sucks. We have close to about 6000 laptop support users that work for our company that need reimaging due to the boot sector loss. And the tickets are in the thousands. I swear, the headaches are getting worse and worse listening to these managers go on and on, on their bridge calls. We're still having problems as of Sunday morning.

6000 laptop users all used the unpatched version of black ice?


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

reply to underattack

Consider for a moment this worm and some of its nuances. Since the port is dependent on the IP address, ISPs can't filter it, as they would have to filter a large number of ports. Central reporting services like myNetWatchman, DShield, DeepSight etc. are also semi hooped on this, as again there isn't a consistent destination port. I can't update Link Logger for this as I base alerts on the destination port as well. If you have a dynamic IP address then the attack port can change, which really makes me wonder how ISS figured this would work in such an environment.

So in some ways this is a very smart worm, as it is very different than anything else we have seen before. And this is a great example as to what makes security interesting and impossible (who would have guessed a worm like this could have existed where the source port is static and the destination port is dynamic).

This is very likely a 'thing' that someone or some group has against BlackICE or ISS, as again its purpose is ultimately to destroy the host on which it runs, which isn't very common for worms and viruses as it is ultimately self-defeating (it lives long enough to infect other systems but ultimately it will kill itself). Witty's purpose is very much different than most worms and viruses that we see, as it was made to destroy selected systems. I sure hope we are not entering a new phase of destructive worms and such, as that would be very bad for all sorts of reasons beside the destroyed systems.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
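Blake's point above is that alerting keyed on the destination port fails for Witty, because the port varies per target IP; what stays constant is the UDP source port 4000 and, for any one target, a single destination port hit from many unrelated sources. The script below is an added example written for this thread, not code from Link Logger, PortPeeker or any other tool mentioned here. It parses the three firewall log layouts posted above (Fizz753's, Link Logger's and Glaice's), keeps only UDP hits from source port 4000, groups them by destination address and flags destinations where several distinct sources all land on one port. The sample lines are copied from posts in this thread plus one constructed TCP line; the `min_sources` threshold is an assumption.

```python
import re
from collections import defaultdict

# Regexes for the three firewall log layouts quoted in this thread
# (Fizz753's "Blocked Incoming", Link Logger's ">>>", Glaice's "Drop UDP packet").
LOG_FORMATS = [
    re.compile(r"^Blocked Incoming \S+ \S+ Catch all (?P<proto>\w+) "
               r"(?:[\w.-]+ \[)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\]? "   # "host [ip]" or bare ip
               r"(?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$"),
    re.compile(r"^\w{3} \d{1,2}, \d{4} [\d:.]+ - \((?P<proto>\w+)\) "
               r"(?P<src>[\d.]+) : (?P<sport>\d+) >>> (?P<dst>[\d.]+) : (?P<dport>\d+)$"),
    re.compile(r"^\S+ \S+ Drop (?P<proto>\w+) packet from WAN "
               r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) Rule: .*$"),
]

# Sample input: lines copied from posts in this thread, plus one constructed TCP line.
SAMPLE_LOG = [
    "Blocked Incoming 20/Mar/2004 02:53:03 Catch all UDP 140.134.26.134 4000 localhost 60757",
    "Blocked Incoming 20/Mar/2004 02:52:44 Catch all UDP 80.164.89.69 4000 localhost 60757",
    "Blocked Incoming 20/Mar/2004 02:48:30 Catch all UDP vweye.com [216.237.145.32] 4000 localhost 60757",
    "Blocked Incoming 20/Mar/2004 02:17:10 Catch all UDP 128.143.11.103 4000 localhost 60757",
    "Mar 20, 2004 10:54:37.350 - (UDP) 63.92.218.51 : 4000 >>> 192.168.1.36 : 61163",
    "Mar 20, 2004 10:23:08.464 - (UDP) 202.99.219.140 : 4000 >>> 192.168.1.36 : 61163",
    "Mar 20, 2004 08:17:03.226 - (UDP) 129.49.200.200 : 4000 >>> 192.168.1.36 : 61163",
    "Mar 20, 2004 08:14:26.721 - (UDP) 129.49.200.200 : 4000 >>> 192.168.1.36 : 61163",
    "Mar/20/2004 12:11:49 Drop UDP packet from WAN 192.73.213.57:4000 68.195.189.207:4496 Rule: Default deny",
    "Mar/20/2004 10:51:14 Drop UDP packet from WAN 35.10.74.143:4000 68.195.189.207:4496 Rule: Default deny",
    "Mar/20/2004 10:13:32 Drop UDP packet from WAN 211.99.203.80:4830 68.195.189.207:1434 Rule: Default deny",
    "Mar/20/2004 10:10:58 Drop UDP packet from WAN 139.102.74.16:4000 68.195.189.207:4496 Rule: Default deny",
    # constructed: a TCP hit from port 4000 that must not be counted
    "Mar 20, 2004 11:00:00.000 - (TCP) 10.0.0.9 : 4000 >>> 192.168.1.36 : 61163",
]


def parse_line(line):
    """Normalise one log line to a dict, or return None if no known layout matches."""
    for fmt in LOG_FORMATS:
        m = fmt.match(line.strip())
        if m:
            return {"proto": m["proto"].upper(), "src": m["src"], "sport": int(m["sport"]),
                    "dst": m["dst"], "dport": int(m["dport"])}
    return None


def hits_by_destination(lines, source_port=4000):
    """Group UDP hits coming from source_port by destination address."""
    by_dst = defaultdict(lambda: {"hits": 0, "sources": set(), "dports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != source_port:
            continue
        entry = by_dst[rec["dst"]]
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
        entry["dports"].add(rec["dport"])
    return dict(by_dst)


def flag_witty_targets(by_dst, min_sources=3):
    """Destinations where several distinct sources all hit exactly one port (the Witty pattern)."""
    return sorted(dst for dst, e in by_dst.items()
                  if len(e["dports"]) == 1 and len(e["sources"]) >= min_sources)


if __name__ == "__main__":
    summary = hits_by_destination(SAMPLE_LOG)
    for dst, e in summary.items():
        print(f"{dst}: {e['hits']} hits from {len(e['sources'])} sources "
              f"on port(s) {sorted(e['dports'])}")
    print("Witty-pattern targets:", flag_witty_targets(summary))
```

Source port 4000/UDP on its own is a weak indicator, since the ICQ protocol whose parser ISS got wrong also used UDP 4000, and a single ICQ server answering one client will look like one source hitting one port. The `min_sources` threshold is what separates that from the worm's fan-in of many infected hosts onto one computed port, which is also why the Glaice line from port 4830 to 1434 is ignored rather than lumped in.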



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

1 recommendation

It had been a mystery to me why so few viruses have been destructive to date. In the good old days, "boot sector" viruses that were transmitted by disks were more often destructive.

But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short lived.

The ongoing value of a zombified PC on a cable connection is of significant value (for sending SPAM) vs the value of it dead, hence the few viruses that kill the host. Perhaps the witty virus is authored by someone who does not have any financial interest direct or indirect in using infected machines. Or perhaps just a disgruntled employee of ISS.


vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

1 edit
reply to underattack

How would this affect hardware firewalls :(

I have a Cisco PIX at the job and I know it says BlackICE and all, but what about hardware firewalls?

I checked everything remotely and it looks okay.

Edit: NM, I see it's only ISS software that is affected. Still, I am going to check and make sure, and tear down and rebuild the firewall config just to make sure.
--
I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to Link Logger

said by Link Logger:
This is very likely a 'thing' that someone or some group has against Black Ice or ISS, as again its purpose is ultimately to destroy the host on which it runs which isn't very common for worms and viruses as it is ultimately self defeating for itself (it lives long enough to infect other systems but ultimately it will kill itself). Witty's purpose is very much different then most worms and viruses that we see as it was made to destroy selected systems. I sure hope we are not entering a new phase of destructive worms and such as that would be very bad for all sorts of reasons beside the destroyed systems.
I also speculate that given how malicious this malware is, the release time was also intentional (Saturday at midnight EST) as I believe security response is still muted on weekends.

And I'm also definitely worried about copycats...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org