  KF_PM
@192.97.x.x
| reply to underattack Re: Blackice "Witty" Worm: source port 4000 UDP
Goddamn this sucks. We have close to about 6000 laptop support users that work for our company that need reimaging due to the boot sector loss. And the tickets are in the thousands. I swear, the headaches are getting worse and worse listening to these managers go on and on, on their bridge calls. We're still having problems as of Sunday morning. |
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to kpatz said by kpatz : I'm guessing the "random" destination port is calculated based on the destination IP. I'm making this assumption based on the fact that every single Witty hit I've seen on my IP has had the same destination port, 18067. Not exactly "random"...
There's a Bugtraq post with an attempted disassembly, but the author doesn't seem totally confident in the interpretation. Still, you might be interested: »www.securityfocus.com/archive/1/···-03-24/0
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs: 
1 edit | reply to underattack fyi |
  justin Australian join:1999-05-28 Brooklyn, NY
| reply to KF_PM said by KF_PM: Goddamn this sucks. We have close to about 6000 laptop support users that work for our company that need reimaging due to the boot sector loss. And the tickets are in the thousands. I swear, the headaches are getting worse and worse listening to these managers go on and on, on their bridge calls. We're still having problems as of Sunday morning.
6000 laptop users all used the unpatched version of black ice? |
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to underattack Consider for a moment this worm and some of its nuances. Since the port is dependent on the IP address, ISPs can't filter it, as they would have to filter a large number of ports. Central reporting services like myNetWatchman, DShield, DeepSight etc. are also semi hooped on this as again there isn't a consistent destination port. I can't update Link Logger for this as I base alerts on the destination port as well. If you have a dynamic IP address then the attack port can change, which really makes me wonder how ISS figured this would work in such an environment.
So in some ways this is a very smart worm as it is very different than anything else we have seen before. And this is a great example as to what makes security interesting and impossible (who would have guessed a worm like this could have existed where the source port is static and the destination port is dynamic).
This is very likely a 'thing' that someone or some group has against Black Ice or ISS, as again its purpose is ultimately to destroy the host on which it runs, which isn't very common for worms and viruses as it is ultimately self-defeating (it lives long enough to infect other systems but ultimately it will kill itself). Witty's purpose is very much different than most worms and viruses that we see as it was made to destroy selected systems. I sure hope we are not entering a new phase of destructive worms and such as that would be very bad for all sorts of reasons besides the destroyed systems.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
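As an added illustration of the detection problem Blake raises above (alerts keyed on destination port cannot catch a worm whose destination port varies with the target while its UDP source port stays at 4000), here is a small log-triage script. It is not from the thread and is not Link Logger's code; the log format, the field names and the sample lines are constructed for this example, reusing only the two destination ports (18067 and 46657) reported in the thread.

```python
"""
Added example: triage constructed firewall log lines for the Witty traffic
pattern (UDP, fixed source port 4000, destination port varying per target).
The "proto src:sport -> dst:dport" line format is an assumption made for this
example, not any real product's log format.
"""
from collections import defaultdict

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
UDP 203.0.113.7:4000 -> 192.0.2.10:18067
UDP 198.51.100.22:4000 -> 192.0.2.10:18067
UDP 203.0.113.9:4000 -> 192.0.2.11:46657
TCP 203.0.113.7:4000 -> 192.0.2.10:80
UDP 203.0.113.7:51324 -> 192.0.2.10:53
UDP 198.51.100.5:4000 -> 192.0.2.11:46657
"""

WITTY_SRC_PORT = 4000  # fixed UDP source port reported in the thread


def parse_line(line):
    """Parse one constructed 'PROTO sip:sport -> dip:dport' line into a dict."""
    proto, rest = line.split(" ", 1)
    src, dst = rest.split(" -> ")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport)}


def flag_fixed_dst_port(log_text, dst_port, proto="UDP"):
    """Conventional rule: alert on protocol + destination port.
    Misses every target whose per-IP destination port differs."""
    return [rec for rec in map(parse_line, filter(None, log_text.splitlines()))
            if rec["proto"] == proto and rec["dst_port"] == dst_port]


def flag_fixed_source_port(log_text, src_port=WITTY_SRC_PORT, proto="UDP"):
    """Source-port-keyed rule: alert on protocol + source port, ignoring the
    destination port entirely, so the varying target port no longer matters."""
    return [rec for rec in map(parse_line, filter(None, log_text.splitlines()))
            if rec["proto"] == proto and rec["src_port"] == src_port]


def dst_ports_by_target(hits):
    """Group observed destination ports per destination IP. The thread reports
    that each target sees one consistent port; this lets an analyst confirm that
    from their own logs (one-element lists per IP)."""
    ports = defaultdict(set)
    for rec in hits:
        ports[rec["dst_ip"]].add(rec["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items()}


if __name__ == "__main__":
    by_dst = flag_fixed_dst_port(SAMPLE_LOG, 18067)
    by_src = flag_fixed_source_port(SAMPLE_LOG)
    print(f"destination-port rule (18067) matched {len(by_dst)} lines")
    print(f"source-port rule (4000/UDP) matched {len(by_src)} lines")
    for ip, ports in dst_ports_by_target(by_src).items():
        print(f"  target {ip}: destination port(s) {ports}")
```

Run against the constructed sample, the destination-port rule only sees the two probes aimed at the first target, while the source-port rule picks up all four UDP probes and the per-target grouping shows each destination IP receiving a single consistent port. The TCP line with source port 4000 and the UDP line with a high source port are left alone by both rules.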
  justin Australian join:1999-05-28 Brooklyn, NY
| it had been a mystery to me why so few virii have been destructive to date. In the good old days, "boot sector" viruses that were transmitted by disks, were more often destructive.
But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short lived.
The ongoing value of a zombified PC on a cable connection is of significant value (for sending SPAM) vs the value of it dead, hence the few viruses that kill the host. Perhaps the witty virus is authored by someone who does not have any financial interest direct or indirect in using infected machines. Or perhaps just a disgruntled employee of ISS. |
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
1 edit | reply to underattack How would this affect hardware firewalls:(
I have a cisco pix at the job and I know it says blackice and all, but what about hardware firewalls?
I checked everything remotely and it looks okay.
Edit NM I see its only ISS software that is affected. Still I am going to check and make sure re tear down and rebuild the firewall config just to make sure. -- I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!! |
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to Link Logger said by Link Logger : This is very likely a 'thing' that someone or some group has against Black Ice or ISS, as again its purpose is ultimately to destroy the host on which it runs, which isn't very common for worms and viruses as it is ultimately self-defeating (it lives long enough to infect other systems but ultimately it will kill itself). Witty's purpose is very much different than most worms and viruses that we see as it was made to destroy selected systems. I sure hope we are not entering a new phase of destructive worms and such as that would be very bad for all sorts of reasons besides the destroyed systems.
I also speculate that given how malicious this malware is, the release time was also intentional (Saturday at midnight EST) as I believe security response is still muted on weekends.
And I'm also definitely worried about copycats...
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
  Jan Janowski
join:2000-06-18 Skokie, IL
·AT&T Midwest
1 edit | reply to vic102482 I'm using a Linksys BEFSX41 followed by BlackIce V3.6ccg and I have yet to see anything get past the Linky, (BID is Silent) and BID is cranked up all the way (Paranoid, with audible & visual alerts at max sensitivity)...
So far nothing here..... But today's UDP 4000 probes are directed at my Local 46657 |
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
1 edit | reply to underattack first totally harmful virus in a while
Worth noting that: 1. This corrupts the hard drive of the infected computer, usually meaning total data loss.
2. That AV products may not warn of it because it isn't written to disk.
3. The ISC recommendation that systems running BlackIce be removed from the Internet until the patch is installed.
4. That a patch to prevent this has been available for over a week.
»https://iss.custhelp.com/cgi-bin/iss.cfg···**&p_li=
»xforce.iss.net/xforce/alerts/id/167
quote: Witty Worm Remediation Information:
This information applies to customers currently using an impacted ISS product as detailed in X-Force Alert Article 167, which is referenced above. Consult this article for determining if a system is currently infected.
For systems that are NOT infected with the Witty worm:
- Update your ISS software to the latest version. The latest version of every ISS product is not impacted by the Witty worm.
For systems that are infected with the Witty worm:
- Power off the infected machine immediately.
- Since the worm overwrites random sectors of the hard drive as it executes within memory, customers should recover any available hard drive data using a noncompromised operating system.
- Customers should reload a working system image from backup using normal restore procedures. If reinstalling the ISS software is necessary, customers should update to the latest version.
Further questions should be directed to ISS Technical Support.
quote: ISS network customers have been protected from this potential threat for more than a week prior to the release of the worm, removing any threat before impact. The fix was delivered as a maintenance update before eEye publicly disclosed the vulnerability. Before any worm could be developed 'in the wild', ISS customers were protected automatically via a simple update that shielded the vulnerability from attack.
  jeisenberg New Year's Eve
join:2001-07-06 Windsor, ON
·Cogeco Cable
·Cogeco Voip
| reply to Jan Janowski Re: Blackice "Witty" Worm: source port 4000 UDP
In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.
I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way. |
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to justin said by justin : But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short lived.
Same idea, I would speculate, with malware that acts in an overt way versus malware that acts more covertly.
Exploit-based malware that scans like mad (high packet rates and broad IP address space "coverage") draws more attention to multiple aspects of the scanning (not just the ports, but also things like the "exploit"). And it will likely provoke a higher/escalated response to address the scanning -- usually involving an escalation of traffic filtering and patching. (Blaster being an example, I believe.) E-mail based malware is a more complicated situation, I believe (more factors).
In this case, I don't think the author of this thing cares as much about the level of response -- other than striking at a time which allows for a perhaps two-day headstart -- since the "average" response time is still so long that a good portion of the infected systems will have crashed before someone gets to them.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
  Bobcat Premium join:2001-02-04 Bedminster, NJ
·Verizon Online DSL
| reply to vic102482 said by vic102482 : How would this affect hardware firewalls:(
It doesn't.
I'm glad I have a NAT router instead of some buggy firewall software. -- "...Saddam Hussein still has chemical and biological weapons..." » George W. Bush, October 7, 2002. |
  jeisenberg New Year's Eve
join:2001-07-06 Windsor, ON
·Cogeco Cable
·Cogeco Voip
| reply to justin said by justin : Perhaps the witty virus is authored by someone who does not have any financial interest direct or indirect in using infected machines. Or perhaps just a disgruntled employee of ISS.
I agree that a disgruntled employee is a good place to start for the author of the worm. Another source might be an overzealous employee of a competitor, trying to drive sales toward their own product.
Whatever the motivation, it would be naive to believe that copycat virii / worms are not just around the corner. And I'd expect to see random source ports to begin shortly as well, further disguising and confounding attempts to head off this threat. |
  atangel Now What?? Premium join:2002-02-18 Bronx, NY
| reply to justin I agree with Justin, the "good ole days" where viruses destroyed the system they were on may be back, and I had thought the same thing. Can't destroy the PC you are on if you want to use it, but it also has contributed to the general apathy, I think, of most people. They hear about pop-ups (or get them and think it is part of the net) or they hear about a friend who got a virus, but no big deal, because there were no consequences really (they weren't inconvenienced).
Some people are in for a rude surprise. And they will also be the ones screaming loudest. -- The reason you think I'm way on the left is 'cause you're so far to the right. Dell Dimension, XP Pro, 2.4 Ghz, 512MB, BEFSX41, ZAP 4.5, NOD32, BOClean, Adaware, Spybot, MW Pro, The Bat! |
 psloss Premium join:2002-02-24 Alpharetta, GA
| said by atangel : Can't destroy the PC you are on if you want to use it, but it also has contributed to the general apathy, I think, of most people. They hear about pop-ups (or get them and think it is part of the net) or they hear about a friend who got a virus, but no big deal, because there were no consequences really (they weren't inconvenienced).
This factors into the miscreants' "strategy", though, too. Apathy is good for them, and of course the opposite isn't. Dead PCs are just as bad for those miscreants as they are for their owners -- for completely different reasons.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to jeisenberg That is one of the things that made this worm unique, in that the source port is usually dynamic and the destination port is static (but this was reversed in the Witty worm). Now certainly this is somewhat unique to ISS products, and I would think that it was meant as a security measure to vary the ports used between installations, but if it is coded it can be cracked, it just takes some time (cracking code is like trying to figure out where a train goes when you're standing on the tracks, it just takes some time).
Given that this worm is clearly malicious/criminal and has 'real' damage associated directly to it, if they ever catch who is responsible I can see real jail time and such in their future, not to mention pretty well endless civil suits. I would also hope that eEye and ISS worked together in harmony on this.
A week might not be long enough to patch 6000 laptops considering some might be used by remote users (for example traveling sales dudes who have been out of town for longer than a week). This exploit didn't take very long to hit the streets, so either they were working on it independently (most likely), or they were totally tipped off by the eEye announcement, which would be bad as then we might have to rethink delays between patch releases and announcements of vuls.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
  SYNACK Just Firewall It Premium,Mod join:2001-03-05 Venice, CA
·Comcast Formerly ..
| reply to atangel It is ironic how in this case running a "security product" makes you actually more vulnerable.
This is just a reminder that computer security is never a "set-it-and-forget-it" process.
I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track. |
 Selecter
join:2003-11-23 Charles Town, WV
| reply to underattack Maybe some of these people will go buy a G5 so they can lessen their exposure to this crap by a factor of 10 or more. I'm sorry, but the Windows world got to be too dangerous for the likes of mere mortals, so I jumped ship last year. Best thing I ever did. I read these stories and shake my head. One day the first big OS X worm will come along, I'm sure, but that day's not here yet.
Sometimes I think I don't want the Mac platform to get any bigger - if it does someone will surely write something. |
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| reply to jeisenberg said by jeisenberg : In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.
I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example.
But, I can tell you that this is one of the reasons I haven't done this. I would want an old, cheap PC with absolutely nothing of consequence on it, and for which I could completely restore not only the hard drive image, but -- if necessary -- the hard drive itself before I'd try this. Well, I don't have one. (And I would also totally isolate it from machines behind the firewall or second router.)
There are people here (gkweb comes to mind), who routinely put machines up, let them get slaughtered, and then take them down and reconstitute them. (After a few repeats, one can pretty much automate this process, I suspect, but I'm not there yet.) This is inherently a dangerous process and I doubt you're going to see anyone publish directions on how to do it. It's not so much that some of these guys worry that they're going to miss something, so much as them worrying that someone might read the process they enumerate and then decide to do the same thing -- eliminating some of the steps in the process as being "unnecessary". -- Regards, Joseph V. Morris |