jeisenberg New Year's Eve
reply to justin
Re: Blackice "Witty" Worm: source port 4000 UDP
said by justin: I agree that a disgruntled employee is a good place to start for the author of the worm. Another source might be an overzealous employee of a competitor, trying to drive sales toward their own product.
Perhaps the witty virus is authored by someone who does not have any financial interest direct or indirect in using infected machines. Or perhaps just a disgruntled employee of ISS.
Whatever the motivation, it would be naive to believe that copycat virii / worms are not just around the corner. And I'd expect to see random source ports to begin shortly as well, further disguising and confounding attempts to head off this threat.
That is one of the things that made this worm unique: the source port is usually dynamic and the destination port is static, but this was reversed in the Witty worm. Now, certainly this is somewhat unique to ISS products, and I would think that it was meant as a security measure to vary the ports used between installations, but if it is coded it can be cracked; it just takes some time (cracking code is like trying to figure out where a train goes when you're standing on the tracks, it just takes some time).
Given that this worm is clearly malicious/criminal and has 'real' damage associated directly with it, if they ever catch who is responsible I can see real jail time and such in their future, not to mention pretty well endless civil suits. I would also hope that eEye and ISS worked together in harmony on this.
A week might not be long enough to patch 6000 laptops considering some might be used by remote users (for example traveling sales dudes who have been out of town for longer than a week). This exploit didn't take very long to hit the streets, so either they were working on it independently (most likely), or they were totally tipped off by the eEye announcement, which would be bad as then we might have to rethink delays between patch releases and announcements of vuls.
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
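A small detection heuristic for the port pattern discussed in this thread (fixed UDP source port 4000 with the destination port varying), added here as an example; it is not code from the thread or from any vendor mentioned in it. The log format, the sample lines, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the thread). Format assumed:
# "<time> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
SAMPLE_LOG = """\
00:00:01 UDP 10.0.0.5:4000 -> 198.51.100.23:51234
00:00:01 UDP 10.0.0.5:4000 -> 203.0.113.7:1027
00:00:02 UDP 10.0.0.5:4000 -> 192.0.2.99:60001
00:00:02 UDP 10.0.0.5:4000 -> 198.51.100.200:7
00:00:03 UDP 10.0.0.9:53211 -> 192.0.2.53:53
00:00:03 UDP 10.0.0.9:53212 -> 192.0.2.53:53
00:00:04 UDP 10.0.0.11:4000 -> 192.0.2.10:4000
"""

LINE_RE = re.compile(r"^\S+ (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_log(text):
    """Parse log lines into (proto, src_ip, sport, dst_ip, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        proto, src, sport, dst, dport = m.groups()
        flows.append((proto, src, int(sport), dst, int(dport)))
    return flows


def find_fixed_source_port_scanners(flows, sport=4000, min_targets=3):
    """Return {src_ip: (distinct_dsts, distinct_dports)} for hosts sending UDP
    from one fixed source port to many different hosts and ports. Normal UDP
    clients show the opposite shape: varying source port, fixed service port."""
    dsts, dports = defaultdict(set), defaultdict(set)
    for proto, src, sp, dst, dp in flows:
        if proto != "UDP" or sp != sport:
            continue
        dsts[src].add(dst)
        dports[src].add(dp)
    return {src: (len(dsts[src]), len(dports[src]))
            for src in dsts
            if len(dsts[src]) >= min_targets and len(dports[src]) >= min_targets}
```

A single host legitimately bound to port 4000 (the 10.0.0.11 line) stays below the threshold; only the host spraying many destinations and ports from that fixed source port is flagged.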